The Italian Data Protection Authority (Garante per la protezione dei dati personali – GPDP) has fined Ica s.r.l €30,000 for violating Articles 5(1)(f) and 32 of the GDPR. The company acting as a processor will be held liable for failing to implement appropriate technical and organisational measures.
The decision is the result of an audit initiated by a complaint concerning an online payment service. The company Ica s.r.l provided one Italian municipality with software enabling such transactions and processed the personal data of payers on its behalf. The municipality used the service to collect fines imposed on its citizens. During the operation of the software, a flaw was identified which allowed access to the personal data of the residents of the municipality making remote payments via this service.
In assessing the degree of the infringement, the following circumstances were taken into account:
- the breach lasted for a short period,
- the breach did not affect a significant number of persons,
- the processor took immediate actions to remedy the breach and mitigate any negative effects, while cooperating with the personal data controller,
- the company cooperated with the supervisory authority during the audit,
- the processor has not previously committed a personal data breach.