(Finance) – One Autostrade per l’Italia (Aspi) was fined one million euros by the Privacy Guarantor for illegally processing the data of about 100,000 registered users of the toll reimbursement app, called Free to X. construction sites – had been reported to the Guarantor by a consumer association. The Authority – explains the Guarantor’s Newsletter – has ascertained that Autostrade plays the role of data controller and not of manager, as instead indicated in the documentation that governs the relationship between Aspi and the company Free to X which created and manages the app , as well as in the information provided in this regard to users.
“L’incorrect qualification of the privacy roles covered by the two companies – underlines the Guarantor – has immediate repercussions on the information provided to users which was therefore not correctly formulated. The disclosure should in fact have reported the actual identity of the owner, i.e. Aspi, as well as all the additional information to ensure correct and transparent processing, as required by the Regulation. Furthermore, Aspi has committed a further violation for not having designated Free to X as data controller”.
However, the Guarantor has not indicated corrective measures to Aspi since the company complied with the privacy legislation during the proceeding. Highways for Italy – let Aspi know in a note – it was, in fact, already adapted since 15 December last to the requests of the Privacy Guarantor who asked the company to manage the cashback data directly, and not through the subsidiary Free to X, in the event of delays due to queues due to construction sites. In the note Aspi highlights that the same authority has recognized the free service provided. “Regarding the fine of one million euros imposed by the Guarantor for the protection of personal data on Autostrade per l’Italia – says Aspi – the company explains that, as can be seen from the text of the provision adopted by the Authority itself, this is due not to an illicit or incorrect management of the data of users registered in the application to request cashback, but to a question of attribution of ownership or responsibility for the processing to a company that is internal to the Group.In fact, according to the Guarantor, the subject the competent data controller should not be Free To X, the Aspi subsidiary that manages the refund service, but Autostrade per l’Italia itself.The nature of the ascertained violation, therefore, pertains to aspects of identifying subjects, or who is the owner and manager of the treatment between ASPI and Free To X. In full compliance with the Authority and in a spirit of full collaboration – continues the company – Aspi already on 15 December 2022 complied with the indications of the regarding ownership of the Cashback service. The Authority – continues Aspi – has also found that the cashback service is free and that the company has not achieved any economic benefit from the treatment in question”.