TuPassi: Privacy Guarantor sanctions the municipality of Rome

At the end of a complex procedure that lasted almost three years, the Guarantor for the protection of personal data ordered the municipality of Roma Capitale to pay a fine of 500,000 euros for the unlawful processing of personal data of users and employees through the TuPassi service. . The authority also fined the company that develops the system for a sum of 40,000 euros.

Update: TuPassi clearly explains what happened.

TuPassi: eliminates queues without privacy

TuPassi is a “queue elimination” service used in various municipalities and also included among those of the Digital Solidarity initiative. It allows you to make reservations by appointment via computer, smartphone and totem. Following the checks carried out by the Guarantor on the use of the service by the municipality of Roma Capitale, various criticalities were found in relation to the processing of data.

An excessive number of sensitive information, many of which refer to reservations for health services (type, date, time), they had been stored on the municipality's servers for a long period of time. The system also generated daily reports on employee activity (name, date, waiting time). These operations were carried out without providing users and employees with complete information on data processing, as required by the GDPR (General Data Protection Regulation).

Among other things, the report on the activity of counter staff did not respect the guarantees provided by the workers' statute on remote control. The fine of 500,000 euros was also imposed because the municipality of Rome did not implement adequate technical and organizational measures.

A 40,000 euro fine was also imposed on the company that develops TuPassi, or Miropass, as it did not comply with the current rules on the collection, processing and cancellation of users' personal data. Lastly, the same company received an injunction providing for the obligation to make the necessary updates to the service, in order to make it compliant with the regulations on data protection.

Update: the point of view of TuPassi

Thanks to the collaboration of TuPassi, we learn that the group has offered maximum collaboration to the Guarantor since the preliminary phase to better investigate the findings ascertained by the Authority. Specifically, no problems emerged in relation to the IT infrastructure of the service, but only formal issues underestimated in the first phase of development of the app.

TuPassi is a real-time waiting room management system, which goes beyond the traditional "numeretto" by coordinating various variables that give rise to time slots that can be booked on 3 synchronized channels (totem, Web portal and from App) and manages all concrete needs (such as user delays but also of branches, as recalled, need to return within the day to present missing documents without booking again, etc.): TuPassi offers a unique and innovative service; it found itself placed in a difficult and border area with respect to the necessary rigidity of a regulation but we have worked, since 2018, to overcome this complexity and offer a service that is not only useful but also safe for citizens.

Since 2019, in any case, "the system keeps the personal data of the booked user on the server of the structure that TuPassi uses for a period of time not exceeding the achievement of the purposes for which they are processed". Furthermore, "The user who accesses our system for the first time, after registering and approving our privacy policy, in order to make an online booking on one of the services of the Companies on the TuPassi portal, must give the consent, if he refuses, he can go to the office of interest by booking from the totem but only for the same day depending on availability ".

Security is now guaranteed both from a substantial point of view and from the point of view formal. To use the service the link is this.

Source: Privacy Guarantor