Venice Access Ticket: Municipality Fined for Illegal Collection of Personal Data

The focus is on the requirement to register to obtain the exemption. The Municipality has been given a €10,000 fine and the obligation to review procedures. The investigation was opened in 2022 and closed in August 2025.

By Leonardo Bison

11 September 2025

The collection of personal data as required by the municipal regulation on the access fee for the City of Venice is largely unlawful. The Italian Data Protection Authority (Garante per la protezione dei dati personali) issued a sanction against the violation in a provision dated August 4, 2025 (which, however, neither the Authority nor the Municipality had previously disclosed), closing an investigation opened in 2022 regarding the ticket regulation approved by the municipality in 2019.

The procedures required to obtain exemptions, which require declaring the reason for visiting the city, were particularly targeted. The provision also highlights that the elimination of students and residents of the Veneto region from the list of those required to register (in 2025, unlike 2024) was also related to a request from the Authority, which is now calling for the elimination of registration for many more individuals. “The overall processing carried out by the Municipality of Venice” involves “a massive collection of personal data and information on the movements of data subjects which, in addition to being unnecessary, does not appear proportionate to the objectives pursued”, the provision states.

€10,000 fine, but it could have been €20 million

The fine imposed on the Municipality is €10,000, given the collaborative relationship between the municipal offices over the years and the unprecedented nature of the violation. Paradoxically, given the tens of thousands of people affected by the violation (all those who registered on the portal to obtain an exemption, and should not have), the provision states that “the total amount of the fine is to be quantified, up to €20,000,000.00”: €20 million, but with a discount.

The text of the provision shows that the Data Protection Authority waited throughout 2024 and the first phase of the trial to allow the Municipality to adapt the regulation to the current privacy rules. However, the Authority has determined that the Municipality’s efforts fell far short of requirements, noting “the inadequacy of the measures adopted to ensure full compliance with the principles of necessity and proportionality, lawfulness, fairness and transparency, purpose limitation, data minimization, storage limitation, integrity and confidentiality, as well as privacy by design and privacy by default with regard to the processing of personal data carried out, in particular during the initial testing phase of the Portal, as well as the configuration settings of the so-called ‘totems’.”

Obligation to review the regulation: “All that data is not needed”

Hence the fine, but above all, the request for substantial changes to the Municipality’s current access fee regulation. Specifically, the Authority has requested that the city: “identify additional categories of data subjects who do not need to pre-register on the Portal,” particularly in cases where that data can be obtained in other ways (for example, for those staying in hotels); “also identify, within the portal, additional categories of data subjects who can be included in the residual category of ‘Other exemptions’” so that as few people as possible have to declare why they are exempt; “suspend the acquisition (via registration on the portal) of personal data of individuals invited by residents of the Municipality of Venice, adopting an alternative mechanism aimed solely at verifying the validity of the Friend Code in the event of exemption checks”; “regulate in detail the procedure for subsequent checks, specifying the processing methods, the types of data processed, and identifying appropriate and specific measures to protect the fundamental rights and interests of data subjects.”

This is a serious blow to the 2019 regulation, which, among other things, aimed to collect extensive data on who visits Venice and why. However, it doesn’t reject the “access fee” as such, only the collection of personal data associated with it.

The reactions: “Extremely serious, useless regulation”

Reactions have been swift. What has emerged is “extremely serious,” according to Giuseppe Saccà, leader of the Democratic Party (PD) in the city council: “It’s time for the City Council to thoroughly review the access fee regulation. Unfortunately, the many complaints from administrators and citizens regarding privacy issues, which were later addressed in the Authority’s provision, have gone unheeded.”

“Without a daily threshold, the access fee is just a tax to raise money, as I have always maintained, and as the Authority is now also saying,” adds Marco Gasparinetti of Terra&Acqua. The opposition (PD, M5S, Venezia è Tua, Terra&Acqua, Verde Progressista) submitted an inquiry this morning asking when and what corrective measures will be taken.

Giovanni Andrea Martini of “Tutta la città insieme” also expressed criticism: “The conceit with which the measure (the access fee, Ed.) was presented and promoted should now be buried in shame over the condemnation it just suffered,” he wrote, recalling citizens’ opposition to the measure.

The Municipality: “We are carefully evaluating what steps to take”

The municipal administration announced that, with the support of the Civic Advocacy Office and an external lawyer, it has already initiated “a thorough investigation aimed at a detailed examination of the findings raised by the Authority and evaluating all possible actions necessary to protect the administration’s operations”.

Given these findings, Ca’ Farsetti’s defense focuses on the context and purpose of the measure. “It must be recognized,” the statement reads, “that the introduction of the Access Fee is a completely new and unique provision in the national and international landscape, due to the complexity of the matter and the specific context in which it is inserted, which requires ongoing technical analysis for its implementation.”

The administration’s primary objective, Ca’ Farsetti adds, remains to ensure the livability of the Old City, protecting residents, students, and workers, “through an access management system that is both effective in regulating flows and compliant with current regulations regarding the protection of personal data.” Unfortunately, this goal has yet to be achieved.

Source: Venezia Today

