ITALY: Personal Data Anonymization and the Risk of the DPO Being an Executor

DLA Piper

The Italian Data Protection Authority’s recent decision provided guidance on the true meaning of personal data anonymization and on the crucial distinction between the DPO as a monitor and the DPO as an executor. In a world driven by AI and public surveillance, both concepts are more relevant than ever.

On April 10, 2025, the Garante (the Italian Data Protection Authority) issued a EUR 9,000 fine to AMAT, a company owned by the Municipality of Milan, for privacy violations involving a traffic-monitoring system using AI. The project involved video cameras capturing road users – including pedestrians and cyclists – with data being processed in real time. While AMAT claimed that data had been anonymized, the Authority found that personal data anonymization had not been effectively achieved.

When personal data anonymization falls short

The Garante reiterated that personal data anonymization requires more than simply blurring faces or license plates. To qualify as anonymous data under the GDPR, information must be stripped of all identifiers in such a way that re-identification is impossible, even when the data is combined with other reasonably available sources.

In this case, although facial features and plates were blurred, the individuals could still be indirectly identified via contextual clues such as body shape, clothing and location. As a result, the data retained its status as personal data, triggering full GDPR obligations. The concept of personal data anonymization was misapplied – and this misstep became a key factor in the violation.

The DPO is not an executor: Independence matters

Perhaps even more critical was the issue surrounding the Data Protection Officer. AMAT had tasked its internal DPO with drafting and signing the Data Protection Impact Assessment (DPIA). According to the Garante, this directly conflicted with the GDPR’s requirements – and with the DPO’s role as an independent advisor and monitor.

The GDPR explicitly states that a DPO must not be an executor of compliance activities. Their independence must be safeguarded, and assigning them operational responsibilities – such as authoring a DPIA – creates a conflict of interest. This decision reinforces the legal boundaries: the DPO is not an executor. Treating it as such undermines the integrity of the entire compliance framework.

This marks the third time in less than two years that the Garante has taken a public stance on the danger of the DPO being an executor. And it’s clear the Authority is no longer tolerating blurred lines in this regard.

Transparency failures and poor governance

Alongside these two primary issues – personal data anonymization and the DPO being an executor – the decision also cited failures in transparency. Informational signs and privacy notices were either delayed or incomplete. Some notices inaccurately described the anonymization process and omitted critical details like data retention and the legal basis for processing.

The Authority also noted that the DPIA was not clearly dated or formally recorded, raising questions about whether it had even been completed before the launch of the surveillance activities.

Final takeaways

This decision is a clear signal to both public authorities and private companies:

  • Personal data anonymization must meet the GDPR’s high threshold – not just technical masking or cosmetic blurring.
  • The DPO must never be treated as an executor. Its role is oversight, not implementation.
  • Governance frameworks must clearly separate legal accountability from independent advice.

As cities and companies roll out AI-powered monitoring tools, these principles must be embedded from the start – not added later as risk-mitigation exercises.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper

Written by:

DLA Piper