By Order No. 68 of February 12, 2026, the Data Protection Authority imposed a fine of 3,000 euros on the Municipality of Aversa for violating the obligations set forth in Article 37, paragraphs 1 and 7, of the GDPR, regarding the designation of the Data Protection Officer (DPO) and the communication of the DPO’s contact information to the Authority.

The ex officio investigation established that the entity had neither formally appointed the DPO nor published the relevant contact details on its official website. The defenses put forward by the Municipality—structural staff shortages, a financial restructuring process, and the timing of upcoming elections—were not deemed sufficient to justify the non-compliance, since the role of the DPO has been, since May 2018, a mandatory and non-negotiable component of public entities’ privacy governance.

Although the Municipality took steps to rectify the situation during the proceedings, the Data Protection Authority nevertheless deemed it necessary to impose the sanction and order the publication of the decision, emphasizing the deterrent function of the measure and reiterating that organizational difficulties do not exempt the data controller from complying with fundamental data protection obligations.