Data breach and theft of identity documents in hospitality structures: copying documents violates the minimization principle
Data Protection
During the August holidays, a major cyberattack on Italian hospitality structures involved the Italian Computer Emergency Response Team for Public Administration of the Agency for Digital Italy (AGID) and the Data Protection Authority. The attack allegedly led to the theft of thousands of high-resolution scans of identity documents (passports, identity cards), acquired at check-in and later illegally sold on the dark web.
The Data Protection Authority reported receiving notifications from some structures and reminded those who had not yet done so of the obligation to promptly report the data breach and inform the affected customers. It also urged the use of the “Alloggiati Web” portal of the State Police for the secure processing of data.
The data breach exposes individuals to serious risks: identity theft, fraud, social engineering attacks, and reputational damage for the operators involved.
However, the violation could have been avoided. The practice – still widespread – of photocopying or scanning identity documents at check-in contradicts the data minimization principle of the GDPR (Article 5) and is not allowed under current legislation (Article 109, paragraph 3 of the TULPS and DM 7 January 2013, as amended in 2021). The regulation requires the identification of the guest, including the recording of the document details, but not the obligation to retain a copy, nor the legitimacy of keeping it for an undetermined period. A simple visual inspection of the document – in line with the identification de visu provided by the Ministry of the Interior’s circular of 18 November 2024 – accompanied by the registration of details and a privacy notice (Articles 13-14 GDPR) is sufficient to ensure compliance.
The Spanish Data Authority has also confirmed that identification can be done through a completed form at check-in without the need to retain a copy of the document.
The LEXIA Data & Technology Innovation team is available to assist hospitality structures in complying with privacy regulations, offering tailored legal, operational, and training support.
The “Pay or OK” model fails before the Austrian privacy authority and courts
Data Protection
The Austrian Federal Administrative Court (BVwG), rejecting the appeal of the Austrian news outlet “DerStandard” against the 2023 decision of the Austrian Data Protection Authority (DSB), upheld the DSB’s finding that “DerStandard” had not obtained valid and granular consent from users for the individual tracking tools implemented on its site, offering only a global consent-or-refusal model.
The case revolves around the so-called “Pay or OK” mechanism, where users were asked to choose between paying a monthly subscription (€9.90) or accepting tracking by numerous third parties to access the site’s content. However, the consent offered was singular and global, without the ability to select individual purposes or technologies.
According to the judges, this model does not ensure free, specific, and informed consent as required by Article 7 of the GDPR, as it conditions access to the service on a total waiver of the right to data protection. It is likely that the matter will now be referred to the Austrian Supreme Court, with a potential referral to the Court of Justice of the European Union, which could provide a final ruling on the compatibility of such models with European law.
Beyond the technical aspect of consent, the case raises a broader question: to what extent is it legitimate to “monetize” user personal data in exchange for access to online content or services? In a context where the right to data protection is a fundamental right, the possibility of “giving it up” risks creating a disparity between those who can pay for their privacy and those who cannot, with ethical and social implications.
This issue is not only relevant in Austria: the Italian Data Protection Authority on 29 April 2025 also launched a public consultation on the “Pay or OK” model to assess its compatibility with the GDPR, and the results of this consultation are eagerly awaited.
The LEXIA Data & Technology Innovation team is available to assist organizations and businesses in complying with the GDPR and personal data protection regulations, offering tailored consultancy, operational assistance, and specific training programs.
San Marino approves the first comprehensive eSports law: a model for Italy?
e-Sports
On 29 August 2025, the Republic of San Marino approved the first comprehensive eSports law in Europe, transforming the eSports Code adopted in 2023 into legislation. The text, consisting of 86 articles, systematically and innovatively regulates the entire eSports ecosystem: teams, players, coaches, casters, and other professional operators.
Among the most relevant aspects, the law introduces specific residence permits for sector operators, a dedicated sports justice system, and detailed rules on employment contracts, intellectual property protection, image rights, and the protection of minors. Fiscal incentives are also provided, along with the promotion of dedicated infrastructures such as LAN rooms and spaces for competitive events.
The new eSports Commission will oversee the implementation of the law, ensuring transparency and high professional standards. The declared aim of the Sammarinese authorities is to make the country a European hub for investments, talent, and businesses in the digital and gaming sectors.
The Sammarinese model offers a concrete opportunity for Italy, which currently lacks a comprehensive eSports law. A structured regulation – similar to the one adopted by San Marino – could enhance the professional role of players, regulate fiscal and contractual aspects, and strengthen protections for minors and users.
The international context is moving in the same direction: consider the announcement of the first eSports Olympics recognized by the IOC, scheduled for 2027 in Riyadh. In this scenario, a national law could make the Italian system more attractive to foreign operators, investors, and gaming startups.
In summary, the Sammarinese law sets an important European precedent, showing that it is possible to combine regulatory innovation, economic attractiveness, and protection of rights in a high-growth sector.
The LEXIA Data & Technology Innovation team has recognized expertise in the eSports legal sector, with a consolidated position as a reference point for sector operators: we regularly assist major market players in defining contractual models, governance structures, regulatory compliance, and development strategies, both in Italy and internationally.
Data Act: the European era of data sharing begins on 12 September
Data Strategy & Compliance
The Data Act (EU Regulation 2023/2854) will be fully applicable starting 12 September 2025. This regulation is a key component of the European strategy for the single data market, complementing the Data Governance Act to provide a clear framework for accessing and using data generated by connected devices (IoT).
The Data Act introduces several significant changes that will directly impact businesses, digital service providers, and end-users. Firstly, it establishes the right to access and share data generated by connected devices (IoT): citizens and businesses will be able to obtain usage data from the devices they use and share it with third parties of their choice, promoting greater openness in the data ecosystem.
A second key area concerns data-sharing contracts in the B2B sector. The regulation introduces the principle of contractual fairness according to FRAND (fair, reasonable, and non-discriminatory) criteria, prohibiting the inclusion of unfair or imbalanced clauses in favor of one party. Starting in September 2027, these protections will also apply to existing long-term contracts.
On the infrastructure side, the Data Act imposes clear obligations regarding portability and switching of cloud services: providers must guarantee users the ability to change provider easily, without technical or commercial barriers, with a view to greater interoperability and freedom of choice.
Equally important is the focus on the protection of non-personal data: the regulation introduces tools to prevent undue access by authorities from third countries, strengthening guarantees related to digital sovereignty and the extraterritorial management of data.
Finally, each Member State will be required to designate competent authorities to oversee the application of the regulation and to define a sanctions system that is effective, proportionate, and deterrent, ensuring uniform and credible implementation of the new rules across Europe.
This regulation impacts various sectors and business models, transforming data – especially IoT data – from an exclusive resource to a shareable asset. It is not just about regulatory compliance, but also an opportunity to:
- demonstrate transparency and contractual fairness (FRAND);
- innovate through access to data and interoperability;
- strengthen one’s reputation in a market increasingly focused on data protection.