Categories: Insights, Publications

Tag: GDPR, protezione dei dati personali, whistleblower, Whistleblowing


21 Feb 2020

Coding and safe communication protocol to protect whistleblowers (Il Quotidiano del Lavoro, Il Sole 24 Ore, 21 February 2020 – Vittorio De Luca, Antonella Iacobellis, Martina De Angeli)

With Decision No. 17 of 23 January 2020 and in imposing a sanction on an Italian University for not having properly protected the confidentiality of the identification data of two persons – the whistleblowers –, who had reported possible unlawful behaviours, the Italian Data Protection Authority has laid stress on the fact that an obligation weighs on the Employer, namely, the “Controller” (pursuant to Article 4 of Regulation EU 2016/679, hereinafter, the “GDPR”) to implement technical and organisational measures fit to ensure the protection of the personal data processed (cf. Newsletter of the Italian Data Protection Authority No. 462 of 18 February 2020).

 In particular, at the time of the facts and in aligning itself with the obligations to properly protect the employee that reports unlawful behaviours within the working environment (the so-called “whistleblowing” introduced in the Italian legal system with Legislative Decree No. 165 of 30 March 2001), the University had chosen to use a technological solution. In this case, in order to ensure the protection in the capture and management of all reports of offences, the University had availed itself to the use of a software platform supplied by a third party outside the University’s organisation.

In changing and concomitantly updating the software platform, there was the so-called overwriting of access credentials leading to an exposure of the personal data of the two whistleblowers on some browsers accessible and viewable by whomever searched on the Internet.

As a result of the above, the University served notice on the Italian Data Protection Authority as to the so-called data breach, with which the University reported the spread of the common personal data of the two whistleblowers on the public web, to the extent that they could potentially be consulted by anyone.  

The investigation carried out by the Italian Data Protection Authority has found that the University had not adopted proper technical and organisational measures aimed at ensuring “the security and confidentiality needs typical of data management within whistleblowing procedures”; on the other hand, the University failed to define a correct procedure for controlling accesses, which should have limited data processing to the authorised staff. 

Indeed, the University had limited itself to embrace the security measures chosen by the software supplier. Nonetheless, the above-mentioned security measures were neither suitable nor fit, since they failed to foresee measures such as coding or the adoption of a safe communication protocol for information, thus allowing the infringement of the confidentiality and of the integrity of the personal data processed, as well as the respective incorrect keeping and accessibility.

In particular, the Italian Data Protection Authority held that “As regards the application at issue, in light of the nature, the scope and the aim of the processing, as well as of the high risk for the rights and freedoms of the whistleblowers, the solution adopted by the University can in no way be deemed a technical measure fit to ensure the confidentiality and the integrity of the data processed as well as the authenticity of the website used by the users both as a whistleblowing channel (employees, students, etc.) and as a tool for managing any whistleblowing (Head of Corruption Prevention and of Transparency, i.e. RPCT and the respective collaborators, if any”.

Click here to continue reading the article.

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…