Categories: Insights, Practice

Tag: GDPR


27 May 2022

The Data Protection Authority sanctions whistleblowing systems that do not guarantee the confidentiality of the data processed

On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.

The Authority also sanctioned the IT company that acted as data processor and managed the service for reporting alleged corruption or unlawful conduct within the entity.

The investigation

The Authority noted that, contrary to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital, in its capacity as data controller, had failed to provide specific and prior information about the personal data processing carried out following a report. This violated the principle of “lawfulness, fairness and transparency”, which obliges the data controller to provide data subjects with specific information about the processing in advance, taking “appropriate measures” to reach the recipients.

It also emerged that the health authority had failed (i) to record the processing operations carried out in its register of processing activities under Art. 30 of the GDPR and (ii) to carry out a preliminary data protection impact assessment.

The Authority stated that processing personal data through systems for acquiring and managing reports entails risks for the rights and freedoms of the data subjects because of “the sensitivity of the processed information, the ‘vulnerability’ of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”

Furthermore, it noted that:

  • when the person in charge of corruption prevention and transparency was replaced, the authentication credentials used to access the web application had not been properly managed, and
  • the IT company appointed by the entity to manage the whistleblowing system had used a sub-supplier for the application hosting service without giving it data processing instructions and without informing the health authority (data controller); it had also used the same hosting service for its own, additional purposes.

The Data Protection Authority’s decision

The Authority fined the hospital and the IT company €40,000 and gave the hospital a further 30 days to bring its relationship with its supplier into line with the relevant legislation.

◊◊◊◊

As stated in the communiqué issued by the Data Protection Authority, the investigation carried out in this case was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”
