Categories: Insights, Practice

Tag: GDPR


27 May 2022

The Data Protection Authority sanctions whistleblowing systems that do not guarantee the processed data confidentiality

On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.

The Authority sanctioned the IT company, which was acting as a data processor, and managed the service for reporting alleged corrupt activities or unlawful conduct within the entity.

The investigation

The Authority noted that under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital in its capacity as Data Controller, failed to provide specific and prior information about personal data processing carried out following a report. This was in violation of the principle of “lawfulness, fairness and transparency”, which imposes on the data controller the obligation to provide data subjects specific information about the data processing in advance, by taking “appropriate measures” to reach recipients.

It emerged that the health authority failed (i) to trace the processing operations carried out in the Processing Register under Art. 30 of the GDPR and to carry out a preliminary privacy impact assessment.

The Authority stated that the processing of personal data using systems for acquiring and managing reports has risks for the rights and freedoms of the data subjects due to “the sensitivity of processed information, the “vulnerability” of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”

Furthermore, it noted that:

  • during the replacement phase of the person in charge of corruption prevention and transparency, proper management of authentication credentials to access the web application had not been adopted, and
  • the IT company appointed by the entity to manage the whistleblowing system had used a (sub) supplier for the application hosting service failing to provide data processing instructions and to inform the health authority (data controller). It used the same hosting service for its own and additional purposes.

The Data Protection Authority’s decision

The Authority fined the hospital and the IT Company € 40,000 and gave the hospital a further 30 days to make its relationship with its supplier compliant with the relevant legislation.

◊◊◊◊

As specified in the communiqué shared by the Data Protection Authority, the investigation carried out, in this case, was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”

Other related insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…