With Decision No. 17 of 23 January 2020 and in imposing a sanction on an Italian University for not having properly protected the confidentiality of the identification data of two persons – the whistleblowers –, who had reported possible unlawful behaviours, the Italian Data Protection Authority has laid stress on the fact that an obligation weighs on the Employer, namely, the “Controller” (pursuant to Article 4 of Regulation EU 2016/679, hereinafter, the “GDPR”) to implement technical and organisational measures fit to ensure the protection of the personal data processed (cf. Newsletter of the Italian Data Protection Authority No. 462 of 18 February 2020).

 In particular, at the time of the facts and in aligning itself with the obligations to properly protect the employee that reports unlawful behaviours within the working environment (the so-called “whistleblowing” introduced in the Italian legal system with Legislative Decree No. 165 of 30 March 2001), the University had chosen to use a technological solution. In this case, in order to ensure the protection in the capture and management of all reports of offences, the University had availed itself to the use of a software platform supplied by a third party outside the University’s organisation.

In changing and concomitantly updating the software platform, there was the so-called overwriting of access credentials leading to an exposure of the personal data of the two whistleblowers on some browsers accessible and viewable by whomever searched on the Internet.

As a result of the above, the University served notice on the Italian Data Protection Authority as to the so-called data breach, with which the University reported the spread of the common personal data of the two whistleblowers on the public web, to the extent that they could potentially be consulted by anyone.  

The investigation carried out by the Italian Data Protection Authority has found that the University had not adopted proper technical and organisational measures aimed at ensuring “the security and confidentiality needs typical of data management within whistleblowing procedures”; on the other hand, the University failed to define a correct procedure for controlling accesses, which should have limited data processing to the authorised staff. 

Indeed, the University had limited itself to embrace the security measures chosen by the software supplier. Nonetheless, the above-mentioned security measures were neither suitable nor fit, since they failed to foresee measures such as coding or the adoption of a safe communication protocol for information, thus allowing the infringement of the confidentiality and of the integrity of the personal data processed, as well as the respective incorrect keeping and accessibility.

In particular, the Italian Data Protection Authority held that “As regards the application at issue, in light of the nature, the scope and the aim of the processing, as well as of the high risk for the rights and freedoms of the whistleblowers, the solution adopted by the University can in no way be deemed a technical measure fit to ensure the confidentiality and the integrity of the data processed as well as the authenticity of the website used by the users both as a whistleblowing channel (employees, students, etc.) and as a tool for managing any whistleblowing (Head of Corruption Prevention and of Transparency, i.e. RPCT and the respective collaborators, if any”.

Click here to continue reading the article.