Whistle-blowing without privacy: the Italian SA fines hospital and IT service provider

10 June 2022

Background information

  • Date of final decision: 7 April 2022
  • Cross-border case or national case: national case
  • Controller: Azienda ospedaliera di Perugia, Perugia Public Hospital
  • Processor/controller: Isweb srl - Provider of the whistle-blowing management system
  • Legal Reference: GDPR: Art. 5, para. 1, letters a) and f) (lawfulness, fairness and transparency; integrity and confidentiality); Art. 13 and 14 (Information); Art. 25 (Data protection by design and by default); Art. 28 (Processor); Art. 30 (Record of processing activities); Art. 32 (Security of processing); Art. 35 (DPIA).  
  • Decision: finding of GDPR infringement; imposition of administrative fine.
  • Key words: employer-employee relations; whistle-blowing; record of processing activities; authentication; hosting; DPIA.

 

Summary of the Decision

Origin of the case:  

The case originated from a set of inspections on the processing of data acquired via whistle-blowing management systems, with particular regard to those most used by Italian employers.

The inspections also brought to light infringements that could be traced back to the IT company (Isweb Srl) that provided the whistle-blowing management software to the hospital as a processor.

Key Findings:

The whistle-blowing management system in question tracked the accesses to the software as the connections to the whistle-blowing app were recorded and stored in firewall logs; accordingly, users of the app could be tracked including potential whistleblowers.  No information had been provided to employees on the processing of personal data for the purpose of reporting misconduct. Additional findings: no DPIA had been carried out; no entry for this processing activity was found in the record referred to in Article 30 GDPR; the authentication credentials enabling the ‘Corruption and Transparency Manager’ to access the whistle-blowing app had been handled inappropriately during the transition to the next incumbent.

Specific infringements were also found regarding the IT company that provided the whistle-blowing app to the hospital as a processor. The company in question failed to regulate its relations with the hosting provider both when acting as a processor (to the hospital) and when acting as a separate controller (in respect of its internal services, e.g. regarding management of its employees or accounting and administration activities),

Decision:

The domestic legislation on whistle-blowing falls within the scope of the ‘more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context’ referred to in Article 88(1) GDPR; indeed, whistle-blowing entails processing personal data that relate both to the whistle-blowing employee and to the individuals reported against, to witnesses and third parties and a special confidentiality regime is envisaged to protect the whistleblower’s identity.

The controller (the Public Hospital) failed to lay down adequate technical and organisational measures to ensure the appropriate level of security by having regard to the specific risks arising from the processing in question, which required implementing a whistle-blowing management system that was in line with the data protection by design and by default principles – also in the light of the opinion given in this respect by the Hospital’s Data Protection Officer (DPO).

The whistle-blowing service provider had not regulated its relationships with the hosting provider it relied upon both in connection with the multifarious processing activities for which it was the controller (in breach of Article 28, paragraphs 1 and 3, GDPR) – ranging from the management of its employees to accounting and administrative activities up to the processing inherent in supplying its services – and in respect of the processing activities for which it was a processor acting on behalf of its customers including the Perugia Public Hospital (in breach of Article 28, paragraphs 2 and 4, GDPR).

Both the Public Hospital and the IT company were fined EUR 40,000.

 

For further information: links to national language decisions

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.