Italian DPA fines healthcare facility and their service provider due to whistle-blowing app violations

In April 2022, the Italian data protection authority (hereinafter – Italian DPA) fined a healthcare facility, Azienda ospedaliera di Perugia, and its service provider ISWEB S.p.A. for GDPR violations relating to their whistle-blowing app. This is not the first time the Italian DPA has imposed fines for violations of this nature; last year, the Italian airport Aeroporto Guglielmo Marconi di Bologna S.p.a. and its service provider aiComply S.r.l. received fines for highly similar breaches.

Context and findings

The case resulted from inspections carried out by the Italian DPA, in which the supervisory authority audited the processing of personal data acquired via the whistle-blowing channels most commonly used by Italian employers. During the investigation of the healthcare facility, the Italian DPA found that the service provider of the whistle-blowing app had also violated the GDPR.

Throughout the investigation, the DPA found several violations of the GDPR. Firstly, the whistle-blowing management system tracked access to the software, and each connection to the app was recorded and stored in firewall logs. As a result, users of the whistle-blowing app, including the whistle-blowers themselves, could have been identified and tracked. The Italian DPA also found that employees had not been informed about the processing of their data through the use of the app. There were other violations as well; for example, the controller failed to conduct a DPIA, and no entry for the processing was found in the record of processing activities. Violations were also found in the handling of authentication credentials.

Case relevance for Lithuanian companies

As Member States of the EU have been obligated to transpose Directive (EU) 2019/1937 into national law, the example set by the Italian DPA may be relevant to most data controllers and processors within the EU. In Lithuania, for instance, this directive has been implemented via the Law on the Whistle-blower’s Protection of the Republic of Lithuania. The law requires employers with 50 or more employees to set up an internal reporting channel (e.g., a telephone hotline, an intranet line, or a dedicated email address) through which employees can report potential misconduct. The law applies to smaller businesses, too; Lithuanian companies with fewer than 50 employees must abide by the other rules set out in the law, such as ensuring the confidentiality of whistle-blowers and ensuring that they are not adversely affected by the reporting.

What to take out from this?

Providing a safe and secure way to report potential misconduct is crucial, but so is ensuring the data protection of such channels:

  • when engaging a third-party service provider for reporting misconduct, ensure that a DPIA is conducted before any data processing takes place,
  • ensure that both your employees and other persons who may report a breach are informed about the processing of personal data through the whistle-blowing channels,
  • ensure that a data retention period is set for this kind of processing. Personal data processed via whistle-blowing channels should be retained only for as long as it is needed or as set forth by the law,
  • keep your records of processing activities up to date. If the whistle-blowing management system is outsourced, its service provider should be included in the data processor register, and the processing activities carried out should be included in the register of processing activities,
  • when issuing authentication credentials, ensure that no other parties can access them.

The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to whistle-blowing management systems and GDPR compliance, or any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.

Links to the fines can be found here (ISWEB S.p.A. fine), here (Azienda ospedaliera di Perugia fine), here (aiComply S.r.l. fine) and here (Aeroporto Guglielmo Marconi di Bologna S.p.a. fine). The text is available in Italian only.

This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė.
