06 March 2020
Whistleblowing is regulated by Paragraphs 2bis, 2ter and 2quater of Article 6 of Legislative Decree 231/2001 in particular.
Specifically, Paragraph 2bis provides that "organisational, management, and control models" must identify one or more channels to allow people who perform management functions, those subject to their supervision and those who collaborate in any capacity with an entity to submit detailed reports of any unlawful conduct or violations of an entity's organisational models of which they have become aware through their work (although no clear proof is required). These channels of communication (one of which must be a computer process) must guarantee the confidentiality of a whistleblower's identity.
Employers must ensure that the technical and organisational measures and the software that they use are adequate to protect the confidentiality of whistleblowers. On 23 January 2020 the data protection authority reiterated this point when it fined La Sapienza, a major university in Rome, for failing to prevent the data of two people who had notified the university of possible data violations from being accessible online. The university had notified the data protection authority, in accordance with Article 33 of the General Data Protection Regulation (GDPR), of the disclosure of personal data processed through a platform that it used to manage employee and third-party reports on irregular behaviour as part of its whistleblowing regulatory framework. In particular, La Sapienza informed the data protection authority of the "involuntary disclosure of ordinary personal data" (ie, names and email addresses) relating to two whistleblowers through its whistleblowing platform.
This information was subsequently indexed by a number of search engines until the university intervened to have the data deindexed and any cache copies deleted.
During the course of the investigation, the data protection authority found that although the data breach had been accidental and had been promptly notified pursuant to Article 33 of the GDPR, it had still resulted in the following breaches of the GDPR:
The data protection authority highlighted that according to the GDPR, data controllers (in this case La Sapienza) are primarily responsible for the implementation of technical and organisational measures to ensure a level of security appropriate to any potential risks.
This includes a procedure to regularly test, verify and evaluate the effectiveness of any measures taken. La Sapienza, by contrast, had merely implemented changes recommended by a service provider; these provided neither for the encryption of personal data (eg, the identity of whistleblowers, information relating to whistleblowing reports and any attached documentation) nor for the adoption of a transmission protocol that would guarantee secure communication, protecting the confidentiality and integrity of the data exchanged.
According to the data protection authority, the seriousness of the breach was exacerbated by the apparent confidentiality established by the rules on whistleblowing, precisely for the greater protection of the persons concerned.
Having ascertained that the data processing had been unlawful and the security obligations imposed by the GDPR had not been complied with (taking into account that the breach concerned only two persons and that La Sapienza had actively cooperated throughout the investigation), the data protection authority imposed an administrative fine of €30,000 on the university.
This ruling shows that the protection of personal data is not only a matter of policy, but also involves the careful choice of the technical tools used for data processing purposes.
For further information on this topic please contact Luca Daffra at Ichino Brugnatelli e Associati by telephone (+39 (0)2 48193249) or email (email@example.com). The Ichino Brugnatelli e Associati website can be accessed at www.ichinobrugnatelli.it.