For proper whistleblowing management, it is essential to pay due attention to the protection of the personal data processed.

The adoption of appropriate measures to ensure the protection and security of personal information is a key factor in achieving the necessary balance between the whistleblower’s need for confidentiality, the need to ascertain the wrongdoing and the whistleblower’s right to defence and cross-examination.

Vittorio De Luca, Managing Partner of Studio De Luca & Partners commented: “The recent measure adopted by the Data Protection Authority is only the latest of the measures adopted on the subject which, as the Authority pointed out, is part of a broader inspection plan dedicated to verifying the utmost respect for the protection of personal data during the management of unlawful conduct reports. Without prejudice to this, proper management of the “whistleblowing system” is part of an effective corporate compliance strategy. Implementing organisation, management and control systems built based on the results of a preliminary risk analysis makes it possible to reduce the risk of offences being committed and the risk of incurring the heavy penalties provided for by applicable legislation. It is necessary to adopt corporate procedures and appropriate technical and organisational measures for the protection and security of the information of those involved without neglecting the importance of awareness-raising and training users of these systems and those in charge of managing and verifying the reports made. Reaching a high level of awareness and culture among corporates must be one of the first objectives to be achieved.”

On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.

The Authority sanctioned the IT company which, acting as a data processor, managed the service for reporting alleged corrupt activities or unlawful conduct within the entity.

The investigation

The Authority noted that under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital in its capacity as Data Controller, failed to provide specific and prior information about personal data processing carried out following a report. This was in violation of the principle of “lawfulness, fairness and transparency”, which imposes on the data controller the obligation to provide data subjects specific information about the data processing in advance, by taking “appropriate measures” to reach recipients.

It emerged that the health authority failed (i) to record the processing operations carried out in the Processing Register under Art. 30 of the GDPR and (ii) to carry out a preliminary privacy impact assessment.

The Authority stated that the processing of personal data using systems for acquiring and managing reports poses risks for the rights and freedoms of the data subjects due to “the sensitivity of processed information, the “vulnerability” of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”

Furthermore, it noted that:

  • during the replacement phase of the person in charge of corruption prevention and transparency, proper management of authentication credentials to access the web application had not been adopted, and
  • the IT company appointed by the entity to manage the whistleblowing system had used a (sub) supplier for the application hosting service, failing to provide data processing instructions and to inform the health authority (data controller). It used the same hosting service for its own and additional purposes.

The Data Protection Authority’s decision

The Authority fined the hospital and the IT Company € 40,000 and gave the hospital a further 30 days to make its relationship with its supplier compliant with the relevant legislation.

◊◊◊◊

As specified in the communiqué shared by the Data Protection Authority, the investigation carried out in this case was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”


In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, from Studio De Luca & Partners, said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact they could have on their business. An “incident” response plan must be prepared, security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness on cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority, and initiate a data breach procedure within 72 hours of becoming aware of the violation.”

Based on the principles in the Court of Justice Schrems II judgement of 16 July 2020, with Decision no. 2021/914 of 4 June 2021, the European Commission has approved two new sets of Standard Contractual Clauses (“SCCs”) which, from 27 September, must be included in contracts to regulate a transfer of personal data to non-EU countries or international organisations. For contracts signed before this date, there will be a transition period ending on 27 December 2022, provided that the processing operations covered by the contracts remain unchanged and the “old” clauses ensure that the transfer of personal data is subject to adequate safeguards. After this deadline, these contracts will need to be updated based on the new SCCs. The new SCCs will cover cases where personal data is transferred to non-EU countries or international organisations that do not offer a system of protection equivalent to that provided by the Data Protection Regulation (EU) 2016/679 (the “GDPR”). The new SCCs must be adopted for personal data transfers: (i) between data controllers; (ii) between a controller and its processor; (iii) between a processor and its (sub) processor; and (iv) between a processor and its controller where the latter is not subject to the GDPR scope.


In its 15 April 2021 injunction order, the Italian Data Protection Authority fined a company operating in the manufacturing sector for failing to punctually and adequately inform the employees about the features of a computer system. In doing so, the company unlawfully processed workers’ data beyond the limits set by the authorisation of the local labour inspectorate and the purposes indicated in the provided policies. 

The complaint and investigation

The Data Protection Authority intervened following the complaint lodged by the FIOM CGIL, on behalf of some workers, requesting the adoption of an investigation and compliance measure against the employer company. It was alleged that the company’s system required a personal password on the workstation before starting work, which made it possible to store the data of individual workers relating to stoppages and production throughout the working day. Since the data collected relates to the work of individual employees following authentication with the password, the company, in the union’s opinion, collected data through this system and for purposes other than those outlined in the privacy policy.

As a result of the investigation carried out by the Data Protection Authority, it emerged that the computer system coexisted with the previous work organisation method, based on the completion of paper forms in which the names of employees were revealed in plain text. The forms were stored and recorded on the software, but without any form of separation, thus contradicting the privacy policies on the system functioning and the authorisation issued by the Labour Inspectorate, which had expressly prohibited using the data collected for disciplinary purposes. It had emerged that the data collected through this tool had been used to verify the truthfulness of the statements made by an employee during disciplinary proceedings initiated against them.

In addition, it emerged that there were irregularities in the retention periods of the data collected and processed, which, according to the company’s statement, should have been commensurate with what was necessary for the “monitoring/evaluating production cycles.”

The Data Protection Authority’s decision

In the light of the information gathered, the Data Protection Authority ordered the definitive limitation of the processing operations carried out using the data collected through this system, ordering the company (i) to bring its organisation and processing operations in line with Regulation (EU) 2016/679, including by updating the privacy policy provided to the employees concerned, (ii) to adopt appropriate measures to segregate the data collected using paper forms and software and (iii) to pay €40,000 as a financial penalty for the violations found.
