Italian data protection supervisory authority

On June 10, 2021, the Italian data protection authority GARANTE PER LA PROTEZIONE DIE DATI PERSONALI (GPDP) imposed a fine of €40,000 on Bologna Airport, ref. 9685922. The company concerned had commissioned a provider or processor to provide a digital whistleblowing system. Users could use this system - also anonymously - to report legal irregularities. The Italian legal framework provides in particular for the public and private sectors that whistleblowers who disclose their identity are to be protected from reprisals and discriminatory measures. 

Commissioning of a digital whistleblower system 

The provider already did not use a secure network protocol (not even the https protocol) for data transfer, although the whistleblower system is accessible via the Internet. The data stored in the database was also not encrypted. Furthermore, log data about the navigation behavior of users of the whistleblower system was stored via a firewall configuration. Furthermore, the company concerned had not carried out a data protection impact assessment when implementing the whistleblower system. 

The Italian data protection authority considered the behavior of the company concerned to be several violations of the requirements of the General Data Protection Regulation ("GDPR") and imposed a fine of €40,000:

Lack of encryption - violation of Art. 32 GDPR

The Italian data protection authority saw a violation of the mandatory implementation of technical and organizational measures pursuant to Art. 32 (1) (a) and Art. 5 (1) (f) GDPR in that the company did not implement suitable encryption mechanisms for the transport and storage of the notices. The http protocol (Hypertext Transfer Protocol) cannot guarantee the confidentiality as well as integrity of the data in the notices exchanged between the whistleblower's browser and the provider's server. Furthermore, the authenticity of the website of the whistleblower system cannot be verified by the whistleblower. It was also objected that the data of the tips in the database of the whistleblower system was stored unencrypted. 

In particular, the Italian data protection authority also emphasized that the nature of the data of the notice and the high risks that may result from misuse of these data require a high encryption mechanism.  

The argument of the company concerned that the more extensive data security measures would have caused further costs did not change anything about a violation for the data protection authority. In addition, the company concerned is also responsible for compliance with such measures when a processor is acting. 

Inadmissibility of logging - violation of Art. 25 GDPR

Noteworthy and often not taken into account in practice was the complaint of the data protection supervisory authority that the logging of whistleblower navigation processes on the website of the whistleblower system constitutes a violation of Art. 5(1)(f), Art. 25 and Art. 32 of the GDPR. 

Due to a firewall configuration, accesses by employees to the website of the whistleblower system with workstations or personal devices connected to the corporate network were stored in log files and kept for 90 days. These included the IP address and - due to a connection with the Active Directory - also the user name. 

This constituted a violation of the principle of "data protection by design" and "data protection by default settings" according to Art. 25 GDPR. Whistleblower systems must therefore be designed in such a way that no log files are stored. Otherwise, confidentiality and anonymity are at risk. 

Lack of data protection impact assessment 

The Italian data protection supervisory authority also objected to the fact that the company concerned had not carried out a data protection impact assessment pursuant to Art. 35 GDPR. However, this should have been done when implementing a whistleblower system. The tips may contain sensitive data. They may contain information about suspected violations of the law and have massive consequences for the accused and the whistleblower. This poses particular risks to the rights and freedoms of the data subjects. 

Implement all requirements with our Hintbox

The decision of the Italian data protection supervisory authority highlights two aspects: First, confidentiality and anonymity can basically only be guaranteed by a digital whistleblower system. Second, such a whistleblower system requires the implementation of some technical measures. Our Hintbox implemented all the requirements of data protection law and the specifications of the data protection supervisory authorities in a legally compliant manner. 

End-to-end encryption and database encryption

All information and communication between the whistleblower and compliance officer is encrypted end-to-end. In addition, the data in the database is encrypted again. The data is hosted in an ISO-27001 certified data center in Germany. 

No tracking of IP addresses or other device data

No data or information, such as the IP address or other device data, is stored when using our whistleblower system. This is the only way to ensure confidentiality and anonymity.

We support you with your data protection impact assessment

Of course, we support your company free of charge with your data protection impact assessment, so that you can implement all the requirements of Art. 35 DSGVO quickly and correctly.