Introduction

Whistleblowing is regulated by Paragraphs 2bis, 2ter and 2quater of Article 6 of Legislative Decree 231/2001 in particular.

Specifically, Paragraph 2bis provides that "organisational, management, and control models" must identify one or more channels to allow people who perform management functions, those subject to their supervision and those who collaborate in any capacity with an entity to submit detailed reports of any unlawful conduct or violations of an entity's organisational models of which they have become aware through their work (although no clear proof is required). These channels of communication (one of which must be a computer process) must guarantee the confidentiality of a whistleblower's identity.

Data protection breach

Employers must ensure that the technical-organisational measures and software that they use are adequate to protect the confidentiality of whistleblowers. On 23 January 2020 the data protection authority reiterated this point when it fined La Sapienza, a major university in Rome, for failing to prevent the data of two people who had notified the university of possible data violations from being accessible online. The university notified the data protection authority in accordance with Article 33 of the General Data Protection Regulation (GDPR) about the disclosure of personal data processed through a platform that the university used to manage employee and third-party reports on irregular behaviour as part of its whistleblowing regulation frame. In particular, La Sapienza informed the data protection authority of the "involuntary disclosure of ordinary personal data" (ie, names and email addresses) relating to two whistleblowers through its whistleblowing platform.

This information was subsequently indexed by a number of search engines until the university intervened to have the data deindexed and any cache copies deleted.

During the course of the investigation, the data protection authority found that although the data breach had been accidental and had been promptly notified pursuant to Article 33 of the GDPR, it had still resulted in the following breaches of the GDPR:

  • The processing of personal data had failed to comply with the principles of "lawfulness, correctness and transparency" under Article 5(1)(a) of the GDPR.
  • The processing of personal data, without a legal basis, had violated Articles 2ter(1) and (3) of Legislative Decree 231/2001 and Articles 6(1)(c) and (e) and Paragraphs 2 and 3(b) of the GDPR.
  • The university had violated "more specific rules to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the context of employment relationships" pursuant to Article 88(1) of the GDPR as well as Article 54bis of Legislative Decree 165 of 30 March 2001.
  • La Sapienza had violated Article 32 of the GDPR due to the absence of adequate technical and organisational measures to ensure the confidentiality and integrity of personal data processed through the application.

The data protection authority highlighted that according to the GDPR, data controllers (in this case La Sapienza) are primarily responsible for the implementation of technical and organisational measures to ensure a level of security appropriate to any potential risks.

This includes a procedure to regularly test, verify and evaluate the effectiveness of any measures taken. Conversely, La Sapienza had just implemented changes recommended by a service provider, which did not provide for the encryption of personal data (eg, the identity of whistleblowers, information relating to whistleblowing reports and any attached documentation) nor the adoption of a transmission protocol that would guarantee secure communication for the confidentiality and integrity of data exchanged.

According to the data protection authority, the seriousness of the breach was exacerbated by the apparent confidentiality established by the rules on whistleblowing, precisely for the greater protection of the persons concerned.

Having ascertained that the data processing had been unlawful and the security obligations imposed by the GDPR had not been complied with (taking into account that the breach concerned only two persons and that La Sapienza had actively cooperated throughout the investigation), the data protection authority imposed an administrative fine of €30,000 on the university.

Comment

This ruling shows that the protection of personal data is not only a matter of policy, but also involves the careful choice of the technical tools used for data processing purposes.