The Italian data protection authority ('Garante') announced, on 11 May 2022, in its monthly newsletter, that it had issued, on 7 April 2022, its Decision No. 134, in which it imposed a fine of €40,000 to Perugia Hospital, for violations of Articles 5(1)(a), 5(1)(f), 13, 14, 25, 32, and 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an ex officio investigation by the Garante, and in conjunction with a decision issued against ISWEB S.p.a.

Background to the decision

In particular, the Garante reported that it had initiated the investigation in question as part of a wider investigation plan concerning the processing of personal data acquired through whistleblowing systems. Specifically, the Garante stated that investigations were carried out into the Hospital and ISWEB, an IT company which provides and manages the whistleblowing application used by the Hospital. Further to this, the Garante specified that the former operated as data controller and the latter as data processor.

Additionally, the Garante outlined that at the end of the investigation, it had notified the Hospital the initiation of the procedure for the adoption of enforcement measures pursuant to Article 58(2) of the GDPR.

Findings of the Garante

Subsequently, the Garante found that the Hospital had processed the personal data of employees and other data subjects, through the use of the whistleblowing application, without informing the same in advance about the processing of personal data carried out for whistleblowing purposes, thus violating Articles 5(1)(a), 13, and 14 of the GDPR.

Moreover, the Garante observed that the whistleblowing web application used by the Hospital, based on open-source software, could be accessed through systems that, not having been properly configured, recorded and stored, within the logs of the firewall, users' browsing data, so as to allow the identification of the users, including the potential whistleblowers. As such, the Garante held that the Hospital had processed the personal data in a manner which was inconsistent with the principles of integrity and confidentiality, Data Protection by Design, and Data Protection by Default, in violation of Articles 5(1)(f) and 25 of the GDPR, and in the absence of appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing, thus violating Article 32 of the GDPR.

In addition, the Garante determined that the Hospital had violated Article 30 of the GDPR, by failing to record in the register of processing activities the acquisition and management of whistleblowing reports, and Article 35 of the GDPR, by failing to carry out a Data Protection Impact Assessment ('DPIA').

Further to this, the Garante, based on the violations occurred, imposed an administrative fine on the Hospital and, in quantifying the same, took into account the following circumstances, among others:

• the fact that, at the time of the investigation, there were no whistleblowing reports within the application in question;
• the fact that the Hospital had fully cooperated with the Garante during the investigation; and
• the prompt adoption by the Hospital of technical and administrative measures aimed at bringing the processing operations in compliance with the rules on the protection of personal data.

Outcomes

In conclusion, the Garante imposed the aforementioned fine and ordered the publication of the decision on its website as an ancillary sanction, taking into account the particular nature of the personal data processed and the related risks for the whistleblower and the other data subjects in the employment context. Lastly, the Garante highlighted that the Hospital has 30 days to settle the dispute by paying an amount equal to half of the sanction imposed and that, within the same timeframe, it may also lodge an appeal before the ordinary judicial authority.

You can read the newsletter here and the decision here, both only available in Italian.

UPDATE (17 June 2022)

EDPB publishes English summary of Garante's decisions to fine Perugia Hospital and ISWEB €40,000 each

The European Data Protection Board ('EDPB') published, on 10 June 2022, an English summary of the Garante's decisions to fine Perugia Hospital and ISWEB €40,000 each in realtion to the whistleblowing management system in place.

You can read the summary here.