Italy: Garante fines ISWEB €40,000 for GDPR violations in relation to whistleblowing system
The Italian data protection authority ('Garante') announced, on 11 May 2022, in its monthly newsletter, that it had issued, on 7 April 2022, its Decision No. 135, in which it imposed a fine of €40,000 on ISWEB S.p.a. for violations of Articles 28(1), 28(2), 28(3), and 28(4) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an ex officio investigation by the Garante, and in conjunction with a decision issued against Perugia Hospital.
Background to the decision
In particular, the Garante reported that it had initiated the investigation in question as part of a wider investigation plan concerning the processing of personal data acquired through whistleblowing systems. Specifically, the Garante stated that investigations were carried out into Perugia Hospital and ISWEB, an IT company which provides and manages the whistleblowing application used by numerous clients, including the Perugia Hospital.
Further to the initial inspections carried out, the Garante outlined that it had notified ISWEB of the initiation of the procedure for the adoption of enforcement measures pursuant to Article 58(2) of the GDPR.
Findings of the Garante
Subsequently, the Garante found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, in breach of Article 28(1) and 28(3) of the GDPR, and for the processing carried out in its capacity as data processor on behalf of its clients, including the Hospital, in breach of Article 28(2) and 28(4) of the GDPR.
Further to this, the Garante, based on the aforementioned violations, imposed an administrative fine. Additionally, the Garante noted that, in quantifying the amount of the sanction, it had considered, among other things, with regards to the processing carried out on behalf of the Perugia Hospital:
- the nature, subject, and purpose of the processing, and the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; and
- the fact that no whistleblowing reports were available in the system at the time of the investigation.
With regard to the processing operations carried out in the capacity of data controller, the Garante took into account the fact that ISWEB had not regulated in any way the relationship with the hosting service provider.
In conclusion, the Garante imposed the aforementioned fine and further ordered ISWEB to regulate the relationship with the hosting service provider, in compliance with Articles 28(2) and 28(4) of the GDPR, within 30 days, and to provide adequately documented feedback to the Garante in relation to the initiatives undertaken to ensure compliance of the processing activities with the GDPR. Moreover, the Garante ordered the publication of the decision on its website as an ancillary sanction. Lastly, the Garante highlighted that ISWEB may lodge an appeal before the ordinary judicial authority within 30 days.
UPDATE (17 June 2022)
EDPB publishes English summary of Garante's decisions to fine Perugia Hospital and ISWEB €40,000 each
The European Data Protection Board ('EDPB') published, on 10 June 2022, an English summary of the Garante's decisions to fine Perugia Hospital and ISWEB €40,000 each in relation to the whistleblowing management system in place.