Garante (Italian data protection authority) during wide-ranged controls connected with implementation of 2019/1937 directive (whistleblowing directive), found out that Perugia hospital violated few GDPR provisions. Hospital used reporting system provided by external IT company (ISWEB), which didn’t guarantee adequate security and encryption of personal data, including data of potential whistleblowers. Moreover, the data subjects were not informed about the process of transferring data to the system intended to handle the reporting of violations. Garante assumed that the hospital, together with the IT company, violated Art. 13 and 14 (failing to comply with information obligations towards data subjects) and art. 25 and 32 GDPR (failing to implement appropriate technical and organizational measures and to ensure appropriate safeguards, proportional to the risk of violations).
At the same time, the authority pointed on the extreme importance of confidentiality in reporting breaches process. The systems on which the functioning of whistleblowers is to be based must guarantee their anonymity and protection against unauthorized access to their data. The situation in which the ISWEB company, using external hosting, transferred data to another entity without any instructions to their processing, could not be considered as providing such guarantees, which resulted in imposing the fine of 40 thousand. euro for both entities.