Whistle-blowing is considered important in combating crime. However, GDPR also plays a role in whistle-blowing cases, as seen in the decision of 7 April 2022 of the Italian data protection authority, published on 10 June on the EDPB website. Key findings:
The whistle-blowing management system in question tracked access to the software: connections to the whistle-blowing app were recorded and stored in firewall logs, so users of the app, including potential whistleblowers, could be tracked. No information had been provided to employees on the processing of personal data for the purpose of reporting misconduct. Additional findings: no DPIA had been carried out; no entry for this processing activity was found in the record referred to in Article 30 GDPR; and the authentication credentials enabling the ‘Corruption and Transparency Manager’ to access the whistle-blowing app had been handled inappropriately during the transition to the next incumbent.
Specific infringements were also found regarding the IT company that provided the whistle-blowing app to the hospital as a processor. The company in question failed to regulate its relations with the hosting provider both when acting as a processor (to the hospital) and when acting as a separate controller (in respect of its internal services, e.g. regarding management of its employees or accounting and administration activities).
Both the controller (the hospital) and the IT provider were fined. From the summary of the decision:
The controller (the Public Hospital) failed to lay down adequate technical and organisational measures to ensure the appropriate level of security by having regard to the specific risks arising from the processing in question, which required implementing a whistle-blowing management system that was in line with the data protection by design and by default principles – also in the light of the opinion given in this respect by the Hospital’s Data Protection Officer (DPO).
The whistle-blowing service provider had not regulated its relationships with the hosting provider it relied upon both in connection with the multifarious processing activities for which it was the controller (in breach of Article 28, paragraphs 1 and 3, GDPR) – ranging from the management of its employees to accounting and administrative activities up to the processing inherent in supplying its services – and in respect of the processing activities for which it was a processor acting on behalf of its customers including the Perugia Public Hospital (in breach of Article 28, paragraphs 2 and 4, GDPR).
Both the Public Hospital and the IT company were fined EUR 40,000.