The Garante issued a GDPR fine in Italy against a University due to the lack of privacy-related security measures of their whistleblowing system.
We are receiving a considerable number of requests for advice relating to whistleblowing systems, which the majority of companies are now setting up. The core requirement of a whistleblowing scheme is to ensure the confidentiality of the individuals reporting misconduct; otherwise, the whole rationale of the scheme falls apart. Compliance with GDPR obligations is therefore a priority for a whistleblowing scheme, as the expectation of privacy of reporting individuals is high.
The GDPR issue of the whistleblowing system adopted by a University of Rome
A University of Rome had adopted a whistleblowing system that, because of a technical issue, had made the name, email, office, telephone number, and date of the report of two reporting individuals visible on the web. That information had also been indexed by search engines.
Following the identification of the data breach, the University promptly removed access to the information and notified the incident to the Italian data protection authority (the Garante) and to the affected individuals, noting that the data breach had occurred before 25 May 2018 and that the GDPR was therefore not applicable.
The decision of the Garante on the whistleblowing system that led to the GDPR fine
The Garante held that the GDPR was applicable: although the data breach had occurred before 25 May 2018, the remedial measures were adopted only in December 2018, so in the authority's view the breach had continued up to the removal of the content from the web.
On this basis, the Italian data protection authority challenged the University over the lack of GDPR-compliant security measures in its whistleblowing system, since
- there was free access to data that were indexed on the web, and
- this weakness had not been identified because no tests had been performed on the proper functioning of the organisational and technical security measures meant to limit access to the data.
Also, the communication protocol used to transmit report data was not secure, as the data were not encrypted, which was contrary to the recommendations of the Italian Anticorruption Authority on whistleblowing.
On the basis of the above, and taking into account the limited amount of affected data and the corrective measures promptly adopted by the University once the data breach was identified, the Garante issued a GDPR fine of € 30,000.
My top 3 takeaways on the case
The position of the Garante on the applicability of the GDPR to events that occurred in the past is very dangerous. It also fails to take into account that the standard of security measures that represented the state of the art in the past was considerably lower. In the cybersecurity sector, a year is a considerable period and standards evolve significantly, also because of the introduction of more stringent regulations. Likewise, there is no doubt that the entry into force of the GDPR has raised the threshold of required security measures above what was provided under the previous regime, also because of the higher potential fines.
Adopting the approach that any breach that occurred in the past is subject to the GDPR would require a massive amount of work on data that, in the majority of cases, might be out of date and therefore do not represent a high risk to individuals’ rights.
You can review the Italian obligations on whistleblowing schemes in this article: “Whistleblowing law in Italy: What do you need to do now?”.