In an injunction of July 10, 2021, published the following month, the Italian data protection authority (Garante per la protezione dei dati personali) fined the Airport of Bologna € 40,000 for not having implemented adequate technical and organizational measures for a whistleblowing application. Further, the authority held that a data protection impact assessment (DPIA) was required for that application, which the airport had failed to conduct.
The Facts of the Case
The Bologna Airport had used a whistleblowing system through which illegal conduct of employees or other stakeholders could be reported. The application was a cloud solution (SaaS) operated by a provider that acted as a processor according to Art. 28 GDPR for the airport, which is the data controller in this case. The system was set up in such a way that reports on the denounced behavior were generated, which could contain personal data that might reveal the whistleblower’s identity, as well as any attached documents, possibly containing further personal data. The data stored in the whistleblowing system was not encrypted. A DPIA had not been carried out.
The Ruling of the Authority
The authority held that the airport, as a controller, is obliged to comply with the principle of integrity and confidentiality set forth in Art. 5 (1) lit. f) GDPR, which means that personal data must be processed in a way that guarantees adequate security, including protection from unauthorized processing, destruction or damage.
According to the Italian authority, the nature of the personal data processed via the whistleblowing system, as well as the possibility of access to such data by third parties, is to be qualified as highly risky. Therefore, unencrypted access to the database did not ensure an adequate level of security. In order to meet that requirement, encryption of the data both in transit and at rest would be required, as well as a data protection impact assessment. The authority held that, in the absence of these measures, the data processing via the whistleblowing app is in violation of Art. 5 (1) lit. f), Art. 25 (1), Art. 32, and Art. 35 GDPR.
Arguments of the Airport
The data controller explained that the decision not to encrypt the data was based on the circumstance that, in its view, the data concerned was of “little use” for third parties and the probability of threats was “extremely low”. The airport further said that it forwent conducting a DPIA because of the limited amount of data and reports actually processed via the system; besides, the costs of implementing such a measure would have been disproportionately high.
The Garante was not Convinced
According to Art. 32 GDPR, the implementation of adequate technical and organizational security measures is to be assessed taking into account, inter alia, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. However, the authority was not convinced by the airport’s arguments, partly basing its decision on the absence of a DPIA.
The data protection impact assessment (DPIA) according to Art. 35 reflects the GDPR’s risk-based approach, in that it serves to identify and mitigate high risks for the rights and freedoms of natural persons arising from a data processing activity. Considering that, the decision — or at least the fine — might have been different if the airport had actually weighed and documented its arguments in a formal assessment according to Art. 35 GDPR.
Another Fine for the Service Provider
The Garante further pointed out that the general responsibility for defining adequate measures lies with the controller and cannot be delegated away by reference to the processor. Interestingly, the company that provided the software to the airport was fined € 20,000 in a separate proceeding for not having implemented adequate security measures within the application and for having failed to inform the airport of two sub-processors.
In light of the approaching deadline for transposition of Directive (EU) 2019/1937 (“Whistleblower Directive”) in December of this year, we will likely see more companies implementing whistleblower systems. Apart from general compliance questions, the data protection requirements for safeguarding the information processed with those systems will also need to be considered, for which the present ordinance of the Italian authority has provided some indication.