The Italian DPA Fines Hospital and IT Service Provider EUR 40,000

The Italian Data Protection Authority’s (“DPA” – “Garante per la protezione dei dati personali”) decision dated 7 April 2022 has recently been published on the website of the European Data Protection Board.

  • Facts of the case:

The case originates from a set of inspections into the processing of data acquired via a whistle-blowing management system operated by a hospital (acting as controller). The whistle-blowing management software is supplied to the hospital by an IT company, Isweb Srl (acting as processor).

  • Key findings:

The key findings of those inspections are as follows:

  • The whistle-blowing management system tracked access to the software: connections to the whistle-blowing app were recorded and stored in firewall logs, so users of the app, including potential whistleblowers, could be tracked. No information had been provided to employees on the processing of their personal data for the purpose of reporting misconduct;
  • No DPIA[1] had been carried out, and no entry for this processing activity was found in the record of processing activities referred to in Article 30 of the General Data Protection Regulation (“GDPR”);
  • The authentication credentials enabling the ‘Corruption and Transparency Manager’ to access the whistle-blowing app had been handled inappropriately during the hand-over to the next incumbent.


  • Decision:

The controller failed to lay down adequate technical and organizational measures to ensure a level of security appropriate to the specific risks arising from the processing, which required implementing a whistle-blowing management system in line with the data protection by design and by default principles.

The processor had not regulated its relationship with the hosting provider it relied upon, in breach of Article 28, paragraphs 1 and 3 of the GDPR, in connection with the multifarious processing activities for which it was itself the controller – ranging from the management of its employees to accounting and administrative activities, up to the processing inherent in supplying its services.

Both the controller and the processor were fined EUR 40,000 by the DPA.

You can find further information here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr