Sanctions reported against an employer and the provider of its whistleblowing app
The identity of the whistleblower is protected by a specific regime of guarantees and confidentiality that the legislation requires because of the particular sensitivity of the information processed and the higher risk of extortion and discrimination in the working context. In this framework, the data controller must comply with the personal data protection principle of ensuring the integrity and security of the data.
The Authority has confirmed that, following inspections of an app used for reporting unlawful conduct (whistleblowing), it has sanctioned the company Aeroporto Guglielmo Marconi di Bologna for 40.000 EUR and its software provider for 20.000 EUR for having breached the rules on personal data protection.
In the case of the airport company, the Authority found that no cryptographic techniques were used for the transmission and storage of personal data, and that the principles of privacy by design and by default had been breached.
During the investigation it emerged that access to the app used to receive and manage reports of unlawful conduct took place without a secure network protocol (such as HTTPS), and that the app did not encrypt the identifying data of the reporting person, the information connected to the report, or any attached documentation.
The airport company, as data controller, was also recording in general firewall logs the access to the app by employees connected to the corporate network. This rendered ineffective the other measures adopted to protect the confidentiality of reports, especially considering the large number of connections to the app.
In addition, given the sensitivity of the information processed and the risks and vulnerabilities of the data subjects, the company should have carried out an impact assessment.
In imposing the sanction, the Authority reaffirmed that the data controller, even when using products or services developed by third parties, must verify compliance with personal data protection principles and give the service provider the necessary instructions (for example, by deactivating functions that conflict with industry standards).
With a second decision the Authority also sanctioned the provider of the app, as data processor, both for breaching its security obligations and for failing to regulate its relationship with two other companies that were processing personal data on its behalf.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP