ITALIAN SUPERVISORY AUTHORITY: Whistleblowing, the Authority finds that better protection is needed for the reporting person

An employer and the provider of the reporting app have been sanctioned

The identity of the whistleblower is protected by a specific regime of guarantees and confidentiality required by the legislation, because of the particular sensitivity of the information processed and the higher risk of extortion and discrimination in the working context. Within this framework, the data controller must comply with the principles of personal data protection by ensuring the integrity and security of that data.

The Authority reaffirmed this after inspections of an app used for reporting wrongdoing (whistleblowing): it fined the company Aeroporto Guglielmo Marconi di Bologna 40,000 EUR and its software provider 20,000 EUR for having breached the rules on personal data protection.

In the case of the airport company, the Authority found that no cryptographic techniques were used for the transmission and storage of personal data, and that the principles of privacy by design and by default had been breached.

During the investigation it emerged that access to the app for receiving and managing reports of wrongdoing took place without a secure network protocol (such as HTTPS), and that the app did not encrypt the identifying data of the reporting person, the information connected to the report, or any attached documentation.

The airport company, as data controller, was also tracking employees' access to the app from the corporate network through general firewall logs. This rendered ineffective the other measures adopted to protect the confidentiality of reports, also considering the very large number of connections to the app.
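The findings above (identifying data of the reporting person stored in clear and exposed through general access logs) translate into one concrete control. The following Go code is an added example, not code from the Authority's decision or from the airport's app: it shows how a whistleblowing app can keep the reporter's identity only as AES-256-GCM ciphertext, held apart from the report body and bound to the report ID, so that neither the stored record nor a log line carrying the ID reveals who reported. The record layout, the type and function names and the custodian-held key are assumptions; transport protection (HTTPS) is a separate control not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// StoredReport: the reporter's identity exists only as ciphertext, kept apart
// from the report body; only ID may appear in access logs (layout assumed here).
type StoredReport struct{ ID, SealedIdent, Body string }
// IdentitySealer holds the AES-256-GCM key that only the report custodian may use.
type IdentitySealer struct{ aead cipher.AEAD }

func NewIdentitySealer(key []byte) (*IdentitySealer, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &IdentitySealer{aead: aead}, nil
}

// Seal encrypts the identifying data with a fresh nonce; the report ID is bound
// as associated data so a sealed identity cannot be moved to another report.
func (s *IdentitySealer) Seal(reportID, identity string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(identity), []byte(reportID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts; it fails if the key, the report ID or the ciphertext were altered.
func (s *IdentitySealer) Open(reportID, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed sealed identity")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(reportID))
	return string(pt), err
}
```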

In addition, given the sensitivity of the information processed and the risks and vulnerabilities for the data subjects, the company should have carried out an impact assessment.

In imposing the sanction, the Authority reaffirmed that the data controller, even when using products or services made by third parties, must verify compliance with the principles of personal data protection by giving the service provider the necessary instructions (for example, by disabling functions that conflict with industry standards).

With a second decision the Authority also sanctioned the provider of the app, as data processor, both for breaching its security obligations and for failing to regulate its relationship with two other companies that were processing personal data on its behalf.

SOURCE: AUTORITÀ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP
