Privacy Principles: A correct and precise impact assessment is a suitable tool for compliance with the principles of privacy by design and by default

On 10 June 2021 [doc. web 9685922] the Authority sanctioned a data controller for having implemented a whistleblowing management platform without a privacy impact assessment, in breach of the principles of privacy by design and by default.

The case addressed by the Authority concerned the use of a SaaS platform within the framework of the so-called whistleblowing discipline, the regulation on the reporting of wrongdoing by workers (see article 54-bis of Legislative Decree no. 165 of 30 March 2001, introduced by art. 1, paragraph 51, of Law no. 190/2012, and Law no. 179 of 30 November 2017, “Provisions for the protection of persons who report offences or irregularities of which they have become aware in the context of a public or private employment relationship”).

The application, exposed on the Internet, did not use a secure network protocol (such as HTTPS). With reference to the retention of data relating to reports, it also emerged that the platform did not encrypt the personal data stored in the relevant database (identifying data of the reporting person, information relating to the report, and any attached documentation), as recommended by ANAC (see the Guidelines on the protection of civil servants who report wrongdoing, the so-called whistleblower, adopted with determination no. 6 of 28 April 2015).

Failure to use encryption for the transport and storage of data, the Authority observes, does not comply with article 5, paragraph 1, letter f), and article 32 of the Regulation, which in its paragraph 1, letter a), explicitly identifies encryption as one of the possible security measures appropriate to ensure a level of security appropriate to the risk (see also recital 83 of the Regulation, insofar as it provides that “the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”).

The Authority noted that the Company had processed personal data of employees and other data subjects, through the use of the application for the acquisition and management of reports of wrongdoing, in a manner not in accordance with the principles of “integrity and confidentiality”, “data protection by design” and “data protection by default”, in violation of article 5, paragraph 1, letter f), and article 25 of the Regulation; in the absence of appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing, in violation of article 32 of the Regulation; and without having carried out a data protection impact assessment, in violation of article 35 of the Regulation.

The data controller, even when using products or services made by third parties, must verify compliance with the principles applicable to data processing (article 5 of the Regulation), also with the support of the data protection officer where appointed, adopting, in accordance with the principle of accountability, the appropriate technical and organizational measures and giving the necessary instructions to the service provider (articles 5, paragraph 2, 24, 25 and 32 of the Regulation).

In this context, the controller must carry out a risk assessment and ensure that functions which have no legal basis, are not compatible with the purposes of the processing, or conflict with specific sector rules provided by law are deactivated (see, in particular, the rules on whistleblowing, but also the national rules granting greater protection to data subjects with regard to processing in the workplace, art. 88 of the Regulation in relation to articles 113 and 114 of the Code; in the latter respect, with regard to tracing employees' connections to Internet sites, see most recently the provision of 13 May 2021).

In conclusion, a correct and precise privacy impact assessment pursuant to article 35 of Regulation (EU) 2016/679 would represent not only a useful and fundamental accountability tool but also a suitable tool for compliance with the principles of privacy by design and by default.

SOURCE: FEDERPRIVACY