Personal data protection and whistleblower protection are undoubtedly closely linked. On June 10, 2021, the Italian supervisory authority for personal data protection (the equivalent of the Polish Personal Data Protection Office) imposed a fine of €40,000 on the company managing Bologna Airport. The fine was imposed due to inadequate protection of whistleblowers' personal data.

Event

Aeroporto Guglielmo Marconi di Bologna Spa (AdB) – a state-owned company – decided to use the external "WB Confidential" application when implementing its internal whistleblower protection system. According to the supervisory authority, the whistleblowers' personal data processed in the application was improperly secured because it used the unencrypted HTTP network protocol. It also turned out that there was no confirmation of the "Privacy by design" and "Privacy by default" procedures, as they were deemed unnecessary by AdB.

Recommendation

The protection of whistleblowers' personal data is a new problem facing organisations following the entry into force of the EU directive on the protection of whistleblowers.

The data of whistleblowers and other individuals included in reports should be protected with the utmost care. Maintaining complete anonymity of the personal data of whistleblowers, those who decide to report irregularities or illegal activities, reduces the risk of discrimination and protects them from negative consequences of their actions.

This case also demonstrates that the method of data transfer is crucial from a personal data protection perspective. The unencrypted HTTP protocol raises concerns about the confidentiality of data exchange between the user's browser and the server, and third-party interference poses too great a risk.

