Whistleblowing: Italian Data Protection Authority fines hospital and IT company
With provisions Nos. 134 and 135 of 2022, the Data Protection Authority sanctioned a hospital and the IT company that operated its channel for reporting alleged corruption or other unlawful conduct within the institution. An inspection at the hospital revealed several infringements of Regulation (EU) 2016/679 (hereinafter "GDPR" or "Regulation"). Access to the whistleblowing web application, which was based on open source software, passed through systems that had not been properly configured and therefore recorded and stored users' browsing data, making it possible to identify the users, including potential whistleblowers. A reporting channel that is meant to protect the identity of the reporter cannot have its access path logged in a way that ties a report back to its source; the logging of the surrounding infrastructure has to be configured with the same care as the application itself. In addition, the IT company had used an external provider to host the systems running the application without giving that provider specific instructions on the processing and without notifying the health facility.
The Authority, taking into account the full cooperation offered during the investigation, including the steps taken to remedy the problems detected, fined the healthcare facility and the IT company €40,000.
Data Protection Authority sanctions Inail for three data breaches involving unauthorized access to workers’ health data
The Data Protection Authority, with provision No. 147 of 2022, sanctioned a data controller following three computer incidents involving unauthorized access to personal data, in particular data on workers' health and on the injuries they had suffered.
The DPA investigation found that, on at least three separate occasions, the data controller had allowed some users to consult, by accident, accident and occupational disease files belonging to other employers; in other words, an authorization failure let one account read records that belonged to another. In the decision the Authority remarked in particular that a public entity, which processes especially sensitive data relating to data subjects who may be vulnerable, is required to adopt, in line with the principle of accountability set out in the GDPR, technical and organizational measures that ensure the confidentiality of the data processed on a permanent basis, as well as the integrity of the related systems and services.
The Authority, taking into account the full cooperation offered by the public administration during the investigation and the small number of people affected by the identified data breaches, fined the public entity €50,000.
Data Protection Authority sanctions a data processor for breach of Articles 5 and 32 of the GDPR
The Data Protection Authority, with provision No. 107 of 2022, imposed a fine of €10,000 on a data processor, a software provider, for violating Articles 5(1)(f) and 32 of the GDPR, finding no grounds for a measure against the data controller as well.
This is worth noting because it departs from the Authority's usual practice. As a general rule, Article 28 of the GDPR allows a data controller to rely on data processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing complies with the applicable legislation, and Article 32 places the obligation to adopt such measures on the data processor as well; nevertheless, where the breach stems from failures on the processor's side, the DPA generally sanctions the data controller too, for culpa in vigilando, that is, for failing to supervise the processor's work.
ACN launches National Cybersecurity Strategy
The National Cybersecurity Agency (ACN) has published the “National Cybersecurity Strategy”.
The document was drafted in light of the new forms of strategic competition that characterize the current geopolitical scenario, which have made it necessary to step up national cybersecurity initiatives and to revise the design of the national cybersecurity architecture.
The strategy follows a whole-of-society approach, involving numerous actors, including private operators, academia and research, and civil society as a whole.