Whistleblowing, the Data Protection Authority sanctions a company and the application provider: more protection is needed for the reporter.
The identity of whistleblowers is protected by a specific guarantee and confidentiality regime provided by the industry regulations due to the particular sensitivity of the information processed and the high risk of retaliation and discrimination in the workplace. In this context, the controller shall respect the principles of data protection, ensuring their integrity and security.
This is confirmed by the Italian Data Protection Authority, which, following inspections of the applications used for whistleblowing, fined a company €40,000 and its software provider €20,000 for violating the rules that protect the personal data processed.
Obscuration of personal data in a judgment is admissible only for valid reasons.
When a judgment is published, can the parties to the proceeding request the obscuration of their identifying data? The answer is yes, but there must be good reasons, such as the sensitivity of the matter or the presence of data belonging to the categories of art. 9 GDPR. The very current issue of privacy protection was addressed by the Supreme Court, fifth civil section, in order n. 22561/21, filed on August 10, 2021, in a dispute of a completely different nature.
Privacy, the audit report is not directly actionable.
With regard to the protection of personal data, the report certifying the infringement cannot be directly challenged by the data subject. It is, in fact, an act of a procedural nature that does not produce effects on the data subject's legal position, which is affected only by the issuing of the order-injunction. Opposition may be filed only against that act. This was affirmed by the Supreme Court in order n. 19947/2021. The occasion for this clarification was provided to the judges of legitimacy by the case of a doctor whose privacy was harmed by the hospital in which he worked, which posted on a notice board a communication related to the provision of the service “for incapacity for work”.
Data Protection Authority: green light to bodycams for critical police operations.
The use of bodycams by police operators is increasingly frequent thanks to the powerful deterrent effect of a camera visible on the uniform. For this reason the Italian Data Protection Authority, with provision n. 290 of 22 July 2021, clarified that the police can use wearable cameras in critical operations, with data retention extended to six months. This has to be done with the utmost constant attention to the correct processing of personal data, and in particular to the perimeter of computer security, and without ever resorting to facial recognition.
Creative Commons and data protection: new Memorandum of understanding between the Italian Data Protection Authority and Creative Commons
Certification and accreditation under the GDPR: New FAQs with clarifications developed by the Italian Data Protection Authority and Accredia
The Italian Data Protection Authority released new FAQs on certification and accreditation in collaboration with Accredia, the only national accreditation body based in Italy, as part of an agreement aimed at exchanging information regarding certification and accreditation activities under the GDPR. The document is dedicated to general aspects and provides useful clarifications for all data controllers and data processors who wish to use certification to demonstrate their strong commitment to observing data protection rules and obligations and the compliance of their data processing with the GDPR. The privacy legislation establishes certification mechanisms and data protection marks and requires that Member States ensure that the certification bodies which issue the certification, pursuant to article 42, are accredited by the competent supervisory authority or by the national accreditation body, or both.
Algorithms and discrimination of employees: the Italian Data Protection Authority issued an injunction order of €2.6 million against a company
The Italian Data Protection Authority cooperated, for the first time ever, with the Spanish Data Protection Authority (AEPD) to verify the data protection compliance of a digital platform active in the food delivery field. After examining the data processing agreement between the data controller and the data processor, the Italian Authority found several violations of data protection law, such as the lack of information for workers about the functioning of the algorithmic system and the total absence of guarantees about the accuracy and fairness of the results of the algorithmic system used to evaluate riders' performance. Moreover, the company did not provide adequate procedures to protect the riders' right to contest decisions based on the algorithms, including unjustified exclusion from job opportunities, and drafted several information notices with different content.