Commissioning of a digital whistleblowing system

On June 10, 2021, the Italian data protection authority Garante per la protezione dei dati personali (GPDP) imposed a fine of € 40,000 on Bologna Airport, ref. 9685922. The company concerned had commissioned a provider or processor to provide a digital whistleblowing system. Users could use this system – also anonymously – to report legal irregularities. In particular, the Italian legal framework protects whistleblowers who disclose their identity from reprisals and discriminatory measures in both the public and private sectors.

The provider did not use a secure network protocol for data transfer (not even HTTPS), although the whistleblower system is accessible via the Internet. The data stored in the database was also not encrypted. Furthermore, a firewall configuration stored log data about the navigation behavior of the users of the whistleblower system. In addition, the company concerned had not carried out a data protection impact assessment when implementing the whistleblower system.

The Italian data protection authority saw several violations of the requirements of the General Data Protection Regulation (“GDPR”) in the behavior of the company concerned and imposed a fine of € 40,000:

Lack of encryption – violation of Art. 32 GDPR

The Italian data protection authority saw a violation of the mandatory implementation of technical and organizational measures pursuant to Art. 32 (1) (a) and Art. 5 (1) (f) GDPR in that the company did not implement appropriate encryption mechanisms for the transport and storage of the reports. HTTP (Hypertext Transfer Protocol) cannot guarantee the confidentiality or the integrity of the data in the reports exchanged between the whistleblower’s browser and the provider’s server. Furthermore, the whistleblower cannot verify the authenticity of the whistleblower system’s website. The authority also objected that the data of the reports in the database of the whistleblower system was stored unencrypted.

The Italian data protection authority also emphasized in particular that the nature of the whistleblower data and the high risks that could result from misuse of this data make a high level of encryption necessary. 

The company’s argument that more extensive data security measures would have caused further costs did not change the data protection authority’s finding of a violation. In addition, the company concerned remains responsible for compliance with such measures even when a processor is acting on its behalf.

Inadmissibility of logging – violation of Art. 25 GDPR

Noteworthy, and often disregarded in practice, is the data protection authority’s finding that logging the navigation of whistleblowers on the website of the whistleblower system constituted a violation of Art. 5(1)(f), Art. 25 and Art. 32 GDPR.

Through a firewall configuration, accesses by employees to the whistleblower system website with workstations or personal devices connected to the corporate network were stored in log files and kept for 90 days. These included the IP address and – due to a connection with the Active Directory – also the user name.

This constituted a violation of the principles of “data protection by design” and “data protection by default” pursuant to Art. 25 GDPR. Whistleblower systems must therefore be designed in such a way that no log files are stored. Otherwise, confidentiality and anonymity are at risk.
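An added example, not part of the original article or the authority's decision: a Python check over exported firewall logs that lists the entries recording visits to the whistleblower system and the identifiers each one carries, and produces a copy with those entries removed. The hostname, the key=value log format and the sample lines are constructed assumptions.

```python
import re

PORTAL_HOST = "whistleblowing.example.com"   # hypothetical portal hostname
IDENTIFYING = ("src", "user")                # fields that tie a visit to a person

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2021-03-01T08:14:02Z src=10.1.4.23 user=m.rossi dst=whistleblowing.example.com:80 action=allow
2021-03-01T08:14:05Z src=10.1.4.77 user=l.bianchi dst=intranet.example.com:443 action=allow
2021-03-01T08:15:40Z src=10.1.9.12 user=- dst=whistleblowing.example.com:443 action=allow
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its key=value fields."""
    return dict(FIELD.findall(line))


def is_portal(fields, portal_host=PORTAL_HOST):
    """True when the destination host (port stripped) is the portal."""
    host = fields.get("dst", "").rsplit(":", 1)[0]
    return host.lower() == portal_host


def audit(log_text, portal_host=PORTAL_HOST):
    """Return (line_no, identifiers) for each logged portal visit."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        fields = parse_line(line)
        if is_portal(fields, portal_host):
            present = [k for k in IDENTIFYING if fields.get(k, "-") != "-"]
            findings.append((no, present))
    return findings


def scrub(log_text, portal_host=PORTAL_HOST):
    """Drop every portal entry, leaving unrelated traffic untouched."""
    kept = [l for l in log_text.splitlines()
            if not is_portal(parse_line(l), portal_host)]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    for no, ids in audit(SAMPLE_LOG):
        print(f"line {no}: portal visit logged with {ids or 'no identifiers'}")
    print(scrub(SAMPLE_LOG), end="")
```

Scrubbing an export only cleans up what was already collected; an empty `audit()` result on fresh logs is the sign that the firewall itself no longer records visits to the portal.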

Lack of data protection impact assessment

The Italian data protection authority also objected to the fact that the company concerned had not carried out a data protection impact assessment pursuant to Art. 35 GDPR. However, this should have been done when implementing a whistleblower system. The reports may contain sensitive data. They may contain information about suspected violations of the law and have massive consequences for the accused and the whistleblower. This poses particular risks to the rights and freedoms of the data subjects.

Implement all requirements with our Hintbox

The decision of the Italian data protection authority shows two aspects: First, confidentiality and anonymity can basically only be guaranteed by a digital whistleblowing system. Second, such a whistleblower system requires the implementation of some technical measures. Our Hintbox implements all the requirements of data protection law and the specifications of the data protection supervisory authorities in a legally compliant manner.

End-to-end encryption and database encryption

All information and communication between the whistleblower and compliance officer is encrypted end-to-end. In addition, the data in the database is encrypted again. The data is hosted in an ISO-27001 certified data center in Germany.

No tracking of IP addresses or other device data

No data or information, such as the IP address or other device data, is stored when using our whistleblowing system. This is the only way to ensure confidentiality and anonymity.

We support you with your data protection impact assessment

Of course, we support your company free of charge with your data protection impact assessment, so that you can implement all the requirements of Art. 35 GDPR quickly and correctly.

Test our whistleblower system now free of charge

Within minutes, we will provide you with an isolated Hintbox that will allow you to implement all the requirements of the EU Whistleblower Directive.

The safety of our customers is our top priority.

Our whistleblower system meets all IT security and data protection requirements. In particular, through our ISMS and secure Hintbox, all technical, organizational and regulatory requirements of the General Data Protection Regulation and the EU Whistleblower Directive (2019/1937) are met.
