July – December semester inspection plan: focus on whistleblowing


The Italian Data Protection Supervisory Authority recently published the measure whereby it decided on the audit plan for this six-month period, citing one of the processing activities that could be inspected:
“1. For the period from July to December 2019, the auditing activity initiated and carried out by the Data Protection Supervisory Authority, including through the Guardia di Finanza, shall address:
a) Assessments with regard to profiles of general interest for categories of data subjects in the context of the processing of personal data by applications for the management of reports of misconduct (so-called Whistleblowing)”.



The Italian Data Protection Authority also issued its own Recommendation No 1/2019 “on internal procedures of external relevance for the performance of the tasks and exercise of the powers invested in the Italian Data Protection Supervisory Authority”, detailing the tasks and procedures to be followed in the performance of its duties.


Main aspects 

Articles 21 and 22 of the said Italian Recommendation lay down the provisions on audits. Specifically,  with reference to the first of these two standards, it is established that: “in the performance of the Supervisory tasks or otherwise exercised by the Supervisory Authority may, in assessing the information in their possession and even in the absence of any complaint, report or notification of a personal data breach, itself undertake a preliminary investigation to verify the existence of appropriate elements concerning possible breaches of the relevant data protection framework”. The second of these two rules establish the actual procedure to be followed in the event of audits. In particular, paragraphs 5 and 6 of this provision specify that: “the service order in which the audit activity is initiated shall identify the controller or  processor to whom the audit is addressed, the location of the audit, the person responsible for the activity and the other participants, designated in accordance with the managers of the departments, services or other organizational units; the order of service shall also indicate the penalties provided for in Article 10(2) of the Staff Regulations. 83(5)(e) of the GDPR and Articles 166 and 168 of the Privacy Code”. In addition, it is specified that copies of documents, information/explanations may be requested during these activities, access to databases and archives ay be assisted by his advisers in the course of the audit activity and may also reserve the right to produce further documentation in his defense.

The main sources of the audit, in addition to those identified in the audit plan, may be the result of alerts or complaints from data subjects or of notified data breaches.


Practical implications

First, as part of a possible audit, the Auditing Team will verify the procedure followed by the company in the whistleblower field, i.e. to understand which channels are chosen for the alerts, the data flow, to check the data retention time and to understand whether, in the event that the recipient is an internal entity, if there are “second level” recipients ready to receive an alert which concerns the main recipient.
Once the procedure has been duly verified, a request to provide privacy documentation may arise, which would demonstrate that the processing of the data subjects’ personal data has been adequately managed. It is likely, above all, that a register of processing activities will be requested, which will have to adequately reflect all data flows consistent with the procedure.

Secondly, the controller may be required to produce the privacy policy describing the processing, including, where appropriate, checking that the proper dissemination of the document to the employees.
In addition, the data controller should be able to demonstrate that he has properly regulated relations with the providers involved in the processing, if any, by signing contracts for the processing of personal data.

Finally, the controller should have properly regulated the privacy of the recipients of the reports and, as a measure of accountability, the controller may have to exhibit a register of alerts during the audit.