Whistleblowing: two new decisions from the Italian Data Protection Authority

Authors: Valentina Sapuppo, Luciana Di Vito, Marco Emanuele Carpenelli


Briefing on Whistleblowing and the most recent case law on the issue

Whistleblowing has been under the attention of the Italian Data Protection Authority (hereinafter the ‘Authority’) for some time now and the Authority has pronounced itself on the subject on several occasions in recent years[1]. In this scenario, the non-implementation of Directive (EU) 2019/1937 (hereinafter, the ‘Directive’)[2], on the part of the Italian legislator has not facilitated the adherence of organizations to the legislation at hand, which is still not harmonized today, (in particular, Article 6, c. 2-bis of Legislative Decree no. 231/2001, concerning private organizations, Article 54-bis of Legislative Decree no. 165/2001, concerning public administrations). The aforementioned Directive, which imposes an obligation on Member States to lay down common minimum standards to ensure effective protection of Whistle-blowers[3] – through organic regulation for both the private and the public sector, has not yet been transposed into Italian law. The deadline for the Government to exercise the delegated power to implement it expired on 17 December 2021[4].

Recently, the Authority returned to the issue of Whistleblowing, confirming that Public administrations and Companies must observe the maximum care in setting up and managing Whistleblowing systems, guaranteeing the highest confidentiality of employees and other persons reporting illegal behaviours’. Indeed, on 7 April, the Authority published two decisions concerning violations of the legislation on personal data protection with a specific focus on Whistleblowing and imposed administrative sanctions on the Azienda ospedaliera di Perugia (a hospital located in Perugia, Italy)[5] and the company ISWEB S.p.A.[6]. ISWEB S.p.A. acted as a data processor on behalf of the controller (Azienda ospedaliera di Perugia), pursuant to Article 28 of Regulation (EU) 679/2016 (hereinafter, also referred to as ‘GDPR’). Each enterprise was fined EUR 40,000.

The main aspect highlighted by the aforementioned decisions, as we shall also see in more detail in the following section, is once again to be found in the need to preserve the confidentiality of Whistle-blowers, which should be guaranteed in all stages of processing. The Authority made the same considerations with reference to the security measures to be implemented on the Whistleblowing management platform. This is in line with the consistent approach adopted by the Authority[7]. It is also important to recall the decisions of the Authority concerning the Bologna Guglielmo Marconi Airport S.p.A. and its supplier aiComply S.r.l., in which they were fined EUR 40,000[8] and EUR 20,000 respectively.


The case: the violations committed by the Azienda ospedaliera di Perugia and ISWEB S.p.A.

Regarding the examination of the violations mentioned above, it should be observed that the Authority identified that the Azienda ospedaliera di Perugia had implemented insufficient security measures on the application in use (GlobalLeaks open-source software)[9]. Furthermore, it had acted in contradiction with the ‘principles of lawfulness, fairness and transparency and without providing the data subjects with information about the processing, contrary to Articles 5(1)(a), 13 and 14 of the Regulation’ and acted ‘in a manner not compliant with the principles of integrity and confidentiality, of data protection by design and of data protection by default, contrary to Articles 5(1)(f) and 25 of the Regulation’.  Additionally, Article 30 of the GDPR was breached, since [the Company] has not reported in the register of processing operations the activities for the acquisition and management of Whistleblowing notifications. As a result of the investigations carried out by the Authority, it was also found that the necessary Data Protection Impact Assessment under Article 35 of the GDPR had not been carried out.

Concerning the violations committed by ISWEB S.p.A., as the provider of the management software for the Whistleblowing management platform, it was found that the data processing relationship with Seeweb S.r.l. (hosting provider of the first processor), was not regulated according to Article 28 of the GDPR, with Seeweb S.r.l., hosting provider of the first processor, whose systems hosted the Whistleblowing management platform in use by the Perugia Hospital Company. From the Authority’s point of view, the above-mentioned failure to regulate the relationship entailed the unlawfulness of the overall processing activities carried out to manage Whistleblowing reports. This is because the relationship was not adequately regulated as it was performed in the absence of the necessary instructions, technical and otherwise (such as, for example, about the appointment of sub- processors), and of adequate mechanisms for verifying the security measures guaranteed by the provider, in addition to the absence of any explanation of the methods and purposes of the processing.


Conclusions and practical recommendations

From reading the above-mentioned provisions it becomes clear that organizations which decide to equip themselves with a Whistleblowing management platform must be extremely careful to respect the protection of personal data that are processed through the implemented system. In this regard, it is therefore essential to:

    • thoroughly verify the security measures, also and especially if implemented through data processors and sub-processors;
    • ensure and reinforce the guarantees, throughout the processing, of confidentiality of the identity of the Whistleblower;
    • manage the entire system in compliance with the rules in force, through:
          • the provision of adequate notice to data subjects;
          • the provision of adequate instructions to the recipients of the reports;
          • the detailed description of the processing in the Register of Processing Activities;
          • the preparation of authorizations and data processing agreements;
          • the performance and, if necessary, the continuous updating of a Data Protection Impact Assessment.



[1] For a more in-depth discussion on the subject, please see other articles provided by ICTLC:






[2] See Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law


[3] Whistle-blowers are those who report possible violations of the organizational model or code of ethics of the organization they belong to and, more generally, unlawful actions and conduct.

[4] New draft laws are currently being examined by the Italian legislator to renew the delegation of powers by the Government to transpose the Directive into the Italian legal system. In this regard, it may also be of interest to note that, during the hearing of the Authority on 8 March 2022 on the European Delegation Bill 2021 (Italian web doc. 9751458 of March, 2022), it was reiterated how, in the exercise of the aforementioned delegation, it is necessary to ‘strike an appropriate balance between the need for confidentiality of the report – functional to the protection of the reporter, the need to ascertain the offenses and the right of defence and to be heard of the reported person. The protection of personal data is, of course, a determining factor in the balance between these instances, and it is therefore appropriate for the Garante to be involved in the exercise of the delegation‘. [As translated by the authors of this article; the original text is available in Italian only].

[5] See the Order against Azienda ospedaliera di Perugia (Italian web doc. 9768363 of 7 April, 2022). [As translated by the authors of this article; the original text is available in Italian only].

[6] See Order against ISWEB S.p.A. (Italian web doc. 9768387 of 7 April, 2022). [As translated by the authors of this article; the original text is available in Italian only].

[7] For 2009, see the Report of the Authority to the Parliament and the Government, on the identification, using reporting systems, of offenses committed by persons operating in various capacities in the company organization (Italian web doc. 1693019 of 10 December, 2009).

For 2019, see Deliberation of 12 September 2019 – Initiative inspection activities by the Office of the Authority, including the Finance Police (Italian web doc. 9147297 of July-December, 2019).

For 2020, see the Resolution of 1 October 2020 – Own-initiative inspection activity by the Office of the Authority, including the Finance Police (Italian web doc. 9468750 of July-December, 2020).

[8] See the Order against Guglielmo Marconi Airport of Bologna S.p.A. (Italian web doc. 9685922 of June, 2021), where it is stated that ‘the company had processed the personal data of employees and other interested parties, through the use of the application for the acquisition and management of unlawful reports, in a manner that did not comply with the principles of integrity and confidentiality, of data protection by design and of data protection by default, in violation of Articles 5(1)(f) and 25 of the Regulation; in the absence of appropriate technical and organizational measures to ensure an appropriate security level according to the risks presented by the processing, contrary to Article 32 of the Regulation; by failing to carry out a data protection impact assessment, contrary to Article 35 of the Regulation. […] Within this framework, the persons obliged to comply with the aforementioned provisions must process the data necessary for the acquisition and management of the reports, in compliance also with the rules on the protection of personal data.’ [As translated by the authors of this article; the original text is available in Italian only].

[9] See Opinion on the framework  ‘Guidelines on the protection of persons who report crimes or irregularities of which they have become aware in the course of an employment relationship, according to Article 54- bis of Legislative Decree 165/2001 (so-called Whistleblowing)’  (Italian web doc. 9215763 of December, 2019).