Whistleblowing is a corporate compliance tool through which employees or third parties of a company can report, in a confidential and protected manner, any wrongdoing encountered in the course of their work.
Recently, the DPA sanctioned a hospital and the IT companies that operated its whistleblowing service for violating the GDPR. The companies used systems that recorded and stored users' browsing data, allowing users to be identified, including potential whistleblowers.
In particular, the healthcare company had not informed workers in advance about the processing of personal data carried out for the purpose of reporting wrongdoing, had not conducted a privacy impact assessment, and had not even entered such operations into the register of processing activities (a useful tool for assessing risks to the rights and freedoms of data subjects).
Privacy Guarantor’s provision no. 134 of 7 April 2022

