The issue is always particularly crucial both for the information handled and for the high risks of retaliation and discrimination in the workplace.

Especially in Italy.

The identity of whistleblowers must be protected.

The employer, data controller, is required to comply with the principles of data protection, ensuring their integrity and security.

This was recently recalled by the Italian Privacy Guarantor, sanctioning an airport company and its software supplier for a total of over 60,000 euros.

The Guarantor reiterated that the employer data controller, even when using products or services made by third parties, must verify compliance with the data protection principles by giving the necessary instructions to the service provider.

In the case under analysis, the Guarantor ascertained the non-use of encryption techniques for the transmission and storage of data and the violation of the principle of privacy by design:

• access to the whistleblowing application took place without the use of a secure network protocol
• the application did not provide the encryption of the data
• accesses to the application by employees connected to the company network were tracked through the logs generated by the firewalls

This rendered ineffective the other measures adopted to protect the confidentiality of the identity of the reporting parties.