Aeroporto Guglielmo Marconi di Bologna S.p.a. – €40,000 Fine (Italy, 2021)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier EUR 20,000 for violations of the GDPR. In the course of the DPA's investigation, it was found that the application for collecting and managing criminal reports was accessed without the use of a secure network protocol (e.g., the link protocol) and that the application itself did not provide for encryption of the reporting party's identification data, the information about the report and the attached documents. The DPA considered this to be a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. In addition, the DPA found that the controller should have conducted an impact assessment, given the sensitivity of the information processed and the risks and vulnerability of the data subjects.