Guglielmo Marconi Airport of Bologna Spa – €40,000 Fine (Italy, 2021)
Guglielmo Marconi Airport of Bologna was fined for not protecting whistleblower data properly. This case is important because it highlights that organizations must take data security seriously, especially when handling sensitive reports.
What happened
The airport used a whistleblowing app but did not encrypt the personal data it collected, risking unauthorized access.
Who was affected
Whistleblowers and employees whose data was processed through the airport's whistleblowing application.
What the authority found
The Italian DPA ruled that the airport failed to ensure the integrity and confidentiality of personal data, violating data protection rules.
Why this matters
This ruling underscores the need for organizations to implement strong data protection measures, especially when dealing with sensitive information like whistleblower reports.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data controller used the whistleblowing application “WB confidential” for the organizational acquisition and management of reports on illegal conduct by its employees and other stakeholders. The application was operated by a SaaS supplier that acted as a processor for the controller in accordance with Article 28 GDPR. The delivered reports could contain the identification data of the whistleblower, information relating to the report and any attached documentation. Due to the limited number of reports and data processed, however, the controller decided not to carry out a data protection impact assessment. Similarly, because of the “little use” for any third parties and the “extremely low probability of threats”, the controller decided not to encrypt the personal data stored within its database and transmitted over the public network. In motivating its decision, the controller held that encryption was only applicable and adequate in cases of large volumes of processing data in specific subjective areas. Implementing such a functionality would have required the purchase of an additional component with disproportionate implementation costs. Also, technical access was reserved exclusively for the processor, who had no interest in communicating or disseminating any data.
The Italian DPA found that the controller is required to comply with the principle of integrity and confidentiality from Article 5(1)(f) GDPR. Accordingly, the data must be processed in a way that guarantees adequate security, including protection from unauthorized processing, destruction or damage. The Garante regarded the nature of the data exchanged and their possible acquisition by third parties as highly risky. In this regard, unencrypted access to the system does not guarantee an adequate level of security. The data controller must implement adequate technical and organizational measures taking into account the state of the art, the nature, purposes and risks as
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Guglielmo Marconi Airport of Bologna Spa in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 July 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€40,000
GDPRhub ID
gdprhub-3706
About this data
Cite as: Cookie Fines. Guglielmo Marconi Airport of Bologna Spa - Italy (2021). Retrieved from cookiefines.eu