Guglielmo Marconi Airport of Bologna Spa – €40,000 Fine (Italy, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Guglielmo Marconi Airport of Bologna Spa was fined €40,000 for not protecting personal data in its whistleblowing application. The airport failed to encrypt sensitive information, which could lead to data breaches. This case highlights the importance of implementing proper security measures to protect user data.
What happened
Guglielmo Marconi Airport of Bologna Spa did not encrypt personal data in its whistleblowing application, risking the security of that information.
Who was affected
Employees and whistleblowers whose data was processed through the airport's application were affected by this lack of protection.
What the authority found
The Italian DPA found that the airport violated data protection rules by not ensuring the integrity and confidentiality of personal data through encryption.
Why this matters
This case underscores the necessity for organizations to implement strong security measures, like encryption, to protect personal data and avoid significant fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The data controller used the whistleblowing application “WB confidential” for the organizational acquisition and management of reports on illegal conduct by its employees and other stakeholders. The application was operated by a SaaS supplier that acted as a processor for the controller in accordance with Article 28 GDPR. The delivered reports could contain the identification data of the whistleblower, information relating to the report and any attached documentation.
Due to the limited number of reports and data processed, however, the controller decided not to carry out a data protection impact assessment. Similarly, because of the “little use” for any third parties and the “extremely low probability of threats”, the controller decided not to encrypt the personal data stored within its database and transmitted over the public network. In motivating its decision, the controller held that encryption was only applicable and adequate in cases of large volumes of processing data in specific subjective areas. Implementing such functionality would have required the purchase of an additional component with disproportionate implementation costs. Also, technical access was reserved exclusively for the processor, who had no interest in communicating or disseminating any data.
The Italian DPA found that the controller is required to comply with the principle of integrity and confidentiality from Article 5(1)(f) GDPR. Accordingly, the data must be processed in a way that guarantees adequate security, including protection from unauthorized processing, destruction or damage. The Garante considered the nature of the data exchanged and their possible acquisition by third parties to be highly risky. In this regard, unencrypted access to the system does not guarantee an adequate level of security. The data controller must implement adequate technical and organizational measures taking into account the state of the art, the nature, purposes and risks as
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Guglielmo Marconi Airport of Bologna Spa in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 July 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€40,000
GDPRhub ID
gdprhub-3706
Cite as: Cookie Fines. Guglielmo Marconi Airport of Bologna Spa - Italy (2021). Retrieved from cookiefines.eu