aiComply S.r.l. – €20,000 Fine (Italy, 2021)

The company 'aiComply Srl' (the ‘Processor’) provided the Airport of Bologna (the ‘Controller’) with the whistleblowing application “WB confidential” for the organizational acquisition and management of reports on illegal conduct by its employees and other stakeholders. The processor further offered maintenance of the application through two other companies, ‘Agic Technology Srl’ carrying specialist assistance activities and ‘A1Tech Srl’ carrying out the management of the IT-infrastructure. Investigations of the DPA found, that personal data transferred and stored within the application was not encrypted. Furthermore, it was verified that all three processing companies shared a non-nominal “System-Administrator” profile for the application. In this regard, aiComply had never informed the airport about this relationship with the two sub-processors. aiComply argued, that suitable security measures and especially encryption, had not be considered due to an extraordinarily limited amount of processing relating to only few reports transmitted through the system. Accordingly, the application was sufficiently protected by a firewall and an only internal or VPN access. It was negotiated with the airport that no further security measures shall be adopted. The processor also argued, that both involved companies for the maintenance did not process any personal data due to carrying out only technical activities and were generally appointed as suppliers of system administration tasks by aiComply. The DPA decided that both the controller and the processor are obliged to implement adequate technical and organizational measures to ensure a level of security within their scope and competencies. The missing encryption and sharing of a non-nominal ‘Admin-User’ with two other companies therefore lack the implementation of such adequate safeguards and violate Article 32 GDPR. In this regard, the controller has not received any communications or requests for authorization from the pr