Azienda ospedaliera di Perugia
Non-compliance with general data processing principles
Decision Date
7 de abril de 2022
Authority
Italian Data Protection Authority (Garante)
IT
Sector
Health Care
Country
IT
Law
GDPRStatus
FINALDescription
The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000. During an investigation at the healthcare facility, the DPA found multiple GDPR violations. The DPA's investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers. The healthcare facility used an open source-based whistleblowing web application. However, the application was accessed through systems that were not properly configured. This made it possible to record and store users' browsing data, thus identifying those users and, as such, potential whistleblowers. With respect to the processing of personal data, the health facility had failed to inform the employees in advance. In addition, the DPA found that the healthcare facility had not conducted a data protection impact assessment and had not registered the processing in the register of processing activities. Thus, no sufficient assessment of the risks to the rights and freedoms of the data subjects had been carried out. '