Italy's Data Protection Authority Fines a Hospital €40,000 for GDPR Violations in Whistleblowing System

Wednesday, October 25, 2023

10 Minutes reading time

Whistlehub content team

A detailed analysis of a recent case where a hospital in Perugia, Italy, was fined €40,000 for GDPR violations in their whistleblowing system. Learn about the legal implications and how to ensure compliance.


The Italian Data Protection Authority, known as Garante, recently imposed a €40,000 fine on a hospital in Perugia for multiple violations of the General Data Protection Regulation (GDPR) in relation to their whistleblowing system. This case serves as a critical reminder for organizations to ensure compliance with data protection laws, particularly when implementing whistleblowing systems.

Detailed Violations

Table: Types of Violations and Their Implications

Violation CategorySpecific IssueLegal Requirement
TransparencyFailure to inform data subjects about the processing of their personal data for whistleblowing purposes.Under GDPR, data subjects must be informed about how their data will be used.
Integrity and ConfidentialityThe system allowed for the potential identification of whistleblowers.GDPR mandates that personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing.
Data Protection MeasuresAbsence of a Data Protection Impact Assessment (DPIA) and failure to record activities in their register of processing activities.Organizations are required to conduct a DPIA for high-risk processing activities and maintain a record of processing activities under GDPR.

Lack of Transparency

The hospital processed personal data without adequately informing the individuals involved. This is a direct violation of GDPR's principle that data subjects should be aware of how their data is being used.

Integrity and Confidentiality

The whistleblowing system used by the hospital had the potential to identify whistleblowers, contravening GDPR principles of data integrity and confidentiality. This compromises the anonymity that is often crucial for whistleblowers to report misconduct without fear of reprisal.

Inadequate Data Protection Measures

The hospital failed to conduct a Data Protection Impact Assessment (DPIA), a mandatory step for high-risk data processing activities. Additionally, the hospital did not maintain a register of processing activities, another requirement under GDPR.

Recommendations for Compliance

  1. Data Protection by Design and Default: Implement technical and organizational measures to ensure data protection from the onset.
  2. Conduct a DPIA: A DPIA is crucial for identifying and minimizing data protection risks.
  3. Maintain Records: Keep a detailed register of data processing activities as required by GDPR.

Whistlehub's Perspective

At Whistlehub, we emphasize the importance of GDPR compliance in whistleblowing systems. Our solutions are designed to meet the highest standards of data protection, ensuring that organizations can facilitate secure and anonymous reporting.


The fine imposed on the Perugia hospital serves as a stark reminder of the legal obligations organizations face when implementing whistleblowing systems. Compliance with data protection laws is not optional; it is a legal requirement that carries significant penalties for violations.

© All Rights Reserved. Whistlehub Inc