In the EU, all data must be handled in accordance with the General Data Protection Regulation (GDPR) – and whistleblowing data is no exception. It’s essential that your whistleblowing processes account for the requirements of both GDPR and the EU Whistleblower Directive…and the areas where the two potentially conflict with one another. Data privacy is crucial given the type of information submitted to a whistleblowing hotline, so below we outline what’s required of whistleblowing programs under GDPR and the EU Whistleblower Directive.
Data protection for whistleblowers and subjects under the EU Whistleblower Directive and GDPR
There’s no getting around it – whistleblowing hotlines process personal data. And while GDPR does not specifically reference whistleblowing, that doesn’t mean whistleblowers and the subjects of their reports are any less protected. The potential risks to all parties involved in a whistleblowing report can’t be overstated, so data protection is crucial.
Processing whistleblower data
There are two legal bases for processing personal data in the context of whistleblowing. These are:
- The processing is necessary for compliance with a legal obligation, or
- It is deemed to be a “legitimate interest” of the controller, company or third-party
As the EU Whistleblower Directive is transposed into law in the individual Member States, the first legal basis will become effective. There has been, and will continue to be, reliance on “legitimate interests” for a range of activities associated with whistleblowing. Plus, the nature of some whistleblowing reports may involve what is termed “special categories of personal data,” which will require additional precautions, including confirmation that the processing is legal.
The rights of data subjects, both whistleblowers and report subjects
Confidentiality is central to the operation of any whistleblowing program – confidentiality both for reporters and the subjects of their reports. A key element of discharging these rights includes publishing notices and policies which include transparent information on the hotline process, including how it operates, who will be involved, and how the rights of data subjects can be exercised.
Complying with GDPR, when it comes to whistleblowing data, can get complex. For example, responding to a Data Subject Access Request could jeopardize an investigation or expose a whistleblower. This type of scenario is generally reflected in GDPR’s provisions and exceptions regarding the collection of personal data – and allows for responses to be delayed for as long as the risk exists. In a similar vein, the exercising of rights such as data erasure may be restricted to protect the rights and freedoms of others affected by the reporting.
Data controls and security under GDPR and the EU Whistleblower Directive
Data controllers are required to implement controls and provisions to ensure the security of personal data obtained during the whistleblowing process. This includes ensuring the reporter’s identity is not disclosed either accidentally or illegally. Organizational provisions, for example, can ensure that only a limited number of designated people have access to report data – and that such data is only shared with those who need it to investigate and manage reports.
For multi-national companies where there may be a requirement to transfer report data within and beyond the EU, GDPR remains in effect and its data transfer restrictions must be recognized.
A key element of the overall approach to data security under the EU Whistleblower Protection Directive and GDPR is to ensure that any data processors used in the whistleblowing process, including third parties, have in place the necessary contractual provisions and that they are compliant with all relevant regulations.
Complying with the EU Whistleblower Directive and GDPR, step-by-step
When evaluating your whistleblowing hotline for compliance with the intersecting requirements, check the following items:
- System or process is fully GDPR-compliant in each EU Member State
- Data is located with the EU
- Employees and third parties have been educated on their privacy rights regarding a whistleblower report
- System or process allows redaction of personal data in case of central investigation or cross-border transfer
- System or process collects informed consent at all stages of the investigation
- System or process allows personal data deletion when and where necessary, including after case closure
Click here to complete our full EU Whistleblower Directive compliance checklist.
Looking forward
The EU Data Protection Board (EDPB) may issue new guidance on the relationship between GDPR and the EU Whistleblower Directive as more Member States transpose the Directive into local law. In the meantime, companies will have to rely on industry bodies, local regulators, external advisors, and their own knowledge of data protection as they implement the directive’s requirements.
Master the other requirements of the EU Whistleblower Directive with our Ultimate Guide
Learn about all whistleblowing requirements you must now comply with using our Ultimate Guide to the EU Whistleblower Directive.
