In the EU, all data must be handled in accordance with the General Data Protection Regulation (GDPR) – and whistleblowing data is no exception. It’s essential that your whistleblowing processes account for the requirements of both GDPR and the EU Whistleblower Directive, and for the areas where the two potentially conflict with one another. Data privacy is crucial given the type of information submitted to a whistleblowing hotline, so below we outline what’s required of whistleblowing programs under GDPR and the EU Whistleblower Directive.
There’s no getting around it – whistleblowing hotlines process personal data. And while GDPR does not specifically reference whistleblowing, that doesn’t mean whistleblowers and the subjects of their reports are any less protected. The potential risks to all parties involved in a whistleblowing report can’t be overstated, so data protection is crucial.
There are two legal bases for processing personal data in the context of whistleblowing. These are:
As the EU Whistleblower Directive is transposed into law in the individual Member States, the first legal basis will become effective. There has been, and will continue to be, reliance on “legitimate interests” for a range of activities associated with whistleblowing. Plus, the nature of some whistleblowing reports may involve what is termed “special categories of personal data,” which will require additional precautions, including confirmation that the processing is legal.
Confidentiality is central to the operation of any whistleblowing program – confidentiality both for reporters and the subjects of their reports. A key element of honoring data subjects’ rights is publishing notices and policies that give transparent information on the hotline process, including how it operates, who will be involved, and how the rights of data subjects can be exercised.
Complying with GDPR, when it comes to whistleblowing data, can get complex. For example, responding to a Data Subject Access Request could jeopardize an investigation or expose a whistleblower. This type of scenario is generally reflected in GDPR’s provisions and exceptions regarding the collection of personal data, which allow responses to be delayed for as long as the risk exists. In a similar vein, the exercise of rights such as data erasure may be restricted to protect the rights and freedoms of others affected by the report.
Data controllers are required to implement controls and provisions to ensure the security of personal data obtained during the whistleblowing process. This includes ensuring the reporter’s identity is not disclosed either accidentally or illegally. Organizational provisions, for example, can ensure that only a limited number of designated people have access to report data – and that such data is only shared with those who need it to investigate and manage reports.
For multi-national companies where there may be a requirement to transfer report data within and beyond the EU, GDPR remains in effect and its data transfer restrictions must be recognized.
A key element of the overall approach to data security under the EU Whistleblower Protection Directive and GDPR is to ensure that any data processors used in the whistleblowing process, including third parties, have in place the necessary contractual provisions and that they are compliant with all relevant regulations.
When evaluating your whistleblowing hotline for compliance with the intersecting requirements, check the following items:
The EU Data Protection Board (EDPB) may issue new guidance on the relationship between GDPR and the EU Whistleblower Directive as more Member States transpose the Directive into local law. In the meantime, companies will have to rely on industry bodies, local regulators, external advisors, and their own knowledge of data protection as they implement the directive’s requirements.
Learn about all whistleblowing requirements you must now comply with using our Ultimate Guide to the EU Whistleblower Directive.