The EU Whistleblower Protection Directive and GDPR: How to Protect Whistleblowing Data

Where whistleblowing and data privacy overlap, clash, and create new challenges for ethics and compliance.

In the EU, all data must be handled in accordance with the General Data Protection Regulation (GDPR)—and whistleblowing data is no exception. It’s essential that your whistleblowing processes account for the requirements of both GDPR and the EU Whistleblower Protection Directive…and the areas where the two potentially conflict with one another. Data privacy is crucial given the types of reports that come in through a whistleblowing hotline, so in today’s blog, we’ll outline what’s required of whistleblowing programs under GDPR and the EU Whistleblower Protection Directive. 

But first—if you’d like to know more about the EU Whistleblower Protection Directive in general, start with one of our previous blog posts in this series:

Data Protection for Whistleblowers and Subjects Under the EU Whistleblower Protection Directive and GDPR 

Whistleblowing hotlines invariably involve the processing of personal data: the identity of the reporter, the identity of any person named in the report, and whatever the report itself describes. The EU Whistleblower Protection Directive requires that this processing comply with EU data protection law, namely GDPR. GDPR does not mention whistleblowing specifically, but that does not make whistleblowing data any less protected. The potential harm to both reporters and the subjects of a report if their data is mishandled can't be overstated, so data protection is crucial for all parties involved.

Processing Whistleblower Data 

There are essentially two legal bases under GDPR for processing personal data in the context of whistleblowing:

  • The processing is necessary for compliance with a legal obligation to which the controller is subject, or  
  • The processing is necessary for the legitimate interests pursued by the controller or by a third party.  

Once the EU Whistleblower Protection Directive has been transposed into national law in the individual Member States, the obligation on organizations to operate internal reporting channels will make the first basis, a legal obligation, available for the processing the directive requires. Organizations have relied, and will continue to rely, on legitimate interests for processing the directive does not require, for example where a hotline accepts reports on matters outside the directive's scope. Whichever basis applies, the content of some reports will involve what GDPR terms 'special categories of personal data' (for example health data, or information about a person's ethnic origin or sexual orientation), or data relating to alleged criminal offences. Processing such data requires additional precautions, including confirmation before the processing begins that one of the specific conditions GDPR sets for these categories is met.

The Rights of Data Subjects, Both Whistleblowers and Report Subjects 

Confidentiality is central to the operation of any whistleblowing program, for both reporters and the subjects of their reports, and the directive itself requires that a reporter's identity not be disclosed, without their explicit consent, to anyone beyond the staff authorized to receive and follow up on reports. Alongside confidentiality, GDPR gives both groups the rights of data subjects, and a key element of honouring those rights is transparency: publishing notices and policies that explain how the hotline process operates, who will be involved in handling a report, how long report data is retained, and how data subjects can exercise their rights.

There can be complexities here. Responding in full to a Data Subject Access Request from the person named in a report, for example, could jeopardize an ongoing investigation or expose the whistleblower. GDPR anticipates this: the right of access must not adversely affect the rights and freedoms of others, and Member State law may restrict data subject rights where necessary to protect the rights and freedoms of others or to support the investigation of wrongdoing. In practice this allows a response to be limited or delayed for as long as that risk exists, with the reasons for doing so documented. In a similar vein, the exercise of rights such as erasure may be restricted where the data is still needed for the investigation or to protect the rights of others affected by the report.

Data Controls and Security under GDPR and the EU Whistleblower Protection Directive 

Data controllers are required to implement appropriate technical and organizational measures to ensure the security of personal data obtained during the whistleblowing process. This includes ensuring the reporter's identity is not disclosed either accidentally or unlawfully. Organizational measures, for example, can ensure that only a limited number of designated people have access to report data and that such data is shared only with those who need it to investigate and manage a report. Technical measures such as encryption of report data, access controls on the case management system, and logging of who has accessed each report back these up and provide evidence that confidentiality was actually maintained.

For multinational companies that need to transfer report data between entities within and beyond the EU, GDPR continues to apply, and its restrictions on transfers to countries outside the EU and EEA (such as requiring an adequacy decision or appropriate safeguards like standard contractual clauses) must be satisfied before report data is moved abroad or made accessible from there.  

A key element of the overall approach to data security under the EU Whistleblower Protection Directive and GDPR is to ensure that any data processors used in the whistleblowing process, including third-party hotline providers, have in place the contractual provisions GDPR requires of a processor and comply with all relevant regulations. For example, Convercent’s data privacy compliance is outlined here.  

Sapin II and the EU Whistleblower Protection Directive 

France is one of the few EU Member States that already has whistleblowing and hotline legislation in place (the Sapin II law of 2016). In practice, a number of Sapin II's provisions are reflected in the EU Whistleblower Protection Directive, but the directive will still require changes to France's whistleblowing regime, including the reporting structure, recognition of whistleblowing “facilitators,” and third-party access to hotlines.

Looking forward 

The European Data Protection Board (EDPB) may issue new guidance on the relationship between GDPR and the EU Whistleblower Protection Directive. In the meantime, companies will have to rely on industry bodies, local regulators, external advisors, and their own knowledge of data protection as they implement the directive's requirements.

Master the other requirements of the EU Whistleblower Protection Directive with our free Masterclass series 

Prepare to comply with the requirements of the EU Whistleblower Protection Directive by the deadline of December 17, 2021, with this free series of eight expert-led webinars.    
