7 Key Issues Regarding Personal Data Protection Related to the Implementation of the Whistleblower Protection Act

Date: Oct 10, 2024 | Compliance, Employees

With the entry into force, at the end of September this year, of the Act of June 14, 2024, on the Protection of Whistleblowers, in addition to ensuring the proper application of its provisions, organizations must pay attention to issues related to the protection of personal data of individuals involved in processes related to reporting potential violations of law. The GDPR plays a key role in ensuring the security and confidentiality of information concerning whistleblowers, as well as other individuals affected by the reports, which requires appropriate actions on the part of organizations.

  1. Legal basis for processing whistleblowers’ data

    Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”, requires that any processing of personal data must rest on a legal basis. In the context of whistleblower protection, employers and organizations must determine the legal basis for processing the data of individuals reporting violations. The most commonly used bases are:

    • processing is necessary to fulfill a legal obligation incumbent on the controller (e.g., arising from whistleblower protection laws) under Article 6(1)(c) of the GDPR,
    • the consent of the data subject (e.g., in connection with the disclosure of the whistleblower’s identity, which, under the Whistleblower Protection Act, is protected and can only be disclosed in cases permitted by law and when the whistleblower has consented, based on Article 8(1) of the above Act) in accordance with Article 6(1)(a) of the GDPR,
    • the protection of the legitimate interests of the controller or a third party, provided that these interests do not override the rights and freedoms of the reporting person, pursuant to Article 6(1)(f) of the GDPR (this ground can serve as “supplementary” when whistleblower data processing principles are not, for example, explicitly specified in the Act, and processing is necessary to enable the organization to conduct proceedings in response to the reports).

    Determining the appropriate legal basis for processing data in connection with the application of the Whistleblower Protection Act will be significant in fulfilling GDPR documentation obligations, including, among other things, properly determining the legal grounds for processing activities, which should be reflected in the data processing register maintained by the data controller.

  2. Data minimization principle

    Under the data minimization principle, only the personal data of whistleblowers necessary to achieve the purpose of the violation report should be processed. This means that employers and organizations must avoid collecting excessive information unrelated to the specific case. For example, if the report concerns a particular incident, the whistleblower’s entire employment history should not be collected unless it is necessary. It should also be noted that, in accordance with the principle of data minimization and the other principles set forth in Article 5 of the GDPR (including adequacy, purpose limitation, lawfulness, fairness, and accountability), there is a duty to issue authorizations to the individuals who receive and review whistleblower reports, and the scope of such authorizations should be tailored to the tasks to be performed by those authorized to process data in connection with obligations arising from the Whistleblower Protection Act.

  3. Confidentiality and security of data processing

    One of the key aspects of whistleblower protection is ensuring the confidentiality of their personal data. Organizations should implement appropriate technical and organizational measures to protect data from unauthorized access, disclosure, or accidental destruction. In practice, this may involve encrypting reports, limiting access to data to the individuals directly involved in handling reports, and regularly auditing the security of IT systems. It is also undisputed that, in implementing the Act, there is a flow of information, including personal data, between the whistleblower and the entity implementing the Act’s provisions. This flow may include third-party data (e.g., the data of individuals violating the law or of witnesses). Therefore, implementing a system for receiving reports, potentially based on external infrastructure (provided by a vendor offering solutions to facilitate effective report management), should be preceded by a risk analysis. The findings of this analysis should translate into the implementation of optimal and adequate data security measures. In practice, this may mean that, in addition to the organizational measures adopted (such as a password policy and access controls for email inboxes containing whistleblower reports), additional technical security measures must be adopted to protect the confidentiality of data such as the whistleblower’s identity or the information contained in the reports (which may also include sensitive data about other individuals). Proper storage of documents collected in the course of follow-up actions by the data controller is also necessary, as the Whistleblower Protection Act explicitly states that certain actions in connection with the procedure for receiving reports may be documented in paper form (e.g., the obligation to document reports received via an unrecorded telephone line, as per Article 26(4) of the Act).

  4. Whistleblowers’ rights as data subjects

    Whistleblowers, like any other natural person, have several rights under the GDPR, including the right of access to their data, the right to rectification, the right to erasure (the right to be forgotten), and the right to restriction of processing. However, in the context of violation reports, there may be a conflict between the whistleblower’s right to erasure and the organization’s obligation to retain such data, for example, for evidentiary purposes. Organizations must manage such situations appropriately and in compliance with applicable laws. As part of implementing the provisions of the Act, the data controller must not forget to fulfill the information obligations set out in Articles 12, 13, and 14 of the GDPR. In certain circumstances, these obligations should be fulfilled in a manner that does not undermine the purposes of the Whistleblower Protection Act (for example, the obligation to inform individuals whose data are the subject of a report about the source of the data may be limited, as the overriding principle in this case is to protect the identity of the whistleblower). Likewise, because of the provisions protecting the identity of the whistleblower under the Act, it is not possible to fully realize the data subject’s right of access under Article 15 of the GDPR (e.g., when the person concerned by the report requests access). Therefore, the proper implementation of information obligations must be carefully considered and adapted to the conditions under which GDPR provisions will apply in the context of implementing the Act. It is worth noting that the Act does not exempt the application of the provisions of Chapter III of the GDPR in any way.

  5. Sharing whistleblowers’ data with third parties

    The GDPR also regulates the transfer of personal data to third parties, including law enforcement agencies, external auditors, or consulting firms. In the context of whistleblower protection, organizations must ensure that any transfer of data complies with the law. This includes considering:

    • the legality of processing (i.e., does the data controller have a clear and valid legal basis for disclosing personal data?),
    • ensuring adequate data protection guarantees/security measures when transferring data outside the European Union, if applicable (e.g., in cases where data transfer occurs in the context of handling reports within corporate groups),
    • informing whistleblowers of such transfers, provided this does not negatively affect ongoing investigations – this is important for complying with both the Whistleblower Protection Act and the GDPR, taking into account the information obligations towards whistleblowers as well as towards the individuals concerned by the reports (e.g., alleged offenders, witnesses, etc.).

  6. Data retention period

    The GDPR requires data controllers to specify how long personal data will be retained. For whistleblowers, this period should be limited to the time necessary to process the report, conduct any internal or external investigations, and retain evidence for potential future legal proceedings. Once the data is no longer needed for these purposes, it should be deleted or anonymized. In the context of applying the provisions of the Whistleblower Protection Act, it is worth updating the retention periods in the data controller’s internal retention policy, and the appropriate periods should also be recorded in the data processing register maintained under Article 30 of the GDPR. In general, under the Act:

    • personal data and other information in the internal reporting register are retained for three years after the end of the calendar year in which follow-up actions were completed or after the conclusion of proceedings initiated by these actions,
    • personal data processed in connection with the receipt of a report or the implementation of follow-up actions, and documents related to this report, are retained by the legal entity for three years after the end of the calendar year in which the external report was forwarded to the public authority responsible for follow-up actions, or after the conclusion of proceedings initiated by these actions.

  7. Documentation obligations, procedures, and registers

    Whistleblower protection issues in the context of the GDPR also include the obligation for the data controller to maintain an appropriate register of reports (for the organization receiving reports based on internal procedures and the provisions of the Act). This register must contain the elements specified in the Act, such as data regarding the reports, information about follow-up actions taken, the whistleblower’s data, the subject of the violation, etc. Moreover, in line with the risk-based approach, the controller should conduct risk analyses related to personal data processing within the solutions adopted for receiving and analyzing reports, based on the methodology adopted by the organization. In situations where data processing may pose a high risk to the rights and freedoms of the individuals concerned, especially when the criteria of Article 35 of the GDPR are met (e.g., if the processing involves new technologies and is likely to result in a high risk to individuals’ rights or freedoms), it is necessary to carry out a data protection impact assessment (DPIA) and document the analysis. High risk may also arise when implementing mechanisms from external providers.
