Implementing the Whistleblower Act? Update GDPR!

Table of Contents:

  1. Identification of Purposes and Legal Bases
  2. Data Minimization
  3. Ensuring Data Confidentiality
  4. Fulfillment of Information Obligations
  5. Data Protection Impact Assessment (DPIA)
  6. Training and Awareness Raising
  7. Implementation of the Whistleblower Act: Review and Update of Policies

The implementation of the Whistleblower Act introduces a series of new obligations for Data Controllers. It involves processing personal data contained in the whistleblowing report as well as the data of the whistleblowers themselves if the report is not anonymous. Entrepreneurs, as Data Controllers, must adapt their data protection procedures and policies to ensure compliance with the new regulations. What should be given special attention? We explain:

Identification of Purposes and Legal Bases

Administrators must clearly define the purposes for which they collect and process personal data related to whistleblowing reports. These purposes should comply with the principle of purpose limitation (Article 5(1)(b) GDPR), meaning they should be specific, explicit, and legitimate. This will, in turn, allow the determination of the legal basis for processing, which may vary depending on the purpose and the individual whose data is involved (e.g., whistleblower or the person committing the violation).

Data Minimization

According to the principle of data minimization (Article 5(1)(c) GDPR), Administrators should limit the collected personal data to what is necessary to achieve the purposes of processing. This means carefully analyzing which data is essential for receiving and processing whistleblowing reports and which might be superfluous, reflecting this in their whistleblowing procedures.

Ensuring Data Confidentiality

The Whistleblower Act imposes an obligation on Administrators to ensure the confidentiality of whistleblowers’ personal data. This includes protecting the identity of whistleblowers from unauthorized disclosure. In practice, this means implementing a whistleblowing system that guarantees such confidentiality. The highest level of confidentiality is naturally ensured by allowing anonymous reports; however, this may prevent the completion of the whistleblowing registry, which should include the data necessary to identify the whistleblower.

Fulfillment of Information Obligations

In managing reports, Administrators must not forget to provide the relevant information clause fulfilling the information obligation referred to in Articles 13 or 14 of the GDPR. This information should be provided to both the whistleblower and the person the report concerns, except that in the latter case, to ensure the confidentiality of the whistleblower’s data, the law excludes the obligation to disclose the source of their data.

Data Protection Impact Assessment (DPIA)

One of the key obligations of Data Controllers when implementing the Whistleblower Act is conducting a mandatory Data Protection Impact Assessment (DPIA). The obligation to perform this assessment stems from the Communication of the President of the Personal Data Protection Office of June 17, 2019, regarding the list of types of personal data processing operations that require an impact assessment for data protection.

Training and Awareness Raising

A critical element in implementing the new regulations is employee education. Administrators should conduct regular training on data protection, which should also cover the principles of processing whistleblowers’ data. If the whistleblowing system has not functioned before or training has not included this matter, it is recommended to supplement employees’ knowledge in this area to ensure that all employees are aware of their responsibilities and can appropriately respond to whistleblowing reports.

Implementation of the Whistleblower Act: Review and Update of Policies

Managing whistleblower reports constitutes a distinct data processing activity that should be included in the record of processing activities maintained by each Administrator. The implementation of the Whistleblower Act may require changes to existing internal policies and procedures, particularly those concerning data protection. It is essential to continuously monitor legal changes and adjust internal regulations to meet new requirements. Considering the aspects we highlighted will help in correctly updating or adjusting the documentation.