Whistleblowers and GDPR

by Klaudia Kamińska-Kiempa and Maciej Ogórek

16 February 2021

The whistleblowing system is a challenge for the security of personal data processing in an organisation. Before implementing it, you should remember about ensuring anonymity and confidentiality of data, as well as about ethical principles and respecting the rights of whistleblowers and other participants in proceedings.

Whistleblower's personal data protection – legal acts

Whistleblower's personal data protection is addressed in two legal acts:

1. Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the so-called Whistleblower Directive).
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

The Whistleblower Directive, which the EU Member States must implement by 17 December 2021, points to the need for procedures to ensure identity protection of:

• every reporting person (whistleblower);
• person concerned (potential “perpetrator”);
• third parties referred to in the report (e.g. witnesses).

However, the Directive does not contain specific provisions on the processing of personal data. It merely says that the Member States are to ensure its effectiveness using the GDPR guidelines and the personal data protection act of the particular State.  

Principles of personal data processing

Accordingly, the processing of personal data of the whistleblower and other participants in whistleblowing proceedings should be based on the general principles referred to in the GDPR, i.e.:

• transparency
• fairness
• lawfulness
• purpose limitation
• data minimisation
• data accuracy
• storage limitation
• integrity
• confidentiality
• accountability

When developing a whistleblowing system in your organisation, you should pay particular attention to the principle of confidentiality. It is only by building a safe and trusting environment and ensuring reliable protection of the identity of participants in the proceedings that you will succeed in launching the whistleblowing process in your organisation.

Basis for data processing – the principle of lawfulness

In accordance with the GDPR, personal data of whistleblowers may be processed if:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary to protect the vital interests of the data subject (or of another natural person);
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 

When implementing a whistleblowing system in your organisation, you need to remember that whistleblowers may remain anonymous and the system cannot require them to provide their data. If whistleblowers decide to disclose their identity – the basis for processing personal data is their voluntary consent.

The situation is different in the case of data that need to be disclosed in the proceedings – i.e. data of the person concerned or of witnesses (third parties) – here the basis for processing personal data is the necessity for compliance with a legal obligation of the controller.

Basis for processing personal data contained in the report (personal data of the whistleblower and of third parties):

• processing is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR) – after implementation of the Directive, when controllers will be subject to a specific legal obligation to establish internal control procedures in strictly defined areas;
• or for the purposes of the legitimate interests pursued by the controller or by a third party whose data are disclosed (Article 6(1)(f) GDPR) – processing that cannot be justified by a requirement to comply with legal obligations may still be possible if the controller can prove that it is necessary to pursue its legitimate interests and has balanced those interests against the interests of the persons referred to in the report.   

Insofar as processing may involve special categories of personal data as defined in Article 9 GDPR, the controller will also need to satisfy itself that the processing of such data is lawful. For this purpose, it can be argued that processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law.

Technical security

The personal data controller should also implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of violating the rights or freedoms of natural persons. These measures will vary depending on the enterprise (number of employees, structure, etc.).

Technical security measures for data processing under the GDPR are:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.  

The GDPR does not impose specific measures to be taken to ensure data security. The organisation is therefore not obliged to use the most technologically advanced or the most expensive solutions. What is important is that the system should technically and organisationally secure the personal data against leakage or unauthorised disclosure.

The GDPR describes the risks which need to be taken into account so that the controller or the contract processor can select appropriate data security measures on their own.

This means that the controller or processor should select their own safeguards, taking into account the needs and capabilities of the entity.