Data pro­tec­tion in whistleblowing

Many com­pa­nies are curr­ent­ly con­cer­ning them­sel­ves with the sub­ject of whist­le­b­lo­wing. Direc­ti­ve (EU) 2019/1937 on the pro­tec­tion of per­sons who report brea­ches of Uni­on law (the Whist­le­b­lower Direc­ti­ve) has exis­ted sin­ce 2019, and Ger­ma­ny now plans to imple­ment this Direc­ti­ve into natio­nal law in the form of a Whist­le­b­lower Pro­tec­tion Act. That com­pa­nies can make mista­kes in imple­men­ting the Directive’s gui­de­lines is demons­tra­ted by a case in Ita­ly, whe­re the data pro­tec­tion aut­ho­ri­ty impo­sed fines in the amount of EUR 40,000 against a hos­pi­tal and an IT ser­vice pro­vi­der for data pro­tec­tion vio­la­ti­ons in con­nec­tion with the hand­ling of whistleblowers.

The Whist­le­b­lower Directive

The Whist­le­b­lower Direc­ti­ve requi­res com­pa­nies with more than 50 employees to set up at least one inter­nal report­ing chan­nel. In accordance with Artic­le 9 of the Whist­le­b­lower Direc­ti­ve, report­ing chan­nels are to be desi­gned in a secu­re man­ner that ensu­res that the con­fi­den­tia­li­ty of the iden­ti­ty of the report­ing per­son and any third par­ty men­tio­ned in the report is pro­tec­ted. Whist­le­b­lo­wers must be able to report infor­ma­ti­on oral­ly or in wri­ting, and com­pa­nies may use web- or intranet-based sys­tems for this pur­po­se. The requi­re­ments of the GDPR gene­ral­ly app­ly for the­se systems.

Data pro­tec­tion violations

But an Ita­li­an hos­pi­tal fai­led to ade­qua­te­ly con­sider this fact. In set­ting up the neces­sa­ry inter­nal report­ing chan­nels, this hos­pi­tal used an IT ser­vice pro­vi­der which pro­vi­ded soft­ware in the Cloud. This soft­ware could only be acces­sed via the com­pa­ny net­work, so that poten­ti­al whist­le­b­lo­wers could be iden­ti­fied via the network’s fire­wall sys­tems. In the view of the Ita­li­an data pro­tec­tion aut­ho­ri­ty, this vio­la­tes the requi­re­ments for data pro­tec­tion by design and default in accordance with Artic­le 25 of the GDPR. Addi­tio­nal pro­blems were rai­sed by the fact that the com­pa­ny which offe­red the whist­le­b­lo­wing ser­vice was working tog­e­ther with an IT ser­vice pro­vi­der but had not con­cluded a pro­ces­sing con­tract with that pro­vi­der. The hos­pi­tal was also char­ged with fai­ling to con­duct a data pro­tec­tion impact assess­ment. Such an assess­ment is requi­red in accordance with Artic­le 35 of the GDPR when a type of pro­ces­sing, par­ti­cu­lar­ly using new tech­no­lo­gies and taking into account the natu­re, scope, con­text and pur­po­ses of the pro­ces­sing, is likely to result in a high risk to the rights and free­doms of natu­ral per­sons. Given the sen­si­ti­vi­ty of the data and the high per­so­nal risk to whist­le­b­lo­wers, the­re is good reason to belie­ve that such an assess­ment is requi­red when set­ting up inter­nal report­ing channels.

Ten­si­on bet­ween the GDPR and the Whist­le­b­lower Directive

Bey­ond the case in Ita­ly, the­re are addi­tio­nal chal­lenges in data pro­tec­tion law in con­nec­tion with imple­men­ta­ti­on of the Whist­le­b­lower Direc­ti­ve. Whist­le­b­lower reports typi­cal­ly include infor­ma­ti­on about the whist­le­b­lower, so that such reports fall within the scope of the GDPR. But this is fre­quent­ly the case not only for the whist­le­b­lo­wers them­sel­ves but for third par­ties as well. In the inte­rest of cla­ri­fy­ing the sta­te of affairs, it may be appro­pria­te not to noti­fy the­se per­sons right away, par­ti­cu­lar­ly e.g. in cases whe­re a com­pa­ny employee is accu­sed of mis­con­duct. But in accordance with Artic­les 14 and 15 of the GDPR, the com­pa­ny would actual­ly be requi­red to noti­fy the­se third par­ties and pro­vi­de them with infor­ma­ti­on in such cases. Careful review is requi­red in order to deter­mi­ne which duties in data pro­tec­tion law may be super­se­ded by the Whist­le­b­lower Direc­ti­ve in any indi­vi­du­al case.

What should com­pa­nies keep in mind?

In Ger­ma­ny as well, the Whist­le­b­lower Direc­ti­ve will be imple­men­ted into natio­nal law in the fore­seeable future. Com­pa­nies should the­r­e­fo­re exami­ne the­se new requi­re­ments right away. In doing so, com­pa­nies should devo­te par­ti­cu­lar atten­ti­on not only to the tech­ni­cal imple­men­ta­ti­on and set-up of the inter­nal report­ing chan­nels, but to the requi­re­ments of data pro­tec­tion law as well. The­se requi­re­ments will typi­cal­ly include the con­duct of a data pro­tec­tion impact assess­ment. The case in Ita­ly demons­tra­tes once again that com­pa­nies should not rely blind­ly on exter­nal IT ser­vice pro­vi­ders in mat­ters whe­re data pro­tec­tion law is invol­ved.