Data protection in whistleblowing

Many companies are currently concerning themselves with the subject of whistleblowing. Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblower Directive) has existed since 2019, and Germany now plans to implement this Directive into national law in the form of a Whistleblower Protection Act. That companies can make mistakes in implementing the Directive's guidelines is demonstrated by a case in Italy, where the data protection authority imposed fines in the amount of EUR 40,000 against a hospital and an IT service provider for data protection violations in connection with the handling of whistleblowers.

The Whistleblower Directive

The Whistleblower Directive requires companies with more than 50 employees to set up at least one internal reporting channel. In accordance with Article 9 of the Whistleblower Directive, reporting channels are to be designed in a secure manner that ensures that the confidentiality of the identity of the reporting person and of any third party mentioned in the report is protected. Whistleblowers must be able to report information orally or in writing, and companies may use web- or intranet-based systems for this purpose. The requirements of the GDPR generally apply to these systems.

Data protection violations

An Italian hospital failed to take adequate account of these GDPR requirements. In setting up the necessary internal reporting channels, the hospital used an IT service provider which provided software in the cloud. This software could only be accessed via the company network, so that potential whistleblowers could be identified via the network's firewall systems. In the view of the Italian data protection authority, this violates the requirements for data protection by design and by default under Article 25 of the GDPR. Additional problems were raised by the fact that the company which offered the whistleblowing service was working together with an IT service provider but had not concluded a processing contract with that provider. The hospital was also charged with failing to conduct a data protection impact assessment. Such an assessment is required under Article 35 of the GDPR when a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Given the sensitivity of the data and the high personal risk to whistleblowers, there is good reason to believe that such an assessment is required when setting up internal reporting channels.

Tension between the GDPR and the Whistleblower Directive

Beyond the case in Italy, there are additional challenges in data protection law in connection with the implementation of the Whistleblower Directive. Whistleblower reports typically include information about the whistleblower, so that such reports fall within the scope of the GDPR. But reports frequently contain personal data not only of the whistleblowers themselves but of third parties as well. In the interest of clarifying the state of affairs, it may be appropriate not to notify these persons right away, particularly, for example, in cases where a company employee is accused of misconduct. But under Articles 14 and 15 of the GDPR, the company would actually be required to notify these third parties and provide them with information in such cases. Careful review is required in order to determine which duties in data protection law may be superseded by the Whistleblower Directive in any individual case.

What should companies keep in mind?

In Germany as well, the Whistleblower Directive will be implemented into national law in the foreseeable future. Companies should therefore examine these new requirements right away. In doing so, companies should devote particular attention not only to the technical implementation and set-up of the internal reporting channels, but to the requirements of data protection law as well. These requirements will typically include the conduct of a data protection impact assessment. The case in Italy demonstrates once again that companies should not rely blindly on external IT service providers in matters where data protection law is involved.
