Data protection in whistleblowing

Many companies are currently concerning themselves with the subject of whistleblowing. Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblower Directive) has existed since 2019, and Germany now plans to implement this Directive into national law in the form of a Whistleblower Protection Act. That companies can make mistakes in implementing the Directive's guidelines is demonstrated by a case in Italy, where the data protection authority imposed fines in the amount of EUR 40,000 against a hospital and an IT service provider for data protection violations in connection with the handling of whistleblowers.

The Whistleblower Directive

The Whistleblower Directive requires companies with more than 50 employees to set up at least one internal reporting channel. In accordance with Article 9 of the Whistleblower Directive, reporting channels are to be designed in a secure manner that ensures that the confidentiality of the identity of the reporting person and of any third party mentioned in the report is protected. Whistleblowers must be able to report information orally or in writing, and companies may use web- or intranet-based systems for this purpose. The requirements of the GDPR generally apply to these systems.

Data protection violations

But an Italian hospital failed to adequately consider this fact. In setting up the necessary internal reporting channels, this hospital used an IT service provider which provided software in the cloud. This software could only be accessed via the company network, so that potential whistleblowers could be identified via the network's firewall systems. In the view of the Italian data protection authority, this violates the requirements for data protection by design and by default in accordance with Article 25 of the GDPR. Additional problems were raised by the fact that the company which offered the whistleblowing service was working together with an IT service provider but had not concluded a processing contract with that provider. The hospital was also charged with failing to conduct a data protection impact assessment. Such an assessment is required in accordance with Article 35 of the GDPR when a type of processing, particularly using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Given the sensitivity of the data and the high personal risk to whistleblowers, there is good reason to believe that such an assessment is required when setting up internal reporting channels.

Tension between the GDPR and the Whistleblower Directive

Beyond the case in Italy, there are additional challenges in data protection law in connection with the implementation of the Whistleblower Directive. Whistleblower reports typically include information about the whistleblower, so that such reports fall within the scope of the GDPR. Such reports frequently contain personal data not only of the whistleblowers themselves but of third parties as well. In the interest of clarifying the state of affairs, it may be appropriate not to notify these persons right away, for example in cases where a company employee is accused of misconduct. But in accordance with Articles 14 and 15 of the GDPR, the company would actually be required to notify these third parties and provide them with information in such cases. Careful review is required in order to determine which duties in data protection law may be superseded by the Whistleblower Directive in any individual case.

What should companies keep in mind?

In Germany as well, the Whistleblower Directive will be implemented into national law in the foreseeable future. Companies should therefore examine these new requirements right away. In doing so, companies should devote particular attention not only to the technical implementation and set-up of the internal reporting channels, but to the requirements of data protection law as well. These requirements will typically include the conduct of a data protection impact assessment. The case in Italy demonstrates once again that companies should not rely blindly on external IT service providers in matters where data protection law is involved.
