Many companies are currently concerning themselves with the subject of whistleblowing. Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblower Directive) has existed since 2019, and Germany now plans to implement this Directive into national law in the form of a Whistleblower Protection Act. That companies can make mistakes in implementing the Directive’s guidelines is demonstrated by a case in Italy, where the data protection authority imposed fines in the amount of EUR 40,000 against a hospital and an IT service provider for data protection violations in connection with the handling of whistleblowers.
The Whistleblower Directive
The Whistleblower Directive requires companies with more than 50 employees to set up at least one internal reporting channel. In accordance with Article 9 of the Whistleblower Directive, reporting channels are to be designed in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected. Whistleblowers must be able to report information orally or in writing, and companies may use web- or intranet-based systems for this purpose. The requirements of the GDPR generally apply for these systems.
Data protection violations
But an Italian hospital failed to adequately consider the fact that the GDPR applies to such systems. In setting up the required internal reporting channels, the hospital used an IT service provider which provided cloud-based software. This software could only be accessed via the company network, so that potential whistleblowers could be identified via the network’s firewall systems. In the view of the Italian data protection authority, this violates the requirements for data protection by design and by default in accordance with Article 25 of the GDPR. Additional problems arose from the fact that the company which offered the whistleblowing service was working together with an IT service provider but had not concluded a processing contract with that provider. The hospital was also charged with failing to conduct a data protection impact assessment. Such an assessment is required in accordance with Article 35 of the GDPR when a type of processing, particularly using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Given the sensitivity of the data and the high personal risk to whistleblowers, there is good reason to believe that such an assessment is required when setting up internal reporting channels.
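The design defect in the Italian case is worth making concrete: when the reporting portal is reachable only from inside the company network, the ordinary firewall or proxy log records which internal workstation connected to the portal and when, and anyone with log access can tie that record to a person. The following is an added example, not code from the article or from the hospital's provider, showing one data-protection-by-design control: flows to the reporting portal are suppressed before the log is retained, and a DPIA-style check confirms that the retained log no longer contains reporter-identifying records. The log format, the portal address range (203.0.113.0/28, a documentation range) and the sample lines are all constructed for this example.

```python
"""Log-retention control for a whistleblowing portal (added example, not the article's code).

Assumptions (constructed for this example):
  * firewall lines look like "<ts> src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
  * the reporting portal lives in 203.0.113.0/28 (a documentation range)
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Constructed: address range of the reporting portal. A real deployment would
# take this from the asset inventory rather than hard-coding it.
REPORTING_PORTAL_NETS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed firewall log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: two workstations reach the portal, two other flows
# are unrelated and must survive scrubbing untouched.
SAMPLE_LOG = [
    "2024-03-01T09:14:02Z src=10.20.30.41 dst=203.0.113.5 dport=443 action=allow",
    "2024-03-01T09:14:05Z src=10.20.30.41 dst=198.51.100.20 dport=443 action=allow",
    "2024-03-01T09:15:11Z src=10.20.30.77 dst=203.0.113.5 dport=443 action=allow",
    "2024-03-01T09:16:00Z src=10.20.30.78 dst=198.51.100.9 dport=22 action=deny",
]


def is_portal_flow(line: str) -> bool:
    """True if the record describes a connection to the reporting portal.

    Lines that do not match the expected format are treated as non-portal and
    passed through unchanged, so a format change never silently drops the rest
    of the log.
    """
    m = LOG_RE.match(line)
    if not m:
        return False
    dst = ipaddress.ip_address(m.group("dst"))
    return any(dst in net for net in REPORTING_PORTAL_NETS)


def scrub_for_retention(lines: Iterable[str]) -> tuple[list[str], int]:
    """Remove portal flows before the log reaches the archive or SIEM.

    Returns (retained lines, number of suppressed records). The count is kept
    so capacity and health monitoring still see that the portal is in use,
    without retaining which workstation used it.
    """
    kept: list[str] = []
    suppressed = 0
    for line in lines:
        if is_portal_flow(line):
            suppressed += 1
        else:
            kept.append(line)
    return kept, suppressed


def reporter_identifying_records(lines: Iterable[str]) -> int:
    """DPIA check: count retained records that tie an internal source address to
    the reporting portal. This should be 0 for any log that is retained."""
    return sum(1 for line in lines if is_portal_flow(line))


if __name__ == "__main__":
    before = reporter_identifying_records(SAMPLE_LOG)
    retained, dropped = scrub_for_retention(SAMPLE_LOG)
    after = reporter_identifying_records(retained)
    print(f"identifying records before scrubbing: {before}")
    print(f"suppressed: {dropped}, retained: {len(retained)}")
    print(f"identifying records after scrubbing: {after}")
```

Scrubbing the retained log is only one layer of the Article 25 obligation. The same identification is possible from proxy logs, DNS query logs and endpoint telemetry, and all of them need the same treatment; an assessment of the channel design should enumerate every place a connection to the portal leaves a trace. Offering the portal over a path that does not pass through company-controlled logging at all removes the problem at its source, which is the design choice the Italian authority's decision points towards.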
Tension between the GDPR and the Whistleblower Directive
Beyond the case in Italy, there are additional challenges in data protection law in connection with implementation of the Whistleblower Directive. Whistleblower reports typically include information about the whistleblower, so that such reports fall within the scope of the GDPR. But such reports frequently contain personal data not only of the whistleblowers themselves but of third parties as well. In the interest of clarifying the state of affairs, it may be appropriate not to notify these persons right away, for example in cases where a company employee is accused of misconduct. But in accordance with Articles 14 and 15 of the GDPR, the company would actually be required to notify these third parties and provide them with information in such cases. Careful review is required in order to determine which duties in data protection law may be superseded by the Whistleblower Directive in any individual case.
What should companies keep in mind?
In Germany as well, the Whistleblower Directive will be implemented into national law in the foreseeable future. Companies should therefore examine these new requirements right away. In doing so, companies should devote particular attention not only to the technical implementation and set-up of the internal reporting channels, but to the requirements of data protection law as well. These requirements will typically include the conduct of a data protection impact assessment. The case in Italy demonstrates once again that companies should not rely blindly on external IT service providers in matters where data protection law is involved.