Last year just before the “big date” of May 25, I wrote a post trying to analyze GDPR provisions through the lens of the whistleblowing process. At that time there were many questions ranging from how the rules will apply to whistleblowing on a national level to how to balance individuals’ privacy rights against companies’ need to pursue investigations.
Ambiguity was there, and we hoped that after the GDPR enforcement date the national Data Protection Authorities or DPAs would issue guidelines on the best ways to implement whistleblowing procedures in compliance with the new legislation. It has been a year since that time — let’s see how much clarity we got so far.
It’s worth noting up front that the German Data Protection Authority was the only national DPA to issue specific whistleblower-related guidance. Others either incorporated minor comments into the “mainstream” guidelines or so far didn’t address the issue in their communications.
Legitimate interest. As we have seen from the enforcement cases that I wrote about last week, having legitimate grounds for data processing is a crucial area for any sector and is particularly relevant in a whistleblowing context.
According to the German DPA guidance “On Whistleblowing Hotlines”, the collection of personal data via a whistleblowing hotline is permissible if it relates to the following subject matters: fraud, internal accounting controls, auditing matters, corruption and bribery, banking and financial crimes, insider trading, human rights violations, environmental concerns, and alleged violations of the law against equal treatment. The regulator confirms that data processing related to these violations is legitimate under Article 6(1)(f), because the processing is necessary for the purposes of the legitimate interests pursued by the controller. Unfortunately, the regulator didn’t indicate whether these arguments could also be applied to other subject matters such as violations of data privacy law, anti-trust law, or harassment cases.
As we have seen from the Google case, ensuring transparency in the data processing is key, which is very relevant for whistleblowing facilities. Employees should be made aware of how their data will be processed at the point of contact. This clarity must be provided in the Code of Conduct, whistleblowing policy or other communications including training programs.
Rights of the data subject. The German DPA has taken a very particular approach to interpreting Article 14, which covers personal data that have not been obtained from the data subject. Pursuant to the requirements of Article 14(2)(f), the regulator deems that the identity of the whistleblower must be disclosed to the individuals mentioned in the report, and in particular to the alleged person. At the same time, the guidance further determines that there is no statutory justification for the disclosure of a whistleblower’s name — therefore, the whistleblower’s consent will be required.
As a result, a whistleblower has two options when submitting a report: 1) identify themselves and, at the point of contact, consent to the company disclosing their identity to the alleged person; or 2) submit the report anonymously. The second option is strongly encouraged by the regulator, which, interestingly, reversed its position on anonymous reporting by 180 degrees.
In case a whistleblower decides to take the first option, they retain the right to withdraw consent at any time pursuant to Article 7(3); however, given the one-month timescale of notification, this right is unlikely to be exercised in time.
Following criticism of this position, which may disproportionately harm a whistleblower, the regulator issued an updated version of the guidance that now addresses several exemptions to the whistleblower identity disclosure requirement, including:
- The obligation can be postponed pursuant to Article 14(5)(b) where fulfilling it is likely to render impossible or seriously impair the achievement of the objectives of the data processing. Once disclosure can no longer compromise the investigation, the disclosure obligation must be fulfilled.
- The obligation shall not apply where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy (Article 14(5)(d)).
- Pursuant to Section 29(1), sentence 1, of the German Federal Data Protection Act, the obligation shall not apply insofar as meeting it would disclose information which by its nature must be kept secret, in particular because of the overriding legitimate interests of a third party.
Data Protection Impact Assessment (DPIA). Under Article 35(1), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller has the responsibility to carry out the DPIA. DPIAs are considered important tools for accountability, as they demonstrate that appropriate measures have been taken to ensure compliance with GDPR provisions.
Some of the national DPAs (for example, those of France and Germany) have specifically stated that whistleblowing facilities represent “high risk” processing and, therefore, require full DPIAs. At least for this requirement, we are likely to have identical treatment at Member State level.
How the EU-wide Whistleblowing Regulation May Help. On April 16, 2019, the European Parliament voted with an overwhelming majority in favor of the new EU rules to better protect whistleblowers who report breaches of EU law. The EU-wide Whistleblower Protection Directive was first proposed by the European Commission in April 2018. Among other benefits, its introduction is expected to provide important guidance on how to interpret certain GDPR requirements and address some of the difficulties mentioned above, including:
- Pursuant to Article 4, it would provide legitimate grounds for the data processing, with the basis for processing laid down by Union law (Article 6(3)(a) GDPR).
- Pursuant to Article 5, it would resolve the paradox of the right to be forgotten versus a legitimate interest to retain: the obligation to erase the personal data of an individual upon request will not apply when the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject (Article 17(3)(b) GDPR).
- The obligation to disclose the identity of a whistleblower to the individuals mentioned in the report may no longer be applicable – pursuant to Article 5, there will be a requirement under Union law to maintain a whistleblowing facility and to process the data in a confidential manner (Article 14(5)(c) GDPR).
Currently, only ten EU members – France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden, and the UK – have comprehensive whistleblower protection laws. The new rules will address the existing fragmentation of whistleblower protection. The directive’s interaction with GDPR, particularly in relation to data subject rights, may finally resolve most of the ambiguity and help to establish GDPR interpretations that are consistent across all Member States. The latter now have two years to transpose the Directive into national legislation, with a due date of May 15, 2021.
Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years’ experience as a compliance officer. She’s the founder of Studio Etica, a boutique consultancy that provides advice on corporate ethics and compliance programs to companies around the world. She speaks English, French, Italian, and Russian.