The goal of the EU Whistleblower Directive is to ensure that procedures provide safe channels for personnel or other informants to report serious wrongdoing such as fraud or corruption. Processing personal data during this procedure is inevitable, e.g. information relating to those accused of wrongdoing, informants and other individuals such as witnesses.
The purpose of the whistleblowing scheme is to detect and expose fraud, bribery, theft, and other acts of wrongdoing in the workplace. Confidentiality is important in order to encourage individuals to report their concerns without fear of retaliation, e.g. in the form of firing or harassment. Although the EU Whistleblower Directive (2019/1937) concentrates profoundly on safeguarding whistleblowers, there are also other stakeholders to be acknowledged, especially in relation to the processing of personal data. There are a few specific rules on the processing of personal information, but for the most part the EU Whistleblower Directive simply refers to the General Data Protection Regulation (“GDPR”).
Why are data protection rules important in the context of whistleblowing schemes? The personal data in a report can relate to whistleblowers, accused persons, persons under investigation, witnesses or other individuals. All these stakeholders can be affected. Unauthorized disclosures or leaks may have adverse consequences for all the individuals in question. Documents may contain names, contact details, data relating to individuals’ activities, such as working relations and economic or social behaviour, or other information that can result in indirect identification. Depending on the report, it can also contain information clearly not relevant to the allegations, such as health data. The processing involves sensitive personal information, i.e. criminal offences or related data. From the accused persons’ perspective, there is a risk of stigmatization and victimization even before they are aware that they have been incriminated or before the facts are investigated. There is also the possibility of false statements, sometimes even made maliciously. The data protection rules and principles exist to protect individuals’ rights, but they are also there to help create reliable and secure whistleblowing schemes.
Accountability applies to all operations that process personal information, including whistleblowing schemes. This means that you need to be prepared to demonstrate that the organization respects its data protection obligations. When preparing and planning to establish a whistleblowing channel for the organization, it is worthwhile to pay attention to the issues outlined above and to ensure that the procedure and the life cycle of personal data are designed from collection to deletion.
EU Member States are required to implement the EU Whistleblower Directive into their national laws. Once the national laws are in place, we will have an overall understanding of the rules that must be applied to these schemes. At some point it is most likely that we will have revised guidance from the European Data Protection Board (“EDPB”) and supervisory authorities. In the meantime, the opinion on whistleblowing schemes adopted by the Article 29 Data Protection Working Party in 2006 is worth reading.