The Council of Europe announced through a press release on the 7th of October 2019 that it had formally adopted new rules for the protection of whistle-blowers. With the adoption of the “Whistle-blower Directive” across the EU, European private and public organisations have an obligation to make available safe channels for reporting concerns on subjects such as money laundering, data protection, protection of the Union’s financial interest, food and product safety, public health, environmental protection and nuclear safety. The new legislation will be signed and published in the Official journal within the next days. From then on, Member states will have a time frame of 2 years to transpose the directive into national law.

Under the Directive, companies with more than 50 employees are obligated to make effective and efficient reporting channels available to whistle-blowers. The Directive lays down common minimum standards for the protection of persons reporting breaches[1], including the application of data protection principles, security of networks and security of information systems[2].

The whistle-blower Directive has a direct implication on the protection of personal data, as the reporting is usually carried out by identified natural persons and often relates to actions or omissions committed by natural persons. Therefore, the parties involved in the whistleblowing reporting scheme, are considered data subjects as defined under article 4 of the General Data Protection Regulation.

The reporting activities carried out through whistle blowing systems are considered essential to the functioning and well being of the internal market and society as a whole[3].

What should the whistleblowing system contain according to the Directive?

  • The reporting channels available to whistle-blowers must have appropriate procedures for the processing of the reports in compliance with the GDPR in order to protect the personal data of the individuals within the report. These methods should focus on protecting the identity of all data subjects throughout the process[4].
  • When processing, exchanging or transmitting information for the purposes of whistle-blower channels, companies must ensure the implementation of the GDPR[5], in particular the principles contained within article 5 of such Regulation and Article 25, in reference to the principle of data protection by design and by default[6].

Special consideration should be taken to ensure the confidentiality of the data subjects involved as one of the main goals of the Directive is to introduce safeguards for the protection of whistle-blowers, their assisting colleagues and relatives, from any retaliation measures such as intimidation. The Directive emphasizes the duty of confidentiality that should be respected by all Members States[7].  Therefore, when attending to the technical and organizational measures in place for the channel, it shall be guaranteed that it’s designed, established and operated in a secure manner, safeguarding the identity of all data subjects involved in the reporting[8]. As long as these channels are available to individuals, they may pose a high risk to the rights and freedoms of data subjects, hence a Data Privacy Impact Assessment under Article 35 GDPR should be conducted, preferably prior to their implementation in order to ensure that the chosen reporting channel complies with the requirements of the GDPR.

 

[1] Article 2, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[2] Directive (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for high common level of security of network and information systems across the Union.

[3] Recital 14, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[4] Recital 76 and article 16, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[5] Article 17, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[6] Recital 83, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[7] Article 16, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).

[8] Article 9, of the DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of persons who report breaches of Union law (PE-CONS 78/19).