According to the Directive (EU) 2019/1937 of the European Parliament and of the Council, any person who reports a violation to which he or she was a direct or indirect witness is protected. Whistleblowers' data should be strictly secured against unauthorized persons. How is the Whistleblower protection law related to the GDPR?
Who is protected according to the new regulations?
Before the introduction of the Directive of the European Parliament and of the Council, persons who witnessed violations and then reported them were not legally protected to such an advanced degree against repercussions from, for example, colleagues or management. Retaliatory actions included demotion or outright loss of employment. Since each member state of the European Union has been obliged to create and implement national regulations regarding Whistleblowers, all individuals working in the private or public sector and meeting the provisions of the directive have become legally protected. The protection applies to:
- Current and former employees.
- People applying for employment.
- People who perform work under a civil law contract or under the supervision and direction of a contractor, subcontractor, or supplier.
- Entrepreneurs.
- Shareholders or partners.
- Members of the bodies of legal persons.
- Interns.
- Volunteers.
How does the GDPR affect the Whistleblower Directive?
Protecting Whistleblowers against retaliation means protecting the confidentiality of their identity. The processing, exchange, and transfer of personal data of persons reporting violations must be carried out in accordance with the GDPR and the DODO Directive (the Act of 14 December 2018 on the protection of personal data in connection with the prevention and combating of crime). Any data that is unrelated to a specific report should not be collected and, if collected, must be deleted immediately.
The new draft act on the protection of Whistleblowers stipulates that the personal data of Whistleblowers and other information needed to establish their identity shall not be disclosed unless the Whistleblowers have given their consent. The exceptions are when the employer, public authority, or central authority has received a notice and is working to verify its authenticity and take corrective action. Moreover, the personal data needed to process reports may be stored by the above-mentioned authorities for no longer than 5 years from the date of their receipt.
How can the employer protect the reporting data?
First of all, employers have to clear up any doubts employees may have about the whistleblowing process and inform them of the rules of whistleblowing. A system that certainly improves communication between the employer and employees is a Whistleblower system for handling tickets.
To protect the personal data of persons reporting irregularities, employers should introduce comprehensive organizational solutions. These include, among others:
- Authorizations. Only persons who have been authorized in writing to handle a specific report should have access to it. It is important that there are as few of them as possible and that they are obliged to maintain secrecy and respect the principles of protecting the confidentiality of Whistleblowers' identities.
- Regulations. Employers should create appropriate provisions that transparently and reliably describe all stages of handling reports so that all employees' doubts are dispelled. For this purpose, they may use the form of regulations or documentation of procedures.
- Data anonymization. This consists in modifying personal data in such a way that linking the information to a specific individual is impossible or would require prohibitively high financial cost.
According to the established provisions of the GDPR, employers covered by the Whistleblower Protection Directive should fulfill the information obligation towards both the person reporting the breach and the person concerned. There are several ways to notify the Whistleblower, one of which is, for example, to include the relevant information in a reply within the Whistleblower system. With regard to the person concerned by the reported breach, in accordance with the GDPR, the employer has 30 days from the moment of obtaining the data to provide the information.
To sum up, the employer should ensure the effective protection of the confidentiality of Whistleblowers' identities in accordance with both the guidelines of the European Union directive and the provisions of the GDPR.