Skip to content

The Complete GDPR And Whistleblowing Data Protection Guide

Post Picture

The EU Whistleblowing Directive has to be transposed in national law by 17th December 2021. Organisations employing 250 staff members or more, as well as municipalities serving more than 10,000 citizens, have to implement internal whistleblowing reporting systems by that date. 

Implementing the system itself can be difficult but, when you add the fact that you also have to be mindful of GDPR, it becomes a true challenge. One of the biggest concerns to organisations is how they will protect all of the data they will collect and stay compliant with the data privacy regulations within the union. 

GDPR and whistleblowing go hand-in-hand. This article is here to help data protection officers and compliance teams do what they can do to prepare. 

We will go over the basics behind the General Data Protection Regulation (GDPR), the scope of the Whistleblowing Directive, the main data protection issues and the elements you need to instigate as part of your compliance strategy. 


1. What is GDPR in simple terms?

GDPR applies to your business if you:

  • are based in the European Union
  • do business within the European Economic Area (EEA)
  • collect, store, transfer or use personal information about EU citizens.

It is a legal framework that dictates how companies collect and store data, and is built on seven principles. These are: 

  • lawfulness, transparency and fairness
  • only use data for the exact purpose it was obtained
  • only collect the amount of data necessary
  • make sure the data collected is accurate
  • only store data in an identifiable form for as long as is needed for the purposes of the processing
  • ensure the security of the data you process
  • show that you have put processes in place to ensure all of the above. 

You must ensure you have consent to process and store someone’s personal data, and they have the right to access it at any time. Citizens can also request the erasure of their data by an organisation under the “Right to be Forgotten”. 

The fines for failing to comply are 4% of turnover or €20 million, whichever is the greater.


2. Scope of the EU Whistleblower Protection Directive

The Whistleblowing Directive is designed to prevent retaliation, discrimination and harassment against anyone who reports violations and breaches of EU law that they have uncovered as part of their employment. It also requires all businesses and public entities with 50 or more employees to implement confidential internal reporting channels for whistleblowers, as well as systems for following up on the reports and appropriate measures to protect the reporting person. 

The directive requires organisations to offer protection to the whistleblowers themselves, their family and any colleagues who have supported them and aided them in reporting. 

3. What are the main whistleblowing data protection issues?

When a whistleblower leaves a report, they will usually provide information that falls within the remit of GDPR. This personal data must be handled in a GDPR-compliant manner. These are some of the major whistleblowing data protection issues you should consider:

Issue Why this matters
Knowing how long to retain whistleblower records The GDPR data protection law requires companies to only hold data in an identifiable form for as long as is necessary. But, as each whistleblowing case has a different outcome and ends in a different resolution, this makes it more difficult to work out how long to retain the data. 

You must formulate a policy for when you consider a case to be closed and then put in place a timeframe following that in which to anonymise or destroy the data. 

For example, after an investigation, some cases may move on to legal action, whereas other cases come to nothing and do not progress further. You cannot close a case until the trial and any appeals have taken place, but you can close those that are not subject to prosecution and then destroy the data soon after. 

You should be aware that Article 17.3 of the GDPR does allow data retention as long as this is necessary to comply with a legal obligation.

Working with GDPR’s “Right to be Forgotten” If a reporting person requests to exercise their right to be forgotten, you must ensure that all data is anonymised or destroyed.

When you accept reports in written form, email or telephone channels, this requires you to track down all related information wherever it has been stored, which might prove difficult. 

That’s why it’s a good idea to keep everything organised in one place. With the help of a GDPR-compliant online whistleblowing system such as IntegrityLog, you can easily call up all recorded data and anonymise or destroy it in accordance with the law. 

Ensuring data quality You should only collect the data that is absolutely necessary to carry out your investigation, which means that you should design any questionnaires or submission forms to only ask for the details you truly need.

IntegrityLog, for example, allows you to take control over the data fields you request from the reporting person. This helps you stay compliant.  

Handling right of access Everyone has the right to access data that you hold about them and to request adjustments to incorrect or out-of-date information in a complaint. However, you should ensure that this does not infringe on someone else’s rights. For example, a person who has been accused of wrongdoing in a whistleblowing report should not be able to uncover the identity of the whistleblower by exercising their right of access. 

You should implement policies to maintain the whistleblower’s anonymity and the confidentiality of the information at all times, superseding the right of access.  

4. Whistleblowing and GDPR compliance strategy

4.1 Ensure lawfulness of data processing

With regard to the lawfulness of your processing data relating to whistleblowing reports, you can justify using one of two different reasons, as set out in the data protection directive:

  • You are doing so to comply with a legal obligation
  • You are pursuing a legitimate interest using the data.  

In most cases, your legal basis for data processing will fall under the first reason. When a whistleblower makes a report, you are obliged to investigate, which requires processing data. If the first reason does not apply, you would have to prove that you were processing data in the public interest, relating to national or EU law, to justify your actions under the second reason. 

4.2 Understand data subject rights 

A good practice for setting up your whistleblowing reporting channels for the processing of personal data is to inform all individuals in the organisation about the existence and workings of those channels, as well as the reasons behind setting them up. This could be an entry in the company handbook laying out the rights of the data subject, for example. 

You should make sure that your communications make clear that whistleblowers will face no punishments provided they make reports in good faith, and that their information will remain confidential throughout the process. You might also choose to reiterate this to the whistleblower following a report being made. 

You should tell individuals what their rights are in case they are involved in the whistleblowing process. This applies to both reporting persons and ‘persons concerned’, who are individuals named in a report and being accused of wrongdoing. 

In order to comply with GDPR, you should inform persons concerned about the fact you are processing their data. However, as this could hinder any investigation, you are allowed to delay disclosure until the high risk of obstructing the reporting process is diminished. Article 14.5(b) of GDPR offers an exemption in cases where disclosure is “likely to render impossible or seriously impair the achievement of the objectives of that processing.“ 

4.3 Take care of data security

You should put in place measures to keep the data secure from the outset. You are obliged to ensure it isn’t accidentally lost, unlawfully destroyed, subject to a data breach or accessed by or disclosed to unauthorised individuals. 

Although there are many different types of whistleblowing channels allowable under the Whistleblowing Directive, you should keep in mind that they offer varying levels of security. For example, using a postbox in an office makes it easy for people to be able to access and read the entries when no one is looking. Using a telephone whistleblowing hotline might require a call handler to take written notes that could fall into the wrong hands. 

A cloud-based online reporting system like IntegrityLog is the most secure method, as it is password-protected, and the data is encrypted both in transit and at rest.

4.4 Manage data sharing

The whistleblower directive requires you to designate an independent, competent individual or department to handle reports. It is also possible to contract third parties to carry out these tasks. But, in either case, you should set up organisational measures to minimise the chance of someone sharing confidential data with the wrong people.

Access should be given only to those who need to process the data in order to perform the investigation and to follow it up in the interests of privacy. 

The guidance allows you to share whistleblowing data with other entities in your group of businesses in EU member states and beyond, only if this is necessary to fully carry out the investigation. 

5. FAQs

5.1 Who qualifies as a whistleblower?

An employee who reports wrongdoing such as fraud, corruption and bribery in the workplace qualifies as a whistleblower. However, they do not have to be a full-time employee, but could also be a contractor, freelancer, volunteer, prospective employee, former employee, shareholder, supplier or any number of other connected people to an organisation.

6. Conclusion

There are a number of actions compliance officers need to take right now to comply with the rules connecting GDPR and whistleblowing. One way to make life easier and ensure compliance in your reporting channels is to use IntegrityLog.

This cloud-based online tool is designed to comply with GDPR in terms of how you process the data you receive when someone makes a report, ensuring the protection of whistleblowers. You can limit the information you accept to the bare essentials and avoid unauthorised access. Request a demo of IntegrityLog or request a 14-day free trial to find out more.

7. References and Further Reading

Share this post

Article Summary

Subscribe to our newsletter

Stay up to date with the latest news and products


Sign up for our newsletter

Stay up to date with the latest news and products

You have successfully subscribed!

This is your official confirmation. Thank you for joining ComplyLog Newsletter. While you wait for the next issue of ComplyLog, check out the latest articles and references.

Related articles

Post Picture

Whistleblowing And The New EU-US Data Transfer Agreement

The European Union and the United States agreed on the principle of the Privacy Shield in 2016, allowing personal data to flow freely from the EU to...
Read More
Post Picture

How To Choose An Internal Whistleblowing System

Whistleblowers are integral to stamping out corruption and other wrongdoing within businesses and public bodies. With a typical company losing 5% of...
Read More
Post Picture

Creating A Whistleblowing Policy: What, How And Why Now?

The EU Whistleblowing Directive will soon be transposed into national law and your business needs to be compliant. In order to fulfil the directive’s...
Read More
Post Picture

All About The EU Whistleblowing Directive (Summary + Key Points)

Directive (EU) 2019/1937 of the European Parliament, commonly known as the ‘EU whistleblowing directive’ requires member states to create laws to...
Read More
All articles