Whistleblowing and data protection – frequently asked questions
The Act on the Protection of Persons Reporting Infringements of European Union and National Law, based on the EU Whistleblowing Directive and known as the Whistleblower Act, entered into force on 1 January this year. The Whistleblower Act obligates large and medium-sized enterprises as well as public sector actors to establish, within certain transitional periods, an internal reporting channel through which the personnel and certain other stakeholders can report suspected abusive practices. The transitional period for establishing a reporting channel ends on 17 December 2023, so it is high time to start implementing a channel or to ensure that the one already adopted fulfils the requirements of the Whistleblower Act.
The Whistleblower Act lays down some new requirements, for example with respect to the handling of reports, the protection of the reporting person and providing information about the reporting channel. In this blog, we will answer some typical data protection questions that have surfaced in organisations when establishing an internal reporting channel.
In addition to fulfilling the requirements of the Whistleblower Act, it is also important that the reporting channel is implemented and the reports handled in accordance with data protection legislation. The requirements of data protection regulation must already be complied with when the channel is implemented, so that the reports and the personal data included in them can be handled lawfully in the first place. A reporting channel that meets data protection obligations, along with proper privacy documentation, is a key tool for an organisation to demonstrate compliance.
What data protection matters should be kept in mind when establishing a reporting channel?
When planning the implementation of the reporting channel and the report handling process, the organisation must define the grounds and purposes for processing personal data. The purposes of use and the grounds for processing will vary based on whether the channel is intended for reports concerning only infringements in the scope of the Whistleblower Act or whether it will also be used for reporting other suspected abusive practices, such as employment relationship matters or breaches of the organisation’s internal guidelines. The purposes and grounds for processing must be included, for example in the records of processing activities, data mapping documentation or other similar internal data protection documentation.
All data subjects whose personal data is processed must be informed of the processing as required by law, and the data subjects' legal rights under data protection legislation must be ensured. These obligations must be fulfilled not only for the reporting person but also for the person concerned and anyone who participates in the investigation. When planning the internal processes concerning the rights of the data subjects, it should be noted that the Whistleblower Act restricts these rights in some respects, for example by restricting the right to request access to one's own personal data.
Organisations must also prepare a data protection impact assessment under data protection legislation before implementing a reporting channel. This assessment is a type of internal risk assessment in which the organisation must describe the processing of personal data within the context of the reporting channel, assess whether the processing is necessary and proportionate and, in particular, assess the risks caused by the processing and the necessary actions to mitigate these risks.
If the organisation falls under the scope of the Act on Co-operation, the processing of personal data within the context of the reporting channel must be handled with the personnel in a dialogue procedure under the Act on Co-operation before the implementation of the channel can be decided on. This dialogue also provides a good opportunity to discuss the data protection documentation of the reporting channel with the personnel.
Which data protection obligations apply to report handling?
The report handling process and the storage of related data must be organised in such a way that access is restricted, by means of technical and organisational safeguards, to only the parties entitled to handle the reports. In addition to the reports themselves, this applies to all data related to investigations, such as any internal emails and interview notes. The data storage locations and the measures to restrict access must be included in the data protection and data security documentation.
Pursuant to the Whistleblower Act, reports can, as a rule, only be handled by pre-designated persons who must be both impartial and independent. However, during the investigation it might become necessary to include other internal or external experts in the process. The Act makes this possible, as more handlers or external experts can be assigned to a report on a case-by-case basis.
Under the Whistleblower Act, the persons responsible for the handling of the report have an obligation to keep confidential the identity and any information that can directly or indirectly reveal the identity of the reporting person and the person concerned. This confidential information cannot be disclosed without the express consent of the person it concerns, unless the recipient is a party expressly specified in the Act, such as a competent authority. The reporting person must receive prior notification that their identity will be revealed, unless providing this notification would compromise the investigation of the report or the related pre-trial investigation or trial.
In practice, the sharing of data concerning reports must be restricted to a minimum, and the legal basis for data sharing must be ensured on a case-by-case basis. The report handling process and resources should be defined in a way that minimises the need to disclose reports and the related personal data to parties other than the pre-designated persons, the case-specific experts who participate in the investigation and the other recipients defined under the Whistleblower Act. Those in charge of handling the reports must have sufficient skills and the autonomy to investigate the matter independently. Insofar as possible, they should also have the authority to decide on the necessary follow-up. It is good practice to document the report handlers' tasks and authority with respect to the investigation and follow-up in the handling process description.
Can a report be disclosed to the management?
The Whistleblower Act does not explicitly provide for the conditions under which reports can be disclosed to the management or board of directors, among others. As a general rule, the Act does not prevent disclosing anonymised information, and regular reporting on infringements to the management should be done in an anonymised format. However, the requirements concerning confidentiality and report handling may limit the possibilities for disclosing information that may reveal the identity of the reporting person or the person concerned. Disclosing such information should be assessed on a case-by-case basis.
The Whistleblower Act does not prevent designating a person who is part of the organisation’s management as one of the persons responsible for handling reports, provided that the person can act independently and impartially. It is also possible for the person responsible for handling reports to refer the matter concerning a suspected infringement to a stakeholder in the organisation who is in charge of deciding on follow-up actions. In individual cases, this can make it possible to disclose the report to senior management if it is the management’s responsibility to decide on such actions.
For how long can reports be stored?
Personal data included in the reports and investigation data can be retained only as long as necessary for the purposes of use defined by the organisation. The retention periods of reports are based on the type of suspected infringement and the possible follow-up, for example. As the situations are varied, it is often impossible to set a clearly defined retention period that would apply to all reports.
A report under the Whistleblower Act must be deleted no later than five years after the report was received, unless its storage is necessary for the purposes of protecting legal rights or complying with legal obligations or for a trial. If the report concerns a suspected infringement unrelated to the Whistleblower Act, the retention period is determined on different grounds.
The retention periods for reports and other investigation data, and the criteria on which they are based, must be defined as accurately as possible and included in the data protection documentation. Furthermore, organisations should adopt a practice in which any unnecessary personal data that clearly bears no significance to the handling of the report is removed when the report is received. Another good practice is to assess the retention need regularly during and after the investigation so that any unnecessary data can be deleted. Responsibility for deleting unnecessary data should be assigned internally, for example to the persons responsible for the handling of reports.
For more information, read our previous blogs on whistleblowing channels: