29.11.2023

Whistleblowing and data protection – frequently asked questions

The Act on the Protection of Persons Reporting Infringements of European Union and National Law, based on the EU Whistleblowing Directive and known as the Whistleblower Act, entered into force on 1 January this year. The Whistleblower Act obligates large and medium-sized enterprises as well as public sector actors to establish, within certain transitional periods, an internal reporting channel through which the personnel and certain other stakeholders, among others, can report suspected abusive practices. The transitional period for establishing a reporting channel will come to an end on 17 December 2023, which means it is high time to start implementing a channel or to ensure that the one already adopted fulfils the requirements of the Whistleblower Act.

The Whistleblower Act lays down some new requirements, for example with respect to the handling of reports, the protection of the reporting person and providing information about the reporting channel. In this blog, we will answer some typical data protection questions that have surfaced in organisations when establishing an internal reporting channel.

In addition to fulfilling the requirements of the Whistleblower Act, it is also important that the reporting channel is implemented and the reports handled in accordance with the data protection legislation. The requirements of data protection regulation must be complied with already when implementing the channel so that the reports and the personal data included therein can be handled legally in the first place. A reporting channel that meets data protection obligations along with proper privacy documentation are key tools for an organisation to demonstrate compliance.

What data protection matters should be kept in mind when establishing a reporting channel?

When planning the implementation of the reporting channel and the report handling process, the organisation must define the grounds and purposes for processing personal data. The purposes of use and the grounds for processing will vary based on whether the channel is intended for reports concerning only infringements in the scope of the Whistleblower Act or whether it will also be used for reporting other suspected abusive practices, such as employment relationship matters or breaches of the organisation’s internal guidelines. The purposes and grounds for processing must be included, for example in the records of processing activities, data mapping documentation or other similar internal data protection documentation.

All those subject to processing of personal data must be informed of the processing as required by law, and the data subjects’ legal rights under data protection legislation must be ensured. These obligations must be fulfilled not only for the reporting person but also for the person concerned and anyone who participates in the investigation. When planning the internal processes concerning the rights of the data subjects, it should be noted that the Whistleblower Act restricts these rights in some respects, for example by restricting the right to request access to one’s own personal data.

Organisations must also prepare a data protection impact assessment under data protection legislation before implementing a reporting channel. This assessment is a type of internal risk assessment in which the organisation must describe the processing of personal data within the context of the reporting channel, assess whether the processing is necessary and proportionate and, in particular, assess the risks caused by the processing and the necessary actions to mitigate these risks.

If the organisation falls under the scope of the Act on Co-operation, the processing of personal data within the context of the reporting channel must be handled with the personnel in a dialogue procedure under the Act on Co-operation before the implementation of the channel can be decided on. This dialogue also provides a good opportunity to discuss the data protection documentation of the reporting channel with the personnel.

Which data protection obligations apply to report handling?

The report handling process and the storage of related data must be organised in such a way that the access is restricted by means of technical and organisational safeguards to only the parties entitled to handle the reports. In addition to the reports, this applies to all data related to investigations, such as any internal emails and interview notes. The data storage locations and the measures to restrict access must be included in the data protection and data security documentation.

Pursuant to the Whistleblower Act, reports can, as a rule, only be handled by pre-designated persons who must be both impartial and independent. However, during the investigation it might become necessary to include other internal or external experts in the process. The Act makes this possible, as more handlers or external experts can be assigned to a report on a case-by-case basis.

Under the Whistleblower Act, the persons responsible for the handling of the report have an obligation to keep confidential the identity and any information that can directly or indirectly reveal the identity of the reporting person and the person concerned. This confidential information cannot be disclosed without the express consent of the person it concerns, unless the recipient is a party expressly specified in the Act, such as a competent authority. The reporting person must receive prior notification that their identity will be revealed, unless providing this notification would compromise the investigation of the report or the related pre-trial investigation or trial.

In practice, the sharing of data concerning reports must be restricted to a minimum, and the legal basis for data sharing must be ensured on a case-by-case basis. The report handling process and resources should be defined in a way that minimises the need to disclose reports and the related personal data to parties other than the pre-designated persons, the case-specific experts who participate in the investigation and the other recipients defined under the Whistleblower Act. Those in charge of handling the reports must have sufficient skills and the autonomy to investigate the matter independently. Insofar as possible, they should also have the authority to decide on the necessary follow-up. It is good practice to document the report handlers’ tasks and authority with respect to the investigation and follow-up in the handling process description.

Can a report be disclosed to the management?

The Whistleblower Act does not explicitly provide for the conditions under which reports can be disclosed to the management or board of directors, among others. As a general rule, the Act does not prevent disclosing anonymous information. The regular reporting on infringements should be done in an anonymous format. However, the requirements concerning confidentiality and report handling may limit the possibilities for disclosing information that may reveal the identity of the reporting person or the person concerned. Disclosing such information should be assessed on a case-by-case basis.

The Whistleblower Act does not prevent designating a person who is part of the organisation’s management as one of the persons responsible for handling reports, provided that the person can act independently and impartially. It is also possible for the person responsible for handling reports to refer the matter concerning a suspected infringement to a stakeholder in the organisation who is in charge of deciding on follow-up actions. In individual cases, this can make it possible to disclose the report to senior management if it is the management’s responsibility to decide on such actions.

For how long can reports be stored?

Personal data included in the reports and investigation data can be retained only as long as necessary for the purposes of use defined by the organisation. The retention periods of reports are based on the type of suspected infringement and the possible follow-up, for example. As the situations are varied, it is often impossible to set a clearly defined retention period that would apply to all reports.

A report under the Whistleblower Act must be deleted no later than five years after the report was received, unless its storage is necessary for the purposes of protecting legal rights or complying with legal obligations or for a trial. If the report concerns a suspected infringement unrelated to the Whistleblower Act, the retention period is determined on different grounds.

The retention periods and their criteria for reports and other investigation data must be defined as accurately as possible and included in the data protection documentation. Furthermore, organisations should adopt a practice in which any unnecessary personal data which clearly bears no significance to the handling of the report is removed when the report is received. Another good practice is to assess the retention need regularly during and after the investigation so that any unnecessary data can be deleted. The procedure for deleting unnecessary data should be assigned internally, for example to the persons responsible for the handling of reports.


For more information, read our previous blogs on whistleblowing channels:

It is advisable to start preparing a whistleblowing channel now

The new Whistleblower Protection Act is approved – here’s how to prepare for investigating reports
