Data protection in reporting channels
As we have commented in a previous post on the new EU Directive 2019/1937 in relation to whistleblowing channels, it is essential to protect whistleblowers so that they do not suffer retaliation from the organization if they report any infringement and, in this sense, the protection of the whistleblower’s data throughout the process is particularly relevant.
The fact that companies have a whistleblower channel adds value and transparency to them in the marketplace, and in many cases can prevent fraud and other crimes from being committed.
However, for this to happen, it is not enough to simply implement it; it is also necessary to guarantee its full effectiveness, and for this to happen, the organization must respect a series of basic principles of data protection, thus generating full confidence in potential whistleblowers, which will encourage them to disclose incorrect behavior because they feel safe. It is clear that privacy is a must, but how to implement a secure whistleblowing channel?
Keys to a secure whistleblowing channel
In order to respect the privacy of the parties involved in the complaint, it is an indispensable requirement to comply with the data protection principles regulated by the General Data Protection Regulation (GDPR).
First of all, one of the fundamental pillars for lawful data processing is to have a legitimate basis (art. 6 and 9 RGPD) that justifies the processing of personal data. According to the Spanish supervisory authority (Spanish Data Protection Agency), it is not necessary to obtain the consent of the data subject, since this would affect the effectiveness of the complaint, but it is necessary to have a contractual relationship with the organization (art. 6.1.b RGPD), which may be of a civil, labor or commercial nature, thus also making it possible to receive complaints from suppliers or customers. On the other hand, the Article 29 Working Group also defends the legitimate interest (art. 6.1.f) of the data controller as a basis for legitimacy, insofar as the latter has the right to know about irregularities committed within the organization and to establish measures for their prevention, as long as his interest does not harm the presumption of innocence of the accused.
The next step, once the principle of legality has been complied with, is to inform (art. 13 and 14 RGPD) the employees about the existence of the complaints channel. The European Data Protection Supervisor (EDPS) establishes that the information has to be provided in a general way, through the employment contract, or through informative circulars to the employees, but, it is also necessary to inform about the data processing to be carried out at the time the complaint is received; however, at this point it is necessary to take into account some limitations imposed by Regulation 2016/680, which allows restricting through legislative measures the data protection right of the complainant to avoid hindering the complaints and their follow-up.
We must not forget to comply with the principle of proportionality and limitation of the purpose of the information contained in the complaint, since only the processing of data related to the fraudulent acts, where there is an effective relationship between the company and the defendant, will be legitimate. On the other hand, the principle of purpose limitation implies that the information collected can only and exclusively be used for the intended purpose: the investigation of the reported facts.
On the other hand, for the protection of the whistleblower’s data, it is essential that the company has a series of technical and organizational measures by the data controller that help to preserve the security and confidentiality of the information, such as: limiting access to the data only to those persons entrusted with the management of the whistleblowing channel and the investigation of the event; implementing an access logging system; establishing a signature of reinforced confidentiality commitments with authorized users; carrying out impact assessments for this particular procedure and, above all, professionally training the competent personnel in charge of the channel on the regulations applicable to the data.
It should be noted that these measures must be especially taken into account in those cases where a third party company manages the complaints channel, since a transfer of data takes place which, in many cases, may be international, so those affected must be duly informed.
Another aspect to highlight is the period of retention and deletion of data. According to Art. 5.1.e of the GDPR, they shall be kept for the time strictly necessary to fulfill the purpose for which they were collected. The EDPS and the OWG29, state that different retention periods should apply depending on the case, but that, in any case, the information in the complaint should be deleted as quickly as possible, as it is sensitive data, and usually within two months from the end of the first assessment of the case.
Finally, it is necessary to guarantee the exercise of the rights of access, limitation, rectification, suppression and opposition of the denounced, without revealing the identity of the denouncer, but as in the previous case, these rights may also be restricted for a reasonable period of time for the protection of the investigation.
Data protection for bad faith whistleblowers
The new EU Directive 2019/1937 to which we referred at the beginning of this article mentions in its Article 6 the conditions of protection of whistleblowers, stating that “those who have reasonable grounds to believe that the reported infringement is truthful at the time of the complaint shall be protected”, therefore, it is conceivable that all those whistleblowers who report false facts, causing harm to another worker, will not be protected by the measures that we have stated above, so much so, that art. 23 of the same regulatory text establishes the imposition of “effective, proportionate and dissuasive” sanctions to those who report knowing the facts to be false, whose qualification shall be determined by each Member State, to those natural or legal persons, who:
- Prevent or attempt to prevent the reporting of complaints.
- Adopt retaliatory measures against persons protected by the Directive.
- Promote abusive procedures against persons protected by the Directive.
- Incompliance with the duty to maintain the confidentiality of the identity of the complainants.