Whistleblowing and GDPR: New data protection rules from 25 September 2024
On 25 September 2024, the law on the protection of whistleblowers came into force in Poland. This regulation affects many aspects of business, an important one being data protection.
Let’s see what impact the whistleblower protection rules introduced by this law have on data protection rules. Details of the whistleblowing act in general are described HERE and HERE.
Anonymity of Whistleblowers: How to ensure effective data protection?
In certain cases, depending on how the entity implementing whistleblower protection designs its solutions, anonymous submissions can be made. In such a situation, a fully anonymous means of contact shall be made available to the whistleblower.
Confidentiality of Whistleblower Data: Key Regulations You Need to Know
The basic principle provided by the law is the secrecy of the whistleblower’s personal data. Disclosure of such data is only permissible under specific circumstances, such as with the whistleblower’s consent.
The law regulates exceptions to the information clauses given to data subjects (such as individuals mentioned in a whistleblower’s report). Specifically, the source of the personal data should not be disclosed, to ensure the whistleblower’s protection. Such a measure enables real whistleblower protection. Similarly, the ability of data subjects to enforce their rights regarding the origin of their personal data (from a whistleblower) has been limited.
In addition, a whistleblower’s notification or public disclosure will not give rise to liability for a breach of the GDPR. This is a key protection guarantee.
The law also regulates data retention periods in detail. It likewise emphasizes confidentiality and authorization to process data.
Outsourcing whistleblower notifications: how to ensure GDPR compliance and avoid risks?
When outsourcing the processing of whistleblowing notifications, it is essential to keep in mind the principles of entrustment of personal data processing.
Implementing whistleblowing solutions shall also entail reviewing and completing internal GDPR documentation, such as registers, risk analyses, and authorizations to process personal data.