
Whistleblowing and GDPR: New data protection rules from 25 September 2024

On 25 September 2024, the law on the protection of whistleblowers came into force in Poland. This regulation affects many aspects of business, an important one being data protection.

Let’s see what impact the whistleblower protection rules introduced by this law have on data protection rules. Details of the whistleblowing act in general are described HERE and HERE.

Anonymity of Whistleblowers: How to ensure effective data protection?

In certain cases, depending on the solutions designed by the entity implementing whistleblower protection, anonymous submissions can be provided. In such a situation, fully anonymous contact shall be enabled for use by the whistleblower.

Confidentiality of Whistleblower Data: Key Regulations You Need to Know

The basic principle provided by the law is the secrecy of the whistleblower’s personal data. Disclosure of such data is only permissible under specific circumstances, such as with the whistleblower’s consent.

The act provides exceptions to the information clauses given to data subjects (such as individuals mentioned in a whistleblower’s report). Specifically, the source of the personal data should not be disclosed, to ensure the whistleblower’s protection. Such a measure enables real whistleblower protection. Similarly, the ability of data subjects to enforce their rights regarding the origin of their personal data (from a whistleblower) has been limited.

In addition, a whistleblower’s notification or public disclosure will not give rise to liability for a breach of the GDPR. This is a key protection guarantee.

The act also regulates data retention periods in detail. The issues of confidentiality and authorization to process data have also been emphasized in the law on the protection of whistleblowers.

Outsourcing whistleblower notifications: how to ensure GDPR compliance and avoid risks?

When outsourcing the processing of whistleblowing notifications, it is essential to remember the principles of entrusting personal data processing.

Implementing whistleblowing solutions shall also entail reviewing and completing internal GDPR documentation, such as registers, risk analyses, and authorizations to process personal data.

If you have any questions or need assistance, feel free to contact us. Our Law Firm will help you! We also encourage you to subscribe to our newsletter to stay updated with the latest legal news and important regulatory changes.

Author: Alicja Mruczkiewicz, team leader, DKP Legal