Whistleblowing procedure – how to ensure its compliance with the GDPR?

Systems for signaling irregularities (the so-called whistleblowing scheme), especially in the workplace, are a big challenge in ensuring the security of personal data processing. Prior to their implementation, it is necessary to ensure that the personal data of all participants in the proceedings are duly protected and their rights are respected.

Protection of personal data of a whistleblower
The signalman has the right to decide if he wants to reveal his identity when reporting the violation or he prefers to remain anonymous. His data should be particularly protected in this situation. Increasingly, employers use the help of dedicated systems, guaranteeing the protection of employees’ identity – whistleblowers, e.g. through the use of pseudoanonymisation. The basis for the processing of personal data of a whistleblower will be his consent in this case (Article 6 § 1 letter a of GDPR), which means that he will be able to exercise his right to withdraw it at any time. The employer should therefore prepare a system for reporting violations so that:
a) the whistleblower knows he has the right to decide whether he would disclose his personal details,
b) the whistleblower knows that he could change his mind and withdraw his consent to the processing of his personal data at any time,
c) the whistleblower was aware that withdrawal of consent does not affect the processing of data that took place during its validity – if he decides to withdraw his consent after a certain time, information about his data may already be transferred to the person to whom the report relates;
d) personal details of the whistleblower were protected against unauthorized access.

Limited period of personal data processing
The employer, as the data controller, should determine how long the personal data obtained in connection with the whistleblowing system will be processed and after that time it should be deleted. Since not every reporting of a breach leads to further action, a correspondingly shorter retention period should be introduced for those personal data that have been obtained as a result of the notification which does not lead to the initiation of the proceedings. Periods of data processing should of course be included in the information clause.

Obligation to inform the whistleblower and persons concerned by the proceedings
The employer is obliged to provide the whistleblower with full information on the processing of personal data (the so-called information clause) and as soon as possible after receiving the notification. The practical solution is to include the information clause in the content of the application form. It is not recommended in this case to limit to placing information on the employer’s website, e.g. in the form of a privacy policy. According to art. 14 (1) and (2) of the GDPR, the information obligation also applies to persons whose data will be obtained in connection with the notification of a violation of, for example, witnesses or a person who is accused of incorrect behavior. In some cases, due to the purpose of the proceedings, the full information obligation towards the persons concerned by the notification may be postponed.

Need to evaluate the effects of data processing (DPIA)
The Whistleblowing procedure was placed by the President of the Office for Data Protection in the list of processing activities for types of personal data processing operations requiring assessment of the effects of processing for their protection (DPIA). The employer should carry out an assessment of the effects of data processing prior to the implementation of the whistleblowing system. Based on the obtained results, it may be necessary to introduce additional data protections or procedures.