Whistleblower's personal data and Directive 2019/1937
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law addresses the need to introduce and apply regulations on the protection of whistleblowers' personal data . There is no doubt that when whistleblowers report identified breaches, their personal data will be processed.
Therefore, in order to protect the reporting person from retaliatory actions and to ensure that the proceedings are conducted in accordance with applicable legal provisions, it has become necessary to regulate issues related to the appropriate protection of the whistleblower's personal data.
This is indicated in Recital 76, which " instructs EU Member States to ensure that their authorities have in place appropriate procedures aimed at protecting the processing of reports and the personal data of persons referred to in reports. Such procedures should ensure that (i) the identity of each reporting person, (ii) the persons concerned by the report, (iii) and third parties referred to in the report, such as witnesses or colleagues, is protected at all stages of the procedure ."
Protection of confidential data
One of the ways to protect the identity of a whistleblower, as provided for in the directive, is to keep confidential the data obtained as a result of the report .
An exception to the above rule, which is primarily indicated in the directive, is obtaining the whistleblower's consent to the disclosure of his or her personal data or other information that will allow the identity of the reporting person to be established .
This is in line with Article 16(1) of Directive 2019/1937, which states that " Member States shall ensure that the identity of the reporting person is not disclosed without that person's explicit consent [...] ".
It should therefore be stated that in the absence of the above consent, the personal data of the reporting person or other data enabling their identification should, as a rule, remain confidential.
Anonymous report
Despite the possibility for whistleblowers to make so-called anonymous reports, as provided for in the above-mentioned Directive, the final decision on their introduction into a given legal order depends on the national legislator.
In the case of the Republic of Poland, the draft law does not currently include the procedure for so-called "anonymous reports".
This means that in the event of an anonymous report (without providing personal data of the reporting person), the Act does not oblige the entity in question to verify the report and take appropriate action as a result (i.e. apply the rigors specified in the Act in question), but it does not exclude this .
Importantly, however, if personal data (or other identifying data) of a whistleblower making a so-called anonymous report were to be disclosed, resulting in retaliatory action being taken against the reporting person, the act referred to above should be applied.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of January 11, 2023
author:
