Whistleblowers are individuals who disclose irregularities, abuses, or illegal activities within public institutions or private companies. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR) imposes a number of key obligations intended to ensure that whistleblowers are appropriately protected and encouraged to act in the interests of all organizations.

First, it should be noted that the controller of the personal data provided by a whistleblower is the entity that received the report in question. Upon receipt of the information, the organization has the right to process such data to the extent necessary to accept the report and take any required follow-up action. The data is retained for a period of fifteen months from the completion of the follow-up action or from the submission of the report to a public authority. If the data is to be processed by a third party, a data processing agreement is required, in accordance with Article 28 of the GDPR.

The most important obligation imposed by the GDPR is to create a safe and trusted work environment for whistleblowers. This means putting in place appropriate procedures and security measures within the organization that enable these individuals to report irregularities safely and that prevent any form of retaliation or harassment by colleagues. Proper protection of personal data is therefore necessary to prevent unauthorized parties from establishing the whistleblower's identity. Such disclosure is only possible in the situations specified in the GDPR, i.e., with the whistleblower's express consent, and where it is a necessary and proportionate legal obligation in connection with explanatory or judicial proceedings conducted by public authorities or courts. The whistleblower must be informed of any such disclosure. Another important aspect is the obligation to notify the supervisory authority, i.e., the President of the Personal Data Protection Office, of a personal data breach disclosed by the whistleblower. Such notification should be made within 72 hours of detection, so that the authority can take appropriate action. Furthermore, an internal investigation is necessary to clarify the irregularities and to take corrective action if a violation is identified. Whistleblowers in every organization should also be aware of their rights, which is why training and further education on the GDPR are essential.

Thanks to the GDPR, whistleblowers' actions are protected, which facilitates the detection of irregularities and the taking of effective remedial action. It is therefore essential that organizations respect the provisions of the Regulation and provide an appropriate work environment and support for whistleblowers.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of February 14, 2024.
