The Act on Protection of Reporting Persons (“the Act“), will come into force on 1 August 2023, and for obliged entities, this means, among other things, the obligation to introduce an effective internal reporting system by that date, while obliged entities employing between 50 and 250 employees on the effective date of the Act have a longer implementation period, until 15 December 2023.
The implementation of protection of reporting persons mechanisms poses several related challenges. One of the main ones is the need to ensure the protection of personal data following the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“).
The protection of reporting persons is a complex topic bringing several new institutes and processes, including the acceptance, assessment, and registration of reports under the Act – all while maintaining the confidentiality of the reporting person’s identification. It is in connection with the submission of a report, its assessment, and subsequent registration that the processing of personal data disclosed by the reporting person is necessarily involved.
This topic is the subject of this separate article, which is the next one in a series on the protection of reporting persons in the Czech Republic.
Personal Data of the Reporting Person
In the context of the protection of reporting persons, the data of the reporting person may be such personal data that the reporting person discloses to the obliged entity – the controller of personal data in connection with the submission of the report. In doing so, the personal data protection mechanisms must be trustworthy for the reporting person.
It should be noted that, according to the Act, providing information about the identity of the reporting person without his consent is an offence for which the designated person is liable to a fine of up to CZK 100,000, and if the reporting person is subjected to retaliatory measures because of the disclosure of his identity, the obliged entity is liable to a fine of up to CZK 1,000,000.
According to Article 4 of the GDPR, personal data is “any information relating to an identified or identifiable natural person”, i.e., in principle any data about a natural person from which the natural person can be identified. Personal data includes pseudonymised data which, although encrypted or otherwise modified to make it initially unidentifiable, can be used for retrospective identification. Logically anonymised personal data are not considered to be personal data.
The Act requires that the report be made in such a way that the reporting person identifies himself by providing his data when making the report.
Submitting reports anonymously the Act does not allow and does not grant protection to the reporting person of an anonymous report, but obliged entities may accept and handle such reports voluntarily.
It can therefore be concluded that the reporting person will, as a rule, disclose his data when submitting the report, at least to the extent provided for in Section 2(2) of the Act, i.e., name, surname, date of birth, and/or other data from which the identity of the reporting person can be inferred.
Principles of Personal data Processing
Even in the case of processing personal data in the context of the protection of reporting persons, it is necessary to comply with the basic principles of processing as defined by the GDPR, which are as follows:
(a) the principle of the lawfulness of the processing of personal data – it is always necessary to establish one of the seven legal grounds for the processing, transparently to the reporting person (most often the legal ground will be the fulfilment of a legal obligation and/or legitimate interest);
(b) the principle of data minimisation – the reporting person must not be compelled to disclose personal data that are not necessary to achieve the purpose of the processing, i.e., to verify the validity of the report;
(c) the legitimate purpose principle – personal data may only be processed to achieve a legitimate purpose, i.e., the submission of the report and its subsequent assessment and further processing;
(d) the principle of limited retention – the report must be retained designated person for 5 years from the date of receipt; and
(e) the principle of data security – a key principle that ensures confidence in the internal reporting system, whereby the right technical means and organisational measures must be chosen, together with appropriately set internal processes.
Personal Data of Other Persons
In addition to the personal data of the reporting person, the personal data of other persons will usually also be processed if the reporting person has indicated them in the report (e.g., the alleged perpetrator, victim, or witness) and they are affected by the report.
The reporting person may indicate different persons and different categories of personal data that will subsequently be processed by the designated person. To fulfil the purpose of the internal reporting system, it is necessary to respect the protection of the personal data of such persons as well, as regard the possible subsequent stigmatisation related to the leakage of their data.
Rights of Reporting and Affected Persons
Data subjects have rights under the GDPR in connection with the processing of their data – the right to information, the right to access personal data, the right to rectification, the right to erasure – the so-called right to be forgotten, the right to data portability, the right to object to the processing of personal data and others not listed here.
The proper exercise of these data subjects’ rights could in some cases impede the investigation of the reported breach and consequently the disclosure of the identity of the reporting person, so exceptions apply in these specific cases.
The fundamental right of the data subject is the right of access by the data subject (Article 15 GDPR) processed about him. The controller of the personal data (in the context of the protection of reporting persons, the obliged entity) must inform the data subject (in the context of protection of reporting persons, the reporting person and/or affected person) of the processing of the personal data and, where appropriate, ensure their transfer.
Given the nature of the data protection mechanisms and their purpose and intent, such a transfer could also give rise to liability for the offence, since the person affected and/or the alleged offender identified by the reporting person could learn the identity of the reporting person and thus prevent the effective resolution of the report. In the extreme case, retaliatory measures could be imposed, resulting in a fine.
Similar exceptions apply to other selected guaranteed rights, such as the right to erasure or the right to rectification of recorded data, as the alteration/erasure could destroy evidence and prevent an effective investigation of the report.
Logically, the right to direct information to data subjects about the processing of their data will also be limited and will have to be addressed generally together with information about the internal reporting system.
Position of the Designated Person
In addition to the introduction of the internal reporting system itself, obliged entities are required to appoint a designated person – a natural person who will process and evaluate the reports received.
To ensure compliance of the internal reporting system and procedures with the GDPR, it is necessary to consider the relationship with the designated person and to regulate the rules of personal data processing and data security within the contractual relationship with them.
Transfer of Personal Data (not only to the USA)
Many obliged entities will address the establishment of an internal reporting system through an online comprehensive solution, primarily in the form of a software solution or web application.
It is necessary to pay close attention to where the personal data collected is stored, i.e., where the provider of the solution, which will often be operated as a cloud service, stores all the data and information collected.
Although it is currently possible to transfer personal data to the US under the new legal framework recently adopted by the European Commission, it is generally recommended to store personal data and metadata in data centres in EU member states.
However, it is possible to transfer personal data to US companies that participate in the legal framework and are included in the list available on the website here, securely and virtually without restriction. On the other hand, non-registered companies are allowed to transfer based on standard contractual clauses, and no longer must examine the level of security of personal data, as has been the case to date. In addition to the technical measures, which are the storage of personal data in the data centres of EU member states, encryption of data in transit, and pseudonymisation, there should be an organisational measure, i.e., training and implementation of proper compliance documentation.
Implementation of GDPR Compliance
When implementing an internal reporting system, the obliged entity must necessarily bear in mind the principle and obligation set out in the GDPR referred to as Privacy by Design, which determines the obligation not to forget about the protection of personal data when introducing any new processing and to assess its fulfilment before starting the processing.
In general, then, the following topics need to be addressed:
- the fulfilment of the information obligation towards the reporting person and the data subjects concerned,
- the establishment of internal data protection rules and processes, including processing records,
- ensuring the technical security of personal data, or
- setting up relationships with the designated person and other service providers in the context of data protection.
Data protection is one of the pillars of protection of reporting persons, particularly because trust in the entire internal reporting system is key to its proper functioning, and if a reporting person believes that his identity may be disclosed, he is more likely to change his mind and turn to the external reporting system run by the Ministry of Justice.
Equally important is the transparency of the processing of personal data, by properly informing its employees of the possibility of making a report.
In view of the above, most of the obliged entities will not avoid the necessary modifications of internal documentation related to the processing of personal data.
PEYTON legal is at Your disposal in connection with data protection and protection of reporting persons issues, if necessary.
Mgr. Jakub Málek, managing partner – email@example.com
Mgr. Tomáš Maux, junior lawyer – firstname.lastname@example.org
Tereza Benešová, legal assistant – email@example.com
25. 7. 2023