The Member States of the European Union must transpose Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the so-called whistleblowing directive) (hereinafter referred to as the “Directive“) by 17 December 2021. With regard to the above and to the proposed Czech bill on the protection of whistleblowers, which we have already discussed in more detail in our previous articles (here and here), the question also arises regarding the relationship between legislation on whistleblower protection, which will, on the Czech level, be represented mainly by the act on the protection of whistleblowers, and legislation on the protection of personal data, represented mainly by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) and Act No. 110/2019 Coll., on the processing of personal data.
The issue of whistleblowing is looked upon in different ways in connection with the protection of personal data. Is it a risk management tool for “GDPR compliance” of companies, or rather a separate process that itself must be GDPR compliant? Or is it a combination of both of these approaches? How will the issue of personal data protection and the notification system interact in terms of whistleblower protection?
Whistleblowing, or the notification of infringements, in particular by workers, is the main subject of the adopted Directive. The Directive applies to persons working in both the public and private sectors who have obtained information about infringements of European Union law in the context of their relationship with an employer or other superior body.
The so-called whistleblowers should be entitled to protection under the Directive if (i) they had legitimate grounds for notification under the Directive, (ii) the case fell within the scope of the Directive and (iii) they were of the opinion that the information was true at the time of notification. Workers may submit notifications internally in accordance with Article 7 and externally in accordance with Article 10 of the Directive or make the information available directly externally or publicly in accordance with Article 15 of the Directive.
Member States are expressly permitted by the Directive to introduce or maintain provisions of national law which are more favorable to the rights of whistleblowers than those contained in the Directive.
On the Czech legislative level, a bill on the protection of whistleblowers is currently in the legislative process (it should be noted that it was proposed before the adoption of the Directive), which expands the scope of the Directive, especially as regards the subject of protected interests, i.e. the extent of areas in which the notifiers may make notifications in protected mode.
Whistleblowing and personal data protection
In general, it can be said that the legal regulation in the field of whistleblowing in the Czech Republic is currently insufficient. It is therefore de facto a new area of law, and mainly due to this fact conflicts may arise in the future between the protection of the personal data of the whistleblower (notifier) and possibly of the accused natural person and their rights and obligations under the regulation of whistleblowing.
In connection with the notification process, the processing of personal data can generally be looked upon in two ways. The first case is the processing of the personal data of the whistleblower submitting the notification (if this has not been done anonymously). In the second case, we can talk about the personal data of third parties – natural persons, which will appear in the notification submitted by the whistleblower (notifier).
It should be noted that we only talk about personal data if they relate to a natural person – an individual who can be identified by them.
We do not talk about the processing of personal data, among other things, in the case where personal data is handled by a natural person – an individual – for their own use (usually a whistleblower).
It can therefore generally be concluded that it will be the respective organizations (employers and institutions) whose workers will submit a notification of infringement under the whistleblowing rules to them, who will in that moment become the recipients and controllers of the personal data of natural persons identified in such notification. In our opinion, the standard rules of personal data protection will apply to these organizations within this new “process” of personal data processing – receipt, processing and resolving of the received notification of alleged violation of legal regulations according to whistleblowing rules.
Personal data of the whistleblower
As part of the notification process, the whistleblower has two options when submitting a notification:
- make a notification on their behalf, or
- submit the report anonymously.
In the case of filing of a notification on ones own behalf, it is first of all important to remember the basic principles of personal data protection and the related obligations of the recipient of the notification, i.e. the controller of personal data, as the personal data of the notifier is being processed in this case.
Here we mean in particular:
- legality, fairness, transparency – it is necessary to determine at least one legal reason for processing and make it transparent to the notifier (data subject) – it is essential here to inform the notifier (data subject) about all decisive facts of personal data processing (information obligation when submitting the notification);
- purpose limitation – personal data must be collected only for specified and legitimate purposes and must not be processed in a way incompatible with those purposes;
- data minimization – the personal data obtained must be proportionate and relevant in relation to the purpose for which they are processed – the internal systems must be set up in such a way that the notifier enters only the really necessary data about himself;
- accuracy – personal data must be accurate – a simple and secure procedure for verifying the identity of the notifier must be put in place – g. confirmation e-mail, unique code and password, etc.;
- storage restrictions – personal data should be stored in a form which allows identification of data subjects for period that is necessary for the purposes for which they are processed – determination of the standard time since the notification is resolved;
- integrity and confidentiality – technical and organizational security of personal data needs to be put in place – in the case of whistleblowing, this issue is even more important and absolutely crucial.
In the case of anonymous submission, personal data should not be processed in any part of the process. All internal notification systems should be set up in such a way that not even the administrator (even external) of these systems is able to determine who entered the notification into the system.
According to the bill, the provision of information on the identity of the notifier to third parties should only be possible with the written consent of the notifier, even if the notifier has not requested for his identity to remain confidential.
Personal data of persons identified in the notification
As part of the notification process, the notifier may identify an indeterminable circle of persons, to varying degrees of detail and scope of data.
In this case, the notification should be approached in such a way that most respects, as far as practicable, the principles of personal data protection, in particular transparency (general information documents and memoranda), strict purpose limitation, data accuracy and post-verification corrections, integrity and confidentiality, although other non-listed principles must be taken into account.
Comprehensive documentation and process
The above-mentioned principles of personal data protection and in general all obligations arising from the GDPR should already be implemented and observed by organizations within the general rules of personal data, which should also include procedures for introducing new personal data processing processes in an organization (risk analysis, DPIA, privacy by design and privacy by default).
In relation to whistleblowing processes emphasis should, in our opinion, be placed on raising awareness, informing of potential whistleblowers in an organization and ensuring the integrity and confidentiality of the entire process.
To this end, organizations will usually use a comprehensive system of documentation (general guidelines and memoranda, information documents, documentation facilitating the exercise of rights, etc.), tools (notification interface or software with security and discretion guarantee) and activities (training, inspections, process reviews, etc.).
If the processing of personal data could result in a high risk of endangering the rights and freedoms of natural persons, according to the Directive, the controller (organization or recipient of the notification) is obliged to carry out a personal data protection impact assessment (DPIA).
Some national authorities in European countries have directly defined the cases in which high-risk processing is involved and therefore need a full DPIA – in which case the information must meet two criteria:
- sensitive data or data of a highly personal nature, which include data relating to convictions for misdemeanors or criminal offenses, and
- data on vulnerable data subjects – this refers to situations where data subjects cannot easily consent to or oppose the processing of their data or exercise their rights, including workers.
The elaboration of DPIA can be recommended especially for larger organizations or organizations operating in industry sectors with higher requirements for security, integrity and continuity of activities (especially critical infrastructure, state authorities, banks, etc.).
Rights of the whistleblowers
The person who reports the infringement has the right to protection, which consists in particular in the fact that the identity of the notifier is not disclosed to anyone without his express consent, with the exception of authorized staff responsible for receiving notifications or follow-up. The same applies to any other information from which the identity of the notifier could be deduced directly or indirectly.
However, an exception may be made in so far as this is a necessary and proportionate obligation under Union or national law in connection with an investigation or legal proceeding conducted by national authorities, including the preservation of the rights of defense of the person concerned. In this case, however, the person must be informed of the disclosure of his / her identity before he or she occurs, unless such information would jeopardize the related investigation or legal proceedings. When notifying notifiers, the competent authorities must provide a written justification explaining the reasons for the disclosure of the confidential information concerned.
When transposing, Member States shall ensure that competent authorities receiving information on infringements which contain business secrets do not use or disclose such business secrets for purposes other than those necessary for appropriate follow-up.
Protection will also consist in the prohibition of retaliation, the implementation of which is the responsibility of the Member States. These include, for example, temporary dismissal or equivalent measures, transfer to a lower position or non-promotion, coercion, intimidation or harassment, etc.
Closely related to the above is the personal data protection and privacy of whistleblowers, which must be maintained throughout and after the notification investigation.
Scope and processing time
In preparation for the forthcoming legal regulation of whistleblowing in our country, and thus the transposition of the new Directive, it is necessary to define reasonable retention periods for personal data processed in the notification, depending on the nature and procedure of processing each case.
Personal data that are not relevant to the processing process should not be further processed and should be destroyed.
If the initial assessment concludes that the case does not fall within the scope of whistleblowers, personal data should be deleted immediately, and the notification kept only in anonymised or pseudonymized form for record purposes. Personal data should be deleted without delay, usually within two months of the completion of the preliminary assessment.
However, in certain cases, the retention period for personal data and all other data related to whistleblowing reports may vary, depending on the complexity of the investigation. As the specified retention period is not always applicable, notifiers should be advised that their data will be retained until the case is closed and the notification resolved, and guidelines should be established with regard to the evolution of each notification, as indicated above.
Whistleblowing remains an important area in the protection of personal data, where the protection of personal data increases the principle of confidentiality, which is crucial for a reliable mechanism of whistleblowing. It should be noted that the legal regulation of whistleblowing in the Czech Republic is currently insufficient due to the novelty of the legal area as such. Due to the lack of legal regulation, it would be appropriate for whistleblowing to be more appropriately enshrined in the light of GDPR, or for the interplay of the two areas of law to be clarified.
Before personal data protection legislation responds to issues related to whistleblowing or vice versa, we recommend that, in the light of personal data protection, whistleblowers make their notifications anonymously. At the same time, we point out that this step may make it more difficult to investigate the violation of European Union law itself in the context of their relationship with the employer or another superior body.
We will keep you informed about the upcoming legislative development in the Czech Republic in the field of whistleblowing.
If you have any questions about this topic, we are at your disposal.
Tereza Pšenčíková, LL.B., LL.M., lawyer– email@example.com
Mgr. Jakub Málek, partner – firstname.lastname@example.org
30. 09. 2020