For companies, internal misconduct and especially criminality within their own organisation can have threatening consequences. To counter this risk, more and more companies are enabling their employees to report the misconduct of colleagues via a specific channel (anonymously).
However, setting up such a whistleblower system raises various data protection issues. Under what circumstances can employers establish and operate a whistleblower system and at the same time comply with the requirements of the General Data Protection Regulation (GDPR)?
Data protection in whistleblowing in the company
Whistleblowing systems are intended to complement the regular information and reporting channels within a company – such as the works council, quality control or internal auditors who are specifically designated to identify and report any grievances that arise. Whistleblower systems are primarily used for anonymous reporting when employees fear consequences. The EU Whistleblower Directive therefore prescribes reporting channels for companies with 50 or more employees that ensure appropriate protection for the whistleblower.
Whatever form such a whistleblower system takes, the reporting of breaches of conduct involves the processing of personal data. Data subjects can be the whistleblowers (in the case of non-anonymous reporting), but above all, the accused employees.
When assessing the admissibility of reporting procedures under data protection law using a whistleblower system, companies must take into account some provisions of the GDPR:
Necessity of the whistleblower system
The implementation of the EU Whistleblower Directive into national law creates a legal obligation to establish a whistleblower system in EU Member States.
If there is no legal obligation for companies to set up a reporting system, the planning and introduction of a whistleblowing system must be based on the principle of necessity under data protection law. Those responsible must try to realistically assess the extent to which the company is exposed to certain dangers due to internal grievances or even criminal activities. If such cases repeatedly occur in the company due to internal perpetrators, a whistleblowing system may provide additional useful information.
Lawfulness of data processing
As a general rule, the processing of personal data requires permission under data protection law. This also applies when personal data is processed in the context of the whistleblowing procedure.
Since consent in an employee relationship is often associated with problems due to the lack of voluntariness, the company’s legitimate interest in clarifying and preventing certain grievances in the company is recommended as a legal basis. If the data protection principles described in more detail here are observed when setting up and operating the whistleblower system, it will usually be possible to assume that the interests of the company prevail when weighing the interests of the accused employee and those of the company.
A legal obligation to set up a whistleblower system can also be considered as a legal basis. This currently arises, for example, for the banking sector in Germany from section 25a (1) sentence 6 no. 3 of the German Banking Act (KWG). There are also legal obligations to establish strengthened control mechanisms in connection with the fight against corruption. The EU Whistleblower Directive has been implemented into German law, and a legal obligation has arisen for all companies with 50 or more employees (see our article on the Whistleblower Protection Act).
Collective agreements such as collective bargaining agreements and works council agreements can also be the basis for the processing of personal data in the employment relationship. However, the provisions of the GDPR must also be observed when drafting such agreements.
Principle of data economy and data minimisation
Additional information that is not relevant to the described purpose of the whistleblower system must not be stored. Storage periods must also be defined for the personal data collected in connection with the procedure, and it must be ensured that they are strictly adhered to. Finally, personal data must be deleted as soon as its intended purpose has been fulfilled.
Transparency 1: general information for employees about the procedure
Employees should be made aware (e.g. in an appropriate policy) of the following points:
- The need for the procedure: What cases of criminal activity have occurred in the past? What does this mean for the company (i.e. what risks or damage, if any, have occurred)?
- The scope of application: Which cases are to be covered by the procedure and which are not? Explain as precisely as possible the different groups of criminal offences that are to be contained: What impact does industrial espionage have on the company? What forms of fraud or financial crime pose a risk to the company?
- The procedure itself: How exactly does the procedure work? What happens to the data collected in the process? How is the data adequately protected? How can abuse of the procedure be avoided? What possibility does a data subject have to comment on allegations? What are the consequences of reporting? Who is to be involved in the procedure?
Transparency 2: specific information for the persons involved in a particular procedure
In addition, Art. 13 and 14 of the GDPR require that certain information be provided on the handling of personal data. This must also be adequately taken into account when informing the data subjects about the whistleblower system.
- Insofar as an anonymous whistleblower system is introduced, the obligation to inform the whistleblower pursuant to Art. 13 of the GDPR does not apply, as no personal data of the whistleblower is processed.
- Otherwise, the whistleblower must be comprehensively informed about the points contained in Art. 13 GDPR (e.g. controller, purpose of the processing and possible recipients of the data).
- According to Art. 14 GDPR, the accused must always be informed – the processing of their personal data is precisely the core of the procedure. The accused must be informed at the latest one month after receipt of the data – this does not apply, however, if the information could jeopardise the clarification of the reported offence. In this case, the information can be postponed until the investigation has been completed.
Attention: The information must be provided in a “clear, transparent, comprehensible and easily accessible form in plain and simple language”.
Further data protection aspects
Furthermore, you should consider the following points when operating a whistleblower system within the company:
- The data protection officer should be involved in the planning and implementation of the system at an early stage.
- The data protection officer should also check whether a data protection impact assessment (DPIA) is necessary for the introduction of the system and, if so, carry it out in a documented manner.
- If the whistleblowing procedure is carried out as part of commissioned data processing via an external service provider, a data processing agreement (DPA) is necessary. You should note that if you have sensitive data processed by an external service provider, you yourself remain responsible for the protection of this data. You are then also obliged to check that the contractor complies with the legal requirements for data protection. A different rule applies only if the service provider itself is subject to a legal confidentiality obligation (such as a lawyer).
Data security in corporate whistleblowing
When setting up a whistleblower system, it must be ensured that the procedure meets the requirements of the GDPR in terms of data security. The corresponding technical and organisational measures should be documented, and it must be ensured that the employees are aware of these measures and also observe them.
- Technical measures include, for example, ensuring reliable protection of the stored data against unauthorised access by means of pseudonymisation or encryption of the data.
- From an organisational point of view, it is recommended to have rules on the allocation of rights as well as on the timely complete deletion of data, which in turn should be technically monitored and/or enforced.
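One way to enforce these measures technically, together with the one-month information deadline for the accused described earlier, is sketched below as an added example that is not part of the original article. The record fields, the 60-day retention period after case closure, the 30-day approximation of "one month" and the sample cases are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_AFTER_CLOSURE = timedelta(days=60)  # assumed policy value, set your own
NOTIFY_DEADLINE = timedelta(days=30)          # "one month", approximated (assumption)
KEY = b"constructed-demo-key"  # in practice: from a secrets store, kept apart from case data

def pseudonymise(employee_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable per person, not reversible without the key."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class Report:
    case_id: str
    accused_pseudonym: str
    received: date
    closed: Optional[date] = None
    accused_informed: Optional[date] = None
    notice_postponed: bool = False  # informing would jeopardise the investigation

def review(reports, today):
    """Return (kept reports, purged case ids, case ids with overdue notice)."""
    kept, purged, overdue = [], [], []
    for r in reports:
        # Purpose fulfilled and storage period expired: the record is dropped.
        if r.closed and today >= r.closed + RETENTION_AFTER_CLOSURE:
            purged.append(r.case_id)
            continue
        kept.append(r)
        if r.accused_informed is not None:
            continue
        if r.notice_postponed:
            # Postponement only lasts until the investigation is completed.
            if r.closed is not None:
                overdue.append(r.case_id)
        elif today > r.received + NOTIFY_DEADLINE:
            overdue.append(r.case_id)
    return kept, purged, overdue

# Constructed sample cases, not real data.
TODAY = date(2024, 5, 1)
SAMPLE = [
    Report("C-1", pseudonymise("emp-1001", KEY), date(2024, 1, 10),
           closed=date(2024, 2, 1), accused_informed=date(2024, 1, 20)),
    Report("C-2", pseudonymise("emp-1002", KEY), date(2024, 3, 1)),
    Report("C-3", pseudonymise("emp-1003", KEY), date(2024, 3, 1), notice_postponed=True),
    Report("C-4", pseudonymise("emp-1002", KEY), date(2024, 4, 20)),
]
```

Because the pseudonym is keyed, cases C-2 and C-4 can be linked to the same person without storing the employee ID, and access to the key can be restricted to the few people entitled to re-identify.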
Conclusion: Data protection in whistleblowing is not witchcraft
Overall, whistleblower systems in companies are subject to data protection requirements comparable to those for other processing of employees' personal data. Companies that already work in a GDPR-compliant manner should have no problems setting up and operating a whistleblower system.