The whistleblower legislation allows whistleblowers to report breaches in numerous areas through internal or external reporting channels, and protects them against possible retaliation. For more information about the concrete obligations, please refer to our blog about the Whistleblower Policy. The legislation not only requires organizations to take additional measures, but also has consequences for their compliance with the GDPR.
The General Data Protection Regulation (GDPR) applies in full to these new (albeit legally required) processing activities. The organizations that receive reports are considered to be controllers under the GDPR. Any processing of personal data under the Whistleblower Act, including the exchange or transfer of personal data, must therefore be carried out in accordance with the GDPR.
What do you have to take into account in practice?
- Assessing whether a data protection impact assessment (DPIA) is required, and carrying one out if so
- Updating the Records of Processing Activities
- Informing data subjects via the Privacy Statement or another document
- Specifying the procedure for exercising the rights of data subjects
- Specifying the data retention policy
- Taking appropriate technical and organizational security measures for the reporting channel
Reflections
Finally, keep in mind that whistleblowers can also report alleged GDPR violations through the whistleblowing policy, which may overlap with your existing data breach and/or incident procedure.
A report may also contain personal data of the whistleblower or of third parties (e.g. the persons the report concerns).
Would you like to know more about how we can help you comply with the GDPR in light of these requirements? Then take a look at our services page:
Or contact us via the link at the bottom of this page.