Vera Cherepanova: GDPR implications for the whistleblowing process
Thursday, May 3, 2018 at 7:28AM
Vera Cherepanova in GDPR, General Data Protection Regulation, Whistleblower

The EU’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is set to take effect on May 25, 2018. Although the Regulation was adopted nearly two years ago, in April 2016, analysts predict that by the end of 2018 more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

The stakes are high: a failure to comply can incur a fine of €20 million ($24.5 million) or 4 percent of annual revenues, whichever is higher.

From the standpoint of compliance and ethics programs, GDPR has an extensive impact on the whistleblowing process. Because of the new personal data handling requirements and the new rights given to individuals, compliance officers need to consider how best to meet the regulatory expectations. The general nature of GDPR provisions creates a degree of ambiguity and raises concerns about potential conflicts between personal data protection imperatives and whistleblowing mechanisms. In the absence of more specific guidance, I attempt here to analyze GDPR provisions through the lens of the whistleblowing process.

Article 4(1) defines personal data as any information relating to an identifiable natural person, or "data subject," who can be identified by a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It is clear from this extensive definition that the term will now apply to a wider range of situations.

Personal data can be part of the whistleblowing process in at least the following two ways:

Principles of data processing. Article 5 requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, whereas Article 6 further elaborates on the notion of ‘lawfulness’ and stipulates that any processing of personal data must have a legal basis, such as the data subject’s consent, the performance of a contract, compliance with a legal obligation or the purpose of a legitimate interest pursued by the controller.

Article 4(11), which defines consent, says that it must be given by a clear affirmative action of the data subject rather than merely implied. A way to address this requirement in the context of the whistleblowing process would be to advise all employees that their data may be processed when they use a hotline/whistleblowing service/system, and to request their consent before proceeding. At this stage, some other requirements can be addressed, such as:

However, under Article 7(3) the data subject has the right to withdraw his or her consent at any time. Once consent has been withdrawn, the data subject can request that the controller erase his or her personal data, thereby exercising "the right to be forgotten," as stipulated by Article 17(1)(b). While data controllers should be able to remove personal data from the reports, the investigation may be seriously hampered without this information.

Therefore, it is more advisable to address the lawfulness criterion of data processing by relying on one of the following conditions:

Rights of the data subject. Under Article 15, the data subject has the right to obtain confirmation of whether their personal data is being processed and, if so, to have access to the following information:

Clearly, it would be counter-productive to inform data subjects, upon their request, that they are the subject of an ongoing investigation. The last point also raises serious concerns, since hypothetically it may lead to the exposure of the whistleblower’s identity. The potential conflict may be resolved by applying the provisions outlined in Article 23, which allow each Member State to restrict, by national legislation, the scope of the right of access in order to safeguard the following:

Apart from the fact that national whistleblowing laws mostly provide for the confidentiality of the whistleblower’s identity, it could also be argued that the Article 29 Working Party, in its Guidelines on processing personal information within a whistleblowing procedure, recommends that: "Under no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower …except where the whistleblower maliciously makes a false statement. Otherwise, the whistleblower’s confidentiality should always be guaranteed."

Data protection impact assessment (DPIA). Under Article 35(1), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller is responsible for carrying out a DPIA. DPIAs are considered important tools for accountability, as they demonstrate that appropriate measures have been taken to ensure compliance with GDPR.

The Article 29 Working Party "Guidelines on data protection impact assessment" (revised in October 2017) outline nine criteria of personal data processing. Meeting at least two of them would require a DPIA to be carried out. Depending on the nature of the report and the circumstances of the alleged misconduct, the whistleblowing process may satisfy the following two criteria:

Once these criteria are met, the requirement to carry out a DPIA would apply to organizations that have implemented whistleblowing mechanisms.

GDPR is an important step towards a new generation of data regulations in the EU. Its implementation requires significant changes to data processing routines, the whistleblowing process being no exception. At this stage, it is clear that the Regulation puts whistleblowers in a stronger position regarding authority over their own data. At the same time, the new requirements create a degree of ambiguity. It is therefore desirable that in the coming months national data protection authorities issue guidelines on the best ways to implement whistleblowing procedures in compliance with GDPR.


Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years' experience as a compliance officer. She is currently a self-employed ethics and compliance consultant based in Milan, Italy. She speaks English, French, Italian, and Russian.

Article originally appeared on The FCPA Blog (