Yes, GDPR has already changed the whistleblowing landscape
Wednesday, May 22, 2019 at 8:08AM
Vera Cherepanova in GDPR, data privacy

Last year just before the “big date” of May 25, I wrote a post trying to analyze GDPR provisions through the lens of the whistleblowing process. At that time there were many questions ranging from how the rules will apply to whistleblowing on a national level to how to balance individuals’ privacy rights against companies’ need to pursue investigations.

Ambiguity was there, and we hoped that after the GDPR enforcement date the national Data Protection Authorities or DPAs would issue guidelines on the best ways to implement whistleblowing procedures in compliance with the new legislation. It has been a year since that time -- let’s see how much clarity we got so far.

It’s worth noting up front that the German Data Protection Authority was the only national DPA to issue specific whistleblower-related guidance. Others either incorporated minor comments into the “mainstream” guidelines or so far didn’t address the issue in their communications.

Legitimate interest. As we have seen from the enforcement cases that I wrote about last week, having legitimate grounds for data processing is a crucial area for any sector and is particularly relevant in a whistleblowing context.

According to the German DPA guidance “On Whistleblowing Hotlines” the collection of personal data via a whistleblowing hotline is permissible if it relates to the following subject matters: fraud, internal accounting controls, auditing matters, corruption and bribery, banking and financial crimes, insider trading, human rights violations, environmental concerns, and alleged violation of the law against equal treatment. The regulator confirms that the data processing related to these violations is legitimate based on the Article 6 (1)(f) because the processing is necessary for the purposes of the legitimate interests pursued by the controller. Unfortunately, the regulator didn’t indicate whether these arguments could also be applied to other subject matters such as violations of data privacy law, anti-trust law, or harassment cases.

As we have seen from the Google case, ensuring transparency in the data processing is key, which is very relevant for whistleblowing facilities. Employees should be made aware of how their data will be processed at the point of contact. This clarity must be provided in the Code of Conduct, whistleblowing policy or other communications including training programs.

Rights of the data subject. The German DPA has taken a very particular approach to interpreting Article 14 relating to the personal data that have not been obtained from the data subject. Pursuant to the requirements of the Art. 14 (2)(f), the regulator deems that the identity of the whistleblower must be disclosed to the individuals mentioned in the report, and in particular to the alleged person. At the same time, the guidance further determines there is no statutory justification for the disclosure of a whistleblower’s name -- therefore, whistleblower’s consent will be required. 

As a result, a whistleblower has two options when submitting a report: 1) identify themselves and give consent at the point of contact to the company disclosing their identity to the alleged person; or 2) submit the report anonymously. The second option is strongly encouraged by the regulator, which interestingly reversed its position on anonymous reporting by 180 degrees.

In case a whistleblower decides to take the first option, they retain the right to withdraw the consent at any time pursuant to Article 7(3); however, given the one-month timescale of notification, this right is unlikely to be exercised in time.

Following the criticism of this position which may disproportionately harm a whistleblower, the regulator issued an updated version of the guidance now addressing several exemptions to the whistleblower identity disclosure requirement, including:

Data Protection Impact Assessment (DPIA).  Under Article 35(1), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller has the responsibility to carry out the DPIA. DPIAs are considered important tools for accountability, as they demonstrate that appropriate measures have been taken to ensure compliance with GDPR provisions.

Some of the national DPAs (for example, the ones of France and Germany) have specifically stated that whistleblowing facilities represent “high risk” processing and, therefore, require full DPIAs. At least for this requirement, we are likely to have an identical treatment on Member States level.

How the EU-wide Whistleblowing Regulation May Help. On April 16, 2019, the European Parliament voted with an overwhelming majority in favor of the new EU rules to better protect whistleblowers who report breaches of EU law. The EU-wide Whistleblower Protection Directive was first proposed by the European Commission in April 2018. Among other benefits, its introduction is expected to provide important guidance on how to interpret certain GDPR requirements and address some of the difficulties mentioned above, including:

Currently, only ten EU members -- France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden, and the UK -- have comprehensive whistleblower protection laws. The new regulation will address the existing fragmentation of whistleblower protection. The directive’s interaction with GDPR, particularly in relation to data subject rights, may finally resolve most of the ambiguity and help to establish GDPR definitions consistently across all Member States. The latter now have two years to transpose the Directive into national legislation, with a due date of May 15, 2021.

Vera Cherepanova, FCCA, CIA, MSc (pictured above), has more than 10 years' experience as a compliance officer. She's the founder of Studio Etica, a boutique consultancy that provides advice on corporate ethics and compliance programs to companies around the world. She speaks English, French, Italian, and Russian. She can be contacted here.

Article originally appeared on The FCPA Blog (