
How to prepare for implementing the Whistleblower Protection Act from a GDPR perspective?
Like every new process introduced within an organization, the implementation of a whistleblower reporting system also requires verification to ensure that it meets the security standards set out in the GDPR.
In this article, we discuss how to prepare for the implementation of the Whistleblower Protection Act so as to ensure that this process is fully compliant with the GDPR and thereby protect whistleblowers' personal data.
The obligation to implement a whistleblower reporting system applies to employers for whom, as of 1 January or 1 July of a given year, at least 50 people perform paid work.
The provisions of the Whistleblower Protection Act enter into force on 25 September 2024.
Disclosure of a whistleblower's personal data
First and foremost, it should be emphasized that the provisions of the Whistleblower Protection Act expressly prohibit disclosing a whistleblower's identity.
Such data may be disclosed by the employer only with the whistleblower's consent.
A public authority or a court, on the other hand, may disclose a whistleblower's data to the person concerned by the report only where such disclosure is a necessary and proportionate obligation arising from the law in connection with ongoing proceedings.
One example of such an obligation is ensuring the right to a defense for the person concerned by the report.
Even in such a case, however, a public authority or a court must, as a rule, take additional measures to protect the whistleblower by first notifying the whistleblower of its intention and providing reasons for its decision.
Importantly, disclosing the data of a whistleblower, a person assisting a whistleblower, or a person connected with a whistleblower (for example, a spouse) in breach of the provisions of the Whistleblower Protection Act may result in negative consequences for the person making the disclosure, in the form of a fine, a restriction of liberty, or even imprisonment for up to one year.
Furthermore, when implementing a whistleblower reporting system, it is important to keep in mind the principle of data minimization, which means that the employer should collect only as much data as is actually necessary to receive the report or to take follow-up action.
Where data is collected that is not necessary to clarify the violation, it must be deleted within 14 days of the determination that it is irrelevant to the matter.
Who may receive and verify whistleblower reports
Only persons holding written authorization from the employer may be permitted to receive and verify internal reports and to take further steps.
It is important that these persons be required to keep confidential all information and personal data they obtain in connection with handling a whistleblower's report, including after their cooperation with the employer has ended.
Interestingly, the provisions of the Whistleblower Protection Act allow for the involvement of external entities in receiving reports from whistleblowers.
The Act does not, however, allow for this option when it comes to examining those reports.
This means that reports should be examined by persons within the employer's organizational structure.
If the employer decides to outsource the receipt of whistleblower reports to an external entity, it should remember the obligation to conclude a personal data processing agreement.
Data protection impact assessment for the processing of whistleblowers' data and updating the record of personal data processing activities
The processing of whistleblowers' personal data may entail a high risk to their rights and freedoms, which is why it is necessary to carry out a data protection impact assessment (DPIA) for this process.
This obligation also follows from the list of types of personal data processing operations requiring a data protection impact assessment published by the President of the Personal Data Protection Office.
A DPIA makes it possible to identify and minimize potential risks associated with the processing of the personal data of whistleblowers and of persons concerned by a report.
Carrying out a DPIA should include: a detailed description of the planned personal data processing process, that is, answering the questions of what personal data will be processed, for what period, for what purpose, and on what legal basis; an assessment of whether the processing operations are necessary and proportionate in relation to the data processing purposes chosen by the employer; an assessment of the risk to the rights or freedoms of whistleblowers and of persons concerned by reports; and an assessment of the planned remedial measures implemented to adequately safeguard the personal data processing operation.
The employer should also include the new data processing activity related to internal whistleblowing in its record of personal data processing activities.
In accordance with Articles 13 and 14 of the GDPR, the employer should inform the persons whose data it processes in connection with receiving a report of a legal violation about the rules governing the processing of their personal data.
However, given the need to protect the whistleblower's identity, the legislator has exempted the employer from the obligation to provide the source of the data to the person whose data it obtained from the whistleblower (for example, the offender).
By way of exception, the employer may provide the source of the data where the whistleblower is not subject to statutory protection because they deliberately reported a false violation, or where the whistleblower has expressly consented to the disclosure of their identity.
The information obligation should be fulfilled at the time the personal data is obtained, that is, with respect to the whistleblower at the time their report is received, and with respect to the person concerned by the report no later than within one month of obtaining the data.
Data retention period
The employer may store the personal data processed in connection with receiving a report of a legal violation or taking follow-up action, along with the documents related to that report, for a period of 3 years following the end of the calendar year in which the follow-up action was completed, or following the conclusion of proceedings initiated by that action.
In addition, where data is obtained that is irrelevant to the matter, the employer should delete it within 14 days of the determination that it is irrelevant.
Summary
When implementing a whistleblower reporting system, the employer should not overlook the obligation to ensure the security of the data obtained from the whistleblower.
Fulfilling this obligation is not only a sign that the employer complies with the GDPR but, above all, a key element in building a reporting system that is safe for whistleblowers and worthy of trust.
For this reason, implementing the Whistleblower Protection Act in line with the principles of the GDPR is essential for the effective functioning of a whistleblower reporting system.
If you need help or a consultation in the process of implementing a whistleblower reporting system, get in touch with us!
We will answer all your questions and point you toward concrete solutions!
Authors: Aleksandra Zomerska, Aleksandra Woźniak.

dotlaw is an AI-native law firm for technology companies. Specializations: AI Act, GDPR, MiCA, ISO 27001, IT contracts, M&A in tech.

