Work is underway on a bill implementing the EU’s Whistleblower Directive (2019/1937). It is not yet clear whether the directive will be implemented into Polish law on time (by 17 December 2021), but many companies are already drafting the necessary documents and organisational procedures.
It is clear that during the investigations conducted after irregularities are reported by whistleblowers, personal data will be processed: data of the whistleblower, witnesses, the subject of the report, and possibly other persons whose data are disclosed during the investigation. As a rule, the employer will be the controller of these data within the meaning of the General Data Protection Regulation ((EU) 2016/679), and will thus bear a number of related obligations. Among other things, the controller will have to implement appropriate technical and organisational measures to meet the requirements of the GDPR and to protect the rights of data subjects.
Data protection issues should be comprehensively analysed before launching a channel for reporting irregularities. To this end, the employer should resolve such issues as:
- Data retention—the bill provides that personal data processed in connection with submission of a whistleblower report must be stored no longer than 5 years after submission of the report
- Location for storing data
- Granting access to data
- Manner of ensuring confidentiality—according to the bill, “the personal data of the reporting person and other data enabling identification of the reporting person shall not be disclosed except at that person’s express consent”
- Manner of ensuring anonymity—if the company decides to allow anonymous reporting
- Possibility and manner of realisation of the rights of data subjects.
Employer’s data protection obligations
Below we mention some of the duties involving data protection related to implementation of a whistleblowing policy by employers. It should be remembered, however, that work on the bill is still continuing, which could affect the final form of the data protection obligations.
- Data protection impact assessment
According to the list issued by Poland’s data protection authority, the President of the Personal Data Protection Office, a whistleblowing system constitutes a processing operation requiring preparation of a data protection impact assessment, i.e. an analysis filed under Art. 35 GDPR containing such items as a description of the planned processing operation, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address the risks.
In practice, staff from various divisions within the organisation, such as HR and IT, should be involved in drafting the DPIA, so that the process can be structured efficiently and actual risks related to the process can be identified, such as risks of access to data.
The DPIA should be conducted at the initial stage of implementing the whistleblowing policy (before any personal data are processed). A “privacy by design” analysis can be part of the assessment, to address data protection issues at the phase of developing the whistleblowing policy.
- Informational obligations
Under Art. 13–14 GDPR, the employer will have to carry out informational obligations with respect to persons whose data are processed in connection with investigation of a whistleblower report.
In the case of the whistleblower, this duty should be performed at the time the report is made (e.g. in the reporting form).
In the case of other persons (witnesses or the subject of the report), the time when the informational obligation must be performed should be analysed in each case in light of the specific circumstances. In some instances, informing the person at an early stage of the proceeding could defeat the purpose of the investigation. The current form of the Polish bill does not exclude the necessity to carry out informational obligations with respect to the subject of the report. It only excludes the duty to inform the subject of the source of the data.
For greater transparency, information about the processing of personal data should also be expressly included in the whistleblowing policy.
When identifying the legal basis for processing of personal data in the informational clause, it should be borne in mind that the basis will not be consent. In our view, when it comes to ordinary personal data, the basis will be a legal obligation of the controller, and in some instances also legitimate interests pursued by the controller, enabling the employer to conduct an investigation of the whistleblower’s report.
Also in the case of special categories of data, consent will not be a proper basis, in our view. It seems that, depending on the circumstances, the basis could be:
- Art. 9(2)(b) GDPR—obligations under employment law
- Art. 9(2)(f) GDPR—establishment, exercise or defence of legal claims
- Art. 9(2)(g) GDPR—substantial public interest.
Hopefully, legislators will resolve doubts in this respect and clarify the bill accordingly.
- Authorisation and confidentiality
The employer will have to issue written authorisation to persons handling whistleblower reports and require them to maintain the confidentiality of the information.
- Updating documentation
It will be necessary to update the register of data processing activities to include activities connected with the whistleblowing procedure.
- Flow of personal data
Potential flows of personal data between the employer and external entities (e.g. the supplier of the infrastructure for handling reports) should also be addressed.
If data are processed on behalf of the data controller by other entities, it should be confirmed that they can guarantee implementation of appropriate technical and organisational measures (for purposes of accountability, these measures should be documented).
Issues of the flow of data should also be addressed in instances where employers decide to share resources for submission and review of whistleblower reports and follow-up measures. The current bill allows for this possibility for employers in the private sector with 50–249 employees.
Evidently, the range of data protection obligations is extensive, and there may be little time left to implement them. We will report further on changes in this regard as they develop.
Karolina Romanowska, Klaudia Czarniecka