On 17 December 2021, the deadline for transposition of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the Whistleblowing Directive), the Belgian Data Protection Authority (DPA) published an advice on a draft ordinance of the French-speaking Community implementing the Whistleblowing Directive in the (Walloon) public sector.
Although the advice concerns the public sector, it contains a few interesting points that may also apply to the private sector. Below is a summary of the key messages.
- The DPA recalls that any processing of personal data carried out pursuant to a legal obligation must have a clear and precise legal framework. That framework must identify the data controller and define the key features of the processing, including its purposes, the categories of data, the categories of data subjects, the (categories of) recipients, the circumstances of any transfers of data and the retention period.
- Pursuant to Art. 7 (1) and 7 (2) of the Whistleblowing Directive, whistleblowing must remain optional: persons may not be placed under an obligation to report breaches (‘blow the whistle’).
- The GDPR directly and fully applies to any processing of personal data within the context of a whistleblowing scheme. Hence, there is no need for the law or ordinance to state that the GDPR applies or to repeat some of the obligations stemming from the GDPR (e.g., the obligation to ensure security and confidentiality of data).
- The data controller for the processing of personal data within the context of a whistleblowing scheme is the organisation (or, in the public sector, the public service) within which the authorised staff member competent to receive or follow up on reports (the Report Handler) performs his/her function, and not the Report Handler him/herself.
- The identity of the reporting person may not be disclosed to persons other than those responsible for receiving and handling whistleblowing reports without the reporting person’s explicit consent.
- Any processing of personal data within a whistleblowing scheme should be limited to relevant and necessary (factual) data. Given the sensitive nature of the processing (including the processing of personal data relating to criminal convictions and offences), special attention should be paid to avoid the processing of excessive data.
- The law should clearly define the criteria to be considered by the Report Handler when further investigating and collecting documents and information regarding the reported facts. How further investigation is carried out cannot be left to the mere discretion of the Report Handler.
- Even though this may seem obvious, the law should clearly define the purposes of any whistleblowing scheme, so that data subjects have a clear and precise understanding of how their personal data are processed in the context of such a scheme.
- Any reporting of personal data by the Report Handler to higher management on whistleblowing reports received must be limited to what is strictly necessary (principle of data minimisation). In addition, the name of the reporting person may not be disclosed, unless the latter has given his/her explicit consent. The same applies to personal data regarding other persons mentioned in such reports (e.g., witnesses or persons having provided more information on the breach reported).
- Whistleblowing reports must be retained and archived in compliance with the GDPR, i.e., for no longer than is necessary for the purposes of the processing. The retention period of ten (10) years proposed by the draft ordinance is excessive and not warranted. This is all the more true for reported breaches that are, after investigation, closed without further consequences.
Please contact us should you need assistance in setting up your whistleblowing scheme. We have developed a suite of services to assist clients with compliance with the Whistleblowing Directive. Lydian offers, via Whistleblower Software, an experienced European software provider, a ready-to-use web portal that meets all requirements of the Directive and Belgian law.