How to Comply with Both the Whistleblower Protection Directive and the GDPR

Miruna Macsim 11/12/2023 | 14:49

On the 23rd of October 2019, the Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of European Union law (“Directive”) was published and since then transposed into the Romanian legislation through Law no. 361/2022.

By Simona Moisa,  Senior Associate, Dentons


Even though the national law came into effect on December 17, 2022, the new obligations – especially those relating to the establishment of the internal reporting channel – are implemented in stages, depending on the number of employees in each private entity. Thus, private entities with 250 or more employees were obliged to set up their internal reporting channels as soon as the legislation came into effect, while private entities with fewer than 250 employees are obliged to set up their internal reporting channels by December 17, 2023.

As whistleblowing procedures and their specific activities have reached a certain level of maturity, it has become clear what challenges a private entity faces when creating its internal whistleblowing mechanism. It is safe to say that observing the data privacy principles during implementation was one of the most challenging aspects private entities had to overcome, as the two regulatory frameworks (the Directive and the GDPR) may appear, at first glance, to be in conflict.

The information below seeks to provide guidance for data controllers (private entities) on implementing reporting mechanisms in compliance with the GDPR principles and obligations.

Involvement of the Data Protection Officer (DPO). Data Protection by Design and Default

Given the sensitive nature of the material covered by the whistleblowing process, data controllers should seek expert advice from their DPO during the initial stages of designing whistleblowing systems, policies and procedures, and compliance with data protection by design and default should be ensured from the outset.

Data Protection Impact Assessment (DPIA)

Even though there is no express legal provision establishing the obligation for data controllers to carry out a DPIA in the whistleblowing context, it is strongly advisable to conduct one in the initial phase of the process. This advice is justified by the sensitive nature of information that may be disclosed in the entire whistleblowing process and the associated risks to the involved individuals.

Transparency – practical implications and measures

Information on the personal data processing activity in the whistleblowing process should be provided to the entire personnel of the data controller in a complete and proactive manner. This could entail a two-step procedure:

a. Preparation of a complete and comprehensive internal policy, with its associated procedure, on whistleblower protection and the mechanisms established within the organization. This policy should contain, among other things, general information regarding the processing of personal data. Continuous access to the policy should be granted to all personnel;
b. As the generality of the first step could be overlooked, the main recommendation of the European institutions is to provide a specific data privacy notice as soon as possible to the directly affected individuals (whistleblowers, witnesses, third parties). Communication of the privacy notice to the alleged wrongdoer may be postponed if it would affect the pending investigation or if there is a risk of identifying the whistleblower and of retaliation against him/her.

Purpose limitation

The scope of the whistleblowing policy must be clearly specified within its content, and explicit rules on when the procedure should and should not be used should be set out and brought to the attention of all employees.

As the main purpose of the whistleblowing procedure is to establish and provide safe channels of communication/reporting for anyone who has become aware of potential fraud, corruption or other serious legal breaches and/or irregularities, staff will not be able to use it to exercise their statutory rights (such as lodging a request/complaint for harassment or personal disagreements, etc.). Other mechanisms are in place for exercising such rights.

Furthermore, the whistleblowing policy should stipulate that sensitive information (such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) that is not relevant to the case will not be further processed (thus following the minimization principle).

Data minimization. Avoidance of excessive processing

If the personal data is clearly of no interest or relevance to the investigation/allegation, it will not be further processed.

The designated personnel (facilitator, investigator and other authorized persons) who will handle the whistleblowing reports will be made aware of this rule, and specific privacy training should be mandatory for all involved parties.

Right of Access. Limitations

Ensuring a full right of access to all parties involved could create difficulties in conducting the investigation under the whistleblowing procedure, and as such the right of access may be subject to certain limitations, depending on the status of the requester, the stage of the investigation, the level of sensitivity of the information held, disclosure risks, etc.

It is advisable to adopt internal rules applicable to exceptional cases, where the information could be deferred or restricted altogether.

Notwithstanding the above, any restriction of the right of access should be documented and well-reasoned (a necessity and proportionality test may be required).

To protect personal data and the rights of individuals, and to avoid any potential risk of retaliation, any data relating to third parties should first be removed before access is granted to the requester.

Storage Limitation

Following the general principle established by the GDPR, personal data should not be kept longer than necessary for the purpose of processing. That said, different storage periods may apply depending on the type of information and its impact on the investigation, as follows:

a. Personal data that is not relevant to the investigation should be deleted without undue delay;
b. Personal data that is relevant to the investigation should be archived in accordance with the applicable national legislation. During the archiving period, access to such data should still be limited and, where possible, anonymization and/or pseudonymization should be used.

Integrity and confidentiality

Creating a safe and confidential internal channel is one of the most effective ways of encouraging personnel to report any concerns they might have relating to fraudulent activities, illegal conduct, etc.

The identity of the whistleblower should be protected at all costs and treated with the utmost confidentiality, so as to avoid any possible retaliation. As a side note, the identity of the whistleblower may be revealed in exceptional circumstances, e.g. if the whistleblower consents to such a disclosure; if it is necessary in subsequent criminal proceedings; or if the whistleblower knowingly makes a false accusation.

During the investigation, the identity of the whistleblower will not be the only one protected by confidentiality, as the person against whom an allegation was made should be protected in the same manner. Also, if the whistleblowing report contains personal information related to third persons, such as witnesses or colleagues, this information will also be protected during each stage of the process.

Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the processing activity and the associated potential risks to the rights of the individuals involved.

The security measures should reflect the sensitive nature of the personal information processed, effectively prevent personal information from being accessed by unauthorized persons, and guarantee its integrity.

With this in mind, a company should expressly appoint the personnel who may handle whistleblower reports and requests. Access to such information may be granted in layers/levels and should be disclosed only on a need-to-know basis. The designated personnel must also be subject to a reinforced obligation of confidentiality.

Access control requirements should be fully implemented, effectively limiting, monitoring and controlling who has access to whistleblowing reports/investigations. Access logs should be kept and reviewed on a regular basis. Access rights should be reviewed and promptly removed whenever there is a plausible reason to do so.

Encryption may be considered to strengthen the integrity and confidentiality of any personal information.
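One way a controller could model the layered, need-to-know access, per-case grants and access logging described in this section, together with the removal of third-party data before a subject-access copy is released (see the right-of-access section above). This is an added illustration in Python, not code from the article or from Dentons; the role names, field names, sample case and log format are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical need-to-know matrix: which fields of a report each designated role may see.
# Roles and fields are constructed for this example, not prescribed by the Directive or the GDPR.
ROLE_FIELDS = {
    "facilitator": {"case_id", "status", "allegation", "reporter"},                 # receives the report
    "investigator": {"case_id", "status", "allegation", "subject", "witnesses"},    # reporter identity withheld
}
THIRD_PARTY_FIELDS = {"reporter", "witnesses"}  # stripped before a subject-access copy is released

SAMPLE_CASES = {  # constructed sample data, not a real report
    "WB-001": {"case_id": "WB-001", "status": "open", "allegation": "suspected invoice fraud",
               "reporter": "employee A", "subject": "manager B", "witnesses": ["colleague C"]},
}

@dataclass
class WhistleblowingStore:
    cases: dict
    grants: dict = field(default_factory=dict)      # (user, case_id) -> role: access is scoped per case
    access_log: list = field(default_factory=list)  # every attempt, allowed or denied, is recorded

    def _log(self, user, case_id, action, allowed):
        self.access_log.append((datetime.now(timezone.utc).isoformat(), user, case_id, action, allowed))

    def grant(self, admin, user, case_id, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role}")
        self.grants[(user, case_id)] = role
        self._log(admin, case_id, f"grant:{user}:{role}", True)

    def revoke(self, admin, user, case_id):
        # Removal of access rights is a first-class operation and is itself logged.
        self.grants.pop((user, case_id), None)
        self._log(admin, case_id, f"revoke:{user}", True)

    def read(self, user, case_id):
        role = self.grants.get((user, case_id))
        self._log(user, case_id, "read", role is not None)
        if role is None:
            raise PermissionError(f"{user} has no grant on {case_id}")
        return {k: v for k, v in self.cases[case_id].items() if k in ROLE_FIELDS[role]}

    def subject_access_copy(self, requester, case_id):
        # Copy released under a right-of-access request: third-party data removed first.
        self._log(requester, case_id, "subject_access", True)
        return {k: v for k, v in self.cases[case_id].items() if k not in THIRD_PARTY_FIELDS}

    def denied_attempts(self):
        # Entries an access-log review would flag for follow-up.
        return [entry for entry in self.access_log if not entry[4]]
```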

Accountability

A data controller should be able to demonstrate that, when implementing the whistleblowing mechanism, the privacy principles and regulations were taken into account (data protection by design and default).

Accountability may be demonstrated by:

a. Internal policy and associated procedures regarding the whistleblowing mechanism;
b. Limitation of certain rights of data subjects, the grounds on which such limitations are based and the reasoning for applying them;
c. Conducting a DPIA;
d. Mandatory training of the designated personnel to handle the whistleblowing reports;
e. Reinforcement of the designated personnel’s confidentiality clause.

Finally, the personal data processing activity related to the whistleblowing process should be described in the general record of the processing activities (as the case may be).
