Personal data are processed whenever reports are made under the Whistleblower Protection Act (HSchG). Reports contain information about natural persons who have allegedly breached the law. In addition, they may include information about the whistleblower him/herself and about persons who support the whistleblower. Persons affected by such reports may regard this as an interference with their confidentiality interests. The HSchG contains a number of specific provisions on the processing of personal data, which are outlined below.
Processing of personal data for the purpose of whistleblowing
The HSchG states that the processing of personal data for the purpose of whistleblowing is permissible. To the extent required, this includes sensitive and crime-related data.
Enterprises which process personal data in the context of a whistleblower system, within the limits set by the HSchG, may therefore rely on the legal basis of compliance with a legal obligation (Art 6 (1) (c) GDPR). If, however, a whistleblower system provides reporting options that go beyond what the HSchG requires, enterprises can no longer rely on compliance with a legal obligation for those additional options, but may be able to invoke legitimate interests (Art 6 (1) (f) GDPR).
Data subject rights and whistleblowing
Data subjects have so-called data subject rights vis-à-vis the data controller. These include the rights to information, access, rectification and erasure. If these rights applied without restriction in the context of whistleblowing, there would be a risk that a report could no longer be followed up effectively, and the enforcement of claims or criminal prosecution would be jeopardised. A further problem is that the identity of the whistleblower would have to be disclosed, and whistleblowers' identities are precisely what the reporting offices are supposed to protect. Legislation therefore stipulates that these data subject rights do not apply in the area of whistleblowing.
GDPR-compliant design of the whistleblower system
For the operation of a whistleblower system, enterprises must provide and implement appropriate technical and organisational measures in accordance with the GDPR and keep them up to date. This is the only way to ensure that the identity of whistleblowers and of other persons involved remains confidential. For example, enterprises may introduce access authorisation concepts, encryption techniques and sufficient logging, or define special internal organisational procedures.
Data protection impact assessment for whistleblower system?
The GDPR stipulates that data processing operations likely to result in a high risk to the rights and freedoms of data subjects must be subject to a data protection impact assessment. Such a risk is deemed to exist, among other cases, when sensitive or crime-related personal data are processed. Since such processing can be expected in the operation of a whistleblower system, a data protection impact assessment would in principle be required. However, according to the GDPR, this obligation does not apply if the legislature already carried out a data protection impact assessment when enacting the relevant legal provision. With the enactment of the HSchG, this assessment was carried out by the legislature in advance, so enterprises are not obliged to carry out another one. It should, however, be noted that under certain circumstances a separate obligation to conduct a data protection impact assessment may still arise. This could be the case, for example, if the whistleblower system goes beyond the legal minimum framework of the HSchG.
Summary
Whistleblowing and data protection are an area of tension. The special provisions in the HSchG are intended to counteract this. However, numerous individual questions remain open, especially from a data protection perspective. In any case, enterprises are required to implement a whistleblowing system which complies with data protection law.
Your KWR Data Protection Team will be happy to support you with any questions you may have on the subject of whistleblowing.