top of page
Search

Data Processed Under EU Whistleblower Law Covered by the GDPR

  • Dec 16, 2020

Last year, the European Parliament passed EU Directive 2019/1937 in order to protect people who report breaches of EU law. This new whistleblower law requires that personal data processing done pursuant to the reporting of EU law violations comply with the General Data Protection Regulation. Whistleblowers can file reports when required to do so by law, or when they are impacted by the violation of a law. Authorities have to keep confidential records of the reports, and the identity of the whistleblowers must be kept private, but individuals whose data has been processed must also be notified that their data has been collected.


Any whistleblower data has to be processed under the provisions of Article 5 of the GDPR, which provides that data be processed in a transparent manner; collected for a limited purpose; updated to be accurate; anonymized to the extent possible; and kept secure. Pursuant to Article 28, data controllers that have outside processors process the whistleblower data, cannot allow them to use sub-processors.


Whistleblower data can only be transferred under Chapter V of the GDPR which prevents data from being sent to countries without adequate data protection measures.




UK Waiting to See If It Is Adequate . . .

  • Dec 8, 2020

The Brexit transition period ends on December 31, 2020. After the end of the year, the United Kingdom will be considered a third country under the General Data Protection Regulation. In order for data to be transferred from the European Union to the UK, the UK must obtain an adequacy decision from the EU.


Data transfers from the UK to the EU, will not be restricted by the UK. See this post on the main site for Her Majesty's Government. The British government recommends that standard contractual clauses be used to ensure the law transfer of data from the European Union. Templates for SCCs are available in Word documents from the Information Commissioner's Office - an independent regulatory body which reports to Parliament.




The GDPR will continue to be part of British law after the transition period.

S.D.N.Y. Orders Redactions In Summary Judgment Exhibits for PII Covered by GDPR

  • Nov 29, 2020

This past week, Judge Ronnie Abrams issued a decision, Letchford v. Scotwork (N. Am.), Inc., 19-CV-8921, 2020 U.S. Dist. LEXIS 221770 (S.D.N.Y. Nov. 24, 2020) granting the parties' joint motion to seal exhibits for their summary judgment motions.


The parties requested permission to redact personal information (email addresses, telephone numbers, and home addresses) of Scotwork employees who were EU citizens pursuant to the requirements of the General Data Protection Regulation. The Court determined that even though there was a strong presumption of access, since the documents were relevant for the Court's judicial function, it found limited redactions could be made since the personal information was not necessary or helpful to deciding the summary judgment motion. "Court thus finds that the parties' interest in maintaining the confidentiality of Defendants' employees' personal information sufficient to rebut the common-law presumption of access." Id. at *3.

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

Your details were sent successfully!

© 2015 by Sean O'Shea . Proudly created with Wix.com

bottom of page