Data Processed Under EU Whistleblower Law Covered by the GDPR
Last year, the European Parliament passed EU Directive 2019/1937 in order to protect people who report breaches of EU law. This new whistleblower law requires that personal data processing done pursuant to the reporting of EU law violations comply with the General Data Protection Regulation. Whistleblowers can file reports when required to do so by law, or when they are impacted by the violation of a law. Authorities have to keep confidential records of the reports, and the identity of the whistleblowers must be kept private, but individuals whose data has been processed must also be notified that their data has been collected.
Any whistleblower data has to be processed under the provisions of Article 5 of the GDPR, which provides that data be processed in a transparent manner; collected for a limited purpose; updated to be accurate; anonymized to the extent possible; and kept secure. Pursuant to Article 28, data controllers that have outside processors process the whistleblower data cannot allow those processors to use sub-processors.
Whistleblower data can only be transferred under Chapter V of the GDPR, which prevents data from being sent to countries without adequate data protection measures.