top of page

Data Processed Under EU Whistleblower Law Covered by the GDPR

Last year, the European Parliament passed EU Directive 2019/1937 in order to protect people who report breaches of EU law. This new whistleblower law requires that personal data processing done pursuant to the reporting of EU law violations comply with the General Data Protection Regulation. Whistleblowers can file reports when required to do so by law, or when they are impacted by the violation of a law. Authorities have to keep confidential records of the reports, and the identity of the whistleblowers must be kept private, but individuals whose data has been processed must also be notified that their data has been collected.


Any whistleblower data has to be processed under the provisions of Article 5 of the GDPR, which provides that data be processed in a transparent manner; collected for a limited purpose; updated to be accurate; anonymized to the extent possible; and kept secure. Pursuant to Article 28, data controllers that have outside processors process the whistleblower data, cannot allow them to use sub-processors.


Whistleblower data can only be transferred under Chapter V of the GDPR which prevents data from being sent to countries without adequate data protection measures.




Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

Your details were sent successfully!

© 2015 by Sean O'Shea . Proudly created with Wix.com

bottom of page