top of page

Data Processed Under EU Whistleblower Law Covered by the GDPR

Last year, the European Parliament passed EU Directive 2019/1937 in order to protect people who report breaches of EU law. This new whistleblower law requires that personal data processing done pursuant to the reporting of EU law violations comply with the General Data Protection Regulation. Whistleblowers can file reports when required to do so by law, or when they are impacted by the violation of a law. Authorities have to keep confidential records of the reports, and the identity of the whistleblowers must be kept private, but individuals whose data has been processed must also be notified that their data has been collected.

Any whistleblower data has to be processed under the provisions of Article 5 of the GDPR, which provides that data be processed in a transparent manner; collected for a limited purpose; updated to be accurate; anonymized to the extent possible; and kept secure. Pursuant to Article 28, data controllers that have outside processors process the whistleblower data, cannot allow them to use sub-processors.

Whistleblower data can only be transferred under Chapter V of the GDPR which prevents data from being sent to countries without adequate data protection measures.


bottom of page