To ensure that personal data is protected when being disclosed in the whistleblower channel, the following items should be observed and prepared accordingly:
1. Internal access control
Access to the data contained in these systems shall be limited exclusively to those carrying out the internal control and compliance functions, or to processors appointed for this purpose. Other persons (e.g. in-house lawyers) may also have access where this is necessary for disciplinary action or legal proceedings. If disciplinary action is to be taken against an employee within the company, access should be granted to the human resources department or staff with management functions.
2. Confidentiality
It is essential that the company adopts the necessary measures to preserve the identity and guarantee the confidentiality of the data corresponding to the persons affected by the information provided, especially that of the person who brought the facts to the entity’s attention, in the event that he/she has been identified.
3. Conservation
The data of the whistleblower, employees, and third parties shall be retained in the reporting system only for as long as is necessary to decide whether to initiate an investigation into the facts reported. After three months have elapsed since the complaint data were entered, they must be deleted from the system, with the exception that they may be retained as evidence of the functioning of the model for preventing the commission of offenses by the legal person. In this way, the company can avoid criminal liability. Once this period has elapsed, the data may continue to be processed by the body responsible for the investigation of the reported facts, but may not be kept in the whistleblower information system itself.
4. Anonymous reports
Article 24.1 of the LOPDGDD allows anonymous reporting. Despite this, it is advisable that the whistleblower identifies himself/herself in order to truly protect his/her personal data. In fact, it is companies that should invite whistleblowers not to use anonymity, in order to avoid abuse of the channel and to prevent the tool from being misused. This is the advice of the European Data Protection Supervisor (EDPS), who advocates avoiding anonymity in order to obtain effective protection for the whistleblower, and to be able to gather more information about the reported facts.
5. Documentation
To ensure we comply with data protection laws, we must inform data subjects that our organisation is processing personal data that is shared through the whistleblower channel. In this regard, we must update our Privacy Policy to add this new processing activity, and also add a new data protection clause, available on our website, in reference to the whistleblower channel. We must make sure that our employees are well aware of these documents.