While the GDPR establishes general data protection principles and obliges controllers and processors to protect personal data appropriately, the Whistleblower Protection Act (HinSchG) creates a specific legal framework for whistleblowers. The protection of privacy and personal data is a central principle governing the processing and sharing of personal data. Whistleblowing, however, often discloses confidential information in order to expose misconduct, which sits in tension with the basic principles of data protection.
What is the content of the GDPR?
The GDPR is rooted in the fundamental right to informational self-determination and serves to harmonize data protection law across the EU. Its declared goal is to protect natural persons with regard to the processing of personal data while at the same time guaranteeing the free movement of such data (Art. 1 para. 1 GDPR).
The processing of personal data is prohibited in principle. It is permitted only by way of exception, where the conditions of a legal basis are met (Art. 6 para. 1 GDPR). For companies, the most familiar basis is the consent of the data subject, but Art. 6 para. 1 also permits processing without consent where it is necessary, for example, to perform a contract or to pursue a legitimate interest that is not overridden by the interests of the data subject. Public authorities may process personal data only where this is necessary to fulfill their tasks.
Furthermore, the GDPR regulates the rights of data subjects. Those whose data are processed have, for example, a right of access to information about the processing and, building on this, rights to rectification, objection, and erasure.
Data protection in the HinSchG
In general, the internal reporting office may collect and process personal data only on a legal basis. Such a specific legal basis is contained in § 10 HinSchG. Under this provision, the reporting office is authorized to process personal data as far as this is necessary to fulfill its tasks (e.g. operating the reporting office); the processing of special categories of personal data is also permitted under this provision. In that case, the reporting office must take specific and appropriate measures to safeguard the interests of the data subject.
The confidentiality requirement is anchored in the HinSchG
Internal reporting offices and whistleblower systems must ensure that the data of the whistleblower, of the person who is the subject of the report, and of other persons named in the report are treated confidentially, and that only authorized persons have access to the internal reporting office. This is important to ensure their safety and to protect them from possible reprisals. The requirement to keep identities confidential applies regardless of whether the reporting office is competent for the incoming report or not.
Right of access of the data subject under Art. 15 para. 1 GDPR
The data subject's right of access in particular stands in tension with the provisions of the HinSchG. The data subject can generally demand from the controller information about which of their data is stored or processed there. Information can also be requested about the purpose of the processing, the origin of the data, the recipients, and so on. In this way, the data subject retains control over the flow of their data. The right of access covers master data, the communication conducted with the data subject, and internal notes. It finds its limits in the rights of third parties, in trade and business secrets, and in other laws such as the HinSchG.
When a report is submitted, data about the person who is the subject of the report and about other persons connected with the report are usually transmitted and processed.
Data that is typically collected and processed via a whistleblower system:
Information about the whistleblower (unless they remain anonymous)
Information about the reported facts with details of possible accused and affected parties
Data from internal investigations, e.g., from IT systems, databases, emails, surveys for fact-finding
The persons concerned therefore have, in principle, a right of access. A violation of the duty to provide access is generally subject to a fine.
The interest of the whistleblower, and the employer's obligation to keep the whistleblower's identity confidential, regularly conflict with the right of access. To avoid undermining the protection of whistleblowers, data protection and whistleblower protection must be brought into a reasonable balance and given equal weight. An exception (§ 29 para. 1 sentence 2 BDSG) also helps here: the right of access does not exist insofar as the information would disclose data that must be kept secret under a legal provision. The confidentiality requirement of the HinSchG is precisely such a provision.
Collect as little data as possible.
Companies and organizations setting up internal reporting offices should ensure that only the information relevant to the investigation is collected and processed. Data should be reduced as far as possible (the principle of data minimization, Art. 5 para. 1 lit. c GDPR), and only the personal data that is strictly necessary to fulfill the purpose of the report should be collected. In addition, the data should be accessible only to those who are responsible for, and trained in, the investigation of the reported incident and the operation of the reporting office.
What deletion obligations apply under the HinSchG?
Against the background of the GDPR, the question arises which deletion obligations apply under the HinSchG. Under the GDPR, personal data must generally be erased once they are no longer necessary for the purposes for which they were collected. Under the HinSchG, the documentation of reports must be deleted three years after the procedure has been concluded. However, the documentation may be kept longer to meet requirements of the HinSchG or of other legal provisions, as long as this is necessary and proportionate.
Setting up a whistleblower system
Establishing an internal reporting office that fully ensures confidentiality – for example, by outsourcing it – can appropriately balance the tension between data protection and reporting. A digital whistleblower system with the option of anonymous reporting can help here. Where reports are processed anonymously, the personal reference to the whistleblower is often eliminated, so that the provisions of the GDPR do not apply directly to the whistleblower's own data. Note, however, that the content of the report (for example, the names of accused or affected persons) usually remains personal data, to which the GDPR continues to apply in full, and that the whistleblower's anonymity holds only if the system itself does not record identifying metadata such as IP addresses or device identifiers. A digital whistleblower system allows reports to be transmitted discreetly without the whistleblower having to disclose personal information such as a name, email address, or phone number, so that no personal reference can be established via these data. Before such a system is set up, a data protection impact assessment (Art. 35 GDPR) should of course be carried out.
When processing personal data, the internal reporting office must comply with data protection law. Insofar as the internal reporting office processes personal data in fulfilling its tasks, it is not itself the controller within the meaning of data protection law; that role remains with the organization operating the reporting office. This applies in particular where the internal reporting office is run by a single person.
Our lawyers and compliance experts are also bound by confidentiality, which not only ensures the independence of the internal reporting office from the company or administration but also provides an even higher level of data protection.
Have you not yet set up an internal reporting service? Then we should talk!
As of: June 14, 2023