No unconditional right of access under whistleblower schemes
The right of access means that employees and others have a right to see the information that is being processed about them. However, it can be problematic to comply with an access request under a whistleblower scheme. The reason is that access to the information could potentially put both the whistleblower’s protection and the investigation of the report on the line.
When a whistleblower makes a report, the whistleblower unit will usually receive different types of personal data about one or several persons who might have committed an offence or been involved in a serious matter. That could for example be a report on sexual harassment, theft, or fraud at the workplace.
As it would in any case be a serious matter, a need to keep the information in the report as confidential as possible will arise. If the involved parties suddenly ask to see the information processed about them, it could put the whistleblower unit in a difficult position.
The reason is that the right of access under the data protection rules entails that the involved parties, as a main rule, have a right of access to the information that is processed about them. The purpose of the rules is to create transparency – that transparency can, however, counteract the effective protection of the whistleblower and the whistleblower unit’s investigation of the report.
Whistleblower units should know the exceptions
Naturally, whistleblower units must comply with the data protection rules as part of the handling of the incoming reports through the whistleblower scheme. However, like many of the main rules under the applicable data protection rules, exceptions apply to the general right of access.
For example, whistleblower units can deny an access request if an individual assessment of the request shows that the interest in access is trumped by public interests under applicable law. Also, whistleblower units can choose to reject an access request if the interest in access to the information is trumped by the interest of the protection of others, such as the whistleblower.
In either case, access to the information – whether fully or partly – could give a person the opportunity to prevent or in another way complicate the whistleblower unit’s investigation, such as by the destruction of relevant evidence and the like.
IUNO’s opinion
Whistleblower units should be aware that, under the data protection rules, deciding whether an access request should be denied fully or partly ultimately requires an individual assessment of each piece of information. This assessment can be difficult to make and will depend on the circumstances in each case.
IUNO recommends that companies – as part of the training of the responsible whistleblower unit – include thorough training in the data protection rules, irrespective of whether the whistleblower unit has partly outsourced the responsibility under the rules to an external third party. The reason is that many different questions and issues will arise which could ultimately lead to a breach of the data protection rules if the whistleblower unit does not have the right routines in place from the outset.
[Act on the protection of whistleblowers of 24 June 2021]