EN
Technology

No unconditional right of access under whistleblower schemes

logo
Legal news
calendar 24 february 2022
globus Denmark

The right of access means that employees and others have a right to see the information that is being processed about them. However, it can be problematic to comply with an access request under a whistleblower scheme. The reason is that access to the information could potentially both put the whistleblower’s protection and the investigation of the report on the line.

When a whistleblower makes a report, the whistleblower unit will usually receive different types of personal data about one or several persons who might have committed an offence or been involved in a serious matter. That could for example be a report on sexual harassment, theft, or fraud at the workplace.

As it in any case would be a serious matter, a need to keep the information in the report as confidential as possible will arise. If the involved parties suddenly ask to see the information processed about them, it could put whistleblower unit in a difficult position.

The reason is that the right of access under the data protection rules entails that the involved parties as a main rule have a right of access the information that is processed about them. The purpose of the rules is to create transparency – that transparency can, however, counteract the effective protection of the whistleblower and the whistleblower unit’s investigation of the report.

Whistleblower units should know the exceptions

Naturally, whistleblower units must comply with the data protection rules as part of the handling of the incoming reports through the whistleblower scheme. However, like many of the main rules under the applicable data protection rules, exceptions apply to the general right of access.

For example, whistleblower units can deny an access request if an individual assessment of the request shows that the interest in access should is trumped by public interests under applicable law. Also, whistleblower units can choose to reject an access request if the interest in access to the information is trumped by the interest of the protection of others, such as the whistleblower.

In either case, access to the information – whether fully or partly - could give the opportunity for a person to prevent or in another way complicate whistleblower unit’s investigation, such as by the destruction of relevant evidence and the like.

IUNO’s opinion

Whistleblower units should be aware that the data protection rules require that the assessment of whether a request on access should be denied fully or partly ultimately requires an individual assessment of each piece of information. This assessment can be difficult to make and will depend on the circumstances in each case.

IUNO recommends that companies - as part of the training of the responsible whistleblower unit - include a thorough training in the data protection rules, irrespective of whether the whistleblower unit partly has outsourced the responsibility under the rules to an external third party. The reason is that many different questions and issues will arise which could ultimately lead to breach of the data protection rules if the whistleblower unit does not have the right routines in place from the outset.

Read more on how we can help with GDPR and whistleblower schemes here.

[Act on the protection of whistleblowers of 24 June 2021]

When a whistleblower makes a report, the whistleblower unit will usually receive different types of personal data about one or several persons who might have committed an offence or been involved in a serious matter. That could for example be a report on sexual harassment, theft, or fraud at the workplace.

As it in any case would be a serious matter, a need to keep the information in the report as confidential as possible will arise. If the involved parties suddenly ask to see the information processed about them, it could put whistleblower unit in a difficult position.

The reason is that the right of access under the data protection rules entails that the involved parties as a main rule have a right of access the information that is processed about them. The purpose of the rules is to create transparency – that transparency can, however, counteract the effective protection of the whistleblower and the whistleblower unit’s investigation of the report.

Whistleblower units should know the exceptions

Naturally, whistleblower units must comply with the data protection rules as part of the handling of the incoming reports through the whistleblower scheme. However, like many of the main rules under the applicable data protection rules, exceptions apply to the general right of access.

For example, whistleblower units can deny an access request if an individual assessment of the request shows that the interest in access should is trumped by public interests under applicable law. Also, whistleblower units can choose to reject an access request if the interest in access to the information is trumped by the interest of the protection of others, such as the whistleblower.

In either case, access to the information – whether fully or partly - could give the opportunity for a person to prevent or in another way complicate whistleblower unit’s investigation, such as by the destruction of relevant evidence and the like.

IUNO’s opinion

Whistleblower units should be aware that the data protection rules require that the assessment of whether a request on access should be denied fully or partly ultimately requires an individual assessment of each piece of information. This assessment can be difficult to make and will depend on the circumstances in each case.

IUNO recommends that companies - as part of the training of the responsible whistleblower unit - include a thorough training in the data protection rules, irrespective of whether the whistleblower unit partly has outsourced the responsibility under the rules to an external third party. The reason is that many different questions and issues will arise which could ultimately lead to breach of the data protection rules if the whistleblower unit does not have the right routines in place from the outset.

Read more on how we can help with GDPR and whistleblower schemes here.

[Act on the protection of whistleblowers of 24 June 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

16 June 2022

Unfortunate software update gave thousands of employees access to job applications

logo
Technology

2 June 2022

Failure to inform shareholder breached the data protection rules

logo
Technology

28 April 2022

First fine to a public authority for breach of the data protection rules

logo
Technology

31 March 2022

New guidelines clarify when processing is an international data transfer

logo
Technology

31 March 2022

24/7 CCTV monitoring at the workplace was a breach of the data protection rules

logo
Technology HR-legal Corporate

2 November 2021

Joint whistleblower schemes for multinationals

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate