BY THE SPANISH DATA PROTECTION AUTHORITY: Privacy in whistleblowing systems
Data protection regulation allows organisations to implement whistleblowing systems, provided that a number of basic data protection principles are respected.
Whistleblowing systems are an instrument for exposing acts or conduct within a company, or in the actions of third parties contracting with it, that are contrary to the law or to collective bargaining agreements. These systems are usually set up as internal reporting channels, generally online mailboxes, through which workers can report this type of situation.
Data protection regulation allows these systems to be implemented as long as a series of basic principles are respected. The Agency itself (the Spanish Data Protection Authority), as part of the commitments set out in its Social Responsibility Action Framework and the provisions of its Code of Ethics, has set up its own whistleblowing channel.
If we want to set up a whistleblowing system in our company or organisation, we should pay attention to the following basic aspects related to privacy:
- Informing employees
It is essential that employees are informed of the existence of the whistleblowing system and of the data processing involved in making a report. This information can be given directly in the employment contract, individually or collectively when the system is implemented or modified, or through information circulars to staff and their representatives.
- Proportionality and purpose limitation
Reports should only concern facts or actions that have a real bearing on the relationship between the company and the reported person. Likewise, the information obtained through the system may not be used for any purpose other than the one for which the system was implemented.
- Protection of whistleblower data
The law allows anonymous reporting systems. Where reports are not anonymous, the whistleblower's information must be kept secure and the whistleblower's identity must never be made available to the reported person. This requires reinforced security and confidentiality measures for the information held in the system.
- Limiting access to information
Access should be limited exclusively to those carrying out internal control and compliance functions, or to the data processor designated for this purpose. Access by other persons, or disclosure to third parties, is lawful only when necessary for the adoption of disciplinary measures or for legal proceedings, as the case may be.
- Retention and deletion of data
The data should be kept only for as long as the investigation of the facts requires, unless the investigation leads to the adoption of measures against the reported person, in which case the data may be kept for a longer period. In any event, the data must be deleted from the reporting system itself three months after they were entered into it; where an investigation or disciplinary measures require longer retention, that processing continues outside the reporting system rather than in the reporting mailbox.
- Data protection rights
The data subject's rights of access, rectification, erasure and objection should be guaranteed, without revealing the identity of the person who made the report. The reported person should learn as soon as possible that a report has been made against them, so that they can properly defend their interests; this information should therefore be provided after a reasonable period during which the preliminary investigation of the facts is carried out.