The Whistleblower Act
Since March 13, 2023, Law 2/2023 of 20 February has been in force, better known as the Whistleblower Act, governing the protection of people who report violations of regulations, and the fight against corruption.
This regulation transposes Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, regarding the protection of persons who report breaches of Union Law, into the Spanish legal system.
There are many analyses that could be made of this regulation, so here we will focus specifically, and briefly, on one aspect that is inseparable from the mechanisms the law provides for: its connection with the rights and obligations under data protection regulations.
The Whistleblower Act obliges companies with more than 50 employees to implement an internal information system so that the administrative bodies are aware of the reports made by the different individuals connected with the company, from employees to external professionals, and including company shareholders.
The implementation of these systems will therefore almost certainly imply the processing of additional personal data, which can range from that of the whistleblower themselves, to the person or persons reported (if applicable) and those authorised within the organisation to access said information.
The implementation of these systems also has other consequences in terms of data protection, such as the lawful basis for the processing of said data, the storage time or the “star” measure of the Act: the possibility for the identity of the whistleblower to remain anonymous.
The Whistleblower Act: What to take into account in terms of data protection?
Privacy policies: you must adapt or write privacy policies appropriate to the type of process related to internal information systems, so that whoever completes and submits a report knows the use that will be made of the information.
Information access policies: Only the following are legally entitled to access complaints, monitor them and, where appropriate, close them: the system manager, the human resources manager, the legal affairs manager, the designated data processors (with the guarantees of the data protection regulations), and the data protection officer. Whether the authorised persons must accept confidentiality commitments additional or complementary to those they have already signed should be analysed.
Data deletion: no personal data may be processed that is not necessary for the investigation of reportable behaviour according to the Act. In application of the principle of proportionality, only the personal data necessary for the investigation of offences covered by the Law may be processed, deleting them immediately if this is not the case.
The same applies if the information received includes particularly sensitive data (such as health, sexual orientation, race or similar). Additionally, after 3 months from the receipt of the report, where no investigative action has been initiated, the data must be deleted from the system. Finally, personal data may not be kept in the system for more than 10 years, whatever the circumstances.
Right to anonymity: The Act provides for the right to submit anonymous reports, as the information systems technically allow for this possibility. It is surprising, at this point, that the identity of the whistleblower can only be provided “to the court authority, the Public Prosecutor’s Office or the competent governmental authority within the framework of a criminal, disciplinary or sanctioning investigation”. It is surprising because one requirement of anonymisation is that it must be impossible to identify the person whose data has been anonymised, so it will be important to see how this is resolved in practice.
We will therefore have to closely monitor the practical implementation of this law and the measures the affected companies take to comply with it. This is, without a doubt, a legal text with strong and significant implications for the protection of personal data, and the adoption of the provisions of the Whistleblower Act must also be examined from the point of view of the LOPD and the GDPR.
If you are a company affected by this new act and you need more information, don’t hesitate to contact us!