Whistleblowing and data protection

Whistleblowing is an Anglo-Saxon term associated with the filing of complaints through a specific channel by a worker who has witnessed or is aware of the commission of an alleged crime at his or her workplace. For its part, the European Data Protection Supervisor has established that the objective of whistleblowing is to shed light on corruption by providing safe channels for staff or other whistleblowers to report unethical behavior. Such procedures require the processing of sensitive personal information related to alleged infringers, complainants and other parties, such as witnesses[i]. The EU institutions and bodies are obliged to establish clear whistleblowing procedures, minimizing possible risks to the protection of the personal data of all those involved.

In a practical approach, a sector of the doctrine has indicated that “it is common to use the term whistleblowing to refer both to the internal alert systems or corporate reporting channels to process the aforementioned complaints, and to the practice itself of reporting said non-compliance. The fact of having a whistleblowing system constitutes an example of good governance and demonstrates commitment, as well as contributes significantly to reducing potential risks and sanctions for companies for non-compliance that has occurred under their sphere of supervision”[ii].

In our regulations, this topic appears for the first time in section 2 of art. 31 bis of the Penal Code, which formulates the duty to “report possible risks and non-compliance to the body in charge of monitoring the operation and observance of the prevention model”. Currently, the following stand out:

  • ISO 19600 Standard, on Compliance Management Systems.
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantees of digital rights. Specifically, art. 24: “The creation and maintenance of information systems through which a private law entity can be made aware, even anonymously, of the commission within it or in the actions of third parties that contract with it, of acts or conduct that could be contrary to the general or sectoral regulations that apply, will be lawful. Employees and third parties must be informed about the existence of these information systems (…)”.
  • Opinion No. 1/2006 of the Article 29 Working Group, the content of which expressly points out that “Applying EU data protection rules to whistleblowing programs means giving specific consideration to the issue of data protection of the person who may have been incriminated in an alert. In this sense, the Working Group emphasizes that whistleblowing programs carry a very high risk of stigmatization and humiliation of said person within the organization to which they belong”.
  • Legal report of the Spanish Data Protection Agency (AEPD) No. 128/2007. This document analyzes the legality of an internal reporting system or whistleblowing in accordance with current data protection regulations (former Organic Law 15/1999, of December 13), in view of the processing of personal data contained in the report of an alleged crime.
  • Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report infringements of Union law[iii].

The Working Group emphasizes that whistleblowing programs must be established in compliance with European Union data protection rules. The opinion in question stated that whistleblowing was designed as a complement to the organization's usual information channels, such as worker representatives, management, quality control personnel or internal auditors, whose function is precisely to report these non-compliances. Whistleblowing should be seen as a complement to, and not as a substitute for, the internal management and communication of the business.

The importance of protecting the identity of the reporting worker lies in ensuring that he or she does not suffer retaliation from his or her immediate superiors or any other person involved in the criminal act that is the subject of the complaint. The aim is that, by virtue of the employer's power of control, the report or corresponding investigation of alleged criminal acts is not omitted; to this end, it is advisable to balance the position of the worker so that his duty to preserve social justice predominates over his fear of losing his job. There are different methods by which a company can protect the reporting channels. On the one hand, it can proceed with the anonymization of the identity of the whistleblowers, so that the Compliance Officer becomes aware only of the irregular event reported. The use of this mechanism, although it is safer for whistleblowers, can generate false reports or the absence of information necessary to continue with a thorough investigation.

Among the various issues addressed by Opinion 1/2006, it is important to note that the Article 29 Group does not favor the use of anonymous complaints in whistleblowing processes. This is because (i) anonymity would not dissuade interested parties from knowing who made the complaint; (ii) the investigation of a matter is more complex if the complainant cannot answer questions in the follow-up of the complaint; (iii) it is easier to organize the protection of the whistleblower against retaliation, especially if such protection is conferred by law, when complaints are made openly; (iv) anonymous complaints can bring attention or focus to who the whistleblower is; (v) there is a risk of developing a culture of making anonymous complaints; and (vi) the social climate could deteriorate if employees become aware that they can be reported anonymously at any time[iv]. For these reasons, the Article 29 Group concludes that the anonymous method conflicts with the essential principle of fair data collection and, consequently, as a general rule it provides that identified complaints should be admitted in whistleblowing reporting procedures[v].

That is, in light of the aforementioned regulations and the pronouncements of the AEPD, the following must be taken into account:

  • Employees and third parties must be informed of the existence of reporting channels and information systems.
  • Access to the data contained in these systems will be restricted exclusively to the Compliance Officer and/or those who perform internal control functions within the business.
  • A confidential procedure with due guarantees will be established that does not unnecessarily expose the people involved. This will include the adoption of relevant measures to preserve the identity and minimize the processing of personal data of the affected persons.

[i] EUROPEAN DATA PROTECTION SUPERVISOR, Whistleblowing, retrieved from: https://edps.europa.eu/data-protection/our-work/subjects/whistleblowing_en?page=1, accessed on 09/21/2020.

[ii] REYES HERREROS, Juan and ARLÁ CAPDEVILA, María; “The protection of whistleblowers in the field of Labor Law”, Fiscal & Laboral al día, no. 265, 2018, p. 96-101.

[iii] A detailed list of regulations and comments on this topic can be found in CAPEÁNS AMENEDO, Catarina; Labor Law and New Technologies, Conflict between information and communication technologies and the right to privacy and self-image, 1st edition, Colex 2020, p. 39-40.

[iv] MARTINEZ SALDAÑA, David; MORENO LUCENILLA, Ignacio; “The protection of whistleblowers and labor compliance” in Labor Information Magazine No. 12/2018, Aranzadi editorial.

[v] In this regard, art. 24 LOPDGDD admits the possibility of submitting anonymous complaints, but the criteria maintained by the Article 29 Group must be kept in mind. In any case, confidentiality must be protected, establishing as a general rule the confidentiality of the complainant's personal data.
