EU Whistleblower Directive: A Primer (Part III of IV) – Data Privacy and Recordkeeping
Hope everyone had a wonderful Fourth of July holiday. Alex Cotoia, Regulatory Manager at the Volkov Law Group, rejoins us for Parts III and IV of his series on the EU Whistleblower Directive. If you want to reach Alex, his email is [email protected].
Article 17 of the Directive expressly applies Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (“GDPR”) to any processing of personal data carried out in connection with whistleblowing activity. Under Article 17, any exchange or transmission of such data by private sector organizations and competent authorities must be carried out in accordance with the GDPR’s strict requirements.
Article 17 also prohibits the collection of personal data “manifestly not relevant” to the handling of a specific report.[1] If such information is collected notwithstanding that prohibition, the Directive requires the recipient to delete it “without undue delay.”[2] Although comparatively brief, Article 17 is enormously consequential: organizations may need to revisit their data collection, processing, storage, retention and destruction practices in relation to whistleblowing activity. As a best practice, private sector organizations to which the new Directive applies should conduct a Data Protection Impact Assessment (“DPIA”) in accordance with GDPR Article 35[3] to ascertain, among other things: (1) what information is currently collected; (2) how that information is stored; (3) who can access that information; and (4) when that information is destroyed. As part of the DPIA, organizations should determine whether the risk posed by their current practices warrants a revision of the organization’s policies and procedures. For example, an organization may determine that the sheer amount of personal data collected is disproportionate to both the need for that information and the risk involved in collecting it. In such instances, organizations may wish to revisit their internal reporting intake processes (the forms, hotline scripts and case-management fields through which reports arrive) to ensure that only the personal data actually pertinent to handling the report is collected, and that anything collected inadvertently is identified and deleted promptly.
Article 18 of the Directive imposes recordkeeping requirements on private and public sector organizations as well as competent authorities. The Directive mandates that all such organizations “keep records of every report received,”[4] in compliance with the confidentiality requirements of Article 16, and requires those reports to be retained “for no longer than is necessary and proportionate in order to comply with the [Directive’s] requirements”[5] or with other requirements imposed by Union or national law. Organizations should therefore define a retention period for whistleblowing records and be prepared to justify it, rather than keeping reports indefinitely.
Where a recorded telephone line or other recorded voice messaging system is used, and subject to the consent of the reporting person, organizations have the right to document oral reporting either by making a recording of the actual conversation in a “durable and retrievable form” or by means of a complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.[6] Where instead an unrecorded telephone line or voice messaging system is used, organizations have the right to document oral reporting in the form of accurate minutes of the conversation, again written by the staff members responsible for handling the report.[7]
Finally, where an actual meeting occurs between the whistleblower and the organization’s staff responsible for handling the report, the recordkeeping requirement may be satisfied, again subject to the consent of the reporting person, either by making a recording of the conversation in a “durable and retrievable form” or by having the staff members responsible for handling the report take accurate minutes.[8] In every case where a transcript or minutes are used, however, organizations are required to afford the whistleblower the opportunity to “check, rectify and agree to” the document by signing it.[9]
[1] Directive 2019/1937, Article 17, 2019 O.J. (L 305) 17, 42.
[2] Id.
[3] See Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), Article 35, 2016 O.J. (L 119) 1, 53-54.
[4] Directive 2019/1937, Article 18(1), 2019 O.J. (L 305) 17, 42.
[5] Id.
[6] Id. at Article 18(2).
[7] Id. at Article 18(3).
[8] Id. at Article 18(4).
[9] Id. at Article 18(2)-(4).