General Data Protection Regulation (GDPR) and Whistleblowing Laws (Part II of II)
Daniela Melendez Garces, Associate at The Volkov Law Group and Alex Cotoia, Regulatory Compliance Manager at The Volkov Law Group
Challenges may arise when conducting an internal investigation related to an underlying disclosure by a whistleblower pursuant to the EU Directive, because companies must strictly comply with the GDPR. Failure to comply with the GDPR can lead to administrative sanctions and high fines by the regulator.
To ensure that the organization is in compliance with the GDPR while conducting an internal investigation, companies must identify a valid legal basis for processing the data by identifying the exact purpose of the investigation, setting forth the specific categories of the data to be processed, and otherwise describing the precise nature and extent of the data involved. Organizations may justify data processing in connection with such investigations only if there is a legitimate interest. Consent to process the data by the person(s) implicated in the internal investigation is also required. Finally, the organization may need to confirm whether a collective bargaining or other form of employment agreement restricts its ability to process data in connection with the disposition of a whistleblower claim.
The GDPR further requires that when a company conducts an internal investigation it must comply with the general principles of data processing (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality). Organizations must also be cautious in observing any relevant local data protection laws. In addition, the GDPR requires that organizations inform data subjects in advance about the processing of their personal data. It is important to note that the GDPR does not provide an exception to the notification requirement while conducting an internal investigation. Moreover, data processing becomes trickier when the company wants to transfer the data to third parties. Finally, data controllers must perform a data protection impact assessment (“DPIA”) to assess whether the data processing will result in a breach of the freedoms and rights of data subjects [Article 24, GDPR].
Therefore, companies should exercise caution when they receive a speak-up report. Before reviewing the implicated employee’s email, and before sending the employee’s personal data out of the European Economic Area or out of the European Union, companies must ensure compliance with local and international data protection laws. The above is essential to ensure the internal investigation is not hindered by non-compliance with data protection laws.