In light of the GDPR, the German data protection authorities (German DPAs) have issued new guidance regarding the implementation of whistleblowing hotlines. The new position of the German DPAs is so fundamentally different from their pre-GDPR position that German companies should review, and likely implement changes to, any existing whistleblowing hotlines offered to their employees.
The general EU position before the GDPR came into effect was that whistleblowers were encouraged to disclose their identity rather than filing anonymous reports. In some EU countries, such as Portugal, anonymous reporting was in fact prohibited. In Germany, this position is now reversed and the new Guidance provides that employees must be encouraged to submit reports anonymously. The Guidance further provides that, when whistleblowers wish to disclose their identify rather than reporting anonymously, they must be informed that their identity will be disclosed to the accused individuals. This reasoning is based on Art. 14 (2)(f) GDPR which provides that where personal data has not been obtained from the data subject, the controller must inform the data subject about the source form which the personal data originated. In addition, the Guidance stipulates that such disclosure of the whistleblower’s identity requires the whistleblower’s consent.
The Guidance raises significant practical challenges and is not in all points convincing as further discussed in our alert here. In particular, it is unclear why the exception in Article 14 (5)(b) GDPR and in the new Federal German Data Protection Act were not considered as they seem to allow keeping the identity of the whistleblower confidential which would then render the whistleblower’s consent unnecessary. It will be interesting to see if the European Data Protection Board will also issue guidance regarding whistleblowing and what position other EU countries take. The German Guidance is avalaible here (in German only).