Whistleblowers and the GDPR — Data Protection in Whistleblowing Systems
The Polish Whistleblower Protection Act of 14 June 2024, which entered into force on 25 September 2024, requires entities employing at least 50 persons to implement an internal channel for reporting breaches of law. Since 25 December 2024, external reporting channels to the Commissioner for Human Rights (RPO) and public authorities have also been operational.
Implementing a whistleblowing system involves intensive processing of personal data — data of the whistleblower, the person concerned by the report, witnesses, and persons assisting with the report. This data is often particularly sensitive and requires an elevated level of protection.
This article explains how to process personal data in a whistleblowing system in compliance with the GDPR and the Whistleblower Protection Act — from legal bases, through confidentiality and retention, to DPIAs and data subject rights.
The Whistleblower Protection Act — Key Information
The Act implements Directive (EU) 2019/1937 and introduces three channels for reporting breaches of law:
Internal reports — to the employer (legal entity). The obligation to implement an internal reporting procedure applies to entities employing at least 50 persons. Public entities must implement it regardless of size (with exceptions for municipalities and counties below 10,000 inhabitants).
External reports — to the Commissioner for Human Rights or the relevant public authority. Operational since 25 December 2024.
Public disclosure — as a last resort, if internal and external channels have failed or there is an immediate threat to the public interest.
The whistleblower is protected from retaliation from the moment of making a report, provided they had reasonable grounds to believe the reported information was true.
What Personal Data Is Processed in a Whistleblowing System?
A whistleblowing system generates the processing of multiple categories of personal data:
Whistleblower data — name, position, contact details, relationship with the organisation. This data is subject to special protection — confidentiality of the whistleblower’s identity is a fundamental principle of the Act.
Data of the person concerned — name, position, description of alleged actions. This person has GDPR rights, but their exercise is limited to protect the whistleblower and the integrity of the investigation.
Witness and facilitator data — persons identified in the report or participating in the follow-up investigation.
Report content — the description of the breach, which may contain personal data of multiple individuals.
Investigation data — interview records, documents, correspondence, evidence.
Legal Bases for Processing Whistleblower Data
The Whistleblower Protection Act constitutes an independent legal basis for processing personal data in connection with handling reports. Article 8(4) provides that the legal entity or public authority processes personal data to the extent necessary to accept the report or take any follow-up action.
Under the GDPR, the legal bases are:
Article 6(1)(c) GDPR (legal obligation) — processing is necessary for compliance with a legal obligation. This obligation arises from the Whistleblower Protection Act — entities employing at least 50 persons must accept reports and take follow-up action.
Article 6(1)(f) GDPR (legitimate interest) — as a supplementary basis, e.g., for processing data to defend against claims arising from the report.
Article 9(2)(b) GDPR — if the report contains special category data (e.g., health data, sexual orientation, trade union membership) — processing is necessary for compliance with employment and social security law obligations.
Article 9(2)(f) GDPR — processing of special category data is necessary for the establishment, exercise, or defence of legal claims.
Confidentiality of the Whistleblower’s Identity
Article 8 of the Whistleblower Protection Act imposes a duty to maintain the confidentiality of the whistleblower’s identity. Data enabling identification of the whistleblower may not be disclosed to unauthorised persons.
What this means in practice:
Access to whistleblower data should be limited to the minimum — only persons conducting the investigation.
The reporting system must ensure technical protection of confidentiality — e.g., encryption, separate database, access control.
The whistleblower’s identity may be disclosed only with their explicit consent or in cases specified by the Act (e.g., at the request of a court or prosecutor in criminal proceedings).
Breaching the confidentiality of a whistleblower’s identity is subject to criminal sanctions — the Act provides for fines, restriction of liberty, or imprisonment of up to one year.
Confidentiality vs anonymity: The Act distinguishes confidential reports (identity known but protected) from anonymous reports (identity unknown). Entities may, but are not required to, accept anonymous reports. If they choose to do so, this must be specified in the internal reporting procedure.
Data Subject Rights — Special Limitations
In the whistleblowing system, standard GDPR rights are subject to significant limitations:
The person concerned by the report has the right to information about data processing, but this right is limited to the extent that it could jeopardise the confidentiality of the whistleblower’s identity or the integrity of the investigation. Article 14(5)(b) GDPR allows the information obligation to be deferred where providing the information is likely to render impossible or seriously impair the achievement of the objectives of the processing (e.g., tipping off the person concerned before evidence is secured), and Article 14(5)(d) GDPR applies where the data must remain confidential under a statutory secrecy obligation, such as the Act’s duty to protect the whistleblower’s identity.
Right of access (Article 15 GDPR) — the person concerned may request access to their data, but the controller may limit access to the extent it would reveal the whistleblower’s identity.
Right to erasure (Article 17 GDPR) — limited. The controller cannot delete investigation data before the statutory retention period expires.
Right to rectification (Article 16 GDPR) — the person concerned may request correction of inaccurate data. This right is not limited.
Data Retention — How Long to Keep Reports
Article 8(2) of the Whistleblower Protection Act specifies the retention period:
Data in the internal reports register — retained for 3 years after the end of the calendar year in which follow-up actions were completed, or after the conclusion of proceedings initiated by those actions.
After this period, data must be deleted, unless it is necessary for the establishment or defence of legal claims.
Irrelevant personal data — data that is not relevant to handling the report should be promptly deleted.
DPIA for Whistleblowing Systems
Implementing a whistleblowing system often requires a DPIA due to: processing of highly personal data, data concerning vulnerable individuals (employees in a dependent relationship), potential consequences for individuals, and potentially new technological solutions (dedicated reporting platforms).
The EDPB and UODO recommend conducting a DPIA before launching the reporting channel.
Security of Data in Whistleblowing Systems
Due to data sensitivity, the reporting system must ensure an elevated level of security:
Encryption — of report content at rest and in transit.
Access control — access limited exclusively to persons conducting the investigation.
Data separation — whistleblower identity should be separated from report content where possible.
Access logging — recording who accessed report data and when.
Secure reporting channel — HTTPS, end-to-end encryption for online forms. Avoid accepting reports via ordinary company email.
Encrypted backups with restricted access.
Physical security — paper documents stored in locked cabinets with restricted access.
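The following is an added illustration written for this article, not code from any whistleblowing platform or from the law office. It models two of the measures listed above (keeping the whistleblower’s identity in a separate store behind a role-gated accessor that logs every attempt) together with the retention rule from the previous section (deletion after 3 years counted from the end of the calendar year in which follow-up actions were completed, unless the data is still needed for legal claims). The role model (a fixed set of case handlers), the field names and the sample report are assumptions made for the example.

```python
# Added example: minimal in-memory model of identity separation, logged access
# control and calendar-year-anchored retention for a whistleblowing case store.
# Illustrative code for this article; the role model and field names are assumed.
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Optional
import secrets


class AccessDenied(PermissionError):
    """Raised when someone outside the case-handler role asks for an identity."""


@dataclass
class Report:
    case_id: str
    content: str
    received: date
    follow_up_completed: Optional[date] = None
    legal_hold: bool = False  # still needed to establish or defend legal claims


@dataclass
class CaseStore:
    handlers: frozenset = frozenset()  # users allowed to unmask a reporter
    reports: Dict[str, Report] = field(default_factory=dict)
    identities: Dict[str, str] = field(default_factory=dict)  # separate store
    access_log: List[dict] = field(default_factory=list)

    def file_report(self, content: str, reporter: Optional[str], received: date) -> str:
        # Random case ID: nothing in the report record points at the reporter.
        case_id = secrets.token_hex(8)
        self.reports[case_id] = Report(case_id, content, received)
        if reporter is not None:  # an anonymous report simply has no identity row
            self.identities[case_id] = reporter
        return case_id

    def reveal_identity(self, case_id: str, user: str, reason: str) -> str:
        # Every attempt, granted or refused, is logged before the decision is returned.
        granted = user in self.handlers and case_id in self.identities
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "case_id": case_id, "reason": reason, "granted": granted,
        })
        if not granted:
            raise AccessDenied(f"{user} may not unmask case {case_id}")
        return self.identities[case_id]

    def close_case(self, case_id: str, completed: date) -> None:
        self.reports[case_id].follow_up_completed = completed

    def retention_end(self, case_id: str) -> Optional[date]:
        # Last day on which the data must still be kept: 31 December of the
        # third year after the year in which follow-up actions were completed.
        done = self.reports[case_id].follow_up_completed
        return None if done is None else date(done.year + 3, 12, 31)

    def purge_expired(self, today: date) -> List[str]:
        # Report content and identity are deleted together; a legal hold blocks deletion.
        purged = []
        for case_id, rep in list(self.reports.items()):
            end = self.retention_end(case_id)
            if end is not None and today > end and not rep.legal_hold:
                del self.reports[case_id]
                self.identities.pop(case_id, None)
                purged.append(case_id)
        return purged


if __name__ == "__main__":
    store = CaseStore(handlers=frozenset({"handler1"}))
    cid = store.file_report("Suspected kickback in procurement", "Jan Kowalski", date(2025, 3, 10))
    print(store.reveal_identity(cid, "handler1", "interview planning"))
    store.close_case(cid, date(2025, 12, 31))
    print(store.retention_end(cid))          # 2028-12-31
    print(store.purge_expired(date(2029, 1, 1)) == [cid])
```

Two design points are worth noting. A report filed on any day of 2025 and closed in 2025 gets the same retention end (31 December 2028), which is what “after the end of the calendar year” means; a case closed on 1 January 2026 is kept a full year longer. And the identity accessor logs the refusal as well as the grant, so an audit of the log shows who tried to unmask a reporter, not only who succeeded. In a real system the identity store would additionally be encrypted with a key that only the case-handler role can use, and the log would be written to append-only storage.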
Whistleblowers and the DPO
The DPO should be involved in implementing and operating the whistleblowing system: consulting on the internal reporting procedure, DPIA, monitoring GDPR compliance, and training persons handling reports. However, the DPO should not be the person handling reports — this could create a conflict of interest.
Most Common GDPR Mistakes in Whistleblowing Implementation
No privacy notice in the reporting procedure.
No data processing agreement (Article 28 GDPR) with the platform provider.
Excessively broad access to reports.
No encryption of report data.
No retention policy — reports stored indefinitely.
Immediate disclosure of the whistleblower’s identity to the person concerned.
No DPIA before launching the system.
No written authorisations (Article 29 GDPR) for persons handling reports.
Accepting reports via ordinary email without security measures.
Failure to include whistleblowing in the record of processing activities (ROPA, Article 30 GDPR).
Checklist — Whistleblowers and the GDPR
- Implement an internal reporting procedure with GDPR elements.
- Prepare a privacy notice for whistleblowers.
- Determine the legal basis — Article 6(1)(c) GDPR + Whistleblower Protection Act.
- Ensure confidentiality of the whistleblower’s identity.
- Restrict access to reports — authorised persons only, with confidentiality obligations.
- Implement encryption — of reports, database, and communications.
- Conduct a DPIA before launching the reporting channel.
- Consult the DPO on the procedure, DPIA, and security measures.
- Conclude a data processing agreement (Article 28 GDPR) with the reporting platform provider (if external).
- Set retention at 3 years after the end of the calendar year in which follow-up actions concluded.
- Maintain a reports register with restricted access.
- Include whistleblowing in the ROPA as a separate processing activity.
- Train persons handling reports on GDPR and confidentiality.
- Implement a procedure for deleting irrelevant data promptly.
- Schedule regular reviews of the system’s GDPR compliance.
Need Support With Implementing a Whistleblowing System?
Implementing a whistleblowing system requires simultaneously meeting the requirements of the Whistleblower Protection Act and the GDPR — from reporting procedures, through DPIAs and privacy notices, to technical security and data retention. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies and institutions implement legally compliant whistleblowing systems — preparing procedures, privacy notices, DPIAs, and training persons responsible for handling reports.

Contact us — we will implement a whistleblowing system in your organisation in compliance with the GDPR.
