


Implementation of the Newly Introduced Whistleblowing Law: GDPR Considerations


The new Whistleblowing Law, which aims to promote whistleblowing on any sort of violation that goes against the public interest, came into force in the Republic of Latvia on May 1st, 2019.


The Whistleblowing Law requires public institutions and undertakings with more than 50 employees to set up an internal whistleblowing system to process relevant notifications. Any notification made through the whistleblowing system involves the processing of personal data and therefore necessitates compliance with the corresponding provisions of the General Data Protection Regulation (GDPR). Although anonymous notifications may be considered, it is strongly recommended to ensure strict GDPR compliance of the system in order to encourage whistleblowers to identify themselves, thus facilitating the effectiveness of the subsequent investigations.

It is therefore critically important to supplement the whistleblowing system with integrated GDPR instruments that ensure the transparency of personal data processing, such as a designated whistleblowing system policy providing data subjects with a detailed description of the information processed via the system, a definition of the lawful basis and purpose for processing the personal data, identification of the recipients and data transfer options, as well as an articulation of the rights of the data subjects mentioned in the notification. Although the potential violators referred to in the submitted notifications are recognised as data subjects within the meaning of the GDPR, their rights shall be limited to avoid hindering the main purpose of the ongoing processing itself. Thus, the potential violators shall remain uninformed of the submitted notification, the details of the notification, the identity of the whistleblower, etc.

Apparently, the most challenging task for data controllers will be ensuring the safe and secure processing of the personal data received via the whistleblowing system. Besides limiting access to the corresponding information to the individuals actually involved in the initial investigation, a wide range of other technical and organisational measures shall be implemented to prevent disclosure of the processed information. Although neither the Whistleblowing Law nor the GDPR describes specific technical and organisational measures, the highly confidential nature of the notified information, its potential impact on the reputation of the individuals involved, and its importance to the public interest demand high-profile security solutions, including pseudonymisation, encryption and other technical solutions that minimise data exposure risks.

In light of the above, it is reasonable to suggest that introducing a whistleblowing system is a complex challenge for public institutions and undertakings, both in terms of setting up an effective notification system and in terms of ensuring its compliance with the GDPR principles. The recent tendency to apply tough sanctions for GDPR violations may become a sufficient stimulus for undertakings to invest heavily in the development and introduction of sophisticated whistleblowing systems. Whether the same approach will be adopted by public institutions, which are free from the sword of Damocles of sanctions, remains to be seen.

Contact


Dmitrijs Ņemirovskis, Lawyer and Certified DPO

+371 67 338125
