


The Czech whistleblowing law is finally here: compliance and data protection aspects to keep in mind!


published on 21 July 2023 | reading time approx. 4 minutes


After facing an infringement procedure initiated by the European Commission, the Czech Republic has finally adopted the Whistleblower Protection Act (Act No. 171/2023 Coll.), which transposes Directive (EU) 2019/1937 and introduces a minimum standard of protection for whistleblowers.

A complex challenge for the private sector

The protection of whistleblowers poses a complex compliance challenge for the private sector. Obliged entities will face multiple implementation hurdles (against a backdrop of significant fines for non-compliance) and will need to:
  • implement new reporting channels and internal processes, or adapt existing ones, to meet the new statutory requirements;
  • ensure compliance with the relevant data protection legislation at every stage of the whistleblowing process;
  • meet the tight implementation deadlines set by the law (1 August 2023 for obliged entities with at least 250 employees and 15 December 2023 for obliged entities with at least 50 employees).

Fortunately, the transposition law allows certain operational flexibility to simplify compliance and reduce costs and administrative burdens for companies. Obliged entities may opt for technical outsourcing (adoption of a whistleblowing platform), outsourcing of functions, and sharing of resources with another obliged entity (available only to entities with no more than 249 employees). However, responsibility for compliance with the law remains with each obliged entity.

Whistleblowing and Data Protection Compliance

The implementation and use of an internal whistleblowing system undoubtedly constitutes a processing activity involving personal data (possibly of a sensitive nature) of several categories of data subjects: the whistleblower, the persons concerned by the report, witnesses, and the staff handling the report.

Obliged entities, as data controllers under GDPR, must ensure full compliance with all data protection requirements. 

When designing data protection compliance, the cornerstone of whistleblower protection must be adequately considered: the confidentiality of the whistleblower's identity and of the content of the report must be maintained at all times (except where disclosure is based on the whistleblower's consent).
So how can the data protection requirements be met?

In line with Czech privacy legislation, regulatory guidance and the implementation guidelines recently issued by the Ministry of Justice (as the competent whistleblowing authority), we highlight the following key compliance points.

GDPR principles

The establishment and use of the internal reporting system must comply with the general principles of data protection (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality), including compliance with the statutory retention period for reports and related records.

Information obligation

Data subjects must be provided with comprehensive information on the data processing associated with the whistleblower system, while the confidentiality of the whistleblower's identity and the report must be maintained.

Risk assessment

Prior to the establishment or update of the internal reporting channel, an assessment of the associated privacy risks shall be carried out. Controllers shall design the channel and processes accordingly and adopt appropriate technical and organisational measures to mitigate those risks.

The Czech transposition law does not introduce a mandatory DPIA requirement, but the processing of personal data in the context of whistleblowing may pose significant privacy risks due to the nature of the data processed and the possible consequences for data subjects if the confidentiality, integrity or availability of the data is breached. Whether a Data Protection Impact Assessment (DPIA) under Article 35 GDPR is required should therefore be carefully reviewed (especially by larger organisations).

Privacy Roles

If different entities are involved in the internal reporting system (for example a platform provider or another group company), the privacy roles (controller, joint controller, processor) must be clarified and, where necessary, the corresponding data protection agreements must be concluded.

Exercise of data subjects' rights

In any case, data subjects must be able to exercise their rights (within the meaning of Articles 15-22 GDPR), but the confidentiality of the whistleblower's identity and of other persons mentioned in the report must not be compromised, and the outcome of the investigation may not be jeopardised. The exercise of these rights should therefore be specifically regulated in the internal process.

Update of privacy documentation

Internal documentation on data processing (privacy policy, processing register, etc.) should be updated to reflect the processing of personal data through the internal whistleblowing system.

Group of companies (multi-country)

The Czech transposition law does not specifically regulate groups of companies. However, based on the restrictive interpretation of the European Commission and in the current absence of a different statement from the Ministry of Justice, parent companies should not be considered third parties for outsourcing purposes. Sharing of resources within a group should therefore be possible only for entities with no more than 249 employees.

In any case, multi-country groups will need to conduct a compliance assessment in each jurisdiction in which they have subsidiaries, to ensure compliance with all local requirements, including data protection laws and the guidelines and opinions issued by the local data protection authority.

Authors:
Monika Gardlíková - Senior Associate
Alice Meier - Associate

DATA PROTECTION BITES
