Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



The Czech whistleblowing law is finally here: compliance and data protection aspects to keep in mind!

PrintMailRate-it

published on 21 July 2023 | reading time approx. 4 minutes


After facing an infringement procedure initiated by the European Commission, the Czech Republic finally adopted the Whistleblower Protection Act (Act. 171/2023 Coll.), which transposes Directive (EU) 2019/1937 and introduces a minimum standard of protection for whistleblowers. 

A complex challenge for the private sector

The protection of whistleblowers poses a complex compliance challenge for the private sector. Indeed, obliged entities will face multiple implementation hurdles (against a backdrop of significant fines for non-compliance) and will need to:
  • implement or adapt existing reporting channels and internal processes to meet the new statutory requirements. 
  • ensure compliance with the relevant data protection legislation at every stage of the whistleblowing process. 
  • meet the tight implementation deadlines set by the law (1.8.2023 for obliged entities with at least 250 employees and 15.12.2023 for obliged entities with at least 50 employees). 

Fortunately, the implementation law allows for certain elements of operational flexibility to simplify compliance and reduce costs and administrative burdens for companies. Obliged entities may opt for technical outsourcing (with the adoption of a whistleblowing platform), outsourcing of functions and sharing of resources with another obliged entity (below the threshold of 249 employees). However, the responsibility for the compliance with the law remains with each obliged entity. 

Whistleblowing and Data Protection Compliance

The implementation and use of the internal whistleblowing system undoubtedly constitutes a processing activity involving the processing of personal data (possibly of a sensitive nature) of several categories of data subjects.

Obliged entities, as data controllers under GDPR, must ensure full compliance with all data protection requirements. 

The cornerstone of whistleblowing protection must be adequately considered when designing data protection compliance: the confidentiality of the whistleblower's identity and of the content of the report must be maintained at all times (except when disclosure is based on the whistleblower's consent). 
So how to meet data protection requirements?

In line with the Czech privacy legislation, the regulatory guidance and the implementation guidelines recently issued by the Ministry of Justice (as competent whistleblowing authority) we highlight the following compliance key points. 

GDPR principles

The establishment and use of the internal reporting system must comply with the general principles of data protection, including compliance with the statutory retention period. 

Information obligation

Data subjects must be provided with comprehensive information on the data processing associated with the whistleblower system, while the confidentiality of the whistleblower's identity and the report must be maintained.

Risk assessment

Prior to the establishment/update of the internal reporting channel, an assessment of the associated privacy risks shall be carried out. Controllers shall design the channel and processes accordingly and adopt appropriate technical and organizational measures to mitigate the privacy risks. 

The Czech transposition law does not introduce a mandatory DPIA requirement, but the processing of data in the context of whistleblowing may pose significant privacy risks due to the nature of the data processed and the possible consequences for data subjects in case of a breach of the confidentiality, availability, and integrity of the data. The need to conduct a Data Protection Impact Assessment (DPIA) should be carefully reviewed (especially for larger organisations).

Privacy Roles

If different entities are involved in the internal reporting system, the privacy roles must be clarified and, if necessary, data protection agreements must be concluded.

Exercise of data subjects' rights

In any case, data subjects must be able to exercise their rights (within the meaning of Articles 15-22 GDPR), but the confidentiality of the whistleblower's identity and of other person mentioned in the notification must not be compromised, and the result of the investigations may not be jeopardized. The exercise of rights should therefore be specifically regulated. 

Update of privacy documentation

Internal documentation on data processing (privacy policy, processing register, etc.) should be updated to reflect the processing of personal data through the internal whistleblowing system.

Group of companies (multi-country)

The Czech transposition law does not specifically regulate group companies. However, based on the restrictive interpretation of the EU Commission and in current lack of a different statement from the Ministry of Justice, mother companies should not be considered as third parties for outsourcing purposes. The sharing of resources in group companies should therefore be possible only below the threshold of 249 employees. 

In any case, multi-country group companies will need to conduct a compliance assessment in each jurisdiction of the group subsidiaries to ensure compliance with all local requirements, including data protection laws, guidelines and opinions issued by the local data protection authority.

Authors:
Monika Gardlíková - Senior Associate
Alice Meier - Associate

 DATA PROTECTION BITES

Author

Contact Person Picture

Monika Gardlíková

Advokátka

Senior Associate

+420 236 163 710

Invia richiesta

 RÖDL & PARTNER CZECH REPUBLIC

Discover more about our offices in Czech Republic. Read more »
Deutschland Weltweit Search Menu