How to protect whistleblowers’ data – summary of the seminar
On 7 August, a seminar was held at the Personal Data Protection Office, during which Mirosław Wróblewski, President of the Personal Data Protection Office, together with employees of the Office, representatives of the Social Team of Experts at the President of the Personal Data Protection Office and external experts, discussed the comments submitted as part of the public consultations and presented proposals for the interpretation of the provisions of the Act on the Protection of Whistleblowers with regard to personal data. The meeting, also available online, was attended by over a thousand people.
As Mirosław Wróblewski pointed out at the beginning: "We would like this seminar to have a practical dimension, to be an aid to all organisations in preparing for the implementation and application of the provisions of the Act on the Protection of Whistleblowers and the real protection of whistleblowers, who are of significant importance. I think that the entry into force of this law is also an important moment in the context of rebuilding the rule of law in our country."
During the seminar, the President of the Personal Data Protection Office announced that he would be in constant contact with, inter alia, the Commissioner for Human Rights, as a body that has a special role in the implementation of the tasks of the Act. In the opinion of the President of the Personal Data Protection Office, observing the practice of this authority will be very important in settling key issues, such as the understanding of the concept of a whistleblower. The President of the Personal Data Protection Office also stressed the need for further education in this area and announced that the Office's website will systematically publish explanations on the matters that were discussed at the seminar. In particular, the Office will communicate practices regarding the application of whistleblower protection regulations.
Mirosław Gumularz, PhD, Chairman of the Social Team of Experts to the President of the Personal Data Protection Office, thanked those who sent in the numerous comments and took an active part in the public consultations. He assured them that each comment was thoroughly analysed by the Social Team of Experts in dialogue with the Office, and presented the most problematic issues that arose during the public consultations. These were discussed in the subsequent panels.
Information obligations and data retention
The first panel emphasised that the identity of a whistleblower is not only the name and surname, but any data on the basis of which he/she could be indirectly identified, such as his/her place of work.
The speakers also raised the issue of information obligations and possible exemptions in this respect under the Act on the Protection of Whistleblowers and the GDPR itself (in particular in the context of the implementation of these obligations towards the persons to whom the report relates). Attention was also drawn to the fact that the Act does not indicate the moment from which the period of personal data retention should be counted.
The panel also pointed out (as emphasised by, inter alia, Paweł Litwiński, PhD) that Article 8(3) of the Act on the Protection of Whistleblowers is not entirely clear once we realise that one report may contain information about several breaches of the law: the data retention periods, calculated separately for each piece of information about a breach of the law, may then be different. Despite this, it seems that the 3-year retention period should always be counted from the date of receipt of the notification. This also applies to the data contained in the register of reports (Article 29(5) of the Act on the Protection of Whistleblowers): the register of reports is constructed on the basis of the report (the register includes the number of the report, etc., i.e. information related to the report), and consequently the date of filing the report will be of fundamental importance for calculating the data retention period.
Procedure for receiving internal reports and conducting investigations
In the second panel, the participants of the seminar discussed the procedures for receiving internal reports and conducting investigations from the perspective of the principles of personal data processing.
Many of the questions submitted to the Office as part of the public consultations concerned the possibility of anonymous reports and the ways of submitting reports (oral transmission was controversial). The issue of the so-called "false whistleblower" was also raised, because it is only at an advanced stage of the proceedings that it can be determined whether the person reporting the breach falls within the statutory definition of a whistleblower.
A large part of the discussion was devoted to capital groups in the context of whistleblowers, reporting channels and what a report should look like. In the context of reporting channels, various options for their implementation by capital companies were considered from the perspective of practice and compliance with the law. First of all, attention was paid to the risk of leaving only corporate channels in place. The speakers also considered the practice of receiving telephone reports and consenting to the recording and transcription of the conversation, and whether this is consent within the meaning of Article 7 of the GDPR (the concept of "consent" appears in Article 26(3) of the Act on the Protection of Whistleblowers).
External reports
The third panel provided an opportunity to obtain information on how the Office of the Commissioner for Human Rights is preparing for the entry into force of the Act on the Protection of Whistleblowers. This is because the Polish legislator has entrusted the CHR with the role of a central body supporting whistleblowers in exercising their rights.
As noted by the representative of the Office of the Commissioner for Human Rights, Director Marcin Malecko, the newly established Whistleblower Team in the Office of the Commissioner for Human Rights still has more questions than ready answers. It is a challenge for the Office of the Commissioner for Human Rights to organise an external reports system and to separate it from the internal reports system.
Technical and organisational security
The last panel discussed the security of selected channels for reporting breaches by ensuring appropriate technical and organisational safeguards.
The panel emphasised the need to build personal data protection into the designed data processing processes, in accordance with the principles of privacy by design and privacy by default, while ensuring the integrity and availability of data and maintaining its confidentiality.
What's next?
As a result of the seminar discussion, written explanations from the Personal Data Protection Office will regularly appear on the Office's website, suggesting the appropriate directions for interpreting the provisions of the Act on the Protection of Whistleblowers with regard to personal data.
Because many questions concerned the role of law firms in the context of outsourcing whistleblower reporting activities, Mirosław Wróblewski, President of the Personal Data Protection Office, announced that he would ask the self-governments of attorneys-at-law for a meeting to discuss the role of law firms in supporting clients, taking into account the possibility of concluding an agreement with them to entrust the receipt of internal reports within the meaning of Article 28(1) of the Act on the Protection of Whistleblowers.
The interest in the seminar was very high, exceeding the expectations and capabilities of the Office, so not everyone who wanted to watch the broadcast was able to do so, for which we apologise.
If you are interested in the topic, we invite you to read the next issue of the "Bulletin of the Personal Data Protection Office", where you will find an extensive report from the seminar "Practical problems in the application of the provisions of the Act on the Protection of Whistleblowers from the perspective of the GDPR. A contribution to the discussion on the doubts raised during the public consultations". Below you will find a link to subscribe to the Bulletin (in Polish).
Link to subscribe to the "Bulletin of the Personal Data Protection Office"