Browsing by Author "Leskinen, Ida"

Whistleblowing has been on legislators’ and private entities’ agenda for the past decade. EU legislators have introduced industry-specific legislation on whistleblowing and in October 2019 the EU Directive 2019/1937 on the protection of persons who report breaches of Union law (“the Whistleblowing Directive”) was formally adopted. When the Whistleblowing Directive has been implemented in Member States, all private entities with 50 or more employees are obliged to establish safe reporting channels, i.e. whistleblowing channels, for those who in their work related activities come across breaches of EU law. Moreover, companies are interested in setting up whistleblowing channels even without a statutory obligation. Whistleblowing channels are used to implement code of conducts. Through internal whistleblowing channels entities collect information on misconducts in its operations and, if necessary, conduct internal investigations based on that information. When information is collected and handled, there is likely to be processing of personal data involved which is subject to data protection legislation. In 2016 EU’s General Data Protection Regulation (“the GDPR”) entered into force setting renewed data protection framework for the entire EU. Especially more transparent processing of personal data and sharpening data subject’s informational rights was focal points in the reform. Principle of transparency and Article 14 of the GDPR provides that data subjects are informed about processing of their personal data and sources of the personal data collected. Article 14 applies where personal data is not collected directly from the data subject. On the contrary, whistleblowing channels rely on confidentiality. Without confidentiality, the protection of whistleblower and the investigation is jeopardized which can jeopardize the whole purpose of internal whistleblowing. Thus, there seems to be a contradiction between the principle of transparency and confidentiality of whistleblowing. The purpose of this thesis is to assess and determine the scope of the Article 14 of the GDPR when personal data is processed in the context of whistleblowing and to assess how principle of transparency can be reconciled to confidentiality of the whistleblowing schemes. This research is conducted by exploiting legal dogmatic method. It can be concluded that the most problematic aspects of reconciling providing information to the data subject and ensuring confidentiality of the internal investigation and keeping confidentiality of the whistleblower is the timing when the information must be provided and how precise the information shall be as well as applicability of limitations. In order to comply with the obligation set out in Article 14 and principle of transparency in the context of whistleblowing, it is reasoned to apply two-step approach. Firstly, general information shall be provided prior to taking the internal whistleblowing scheme into use and this information should be kept available to employees and other data subjects that may be reported through the whistleblowing channel. Secondly, more precise information shall be provided where something is reported through the whistleblowing channel. If providing the second set of information would jeopardize the internal investigation there are grounds to derogate from the obligation to inform on the grounds of Article 14(5)(2) as providing the information is likely to render impossible or seriously impair the achievement of the objectives of that processing. However, grounds to derogate from the obligation to provide information for purposes of protecting identity of the whistleblower cannot be found in the GDPR or in the national legislation. However, where confidentiality is provided to the data subject on the grounds of statutory obligation, this obligation to keep the identity concealed shall override interpretation that providing the source of data under Article 14 would require providing the exact source, i.e., the identity of the whistleblower. In such case shall be provided more general information. In all cases the procedural safeguards and fair handling of the matter is to be ensured and malicious reporting shall not enjoy any protection.