A new whistleblowing act, the Act on Protection of Persons Reporting Wrongdoings (2021:890) (”the Whistleblowing Act”), came into force on 17 December 2021 replacing the previous act in the area.
The Whistleblowing Act sets requirements that certain operations implement a so-called Whistleblowing system, i.e. a reporting channel for information on wrongdoings and irregularities in the workplace. From 17 July 2022, public sector employers with more than 50 employees and private sector employers with more than 249 employees have an obligation to have whistleblowing channels in place. From 17 December 2023, the requirement also applies for private sector employees with at least 50 employees. More about the Whistleblowing Act can be found in Lindahl's previous review here.
When a whistleblowing system is established, the operation needs to ensure that any processing of personal data that occurs in the reporting system complies with the requirements in applicable data protection legislation. In this article, we will highlight central parts of these regulations, as well as what employers subject to the Whistleblowing Act need to think about with respect to personal data processing.
WHICH REGULATIONS APPLY FOR PERSONAL DATA PROCESSING IN WHISTLEBLOWING CHANNELS?
The General Data Protection Regulation (”GDPR”), the Data Protection Act that supplements GDPR in Swedish law, as well as the regulations issued in connection with the Data Protection Act, apply when processing personal data according to the Whistleblowing Act. In addition, the new Whistleblowing Act contains specific provisions on how personal data should be processed, which supplement GDPR and the Data Protection Act. In other words, both the fundamental principles in GDPR and the concrete requirements that arise from the Whistleblowing Act, e.g. concerning storage period for reports, must be followed.
SIX COMMON QUESTIONS ON PROCESSING OF PERSONAL DATA IN WHISTLEBLOWING CHANNELS
How do we determine the purpose of the processing?
According to the Whistleblowing Act, personal data may only be processed in a whistleblowing system if it is necessary for a follow-up case. According to the Act, the term "follow-up case" refers to a case that consists of
- receiving reports and having contact with the reporting person;
- taking measures to assess the accuracy in the claims that are presented in the report;
- submitting information regarding the claims investigated for continued measures; and
- providing feedback on the follow-up to the reporting person regarding the investigation conducted and the resulting conclusions.
According to the Act, it is consequently possible to process the personal data that is necessary for each of the steps in the follow-up of a whistleblowing matter.
How do we decide on the legal basis for the processing?
According to GDPR, there must always be a legal basis each time personal data is processed. There are six legal bases according to article 6.1 in GDPR. For private operators with at least 50 employees and for authorities that are personal data controllers, the processing can be supported by the legal basis of legal obligation according to article 6.1c in GDPR, provided that the processing of personal data is necessary to fulfil the obligations according to the Whistleblowing Act. As indicated above, this is obviously the case for the purposes that arise from the Act. If the processing is planned for purposes other than those listed above in the system, it must consequently rest on some other legal basis than a legal obligation according to the Whistleblowing Act.
Note that an operator only has a legal obligation when there is an obligation according to the Whistleblowing Act to establish a whistleblowing channel, i.e. 17 December 2023 for private operators with at least 50 employees. Operators with fewer than 50 employees are not obliged to establish whistleblowing channels according to the Act and can therefore not support processing of personal data in voluntarily established whistleblowing channels on the legal basis of legal obligation. With voluntarily established whistleblowing channels, the personal data controller must therefore find another legal basis to support the processing to be permitted according to GDPR.
May we process information on violations of the law in the reporting channel without applying for permission?
Information that concerns violations of the law refers to information about someone having committed a crime, having been found guilty in a court for a crime, having been subject to coercive measures such as detention or suspected of a tangible crime. According to GDPR, the general rule is that it is only those authorities that are tasked to process such information that have a legal basis for the processing.
All operators covered by the obligation to provide whistleblowing channels may process data in relation to violations of the law within the framework of the legal obligation to provide whistleblowing channels. This means that an application for a permit is not required. As a starting point to be able to process data that concerns violations of the law, operators that are not covered by the obligation to provide internal whistleblowing channels must apply for a permit to the Swedish Privacy Protection Authority.
How should we deal with the occurrence of sensitive personal data in whistleblowing channels?
As a general rule, it is not permitted to process sensitive personal data. However, when operations provide whistleblowing services, this means that sensitive personal data can be present in the information provided by employees.
In the light of this, those operators that are covered by the law's requirement to establish a whistleblowing service are exempted from the prohibition on processing sensitive personal data. The processing is then based on a public interest according to article 9.2g in GDPR, which permits exemptions from the general rule prohibiting processing of sensitive data. However, according to the Whistleblowing Act, processing of sensitive personal data must only take place to the extent that it is necessary for a follow-up case.
Processing of sensitive personal data within the framework of a whistleblowing service can also take place with the support of the legal obligation an employer or employee might have, for example, to follow up a statement that an employee has acted wrongly in his or her employment or to exercise his or her rights within labour law according to article 9.2b in GDPR.
How long may we store personal data in whistleblowing channels?
Personal data may only be processed to fulfil the obligations on which the processing is based – in this case, to comply with the requirement to provide a whistleblowing channel. Personal data may therefore not be processed for a longer period than that required to fulfil this purpose.
As a starting point, personal data that is obviously not relevant for the administration of a particular report on whistleblowing may not be collected. If such data is collected by mistake, it must be deleted as soon as possible.
Reports in the follow-up case and the personal data that is present therein may need to be stored for a certain period. For example, there may be a need for administration for a certain period after the drafting of the report and it might therefore also be necessary to store such data after a follow-up has been concluded. The Whistleblowing Act sets requirements that personal data must be deleted in all cases no later than two years after being processed.
Some information on engaging external companies that provide reporting channels
Companies that are engaged by a personal data controller to process personal data on the operator's behalf in order to provide whistleblowing channels are normally to be regarded as a personal data processor. The assessment of who is personal data controller and personal data processor for a certain processing case must however always be made in the light of the circumstances in the individual case. If a company is engaged that is to be regarded as personal data processor, the parties must enter into a personal data processing agreement that regulates the processing.
PRACTICAL CHECKLIST WHEN PROCESSING PERSONAL DATA IN WHISTLEBLOWING CHANNELS
Below is a practical checklist when processing personal data in whistleblowing channels.
✓ Perform an impact assessment. Perform an assessment of the impact of the whistleblowing system according to article 35 of GDPR before you establish a whistleblowing system, i.e. before processing commences.
✓ Sign a personal data processing agreement. Sign a personal data processing agreement with companies that process personal data on your behalf in order to provide whistleblowing services.
✓ Keep a record. Keep a record of your personal data processing. Both personal data controller and personal data processor are obliged to keep a record of their processing of personal data. Regardless of whether you as operator have an internal or external whistleblowing channel, a database register needs to be kept (through a so-called article 30 register).
✓ Apply for a permit. Apply for a permit to process crime data if your operation is not covered by the obligation to provide whistleblowing channels.
✓ Erase the data. Ensure that personal data is deleted no later than two years after a follow-up case has been concluded.
Don't hesitate to contact one of our experts below with questions about personal data processing in whistleblowing channels. You can also read more about our service for establishment of a whistleblowing channel here (in Swedish).