Six common questions regarding personal data processing in whistleblowing channels


A new whistleblowing act, the Act on Protection of Persons Reporting Wrongdoings (2021:890) ("the Whistleblowing Act"), came into force on 17 December 2021, replacing the previous act in the area.

The Whistleblowing Act requires certain operations to implement a so-called whistleblowing system, i.e. a reporting channel for information on wrongdoings and irregularities in the workplace. From 17 July 2022, public sector employers with more than 50 employees and private sector employers with more than 249 employees have an obligation to have whistleblowing channels in place. From 17 December 2023, the requirement also applies to private sector employers with at least 50 employees. More about the Whistleblowing Act can be found in Lindahl's previous review here.

When a whistleblowing system is established, the operation needs to ensure that any processing of personal data that occurs in the reporting system complies with the requirements in applicable data protection legislation. In this article, we will highlight central parts of these regulations, as well as what employers subject to the Whistleblowing Act need to think about with respect to personal data processing.


WHICH REGULATIONS APPLY FOR PERSONAL DATA PROCESSING IN WHISTLEBLOWING CHANNELS?

The General Data Protection Regulation ("GDPR"), the Data Protection Act that supplements GDPR in Swedish law, as well as the regulations issued in connection with the Data Protection Act, apply when processing personal data according to the Whistleblowing Act. In addition, the new Whistleblowing Act contains specific provisions on how personal data should be processed, which supplement GDPR and the Data Protection Act. In other words, both the fundamental principles in GDPR and the concrete requirements that arise from the Whistleblowing Act, e.g. concerning the storage period for reports, must be followed.


SIX COMMON QUESTIONS ON PROCESSING OF PERSONAL DATA IN WHISTLEBLOWING CHANNELS

How do we determine the purpose of the processing?

According to the Whistleblowing Act, personal data may only be processed in a whistleblowing system if it is necessary for a follow-up case. According to the Act, the term "follow-up case" refers to a case that consists of

  • receiving reports and having contact with the reporting person;
  • taking measures to assess the accuracy in the claims that are presented in the report;
  • submitting information regarding the claims investigated for continued measures; and
  • providing feedback on the follow-up to the reporting person regarding the investigation conducted and the resulting conclusions.

According to the Act, it is consequently possible to process the personal data that is necessary for each of the steps in the follow-up of a whistleblowing matter.

How do we decide on the legal basis for the processing?

According to GDPR, there must always be a legal basis each time personal data is processed. There are six legal bases according to article 6.1 in GDPR. For private operators with at least 50 employees and for authorities that are personal data controllers, the processing can be supported by the legal basis of legal obligation according to article 6.1c in GDPR, provided that the processing of personal data is necessary to fulfil the obligations according to the Whistleblowing Act. As indicated above, this is obviously the case for the purposes that arise from the Act. If the processing is planned for purposes other than those listed above in the system, it must consequently rest on some other legal basis than a legal obligation according to the Whistleblowing Act.

Note that an operator only has a legal obligation when there is an obligation according to the Whistleblowing Act to establish a whistleblowing channel, i.e. 17 December 2023 for private operators with at least 50 employees. Operators with fewer than 50 employees are not obliged to establish whistleblowing channels according to the Act and can therefore not support processing of personal data in voluntarily established whistleblowing channels on the legal basis of legal obligation. With voluntarily established whistleblowing channels, the personal data controller must therefore find another legal basis to support the processing to be permitted according to GDPR.


May we process information on violations of the law in the reporting channel without applying for permission?

Information that concerns violations of the law refers to information about someone having committed a crime, having been found guilty in a court for a crime, having been subject to coercive measures such as detention or suspected of a tangible crime. According to GDPR, the general rule is that it is only those authorities that are tasked to process such information that have a legal basis for the processing.

All operators covered by the obligation to provide whistleblowing channels may process data relating to violations of the law within the framework of that legal obligation. This means that an application for a permit is not required. Operators that are not covered by the obligation to provide internal whistleblowing channels must, as a starting point, apply to the Swedish Privacy Protection Authority for a permit before they can process data that concerns violations of the law.


How should we deal with the occurrence of sensitive personal data in whistleblowing channels?

As a general rule, it is not permitted to process sensitive personal data. However, when an operation provides a whistleblowing service, sensitive personal data may well be present in the information provided by employees.

In the light of this, those operators that are covered by the law's requirement to establish a whistleblowing service are exempted from the prohibition on processing sensitive personal data. The processing is then based on a public interest according to article 9.2g in GDPR, which permits exemptions from the general rule prohibiting processing of sensitive data. However, according to the Whistleblowing Act, processing of sensitive personal data must only take place to the extent that it is necessary for a follow-up case.

Processing of sensitive personal data within the framework of a whistleblowing service can also take place with the support of the legal obligation an employer or employee might have, for example, to follow up a statement that an employee has acted wrongly in his or her employment or to exercise his or her rights within labour law according to article 9.2b in GDPR.


How long may we store personal data in whistleblowing channels?

Personal data may only be processed to fulfil the obligations on which the processing is based – in this case, to comply with the requirement to provide a whistleblowing channel. Personal data may therefore not be processed for a longer period than that required to fulfil this purpose.

As a starting point, personal data that is obviously not relevant for the administration of a particular report on whistleblowing may not be collected. If such data is collected by mistake, it must be deleted as soon as possible.

Reports in the follow-up case and the personal data that is present therein may need to be stored for a certain period. For example, there may be a need for administration for a certain period after the drafting of the report and it might therefore also be necessary to store such data after a follow-up has been concluded. The Whistleblowing Act sets requirements that personal data must be deleted in all cases no later than two years after being processed.


Some information on engaging external companies that provide reporting channels

Companies that are engaged by a personal data controller to process personal data on the operator's behalf in order to provide whistleblowing channels are normally to be regarded as a personal data processor. The assessment of who is personal data controller and personal data processor for a certain processing case must however always be made in the light of the circumstances in the individual case. If a company is engaged that is to be regarded as personal data processor, the parties must enter into a personal data processing agreement that regulates the processing.


PRACTICAL CHECKLIST WHEN PROCESSING PERSONAL DATA IN WHISTLEBLOWING CHANNELS

Below is a practical checklist when processing personal data in whistleblowing channels.

✓ Notify the employees. Provide notification in your privacy policy that personal data processing can occur as a result of the whistleblowing service and which legal basis is applied.

✓ Perform an impact assessment. Perform an assessment of the impact of the whistleblowing system according to article 35 of GDPR before you establish a whistleblowing system, i.e. before processing commences.

✓ Sign a personal data processing agreement. Sign a personal data processing agreement with companies that process personal data on your behalf in order to provide whistleblowing services.

✓ Keep a record. Keep a record of your personal data processing. Both the personal data controller and the personal data processor are obliged to keep a record of their processing of personal data. Regardless of whether you as operator have an internal or external whistleblowing channel, a database register needs to be kept (through a so-called article 30 register).

✓ Apply for a permit. Apply for a permit to process crime data if your operation is not covered by the obligation to provide whistleblowing channels.

✓ Erase the data. Ensure that personal data is deleted no later than two years after a follow-up case has been concluded.

Don't hesitate to contact one of our experts with questions about personal data processing in whistleblowing channels. You can also read more about our service for establishing a whistleblowing channel here (in Swedish).
