Skip to content
Legislation

Whistleblowing channel and data protection: how to comply with the RGPD

L LapsoWork Team
Whistleblowing channel and data protection: how to comply with the RGPD

Setting up a whistleblowing channel is no longer optional for a large proportion of Spanish SMEs: the Ley 2/2023, which transposes the European whistleblowing directive (Directiva UE 2019/1937), requires companies with 50 or more employees to have an internal reporting system in place. But complying with the whistleblower law is only half the job. The other half, the part that often goes overlooked, is the protection of personal data: a whistleblowing channel handles especially sensitive information (identities, accusations, evidence) and, if it does not comply with the RGPD, it exposes the company to penalties from both the Autoridad Independiente de Protección del Informante and the Agencia Española de Protección de Datos (AEPD). Let’s look at how to reconcile both obligations without the headaches.

Privacy basics in a whistleblowing channel

A whistleblowing channel processes personal data from the very first minute: that of the reporter, that of the person reported and that of any potential witnesses. Before rolling it out, it’s worth being clear about several privacy principles that both the RGPD and the Ley 2/2023 require expressly.

Properly informing the people in the company

Transparency is the foundation of any data processing. The entire workforce must know that the channel exists, what it is for, who manages the information and what rights they have over their data. This prior information —the classic duty to inform under Article 13 of the RGPD— is not a mere formality: it builds trust in the system and encourages people to use it when they spot an irregularity. A channel that no one knows about, or that no one trusts, is a dead channel.

In practice, this translates into an accessible policy on how to use the channel, an information clause on the reporting form itself and, highly recommended, an internal communication when the system launches.

Balancing the privacy of the reported person and the reporter’s rights

This is one of the most delicate points. On the one hand, you must protect the reporter’s identity with reinforced confidentiality guarantees, because it is precisely the fear of reprisals that the law seeks to neutralise. On the other, the reported person retains their rights: presumption of innocence, right of defence and, at the procedurally appropriate moment, access to the information that concerns them.

The key is that the reported person’s right to information cannot be used to reveal the reporter’s identity. The company must design the procedure so that both rights can coexist, deferring notification to the reported person whenever there is a genuine risk of compromising the investigation.

Who can access the data

Access to the channel’s information must be strictly limited. Only the following should be able to consult it:

  • The head of the internal reporting system, a role the Ley 2/2023 requires companies to appoint.
  • Human Resources or compliance staff involved in handling the case.
  • The internal or external legal adviser, when the report requires it.
  • The Data Protection Officer (DPO), if the company has appointed one.
  • Judicial, police or administrative authorities, only when the law requires it.

Any other access is a security breach. That is why it is so important for the channel to log who consults what, and when.

The role of the Data Protection Officer

If your company is required to appoint a DPO —or if you have designated one voluntarily— their involvement in the design and oversight of the channel is highly advisable. The DPO ensures the processing complies with the RGPD, advises on retention periods, reviews the data protection impact assessment (EIPD) where appropriate and acts as the point of contact with the AEPD. In channels that systematically handle sensitive data, having that role in place greatly reduces the risk of mistakes.

Data protection principles in handling reports

Beyond the initial rollout, the day-to-day running of the channel must respect the RGPD’s principles in every case. These are the four that carry the most weight in handling reports.

Purpose limitation

The data collected through the channel may only be used to investigate the reported facts. The Ley 2/2023 limits the scope of the channel to breaches of European Union law and to acts or omissions that may constitute a serious or very serious criminal or administrative offence. It is not a suggestion box, nor a route for ordinary workplace disputes, and the data cannot be reused for other purposes unrelated to the investigation.

The reporter’s anonymity

One of the advances of the Ley 2/2023 is that it expressly permits anonymous reports: the system must allow people to report without identifying themselves. When the reporter does identify themselves, their identity is protected by the legal duty of confidentiality and can only be revealed in the cases set out by law, normally within the framework of a judicial investigation. This anonymity is, once again, what makes the channel work.

Confidentiality of the information

All information in a case must be handled with the utmost confidentiality and stored in a secure environment, with encryption and access controls. This means access logs, technical measures against leaks and training for the staff involved. A leaked report not only destroys trust in the system: it can lead to penalties for breaching the RGPD and liability towards the reporter.

Retention and deletion of the data

The RGPD requires that data is not kept for longer than necessary, and here the Ley 2/2023 is specific: the data from a report may only be kept in the internal reporting system for the time strictly necessary to decide on whether to act on it, and in any case no more than three months from receipt without proceedings having been initiated. If, once that period has elapsed, an investigation is warranted, the information is transferred to a separate file. If it is not, it must be deleted or anonymised. These automatic deadlines are among the first things the AEPD checks in an inspection.

How specialised software solves it

Squaring all of the above by hand —access control, logs, three-month deadlines, reporter confidentiality— is tedious and prone to error. Software that integrates the whistleblowing channel with the rest of people management makes compliance simpler: role-based restricted access, an audit trail of every consultation, forms with the information clause already built in and automatic deletion of cases that have reached their deadline.

In LapsoWork, the whistleblowing channel comes ready to comply with the Ley 2/2023 and the RGPD, and works alongside the document manager to securely safeguard the evidence and case files associated with each matter. This way the channel stops being an awkward obligation and becomes a tool that protects both your workforce and your company.

Conclusion

The whistleblowing channel and data protection are two sides of the same coin. It is not enough to have a mailbox for receiving reports: you have to guarantee the reporter’s confidentiality, respect the reported person’s rights, limit access to the data and meet the retention periods set by the Ley 2/2023. Doing it properly saves you from double penalties and, above all, builds an internal culture in which people dare to speak up. And that trust, in the end, is what makes the system work.

Enjoyed the article? Share it:

Comply with Law 2/2023, hassle-free.

Activate LapsoWork’s whistleblowing channel from €299.99/year + VAT. Encrypted portal, internal policy included and ready in 48 hours.

Get the channel

Prefer a guided tour? Talk to the team

  • From €299.99/year
  • Ready in 48 hours
  • Compliant with Law 2/2023