SPANISH SUPERVISORY AUTHORITY: Privacy in whistleblowing systems

The regulation allows for the implementation of whistleblowing systems in organisations respecting a number of basic data protection principles.

Whistleblowing systems are an instrument for exposing acts or conduct contrary to the law or collective bargaining agreements within companies or in the actions of third parties contracting with them. These systems are usually set up through the creation of internal mailboxes, generally online, through which workers can report this type of situation.

Data protection regulations allow the implementation of these systems as long as a series of basic principles are respected. The Agency itself, as part of the commitments set out in its Social Responsibility Action Framework and the provisions of its Code of Ethics, has set up a whistleblowing channel.

If we want to set up a whistleblowing system in our company or organisation, we should pay attention to the following basic aspects related to privacy:

  • Informing employees

It is essential that employees are informed of the existence of the whistleblowing system and of the data processing involved in making a report. This can be communicated directly in the employment contract, individually or collectively when the system is implemented or modified, or through information circulars to staff and their representatives.

  • Respecting the principles of proportionality and purpose limitation

Reports should only concern cases in which the facts or actions reported have a real bearing on the relationship between the company and the reported party. Likewise, the information obtained through the channel may not be used for any purpose other than the one for which the system was set up.

  • Protection of whistleblower data

The law allows anonymous reporting systems, but where reports are not anonymous, the whistleblower's information must be kept secure and the whistleblower's identity must not be made available to the reported person. This implies reinforced security and confidentiality measures for that information.

  • Limiting access to information

Access should be limited exclusively to those carrying out internal control and compliance functions or to the data processor designated for this purpose. Access by other persons or disclosure to third parties shall only be lawful when necessary for the purpose of disciplinary measures or legal proceedings, as the case may be.

  • Retention and deletion of data

The data should be kept only for the time necessary for the investigation of the facts, unless the investigation leads to the adoption of certain measures against the accused person, in which case it would be possible to keep the data for a longer period. In any event, the data must be deleted three months after they have been entered into the complaints system.

  • Data protection rights

The rights of access, rectification, erasure and objection of the data subject should be guaranteed without revealing the identity of the complainant. The reported person should be told as soon as possible that a report has been made against them, so that they can properly defend their interests; this information should therefore be provided after a reasonable period during which the preliminary investigation of the facts is carried out.
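The last four principles above (protecting the whistleblower's identity, limiting access, the three-month retention rule, and the reported person's right to know about the report without learning who made it) translate directly into design decisions for the mailbox itself. The following is an added illustration, not code from the AEPD or from the page's author: a minimal in-memory model of a whistleblowing channel in which the whistleblower's identity is stored apart from the report under a random token, every read is role-checked and audit-logged, the respondent's view omits the identity, and a purge job deletes reports three months after entry unless measures have been adopted. The role names, the 90-day figure used for "three months", and all sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Three months after entry into the system (assumed here as 90 days).
RETENTION = timedelta(days=90)
# Only internal control / compliance staff may read reports (assumed role names).
ALLOWED_ROLES = {"compliance", "internal_control"}


@dataclass
class Report:
    report_id: str
    received_at: datetime
    subject: str                      # the reported person
    facts: str
    whistleblower_ref: Optional[str]  # pseudonymous token, None if anonymous
    measures_adopted: bool = False    # True once disciplinary/legal measures follow


class WhistleblowingChannel:
    def __init__(self) -> None:
        self._reports: dict[str, Report] = {}
        # Identity lives in a separate store keyed by token, never inside the report.
        self._identities: dict[str, str] = {}
        self.audit_log: list[str] = []

    def submit(self, facts: str, subject: str,
               whistleblower: Optional[str], now: datetime) -> str:
        """Record a report; anonymous if whistleblower is None."""
        token = None
        if whistleblower is not None:
            token = secrets.token_hex(8)
            self._identities[token] = whistleblower
        report_id = secrets.token_hex(8)
        self._reports[report_id] = Report(report_id, now, subject, facts, token)
        return report_id

    def read(self, report_id: str, actor: str, role: str) -> Report:
        """Full report for control/compliance roles only; every attempt is logged."""
        if role not in ALLOWED_ROLES:
            self.audit_log.append(f"DENIED read {report_id} by {actor} ({role})")
            raise PermissionError(f"{role} may not access reports")
        self.audit_log.append(f"READ {report_id} by {actor} ({role})")
        return self._reports[report_id]

    def whistleblower_identity(self, report_id: str, actor: str, role: str) -> Optional[str]:
        """Resolve the pseudonymous token; same access rule as the report itself."""
        report = self.read(report_id, actor, role)
        if report.whistleblower_ref is None:
            return None
        self.audit_log.append(f"IDENTITY {report_id} by {actor} ({role})")
        return self._identities[report.whistleblower_ref]

    def respondent_view(self, report_id: str, respondent: str) -> dict:
        """What the reported person may see: the facts, never the complainant."""
        report = self._reports[report_id]
        if report.subject != respondent:
            raise PermissionError("not the reported person")
        self.audit_log.append(f"RESPONDENT_VIEW {report_id} by {respondent}")
        return {
            "report_id": report.report_id,
            "received_at": report.received_at.isoformat(),
            "facts": report.facts,
        }

    def purge_expired(self, now: datetime) -> list[str]:
        """Delete reports older than RETENTION unless measures were adopted."""
        expired = [
            rid for rid, r in self._reports.items()
            if now - r.received_at >= RETENTION and not r.measures_adopted
        ]
        for rid in expired:
            report = self._reports.pop(rid)
            if report.whistleblower_ref is not None:
                self._identities.pop(report.whistleblower_ref, None)
            self.audit_log.append(f"PURGED {rid}")
        return expired


def demo() -> dict:
    """Constructed walk-through; returns values a caller can check."""
    channel = WhistleblowingChannel()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rid = channel.submit("expense claims altered", "reported_person", "complainant", t0)
    return {
        "report_id": rid,
        "respondent_sees": channel.respondent_view(rid, "reported_person"),
        "purged_early": channel.purge_expired(t0 + timedelta(days=89)),
        "purged_at_limit": channel.purge_expired(t0 + RETENTION),
        "channel": channel,
    }


if __name__ == "__main__":
    print(demo()["respondent_sees"])
```

Storing the identity under a token in a separate store is what lets the respondent view, exports and backups of the report table be shared without leaking who reported; the purge removes both halves together.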

SOURCE: SPANISH DATA PROTECTION AUTHORITY – AEPD
