Insight · Internal reporting
The EU Whistleblowing Directive
The Whistleblowing Directive obliges a wide range of organisations to give staff a safe, confidential way to report wrongdoing internally. It is often read as an employment and compliance measure, but the channel it requires is also a stream of sensitive personal data, which puts it squarely inside the GDPR as well.
What it is
A duty to build a reporting channel
Directive (EU) 2019/1937 protects people who report breaches of EU law and requires covered organisations to operate internal reporting channels, handle reports within set timeframes, and shield reporters from retaliation. As a directive rather than a regulation, it takes effect through each member state's implementing law, so the precise thresholds and details vary by country.
The common core is consistent: a confidential channel, acknowledgement of a report within a defined period, diligent follow-up, and feedback to the reporter within a set window. The identity of the reporter must be protected.
Who it applies to
Broadly, private-sector organisations at or above a headcount threshold, most public-sector bodies, and organisations in certain regulated sectors regardless of size. A U.S. company with a European workforce that crosses the relevant national threshold can be caught, and the obligation attaches to the local entity under the member state's transposing law.
Where data protection comes in
A reporting channel collects allegations about identifiable people, sometimes including special-category data, and it does so under strong confidentiality expectations. That makes the GDPR unavoidable.
- A lawful basis and clear purpose limitation for reports and any investigation
- A data protection impact assessment, given the sensitivity and monitoring nature of the processing
- Strict access controls and confidentiality for the reporter's identity
- Defined retention, so reports are not kept longer than the follow-up requires
- Careful handling of any transfer if reports are reviewed outside the EEA
Where a company uses a third-party platform to run the channel, that vendor is a processor, and the arrangement needs a data-processing agreement and a transfer mechanism if the tool sits outside Europe.
What Privello does, and does not do
Privello advises on the design of internal reporting channels: how the process should map to the applicable national law, how the data protection controls should be built, and how the channel fits the wider compliance picture. Privello does not operate reporting channels and does not act as a reporting recipient or case handler. Those functions stay with the organisation or its chosen platform, and where a report raises questions of formal legal advice, Privello coordinates qualified local counsel.
See how representation and reporting obligations fit together
Begin
Design a reporting channel that meets the standard
If your European headcount brings you inside the Directive, tell us how your organisation is set up. We will outline how to design the channel and its data-protection controls.