An internal reporting channel must protect whistleblowers, affected individuals and third parties at the same time. Law 2/2023 (Spain's whistleblower protection law) provides the legal basis and specific rules, but it does not turn the system into an unlimited archive. The organisation must restrict access, separate intake from investigation, inform data subjects without revealing the whistleblower's identity, control retention periods and document every disclosure.
Internal system, channel and case file
Law 2/2023 distinguishes between the internal information system, the reporting channel and the management procedure. From a privacy standpoint, it is worth keeping each piece separate:
- Intake channel: receives the report.
- Restricted register: keeps metadata and status.
- Investigation: case file with need-to-know access.
- Follow-up measures: disciplinary, legal or improvement actions.
- Blocked evidence: retained where liability may be at stake.
Not everything received should flow into the case file, nor be kept for the same retention period.
Controller and governance
The obliged entity is usually the data controller. The governing body sets up the system and appoints the person responsible for the system as defined by the Law.
The following roles must be clearly defined:
| Role | Responsibility |
|---|---|
| Governing body | Policy, resources and independence |
| System manager | Diligent management and controlled access |
| Investigator | Investigation of the assigned case |
| DPO | Independent advice and oversight |
| IT/security | Platform, access and incidents |
| Provider | Operates on the entity's behalf if acting as processor |
The DPO should not automatically act as investigator in every case: doing so could compromise their independence or capacity.
Legal basis and sensitive data
Article 30 of Law 2/2023 governs the processing of personal data within the internal information system. Depending on the obliged subject and the context, the legal basis is linked to compliance with a legal obligation or to the public interest. Consent should never be presented as the basis for a mandatory channel.
Reports may contain health data, trade union membership, sexual orientation, criminal data or intimate information. Requesting unnecessary categories of data should be avoided, and reinforced protection must be applied to any that prove unavoidable.
Data that is manifestly not relevant to processing a report must not be retained. If it arrives on the whistleblower's own initiative, it should be assessed and deleted when unnecessary.
Information and transparency
The channel's policy must explain, at a minimum:
- Identity of the controller.
- Purposes and legal basis.
- Who may report.
- Internal and external channels available.
- Confidentiality and anonymity.
- Recipients and providers.
- Retention periods.
- Rights and their limits.
- DPO contact details.
- Protection against retaliation.
The information must be clear and accessible. Absolute anonymity should not be promised if the technical setup or the investigation cannot actually guarantee it.
Confidentiality of identity
Access to the whistleblower's identity is restricted to authorised personnel. It is not disclosed to the affected person as part of their right of access. Any legally required disclosure must be limited to the strict minimum and documented.
Notifications, calendar entries and file names can indirectly reveal identity. Confidentiality must also cover metadata, voice recordings, writing style, job position and context.
Minimum access
- Individual accounts and multi-factor authentication (MFA).
- Separate profiles for administration and investigation.
- No shared accounts allowed.
- Logs of reads, downloads and changes.
- Temporary access per case.
- Quarterly review of permissions.
- Encryption and restricted copies.
- Immediate deactivation once access is no longer needed.
Management should not have blanket access based on hierarchy alone. Only the persons envisaged by the law and the procedure should have access, on a need-to-know basis.
Intake and acknowledgement
The channel must allow written or verbal reports under the applicable terms. If a report is recorded, the whistleblower must be informed beforehand and the recording must be protected. It can also be documented through a complete and accurate transcript, giving the whistleblower the chance to check, correct and approve it as the Law provides.
The acknowledgement of receipt and subsequent communications should not be exposed through ordinary email. A secure mailbox or a case identifier should be used instead.
Admission and investigation
The initial assessment determines the scope, relevance, possible conflicts of interest, urgency and the protective measures required. If the report is not admitted, only the evidence necessary to support that decision is kept, for the applicable period.
During the investigation:
- The scope of the investigation is defined.
- Information is limited to the relevant facts.
- The presumption of innocence is preserved.
- The right of defence is protected.
- Internal disclosure of the case is avoided.
- The source and the chain of custody are recorded.
- Copying and downloading of documentation is controlled.
The person under investigation is informed at the time and in the manner that does not jeopardise the investigation, respecting the Law and their rights.
Retention
The Law sets specific rules for data held in the system. Information may be kept in the channel only for the time strictly necessary to decide whether to open an investigation, within the applicable legal limit; afterwards it must be deleted from the channel, without preventing it from being kept in the investigation file when necessary.
The retention regime must distinguish, at a minimum, between:
- Reports not admitted.
- Reports admitted and forwarded.
- Evidence of the system's operation.
- Investigations.
- Disciplinary or judicial measures.
- Blocked data.
There is no single retention period nor indefinite storage. Before publishing specific figures, it is advisable to check the article currently in force and the internal procedure.
Rights
The right of access does not allow the whistleblower's identity to be revealed. The rights of rectification or erasure may be limited by legal obligations, by the needs of the investigation, or in defence of legal claims. Each request must be analysed and answered with a reasoned response.
The platform must make it possible to locate the affected data without handing over the complete case file of third parties.
Providers
If a platform operates on the company's behalf, it needs a contract compliant with Article 28 GDPR. Among other aspects, the following should be reviewed:
- Hosting and support.
- Sub-processors.
- Encryption and key management.
- Logs and administrators.
- Technical anonymity.
- Data export.
- Deletion and return of data at contract termination.
- Incident management.
- International data transfers.
The platform does not replace the procedure or the person responsible for the system.
Corporate groups
The Law allows certain shared arrangements, but each entity in the group must define its own responsibility, access and processing. A group-wide channel does not justify the parent company having indiscriminate access to its subsidiaries' cases.
Clear rules must exist for case assignment, conflict management, internal transfers and the use of shared teams.
Security and incidents
Common threats include:
- Improper access by the accused person.
- Notifications that reveal the whistleblower's identity.
- Local download of unencrypted information.
- Providers whose administrators hold excessive permissions.
- Predictable tracking links.
- Recordings without adequate control.
- Ransomware or malicious deletion.
The breach management plan must factor in the particular risk of retaliation. It must preserve evidence, revoke access, assess the affected individuals and decide on notification.
Implementation plan
1. Governance
Policy, system manager, DPO, conflict management and resources.
2. Design
Channels, access, anonymity, procedure, retention and rights.
3. Provider
Due diligence, contract and secure configuration.
4. Testing
Anonymous reporting, conflict management, access control, investigation, closure, export and deletion.
5. Operation
Training, metrics, audit and periodic review.
Sensible metrics
- Acknowledgement and processing times.
- Cases by status.
- Unjustified access attempts.
- Reassigned conflicts of interest.
- Irrelevant data deleted.
- Security incidents.
- Measures adopted and improvements applied.
Statistics that could allow re-identification in small organisations should not be published.
Common mistakes
- Using a shared mailbox.
- Giving access to the entire management team.
- Requesting consent as the basis for the channel.
- Promising anonymity that is not actually guaranteed.
- Keeping everything in the mailbox without curating it.
- Revealing identity through metadata.
- Confusing the channel with the case file.
- Hiring a platform without a procedure in place.
- Failing to manage conflicts of interest.
- Ignoring the rights of the affected person.
Checklist
- Controller and roles defined.
- Policy and procedure approved.
- Clear and accessible information.
- Confidentiality and anonymity tested.
- Minimum access with logs.
- Channel kept separate from the case file.
- Retention set by category.
- Rights handled without revealing the whistleblower.
- Provider and sub-processors assessed.
- Breaches, conflicts and continuity rehearsed.
Frequently asked questions
Can it be anonymous?
Yes, the system must allow anonymous reports under the terms of the Law. The platform and the procedure must protect this technically.
Can the accused person learn the whistleblower's identity?
The right of access does not include revealing the whistleblower's identity.
How long is the information kept?
It depends on the phase and the purpose. The channel and the investigation must be kept separate, applying the specific limits set by the Law and the responsibilities involved in the case.
Can it be managed by a third party?
Yes, with a contract, adequate safeguards, and without this shifting the entity's responsibility.
Official sources consulted
- Law 2/2023.
- AEPD (Spanish DPA): legal report 0054/2023.
- AEPD (Spanish DPA): procedure for managing reports.
- GDPR.
Summum Consultoría can review the governance, privacy, provider and procedure of the channel without taking on decisions reserved for the person responsible for the system.