Whistleblowing Channels and Data Protection

·

An internal reporting channel must protect whistleblowers, affected individuals and third parties at the same time. Law 2/2023 (Spain's whistleblower protection law) provides the legal basis and specific rules, but it does not turn the system into an unlimited archive. The organisation must restrict access, separate intake from investigation, inform data subjects without revealing the whistleblower's identity, control retention periods and document every disclosure.

Internal system, channel and case file

Law 2/2023 distinguishes between the internal information system, the reporting channel and the management procedure. From a privacy standpoint, it is worth keeping each piece separate:

  1. Intake channel: receives the report.
  2. Restricted register: keeps metadata and status.
  3. Investigation: case file with need-to-know access.
  4. Follow-up measures: disciplinary, legal or improvement actions.
  5. Blocked evidence: retained where liability may be at stake.

Not everything received should flow into the case file, nor be kept for the same retention period.

Controller and governance

The obliged entity is usually the data controller. The governing body sets up the system and appoints the person responsible for the system as defined by the Law.

The following roles must be clearly defined:

RoleResponsibility
Governing bodyPolicy, resources and independence
System managerDiligent management and controlled access
InvestigatorInvestigation of the assigned case
DPOIndependent advice and oversight
IT/securityPlatform, access and incidents
ProviderOperates on the entity's behalf if acting as processor

The DPO should not automatically act as investigator in every case: doing so could compromise their independence or capacity.

Legal basis and sensitive data

Article 30 of Law 2/2023 governs the processing of personal data within the internal information system. Depending on the obliged subject and the context, the legal basis is linked to compliance with a legal obligation or to the public interest. Consent should never be presented as the basis for a mandatory channel.

Reports may contain health data, trade union membership, sexual orientation, criminal data or intimate information. Requesting unnecessary categories of data should be avoided, and reinforced protection must be applied to any that prove unavoidable.

Data that is manifestly not relevant to processing a report must not be retained. If it arrives on the whistleblower's own initiative, it should be assessed and deleted when unnecessary.

Information and transparency

The channel's policy must explain, at a minimum:

The information must be clear and accessible. Absolute anonymity should not be promised if the technical setup or the investigation cannot actually guarantee it.

Confidentiality of identity

Access to the whistleblower's identity is restricted to authorised personnel. It is not disclosed to the affected person as part of their right of access. Any legally required disclosure must be limited to the strict minimum and documented.

Notifications, calendar entries and file names can indirectly reveal identity. Confidentiality must also cover metadata, voice recordings, writing style, job position and context.

Minimum access

Management should not have blanket access based on hierarchy alone. Only the persons envisaged by the law and the procedure should have access, on a need-to-know basis.

Intake and acknowledgement

The channel must allow written or verbal reports under the applicable terms. If a report is recorded, the whistleblower must be informed beforehand and the recording must be protected. It can also be documented through a complete and accurate transcript, giving the whistleblower the chance to check, correct and approve it as the Law provides.

The acknowledgement of receipt and subsequent communications should not be exposed through ordinary email. A secure mailbox or a case identifier should be used instead.

Admission and investigation

The initial assessment determines the scope, relevance, possible conflicts of interest, urgency and the protective measures required. If the report is not admitted, only the evidence necessary to support that decision is kept, for the applicable period.

During the investigation:

The person under investigation is informed at the time and in the manner that does not jeopardise the investigation, respecting the Law and their rights.

Retention

The Law sets specific rules for data held in the system. Information may be kept in the channel only for the time strictly necessary to decide whether to open an investigation, within the applicable legal limit; afterwards it must be deleted from the channel, without preventing it from being kept in the investigation file when necessary.

The retention regime must distinguish, at a minimum, between:

There is no single retention period nor indefinite storage. Before publishing specific figures, it is advisable to check the article currently in force and the internal procedure.

Rights

The right of access does not allow the whistleblower's identity to be revealed. The rights of rectification or erasure may be limited by legal obligations, by the needs of the investigation, or in defence of legal claims. Each request must be analysed and answered with a reasoned response.

The platform must make it possible to locate the affected data without handing over the complete case file of third parties.

Providers

If a platform operates on the company's behalf, it needs a contract compliant with Article 28 GDPR. Among other aspects, the following should be reviewed:

The platform does not replace the procedure or the person responsible for the system.

Corporate groups

The Law allows certain shared arrangements, but each entity in the group must define its own responsibility, access and processing. A group-wide channel does not justify the parent company having indiscriminate access to its subsidiaries' cases.

Clear rules must exist for case assignment, conflict management, internal transfers and the use of shared teams.

Security and incidents

Common threats include:

The breach management plan must factor in the particular risk of retaliation. It must preserve evidence, revoke access, assess the affected individuals and decide on notification.

Implementation plan

1. Governance

Policy, system manager, DPO, conflict management and resources.

2. Design

Channels, access, anonymity, procedure, retention and rights.

3. Provider

Due diligence, contract and secure configuration.

4. Testing

Anonymous reporting, conflict management, access control, investigation, closure, export and deletion.

5. Operation

Training, metrics, audit and periodic review.

Sensible metrics

Statistics that could allow re-identification in small organisations should not be published.

Common mistakes

  1. Using a shared mailbox.
  2. Giving access to the entire management team.
  3. Requesting consent as the basis for the channel.
  4. Promising anonymity that is not actually guaranteed.
  5. Keeping everything in the mailbox without curating it.
  6. Revealing identity through metadata.
  7. Confusing the channel with the case file.
  8. Hiring a platform without a procedure in place.
  9. Failing to manage conflicts of interest.
  10. Ignoring the rights of the affected person.

Checklist

Frequently asked questions

Can it be anonymous?

Yes, the system must allow anonymous reports under the terms of the Law. The platform and the procedure must protect this technically.

Can the accused person learn the whistleblower's identity?

The right of access does not include revealing the whistleblower's identity.

How long is the information kept?

It depends on the phase and the purpose. The channel and the investigation must be kept separate, applying the specific limits set by the Law and the responsibilities involved in the case.

Can it be managed by a third party?

Yes, with a contract, adequate safeguards, and without this shifting the entity's responsibility.

Official sources consulted

Summum Consultoría can review the governance, privacy, provider and procedure of the channel without taking on decisions reserved for the person responsible for the system.