General Data Protection Regulation (GDPR) and Whistleblowing Laws (Part II of II)

Alexander Cotoia
The Volkov Law Group
Contact
LinkedIn
Facebook
X
Send
Embed

The Volkov Law Group

[coauthor: Daniela Melendez]*

Challenges may arise when conducting an internal investigation related to an underlying disclosure by a whistleblower pursuant to the EU Directive, because companies must strictly comply with the GDPR. Failure to comply with the GDPR can lead to administrative sanctions and high fines by the regulator.

To ensure that the organization is in compliance with the GDPR while conducting an internal investigation, companies must identify a valid legal basis for processing the data by identifying the exact purpose of the investigation, setting forth the specific categories of the data to be processed, and otherwise describing the precise nature and extent of the data involved. Organizations may justify data processing in connection with such investigations only if there is a legitimate interest. Consent to process the data by the person(s) implicated in the internal investigation is also required. Finally, the organization may need to confirm whether a collective bargaining or other form of employment agreement restricts its ability to process data in connection with the disposition of a whistleblower claim.

The GDPR further requires that when a company conducts an internal investigation it must comply with general principles of data processing (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality). Organizations must also be cautious in observing any relevant local data protection laws. In addition, the GDPR requires that organizations inform the data subjects about their processing of their personal data in advance. It is important to note that the GDPR does not provide for an exception to the notification requirement while conducting an internal investigation. Moreover, data processing becomes trickier when the company wants to transfer the data to third parties. Finally, data controllers must perform a data protection impact assessment (“DPIA”) to assess whether the data processing will result in a breach of the freedom and rights of data subjects [Article 24, GDPR].

Therefore, companies should exercise caution when they receive a speak report. Before reviewing the implicated employee’s email, before sending the employee’s personal data out of the European Economic Area or out of the European Union, companies must ensure compliance with local and international Data Protection laws. The above is essential to ensure the internal investigation is not hindered due to non-compliance with data protection laws.

* The Volkov Law Group

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© The Volkov Law Group | Attorney Advertising

Written by:

The Volkov Law Group
The Volkov Law Group
Contact
more
less

The Volkov Law Group on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide