GDPR and whistleblower reporting: what you need to know #
Every whistleblower report contains personal data. The reporter may include their name. The report will likely name the person accused of wrongdoing. The handler’s actions are logged. All of this is personal data under GDPR.
This creates a tension that compliance officers deal with every day: the Whistleblower Directive (2019/1937) requires you to collect and store reports, and GDPR requires you to have a lawful basis for doing so, minimize what you collect, and delete it when you no longer need it.
Here is how the two frameworks interact, and what it means in practice.
What personal data does a whistleblower report contain? #
More than you might think:
| Data | Source | GDPR category |
|---|---|---|
| Reporter’s name (if provided) | Voluntary | Personal data |
| Reporter’s contact details (if provided) | Voluntary | Personal data |
| Name of the accused person | Report content | Personal data (third party) |
| Details of the alleged misconduct | Report content | May include special category data (Art. 9) or criminal offence data (Art. 10) |
| Uploaded files (documents, photos) | Reporter | May contain metadata (GPS, author, timestamps) |
| Handler actions and notes | Case management | Personal data (handler) |
| Timestamps and audit trail | System | Personal data |
If a report describes harassment, discrimination, or health issues, it may contain special category data under GDPR Article 9 — which triggers stricter processing conditions. Reports involving criminal allegations fall under Article 10 (criminal convictions and offences), which has its own restrictions.
What is the legal basis for processing? #
You need a lawful basis under GDPR Article 6 to process personal data in whistleblower reports. The most commonly used bases:
Article 6(1)(c) — Legal obligation #
This is the primary basis. EU Directive 2019/1937 and its national transpositions impose a legal obligation to operate a reporting channel. Processing personal data is necessary to comply with that obligation.
This covers:
- Receiving the report
- Storing it securely
- Investigating the allegations
- Communicating with the reporter
- Maintaining an audit trail
Article 6(1)(f) — Legitimate interest #
Some organizations use legitimate interest as a secondary basis, particularly for processing that goes beyond the Directive’s minimum requirements (e.g., internal analysis, trend reporting). This requires a legitimate interest assessment (LIA) and balancing test.
Article 6(1)(e) — Public interest (public sector) #
Public sector organizations may rely on the public interest basis, particularly where national law explicitly authorizes processing for whistleblower protection.
What about consent? #
Do not rely on consent. The reporter-employer power imbalance means consent is unlikely to be freely given (GDPR Recital 43). A reporter cannot meaningfully consent when their job may depend on the outcome. Use legal obligation (Art. 6(1)(c)) instead.
Anonymous reports and GDPR #
This is the question compliance officers ask most: if a report is truly anonymous, does GDPR apply?
If the reporter is unidentifiable: GDPR does not apply to them #
GDPR applies to personal data relating to an identified or identifiable person (Art. 4(1)). If a reporter submits without providing a name, email, or any identifying information — and the system does not log their IP address or any other identifier — the report content is not personal data with respect to the reporter.
However:
- The accused person named in the report is still identifiable. GDPR fully applies to their data.
- If the report content contains details that could indirectly identify the reporter (“I am the only woman on the third floor”), it may still constitute personal data.
What “anonymous” requires technically #
For anonymity to hold up under GDPR scrutiny, your reporting tool must:
- Not log IP addresses. Any IP logging makes the reporter pseudonymous, not anonymous.
- Not require an account or email. If the reporter authenticates, they are identifiable.
- Strip file metadata. Uploaded photos and documents contain EXIF data (GPS coordinates, author name, device information) that can identify the reporter.
- Not use analytics or tracking cookies on the reporting portal.
If your tool fails any of these requirements (logs IPs, requires an account, keeps file metadata, or runs tracking scripts), you are collecting pseudonymous data, not anonymous data, and GDPR applies in full.
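As an added illustration of the metadata-stripping requirement (this is example code written for this article, not EthicsPortal's implementation), the following pure-Python function rewrites a JPEG upload keeping only the segments a decoder needs and dropping the ones that carry identifying metadata: APP1 (Exif, including GPS tags, and XMP), APP13 (IPTC/Photoshop) and the free-text COM segment. The `SAMPLE_JPEG` bytes are constructed inline for demonstration; the "GPS" and "camera-serial" strings inside them are placeholders, not real tag encoding.

```python
import struct

# JPEG marker bytes (the byte that follows 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP15 = 0xE0, 0xEF
# Markers that have no length field: TEM, RSTn, SOI, EOI
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# Application segments kept because decoders rely on them and they carry no identity:
# APP0 (JFIF density info) and APP14 (Adobe colour transform flag)
KEEP_APP = {0xE0, 0xEE}


def iter_segments(data: bytes):
    """Yield (marker, start, end) for every header segment up to and including SOS.
    `end` is exclusive. For SOS the entropy-coded scan data runs to EOI, so end=len(data)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment body")
        if marker == SOS:
            yield marker, pos, len(data)
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("no SOS segment found")


def segment_markers(data: bytes) -> list:
    """Marker bytes present before the scan, useful for verifying what survived."""
    return [marker for marker, _, _ in iter_segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with Exif/XMP/IPTC/comment segments removed.
    Pixel data is untouched, so the image still decodes identically."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        is_app = APP0 <= marker <= APP15
        if marker == COM or (is_app and marker not in KEEP_APP):
            continue                              # drop identifying metadata
        out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal 1x1 greyscale JPEG skeleton with metadata segments attached.
# The Exif/COM contents are placeholder text, not a real TIFF/GPS encoding.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"GPS 49.45N 11.08E camera-serial-PLACEHOLDER")
    + _segment(COM, b"Photo by J. Reporter (placeholder)")
    + _segment(0xDB, b"\x00" + bytes(64))                     # DQT: one quantisation table
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0: 8-bit, 1x1, one component
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")               # SOS header for one component
    + b"\x12\x34\xff\x00\x56"                                  # scan data, with a stuffed FF00
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in segment_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in segment_markers(cleaned)])
```

Run this on a real camera JPEG and compare `segment_markers()` before and after: the APP1 segment that holds GPS coordinates and the device serial number disappears while the decoder-relevant DQT, SOF and SOS segments survive. The same principle applies to other upload types but needs format-specific code: PDFs carry an `/Info` dictionary and XMP stream, and Office documents carry `docProps/core.xml` inside the ZIP container, so a production intake form should reject or convert formats it cannot clean.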
Data minimization (Art. 5(1)(c)) #
The Directive requires a reporting channel. It does not require collecting more data than necessary.
In practice:
- Reporter identity must be optional. The reporter should be able to submit without providing their name or contact details.
- Intake forms should collect only what is needed. A description of the misconduct, the category, and optional supporting files. Do not require department, employee ID, or other identifiers unless the reporter chooses to provide them.
- Handler notes should be relevant to the investigation. Do not log extraneous personal details about the reporter or accused.
The accused person’s rights #
This is where it gets complicated. The person accused in a whistleblower report has GDPR rights — including the right to be informed (Art. 14), the right of access (Art. 15), and the right to erasure (Art. 17).
But exercising those rights cannot compromise the reporter’s confidentiality (Directive Art. 16).
Right to be informed (Art. 14) #
Under GDPR, you must inform people when you process their data. But Directive Art. 16(1) requires protecting the reporter’s identity. The solution:
- You may inform the accused person that a report has been made — but only when doing so does not risk identifying the reporter.
- Timing matters. Many member states allow delaying notification until it would no longer jeopardize the investigation. Germany’s HinSchG explicitly restricts disclosure during the investigation period.
- National data protection authorities generally accept that the Directive’s confidentiality requirements override the immediate notification obligation.
Right of access (Art. 15) #
The accused person can request access to data held about them. You must provide it — but you must redact any information that would identify the reporter. This includes the reporter’s name, but also contextual details that could reveal them indirectly.
Right to erasure (Art. 17) #
The accused person cannot demand deletion of a report that is part of an ongoing investigation or that must be retained under legal obligations. GDPR Art. 17(3)(b) and (e) provide exceptions for legal obligations and legal claims.
Retention periods #
The Directive (Art. 18) requires maintaining records of reports. GDPR (Art. 5(1)(e)) requires not keeping personal data longer than necessary.
How long should you retain reports? #
The Directive does not prescribe a specific retention period. National transpositions vary:
| Country | Retention period | Source |
|---|---|---|
| France | 5 years after case closure | Decree 2022-1284 |
| Italy | 5 years from date of report | D.Lgs. 24/2023, Art. 14 |
| Germany | 3 years after case closure (unless ongoing proceedings) | HinSchG §11 |
| Spain | Not specified (general GDPR minimization applies) | Law 2/2023 |
Best practice #
- Set a configurable retention period (e.g., 12, 24, 36, or 60 months after case closure).
- Automatically delete closed cases when the retention period expires.
- Allow manual deletion by admins for cases where retention is no longer necessary.
- Document your retention policy and be prepared to justify it to a regulator.
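The four best-practice points above describe one procedure: a configurable retention period, counted from case closure, enforced automatically, with an exception for cases that must still be kept. The following is an added example of that procedure (written for this article, not EthicsPortal's code) using constructed sample cases. It restricts the period to the 12/24/36/60-month options mentioned above, counts in calendar months so that a case closed on 31 January does not expire on a day that does not exist, leaves open cases alone, and reports rather than deletes cases under a legal hold (the Art. 17(3) situation). The `Case` fields and the `legal_hold` flag are assumptions for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention options offered to the organisation (months after case closure)
ALLOWED_RETENTION_MONTHS = (12, 24, 36, 60)


@dataclass
class Case:
    case_id: str
    status: str                  # "open" or "closed"
    closed_on: Optional[date]    # None while the case is open
    legal_hold: bool = False     # set while proceedings or legal claims are ongoing


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    carry, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def expiry_date(case: Case, retention_months: int) -> Optional[date]:
    """Date from which a closed case may be deleted; None for open cases."""
    if case.status != "closed" or case.closed_on is None:
        return None
    return add_months(case.closed_on, retention_months)


def select_expired(cases, retention_months: int, today: date):
    """Split cases past their retention date into deletable and legally held."""
    if retention_months not in ALLOWED_RETENTION_MONTHS:
        raise ValueError(f"retention must be one of {ALLOWED_RETENTION_MONTHS}")
    expired, held = [], []
    for case in cases:
        expiry = expiry_date(case, retention_months)
        if expiry is None or expiry > today:
            continue                         # open, or still within the retention period
        if case.legal_hold:
            held.append(case.case_id)        # past expiry but must be retained (Art. 17(3))
        else:
            expired.append(case.case_id)
    return expired, held


def enforce_retention(store: dict, retention_months: int, today: date) -> dict:
    """Delete expired cases from `store` in place and return a log for the audit trail."""
    expired, held = select_expired(list(store.values()), retention_months, today)
    for case_id in expired:
        del store[case_id]
    return {"deleted": expired, "held": held, "retained": sorted(store)}


def build_sample_store() -> dict:
    """Constructed sample cases; ids and dates are made up for the example."""
    cases = [
        Case("WB-001", "closed", date(2021, 1, 31)),
        Case("WB-002", "closed", date(2024, 3, 15)),
        Case("WB-003", "open", None),
        Case("WB-004", "closed", date(2020, 2, 29), legal_hold=True),
        Case("WB-005", "closed", date(2021, 5, 31)),
    ]
    return {c.case_id: c for c in cases}


if __name__ == "__main__":
    store = build_sample_store()
    print(enforce_retention(store, 36, date(2024, 6, 1)))
```

Run it as a scheduled job and write the returned log to the audit trail: the `deleted` list is the evidence a regulator will ask for that storage limitation is enforced, and the `held` list is the review queue for cases whose hold should be lifted once proceedings end.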
International data transfers #
Whistleblower data must stay in the EU unless you have a valid transfer mechanism under GDPR Chapter V.
This matters when choosing a reporting tool:
- EU-hosted platforms (data stored in Germany, France, Netherlands, etc.): no transfer issue.
- US-hosted platforms or platforms using US cloud providers (AWS US, Azure US, Google Cloud US): require reliance on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework — both of which have been legally challenged.
The simplest path: choose a platform that hosts all data in the EU. This eliminates the transfer question entirely.
Data Protection Impact Assessment (DPIA) #
GDPR Article 35 requires a DPIA when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”
Whistleblower reporting likely qualifies because:
- It involves sensitive allegations about identified individuals
- Reports may contain special category data (Art. 9)
- There is an inherent power imbalance between reporter and organization
- Confidentiality failures could lead to retaliation
Most data protection authorities recommend conducting a DPIA before implementing a whistleblower reporting system.
What your reporting tool must do #
Based on the GDPR requirements above, your whistleblower software should:
| Requirement | Why |
|---|---|
| Optional reporter identity | Data minimization (Art. 5(1)(c)) |
| No IP logging | Preserve anonymity, avoid creating pseudonymous data |
| File metadata stripping | Prevent accidental identification via EXIF/GPS data |
| Encryption at rest | Integrity and confidentiality (Art. 5(1)(f)) |
| Configurable retention periods | Storage limitation (Art. 5(1)(e)) |
| Automatic deletion of expired cases | Storage limitation enforcement |
| Role-based access controls | Confidentiality (Directive Art. 16) |
| Immutable audit trail | Accountability (Art. 5(2)) |
| EU data hosting | Avoid international transfer complications (Chapter V) |
| Privacy notice on the reporting form | Transparency (Art. 13/14) |
How EthicsPortal handles GDPR #
EthicsPortal was designed with both the Directive and GDPR as constraints from day one:
- Legal basis: Processing is based on legal obligation (Art. 6(1)(c)) — compliance with EU Directive 2019/1937.
- Anonymity by default: No IP logging, no accounts, no tracking. File metadata (EXIF, GPS, author) stripped automatically.
- Data minimization: Reporter name and contact are optional fields. Only essential data is collected.
- Encryption at rest: All report descriptions, names, contact details, and messages encrypted in the database.
- Configurable retention: Organizations set their own retention period (12, 24, 36, or 60 months). Expired closed cases are deleted automatically.
- EU hosting: All data stored on Hetzner servers in Nuremberg, Germany. No data leaves the EU. No US cloud providers.
- Access controls: Only admins and assigned handlers can view reports. Handler names are never revealed to reporters.
- Audit trail: Immutable log of every action for accountability and regulatory review.
- DPA available: GDPR Article 28 Data Processing Agreement available for all customers.
For the full article-by-article compliance breakdown, see our compliance page.