Skip to main content Required by EU law for organizations with 50+ employees

Data Protection Impact Assessment (DPIA) for whistleblowing #

Last updated: 2026-06-20.

Operating an internal reporting channel is, for most organizations, the first time they process highly sensitive, high-risk personal data as a matter of routine. Under Article 35 GDPR, processing that is likely to result in a high risk to the rights and freedoms of individuals requires a Data Protection Impact Assessment (DPIA) before it begins. Whistleblowing channels sit squarely in that category, and most national supervisory authorities list them on their mandatory-DPIA lists.

This page is a pre-filled DPIA you can adapt for your deployment of EthicsPortal. It follows the structure of Article 35(7) GDPR and the EDPB DPIA template , and it is populated with the technical and organizational measures EthicsPortal provides as your processor.

This is input, not a finished assessment. The Controller — your organization — owns the DPIA and signs it. EthicsPortal is the processor and supplies the information below to assist you, in line with Article 28(3)(f) GDPR and Section 6.7 of our DPA . It is not legal advice. Your Data Protection Officer or counsel should review and adapt it to your context before relying on it.


Who does what #

RolePartyResponsibility for the DPIA
ControllerYour organizationOwns, completes, and signs the DPIA. Determines purposes, retention, and who handles reports.
ProcessorEthicsPortalProvides the processing description and the technical and organizational measures below, and participates in the assessment on request.
AssessorYour DPO (or a person with insight into the processing, ideally not the person responsible for it)Carries out and signs off the assessment.

How to use this template #

  1. Copy the sections below into your own DPIA record (or the EDPB template ).
  2. Adjust the scope, retention, and recipients rows to match your configuration in EthicsPortal.
  3. Add any organization-specific risks (for example, sector regulation or works-council obligations).
  4. Have your DPO record the residual-risk decision and sign off.
  5. To keep a copy, use your browser’s Print → Save as PDF.

Part A — Description of the processing #

(Article 35(7)(a) GDPR — nature, scope, context, and purpose)

ItemDescription
PurposeReceiving, handling, and following up on reports of breaches, in compliance with EU Directive 2019/1937, its national transposition, and internal ethics standards.
Lawful basisCompliance with a legal obligation (Article 6(1)(c) GDPR) under the national transposition of Directive 2019/1937; for special-category data, Article 9(2)(g) GDPR (substantial public interest).
Nature of processingCollection, storage, secure two-way communication, case management, and time-bound deletion of report data.
Personal data categoriesOptional reporter identity (name, email, phone — never mandatory); report content; messages between reporter and handler; file attachments; case-handler and administrator account data; one-way hashed access codes. See DPA §3 .
Special-category / sensitive dataMay incidentally appear in free-text reports (e.g. health, trade-union membership, criminal allegations). Cannot be predicted in advance; mitigated by access control, encryption, and minimization.
Data subjectsWhistleblowers (may be anonymous), persons named in a report, case handlers, administrators. See DPA §4 .
RecipientsDesignated case handlers; optionally an external investigator (e.g. law firm) the Controller adds. No other recipients.
RetentionController-configured: 12, 24, 36, 48, or 60 months after case closure, then automatic permanent deletion. See DPA §5 .
Data location / transfersHosted entirely in the EU (Hetzner, Nuremberg, Germany). No report data leaves the EU. See subprocessors .
Automated decision-making / AINone. Report content is never sent to any AI or LLM service; no profiling or automated decisions. See DPA §6.10 .

Part B — Necessity and proportionality #

(Article 35(7)(b) GDPR)

The processing is necessary because operating an internal reporting channel is a legal obligation for in-scope organizations under the national transposition of Directive 2019/1937. It is proportionate because EthicsPortal is engineered to collect the minimum data and to strengthen data-subject rights:


Part C — Risks and measures #

(Article 35(7)(c) GDPR — risks to the rights and freedoms of data subjects, and the measures addressing them)

Likelihood and severity are assessed before measures; the final column is the residual risk after the measures EthicsPortal provides. Adjust these to your own configuration.

#Processing activityRisk to data subjectsLikelihoodSeverityMeasures in EthicsPortalResidual risk
1Submitting a reportA reporter who wishes to stay anonymous is re-identifiedMediumHighNo mandatory contact fields; reporter IP never stored; file metadata stripped; voice recordings irreversibly anonymized and the original purgedReduced
2Receiving a reportExcessive or incorrect personal data about third parties is submittedMediumMediumMinimization guidance on the form; access restricted to designated handlers; configurable retention with auto-deletionReduced
3Reporter follow-upSomeone other than the reporter reads the case messagesLowHighReturn access requires two factors — case reference plus a reporter-chosen 6-digit passcode stored only as a hash; session-gated inboxReduced
4Assigning to a handlerA person other than the designated handler accesses the caseLowHighRole-based access control; per-report assignment; two-factor authentication for handler/admin accounts; full audit log; automatic session expiryReduced
5Involving an external party (e.g. law firm)An external investigator over-accesses dataLowHighRead-only auditor role; explicit per-account provisioning by an admin; all access audit-loggedReduced
6Handler notes and case data at restStored report content is exposed in a breachLowHighNon-deterministic encryption at rest for report content, identity, and messages; EU-only hosting on ISO/IEC 27001 infrastructureReduced
7Conflict of interestThe person named in a report is also a handler/admin and can suppress itMediumHighMulti-handler assignment; append-only audit log of every action; read-only auditor seat for oversight; onboarding guidance to grant access to more than one personReduced
8File attachmentsMalware or hidden metadata enters the systemMediumMediumAntivirus scanning (ClamAV) of every upload with signature updates; automatic EXIF/GPS/author strippingReduced
9Retention and deletionData kept longer than lawfulMediumMediumController-set retention (12–60 months) with automatic permanent deletion after closure; inactive cases auto-close so the clock startsReduced
10Hosting and sub-processorsData transferred outside the EU or to an undisclosed partyLowHighAll report data hosted in the EU; named subprocessor list; 30-day notice and right to object to changes (DPA §6.4 ); no AI sub-processorReduced
11BreachA breach goes unreported to the ControllerLowHighContractual breach notification without undue delay and within 72 hours (DPA §6.6 )Reduced

Part D — Outcome and sign-off #

For a standard deployment with the measures above applied, the residual risk for each activity is reduced to an acceptable level, and a prior consultation with the supervisory authority under Article 36 GDPR is generally not required. If, after applying these measures, your own assessment still rates a residual risk as high — for example because of sector-specific processing you have added — you must consult your supervisory authority before processing begins.

FieldEntry
Assessment carried out by_________________________
Role_________________________
Date_________________________
DPO opinion_________________________
Residual-risk decision☐ Accepted ☐ Reduced further ☐ Prior consultation required
Review date_________________________

Reference templates #


Last updated: