Data Protection Impact Assessment (DPIA) for whistleblowing #
Last updated: 2026-06-20.
Operating an internal reporting channel is, for most organizations, the first time they process highly sensitive, high-risk personal data as a matter of routine. Under Article 35 GDPR, processing that is likely to result in a high risk to the rights and freedoms of individuals requires a Data Protection Impact Assessment (DPIA) before it begins. Whistleblowing channels sit squarely in that category, and most national supervisory authorities list them on their mandatory-DPIA lists.
This page is a pre-filled DPIA you can adapt for your deployment of EthicsPortal. It follows the structure of Article 35(7) GDPR and the EDPB DPIA template , and it is populated with the technical and organizational measures EthicsPortal provides as your processor.
This is input, not a finished assessment. The Controller — your organization — owns the DPIA and signs it. EthicsPortal is the processor and supplies the information below to assist you, in line with Article 28(3)(f) GDPR and Section 6.7 of our DPA . It is not legal advice. Your Data Protection Officer or counsel should review and adapt it to your context before relying on it.
Who does what #
| Role | Party | Responsibility for the DPIA |
|---|---|---|
| Controller | Your organization | Owns, completes, and signs the DPIA. Determines purposes, retention, and who handles reports. |
| Processor | EthicsPortal | Provides the processing description and the technical and organizational measures below, and participates in the assessment on request. |
| Assessor | Your DPO (or a person with insight into the processing, ideally not the person responsible for it) | Carries out and signs off the assessment. |
How to use this template #
- Copy the sections below into your own DPIA record (or the EDPB template ).
- Adjust the scope, retention, and recipients rows to match your configuration in EthicsPortal.
- Add any organization-specific risks (for example, sector regulation or works-council obligations).
- Have your DPO record the residual-risk decision and sign off.
- To keep a copy, use your browser’s Print → Save as PDF.
Part A — Description of the processing #
(Article 35(7)(a) GDPR — nature, scope, context, and purpose)
| Item | Description |
|---|---|
| Purpose | Receiving, handling, and following up on reports of breaches, in compliance with EU Directive 2019/1937, its national transposition, and internal ethics standards. |
| Lawful basis | Compliance with a legal obligation (Article 6(1)(c) GDPR) under the national transposition of Directive 2019/1937; for special-category data, Article 9(2)(g) GDPR (substantial public interest). |
| Nature of processing | Collection, storage, secure two-way communication, case management, and time-bound deletion of report data. |
| Personal data categories | Optional reporter identity (name, email, phone — never mandatory); report content; messages between reporter and handler; file attachments; case-handler and administrator account data; one-way hashed access codes. See DPA §3 . |
| Special-category / sensitive data | May incidentally appear in free-text reports (e.g. health, trade-union membership, criminal allegations). Cannot be predicted in advance; mitigated by access control, encryption, and minimization. |
| Data subjects | Whistleblowers (may be anonymous), persons named in a report, case handlers, administrators. See DPA §4 . |
| Recipients | Designated case handlers; optionally an external investigator (e.g. law firm) the Controller adds. No other recipients. |
| Retention | Controller-configured: 12, 24, 36, 48, or 60 months after case closure, then automatic permanent deletion. See DPA §5 . |
| Data location / transfers | Hosted entirely in the EU (Hetzner, Nuremberg, Germany). No report data leaves the EU. See subprocessors . |
| Automated decision-making / AI | None. Report content is never sent to any AI or LLM service; no profiling or automated decisions. See DPA §6.10 . |
Part B — Necessity and proportionality #
(Article 35(7)(b) GDPR)
The processing is necessary because operating an internal reporting channel is a legal obligation for in-scope organizations under the national transposition of Directive 2019/1937. It is proportionate because EthicsPortal is engineered to collect the minimum data and to strengthen data-subject rights:
- Data minimization — no reporter contact field is mandatory; fully anonymous reporting is the default path.
- Identity protection — reporter IP addresses are never stored; file metadata (EXIF, GPS, author) is stripped; in-portal voice reports are irreversibly pitch-shifted.
- Storage limitation — retention is configurable and enforced by automatic deletion (Article 5(1)(e) GDPR).
- Data-subject rights — access, rectification, erasure, restriction, portability, and objection are supported in-product; the Controller can export the full dataset. See DPA §6.5 .
- Transparency — a privacy notice is shown on the reporting form.
- Processor safeguards — a published DPA , a named subprocessor list (all EU), and the security measures below.
Part C — Risks and measures #
(Article 35(7)(c) GDPR — risks to the rights and freedoms of data subjects, and the measures addressing them)
Likelihood and severity are assessed before measures; the final column is the residual risk after the measures EthicsPortal provides. Adjust these to your own configuration.
| # | Processing activity | Risk to data subjects | Likelihood | Severity | Measures in EthicsPortal | Residual risk |
|---|---|---|---|---|---|---|
| 1 | Submitting a report | A reporter who wishes to stay anonymous is re-identified | Medium | High | No mandatory contact fields; reporter IP never stored; file metadata stripped; voice recordings irreversibly anonymized and the original purged | Reduced |
| 2 | Receiving a report | Excessive or incorrect personal data about third parties is submitted | Medium | Medium | Minimization guidance on the form; access restricted to designated handlers; configurable retention with auto-deletion | Reduced |
| 3 | Reporter follow-up | Someone other than the reporter reads the case messages | Low | High | Return access requires two factors — case reference plus a reporter-chosen 6-digit passcode stored only as a hash; session-gated inbox | Reduced |
| 4 | Assigning to a handler | A person other than the designated handler accesses the case | Low | High | Role-based access control; per-report assignment; two-factor authentication for handler/admin accounts; full audit log; automatic session expiry | Reduced |
| 5 | Involving an external party (e.g. law firm) | An external investigator over-accesses data | Low | High | Read-only auditor role; explicit per-account provisioning by an admin; all access audit-logged | Reduced |
| 6 | Handler notes and case data at rest | Stored report content is exposed in a breach | Low | High | Non-deterministic encryption at rest for report content, identity, and messages; EU-only hosting on ISO/IEC 27001 infrastructure | Reduced |
| 7 | Conflict of interest | The person named in a report is also a handler/admin and can suppress it | Medium | High | Multi-handler assignment; append-only audit log of every action; read-only auditor seat for oversight; onboarding guidance to grant access to more than one person | Reduced |
| 8 | File attachments | Malware or hidden metadata enters the system | Medium | Medium | Antivirus scanning (ClamAV) of every upload with signature updates; automatic EXIF/GPS/author stripping | Reduced |
| 9 | Retention and deletion | Data kept longer than lawful | Medium | Medium | Controller-set retention (12–60 months) with automatic permanent deletion after closure; inactive cases auto-close so the clock starts | Reduced |
| 10 | Hosting and sub-processors | Data transferred outside the EU or to an undisclosed party | Low | High | All report data hosted in the EU; named subprocessor list; 30-day notice and right to object to changes (DPA §6.4 ); no AI sub-processor | Reduced |
| 11 | Breach | A breach goes unreported to the Controller | Low | High | Contractual breach notification without undue delay and within 72 hours (DPA §6.6 ) | Reduced |
Part D — Outcome and sign-off #
For a standard deployment with the measures above applied, the residual risk for each activity is reduced to an acceptable level, and a prior consultation with the supervisory authority under Article 36 GDPR is generally not required. If, after applying these measures, your own assessment still rates a residual risk as high — for example because of sector-specific processing you have added — you must consult your supervisory authority before processing begins.
| Field | Entry |
|---|---|
| Assessment carried out by | _________________________ |
| Role | _________________________ |
| Date | _________________________ |
| DPO opinion | _________________________ |
| Residual-risk decision | ☐ Accepted ☐ Reduced further ☐ Prior consultation required |
| Review date | _________________________ |
Reference templates #
- EDPB DPIA template (2026) — the official EU-wide template.
- Your national supervisory authority may publish its own template; where it does, use that as the canonical form.
Related #
Last updated: