Abstract

This article examines specific data protection issues in conjunction with the functioning of internal reporting schemes that have not been satisfactorily addressed in the existing Article 29 Working Party’s opinions. It seeks to clarify the allocation of responsibilities between multiple actors that may be involved in the processing, such as parent companies, their affiliates, and third-party helpline providers. It also contemplates applicable legal bases for the processing of personal data, including criminal convictions and offences, as well as special categories of data.