Monitor Prawniczy
no. 8/2021
Protection of whistleblowers’ personal data. Implementation of the Whistleblower Directive
DOI: 10.32027/MOP.21.8.1
The author is an advocate and a partner at Barta Litwiński Kancelaria Radców Prawnych i Adwokatów sp.p.
Abstract
Every system of reporting violations developed under the provisions implementing Directive 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law shall be covered by European personal data protection law, provided that it is at least partly based on automated processing, or on manual processing of data organised e.g. chronologically, and that it refers to activities carried out in the EU or to people staying in the EU. The data controllers processing data under such systems shall be the authorities competent to receive reports, established in accordance with Art. 11 of Directive 2019/1937. From the viewpoint of the entities involved in personal data processing under breach reporting systems, the most favourable situation would be one in which data processing is legally obligatory under domestic regulations. This is because so-called legitimate interest as a basis for data processing carries too much legal uncertainty. At the same time, without a statutory legal basis the processing of so-called sensitive data would be impossible. From the viewpoint of protecting a whistleblower’s rights, of key importance is an adequate limitation in national law of the so-called information duties arising under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). This is because informing the person whose personal data have been reported by the whistleblower about the source of those data would lead to the disclosure of the whistleblower’s identity. The rights of data subjects described in Art. 16-22 of the GDPR may also in practice conflict with the aim of ensuring effective personal data processing for the needs of breach of law reporting systems, hence their adequate statutory limitation needs to be considered.
It is also necessary to remember the need to observe the privacy by design and privacy by default rules when designing breach of law reporting systems. Furthermore, when implementing solutions for reporting breaches of law in international relations which assume the relaying of data to third countries, it is absolutely necessary to develop adequate data transfer solutions, and if it is impossible to ensure that the transfer complies with the principles of the GDPR, the transfer should be waived.