Whistleblower protection and the right of access on a collision course – challenges in the parallel application of whistleblower protection and Art. 15 GDPR

The entry into force of the German implementation law for the Whistleblowing Directive (Directive (EU) 2019/1937), the German Whistleblower Protection Act, is in sight, even though the law has not yet been passed: the "Bundesrat" did not agree to the text adopted by the "Bundestag", and it may still take some time until the two chambers agree on a final text. There is time pressure, however, because Germany is already far behind the deadline for implementing the European Directive. This means that the legal obligation to set up an internal reporting channel is drawing closer for a very large number of German companies (generally all with at least 250 employees). Only private sector employers with generally between 50 and 249 employees will likely have until 17th December 2023 to do so; at least, that is the timeline foreseen in the current draft of the law.

Even before the final text of the German Whistleblower Protection Act is adopted, it is clear that there is an area of tension between the rights of data subjects under data protection law on the one hand and the protection of whistleblowers and confidentiality obligations and interests on the other. In particular, the right of access under Art. 15 GDPR, which has long been of special practical relevance in many areas, is almost predestined for conflict. This was already made clear by a ruling of the Regional Labor Court Baden-Württemberg in 2018 (LAG Baden-Württemberg, judgment dated 20th December 2018 - 17 Sa 11/18). In that case, a company had unsuccessfully invoked only very general, unspecified confidentiality interests of third parties, which it argued should have led to the exclusion of the right of access of a person mentioned in a report.

If whistleblower protection and the right of access collide, then both the access to the individual data and the provision of the information listed in Art. 15 (1) (a) to (h) GDPR may be excluded in some cases. In the context of the information to be provided pursuant to Art. 15 (1) (g) GDPR on "any available information as to their source", the question arises, for example, whether a person mentioned in a whistleblower's report has a right to receive the name of the whistleblower. If a company does not want to, or is not allowed to, share the name of a whistleblower, then it needs an exception in order to legitimately withhold the name when a request is made under Art. 15 GDPR. The forthcoming adoption of the Whistleblower Protection Act and the already generally high practical relevance of Art. 15 GDPR provide an opportunity to look at selected aspects of the right of access in the context of whistleblower protection.

Exceptions to the right of access with particular relevance to the area of whistleblower protection

Because the right of access under Art. 15 GDPR covers all personal data and all processing carried out by the controller in relation to the person making the request, the scope of application of this right is extremely broad. In the area of whistleblower protection, however, providing the information required under Art. 15 GDPR can sometimes violate confidentiality obligations or undermine the entire investigation of a reported incident. It is therefore all the more important for companies to have a comprehensible justification for why the right of access does not exist at certain points in time and with regard to certain data and further information. That conflicts can arise between the rights of data subjects under the GDPR and the requirements of whistleblower protection was also acknowledged by the EU legislator in the third sentence of recital 84 of the Whistleblowing Directive. In this recital, the Member States are requested to ensure that the Directive is effective, "where necessary, by restricting, by legislative measures, the exercise of certain data protection rights of persons concerned." The required restrictions have a content component ("to the extent (…) necessary") and a temporal component ("as long as, necessary") and should therefore be provided for in relation to certain data and information, to the extent necessary and for a limited period of time.

Unfortunately, it currently looks as if the German legislator will not enact any exceptions to data subject rights specifically for the area of whistleblower protection. This is particularly unfortunate given that neither the German Federal Data Protection Act (BDSG) nor the GDPR contains exceptions with a temporal component. According to the explanatory memorandum, the German government is of the opinion that the necessary exceptions are already contained in the BDSG: the balancing of interests required under Section 29 (1) BDSG could be used to strike the necessary balance between confidentiality protection on the one hand and information obligations and rights of access under data protection law on the other. From the perspective of companies operating within the scope of the BDSG, Section 29 (1) Sentence 2 BDSG will therefore be the particularly relevant exception to the right of access. In addition, Art. 15 (4) GDPR provides for a general requirement to weigh the rights and freedoms of other persons. Whether Art. 15 (4) GDPR also applies to the "access to the personal data" under Art. 15 (1) GDPR or only to the copy under paragraph 3 of the provision is frequently discussed. In Guidelines 01/2022, the EDPB takes the view that Art. 15 (4) GDPR does not apply to the information pursuant to Art. 15 (1) (a) to (h) GDPR. If one follows this view, then Section 29 (1) Sentence 2 BDSG is the only exception available for the information to be provided pursuant to Art. 15 (1) (a) to (h) GDPR in the context of whistleblower protection.

Challenges in the parallel applicability of the German Whistleblower Protection Act and the GDPR

The parallel applicability of the requirements of a future whistleblower protection law and of Art. 15 GDPR poses major challenges for companies. If too much data or information is provided, there is a risk of violating the duty of confidentiality, with fines or possible claims by the data subjects whose data has been disclosed. If too little data and information is provided in response to a request under Art. 15 (1) (a) to (h) GDPR, the party providing the information may face claims for damages and fines. It is therefore all the more important that companies carefully check whether an exception applies to the information to be provided under Art. 15 GDPR in the already generally sensitive area of whistleblower protection.

a) Challenges in providing the access to or a copy of the actual data

In many conceivable constellations, providing access to the data (Art. 15 (1) GDPR) or a copy of the personal data (Art. 15 (3) GDPR) is problematic. Consider, for example, a person mentioned in a report who does not yet know anything about the accusation and asserts his or her right of access. But even if a person is aware that an accusation exists, he or she may use Art. 15 GDPR to obtain more information, and this may at the same time affect the company's follow-up measures (e.g., interviews, investigation of the incident, etc.). Requests for access by witnesses and other third parties mentioned in whistleblowing reports are also possible. Furthermore, in the course of an investigation, the person who reported the potential violation may also decide to assert his or her right of access in order to learn more about the course of the investigation.

In all of the cases just mentioned, companies must simultaneously comply with the requirements of the German Whistleblower Protection Act and the GDPR. The future Act will impose confidentiality obligations on companies, and it must also remain possible to take follow-up measures without these being rendered impossible by information provided under Art. 15 GDPR. When applying Section 29 (1) Sentence 2 BDSG, companies must ensure that, unlike the defendant company in the judgment of the Regional Labor Court Baden-Württemberg, they can justify precisely which types of data cannot be provided as part of the right of access, whose secrecy interests require this, or why withholding them is necessary to properly carry out the investigation and other follow-up measures. Companies will also have to be able to show that their confidentiality interests prevail. In the current draft of the German Whistleblower Protection Act, only information that reveals the identity of reporting persons, persons concerned by the potential violation or other persons mentioned in whistleblowing reports is classified as confidential by law. In such cases, companies can rely on Section 29 (1) Sentence 2 BDSG in the variant "which by law (...) must be kept secret" without carrying out a separate balancing of interests: the legislator has already weighed the interests in a legal provision that prohibits disclosure of the information.

Usually, however, not all of the data held on a person requesting access in connection with a whistleblowing report will reveal the identity of another person. For this reason, Section 29 (1) Sentence 2 BDSG in the variant "information which (…) by its nature must be kept secret" is also relevant for access to the actual data and copies of the data. Here, just as under Art. 15 (4) GDPR, a balancing of interests must be carried out, and the result should be the same under Section 29 (1) Sentence 2 BDSG and under Art. 15 (4) GDPR. On one side, the legitimate interest of the person requesting access in obtaining the data relating to him or her must be weighed. On the other side, the confidentiality interests of other persons, the risks associated with disclosing data about them, and the proper investigation of the reported incident must be weighed.

In this regard, a combination of a standardized approach and a case-by-case approach is advisable. On the one hand, it is possible to determine in a standardized manner in which cases, at which points in time of the investigation, requests for access to which types of data relating to which groups of persons (reporting persons, persons concerned, etc.) are excluded. On the other hand, any special circumstances of the individual case should also be taken into account. This is best done by comparing the assumptions underlying the exclusion of the right of access with the actual circumstances of the individual case. For example, in a constellation with a reporting person and a person concerned but no third parties involved, any information about the incident may already allow the person concerned to work out who the reporting person was and which incident is being referred to. In any case, both the content component (which data cannot be provided as part of the information) and the temporal component (for how long certain information cannot be provided) should be considered. In some cases, it is harmless to provide certain information under Art. 15 GDPR despite ongoing investigations. If providing the information no longer jeopardizes investigations and other follow-up measures, and if the identity of other persons can be kept secret when providing it, then Section 29 (1) Sentence 2 BDSG usually can no longer be invoked.

b) Challenges in providing information on the origin of the data

When applying Art. 15 (1) (g) GDPR in the context of whistleblower protection, there is an obvious conflict of objectives between the requirements of the GDPR on the one hand and the requirement to protect the identity of whistleblowers and other persons named in whistleblowing reports on the other. While data protection law aims to create transparency for the data subject when data is collected from another person, the future German Whistleblower Protection Act pursues the goal of keeping the identity of whistleblowers and other persons secret. Without such confidentiality obligations, whistleblowers and other parties involved would be even more hesitant to file a report, which would run counter to the objectives of the Whistleblowing Directive.

The confidentiality obligations apply not only to whistleblowers but also to any other persons mentioned in whistleblowing reports. There is potential for conflict especially where accused persons or whistleblowers exercise their right of access during ongoing investigations; the same applies to other groups of persons mentioned in whistleblowing reports. In view of Art. 15 (1) (g) GDPR, companies therefore face the question of how non-disclosure of the name of a whistleblower, a witness or another person involved can be justified if that person is the "source" of the data on the person requesting access. This applies in particular where disclosure of the name would make further investigation impossible or would violate confidentiality obligations under the future German Whistleblower Protection Act. Under Section 9 (1) of the current draft, whistleblowers lose the protection of their identity only if they intentionally or grossly negligently report incorrect information about violations. Even in these cases, however, an overriding interest in secrecy under Section 29 (1) Sentence 2 BDSG in the variant "information which (…) by its nature must be kept secret" could in individual cases mean that there is no entitlement to receive the name of the "source" of the data. Only in the case of completely anonymous reports, which the current draft now allows, is it conceivable that the name of the whistleblower is not even known to the company and therefore cannot form part of the information provided under Art. 15 GDPR.

As mentioned above, the EDPB does not apply Art. 15 (4) GDPR to the information pursuant to Art. 15 (1) (a) to (h) GDPR. The activity report of the Hessian data protection authority for 2021 shows on page 112, however, that at least this supervisory authority does apply Art. 15 (4) GDPR to Art. 15 (1) (g) GDPR. Referring to Art. 15 (4) GDPR, the authority writes the following (translation by the author): "The interest of the other person in keeping his or her identity as a 'source' secret outweighs the interest in information being provided (under Art. 15 (1) (g) GDPR), at least as long as there are indications that the disclosure of the identity of the informant could lead to legal or actual disadvantages for the 'source'". Anyone who wants to apply Art. 15 (4) GDPR to Art. 15 (1) (g) GDPR in line with the view of the Hessian supervisory authority can therefore point to this passage of the activity report.

Apart from this, the result of applying Section 29 (1) Sentence 2 BDSG is likely to be the same as under Art. 15 (4) GDPR. If a legal provision stipulates that information must be kept secret, then, as already mentioned above and in contrast to Art. 15 (4) GDPR, there is no need to weigh conflicting interests when applying Section 29 (1) Sentence 2 BDSG. It is therefore not apparent why companies should complicate matters by turning to Art. 15 (4) GDPR instead of Section 29 (1) Sentence 2 BDSG in the "by law" variant. Section 8 of the current draft of the German Whistleblower Protection Act stipulates that information on the identity of the reporting person, persons concerned or other persons mentioned in whistleblowing reports must be kept confidential. Since the German Whistleblower Protection Act contains no exception for this case, the obligation also applies in the event of a request under Art. 15 GDPR, in the context of which "any available information as to their source" must otherwise be provided. Section 29 (1) Sentence 2 BDSG is the exception to the right of access under Art. 15 (1) (g) GDPR in such cases. As a result, the names of whistleblowers, accused persons and other parties involved are generally not to be provided as part of the information required under Art. 15 (1) (g) GDPR. This does not apply, for example, if a whistleblower is not protected by the German Whistleblower Protection Act because false information about an incident was reported intentionally or through gross negligence. In such constellations, it must be determined on the basis of a balancing of interests whether the exception in Section 29 (1) Sentence 2 BDSG in the variant "information which (…) by its nature must be kept secret" justifies the decision not to disclose the name. It should also be kept in mind that a data subject can exercise his or her other rights under the GDPR against the "source" of the data only if the identity of the source is known.

Hints for the implementation of the requirements for whistleblower protection and from the GDPR

In the area of whistleblower protection, companies are not only affected by the new obligations arising from the German Whistleblower Protection Act, which is to be adopted in the foreseeable future. Many challenges arise where the scope of application of the German Whistleblower Protection Act and of the GDPR overlap. In the area of Art. 15 GDPR, companies should define criteria for weighing interests in advance and should have identified and examined standard cases. The data protection impact assessment, which must in any case be carried out for data processing in connection with a whistleblower system, is particularly suitable for this purpose. In the individual case, it should then be checked whether the assumptions underlying the rejection of the access request correspond to the circumstances that actually apply in the case under consideration. If the German Whistleblower Protection Act prohibits the disclosure of certain information, companies can refuse to provide it, for example pursuant to Art. 15 (1) (g) GDPR, without a separate weighing of interests and with good reason.

Business Lawyer, Counsel
Philipp Quiel, LL.M.