
German Whistleblower Protection Act and Data Protection: Insights and Reflections

Martin Meng
December 03, 2023 · 6 minutes read time

Whistleblower Protection Act and data protection: insights and considerations

The link between the Whistleblower Protection Act and data protection is a complex issue that requires much discussion and consideration. The Whistleblower Protection Act, often abbreviated as HinSchG, has important implications for the processing of personal data, particularly in relation to whistleblowers and those who are reported on.

1 The special protection needs of whistleblowers

Whistleblowers are individuals who expose internal wrongdoing or unlawful conduct within an organization. They are often at risk of retaliation or reprisals, which is why protecting their identity is of the utmost importance. The individuals being reported on also have a particular need for protection due to the context of the data processing. According to the confidentiality obligations under Section 8 HinSchG, the identity of the reporting person, the persons who are the subject of a report (accused) and other persons named in the report (these may be witnesses or affected persons) must be protected. The HinSchG recognizes that whistleblowing systems require the processing of personal data within the meaning of Art. 4 No. 1 GDPR (receipt and documentation of incoming reports, further processing of personal data, for example to carry out internal investigations or as part of follow-up measures), even if a whistleblower remains anonymous. The processing of personal data is "authorized" insofar as it is carried out in fulfillment of obligations under the Whistleblower Protection Act. The Whistleblower Protection Act contains a corresponding authorization standard (Section 10). This means that reporting offices may process personal data if this is necessary to fulfill their duties in accordance with Sections 13 and 24 of the Whistleblower Protection Act. If a report is made outside of the area of application of the HinSchG, a case-by-case examination under data protection law is required. The general legal requirements of the GDPR and the Federal Data Protection Act apply here.

2 Compliance with the GDPR and the Federal Data Protection Act

Due to the sensitivity of the processed data, compliance with the GDPR already plays an important role when setting up the reporting office. A data protection impact assessment (Art. 35 GDPR) with the involvement of the data protection officer is recommended. In addition, the internal reporting office or the controller must provide data protection information to whistleblowers or potential whistleblowers (Art. 13 GDPR): at the time of collection, the data subject, i.e. the person whose data is being processed, must be informed or notified. This is usually done on the landing page of the internal reporting office. In addition, the whistleblowing system requires the application of an opening clause in the subsequent processing. In most cases, the processing of personal data is based on Art. 6 para. 1 lit. c GDPR in conjunction with Section 10 HinSchG (fewer than 50 employees: Art. 6 para. 1 lit. f GDPR (balancing of interests)).

3 Processing of special categories of personal data

Certain exceptions must be made for the processing of special categories of personal data in accordance with Art. 9 para. 2 GDPR. Two main exceptions are relevant here:

- Defense against own legal claims or defense against third-party claims (letter f).
- The processing serves a particular public interest pursued by the HinSchG. The aim is to promote the rule of law and encourage people to report abuses (letter g).

Personal data of employees may only be processed to uncover criminal offenses if there are *factual indications to be documented that justify the suspicion* that the person concerned has committed a criminal offense in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in the exclusion of processing does not prevail, in particular the type and extent are not disproportionate with regard to the reason (§ 26 para. 1 sentence 2 BDSG).


4 Information obligations and data protection: Information of the accused and involved parties

The HinSchG and the GDPR stipulate certain information obligations. At the time of data collection, the person concerned ("accused", but also witnesses) must be informed. However, these information obligations can be delayed or withheld under certain conditions, in particular if the investigation would be jeopardized (clarification of the facts would not or no longer be possible, civil law claims would be impaired or the work of law enforcement authorities would be made considerably more difficult (Section 29 (1) sentence 1 and sentence 2 BDSG)). These exceptions also apply to information obligations when processing data and when asserting data subject rights (Section 15 GDPR), but only as long as it does not jeopardize (further) investigations. According to current case law, it is generally necessary to subordinate the whistleblower's concern for anonymity to the desire for information or the data subject's interest in information, provided that the whistleblower has intentionally or grossly negligently provided false information (exception to the confidentiality requirement under HinSchG § 9, para. 1).

5 Retention and deletion periods

The HinSchG stipulates that data and documentation must be deleted no later than three years after the end of the procedure. There are exceptions that allow data to be stored for longer, but the exact conditions and dates are still the subject of discussion and will have to be clarified by case law.

6 The advantages of tool-based solutions

Tool-based solutions offer many advantages from a data protection perspective. The HinSchG requires that documentation must be retrievable. With a solution using whistleblower software, data can be retrieved more easily and securely. In addition, whistleblowing software supports the requirement of the Whistleblower Protection Act that case-related data must be deleted three years after the case has been closed. Good software explicitly asks whistleblowers whether this should be done automatically, and if not, the software requires them to provide valid reasons, exactly as required by the Whistleblower Protection Act.

Final thoughts

The interplay between whistleblower protection and data protection is complex, but crucial to safeguarding the rights of both whistleblowers and accused persons. It is important to always keep an eye on current case law and legislation and ensure that all processing activities are lawful and appropriate.
