In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations with more than 50 employees (or organizations operating in certain sectors, regardless of headcount) to implement a whistleblowing system, has raised some doubts from a data protection perspective.
In particular, many have inquired about the lawfulness of processing personal data collected by the system for purposes other than meeting the Law’s main goals (to enable the reporting of regulatory violations, and to provide adequate protection against retaliation that may be suffered by natural persons who make a report).
In this regard, the Spanish Data Protection Agency (“AEPD” for its acronym in Spanish), in a response (hereinafter, the “Report”) to a specific consultation (the AEPD does not provide any details of the inquirer), clarifies that all information received in the internal information system is subject to the same guarantees and safeguards for processing and that any information that, after examination by the controller, is considered to fall outside the scope of the Law must be deleted. This stems from Article 32(2) of the Law, which reads “[…] all personal data that may have been communicated and that refers to conduct that is not included in the scope of application of the law will be deleted.” The AEPD clarifies that this is in line with the provisions contained in Article 32(3) and Article 32(4), which set forth that the information collected by the system can be kept only for the time necessary to decide whether or not to open an investigation into the reported facts and that, in any case, once three months have elapsed since the receipt of the communication, if no investigation has been opened, it must be deleted, unless the purpose of keeping it is to provide evidence of the operation of the system.
With regard to this final reference to the need to retain the information as evidence of the operation of the system, and although it is not explicitly stated in the Report, we assume that the AEPD considers this processing to be compatible with the purpose for which the information is collected.
Our assumption is based on the final section of the Report, in which the AEPD analyzes whether the possible processing of this information (which falls outside the substantive scope of the Law) to improve the efficiency, transparency and governance of the system would also be compatible with the statutory purposes for which it is collected.
The AEPD concludes that, given the sensitivity of the information and the limited context in which the data is collected, such processing would not be compatible with the statutory purposes for which the information is primarily collected.
However, the analysis of the AEPD and its restrictive approach to the processing of personal data provided by the whistleblower or collected by the whistleblowing system raises new doubts and concerns that may also need to be addressed. Is it not lawful to retain this information for purposes such as defending against legal claims (e.g., from a reporter whose complaint has been rejected)? Would it be any different if the information related to reports about matters within the scope of the Law? If the controller (the company providing the whistleblowing system) informs the AEPD that it uses log information or similar data to ensure the cybersecurity of the system, would this processing also be prohibited?