Whistleblowers and GDPR – How to Protect Personal Data in Your Reporting System

Apr 8, 2026 | GDPR and iGDPR guides for practitioners and beginners

Whistleblower GDPR compliance is an area where data protection obligations and reporting system requirements overlap directly. In Poland, the Act on the Protection of Whistleblowers entered into force on 25 September 2024, with the provisions on external reporting channels becoming operational on 25 December 2024.

Implementing a reporting system is not merely an organisational matter — it is also an area where GDPR applies with particular intensity. The personal data of the whistleblower, the person named in the report as the alleged wrongdoer, witnesses, and related parties all require strict protection. Errors in this area can simultaneously constitute a violation of whistleblower protection legislation and a breach of GDPR.

In this article we explain:

  • what personal data is processed within a reporting system,
  • what GDPR obligations the whistleblowing legislation introduces,
  • how to protect the whistleblower’s identity in line with the rules,
  • and what to update in your GDPR documentation after implementing a reporting procedure.

Whistleblowers GDPR — who is subject to the legislation

The obligation to implement an internal reporting procedure applies to legal entities for which at least 50 people perform paid work — assessed as of 1 January or 1 July of a given year. This threshold covers both employees and individuals working under civil law contracts.

Violations that may be the subject of a report span a broad catalogue of legal areas — including, explicitly, the protection of privacy and personal data, and the security of networks and information systems. This means the reporting system can itself become a tool for flagging GDPR violations within the organisation.

What personal data is processed in a reporting system

Receiving and handling reports involves processing the personal data of several categories of individuals:

The whistleblower — the person making the report. Their identity is subject to special protection. The legislation permits anonymous reports, though it does not mandate them — each organisation decides independently whether to accept anonymous submissions.

The person named in the report — the individual identified as the alleged wrongdoer. Their data is processed during the follow-up investigation.

Third parties — witnesses, victims, and other individuals mentioned in the report whose data may appear in the documentation.

The legislation explicitly states that the organisation processes personal data only to the extent necessary to receive the report or take follow-up action. Data irrelevant to the case must not be collected, and any such data collected by accident must be deleted within 14 days of establishing that it is not relevant. This is a direct application of the data minimisation principle in Article 5(1)(c) GDPR.

The obligation to protect the whistleblower’s identity

This is one of the central requirements where whistleblower protection legislation and GDPR converge most strongly. The organisation must guarantee that the internal reporting procedure prevents unauthorised persons from accessing the information contained in the report and ensures the confidentiality of the identity of the whistleblower, the person named in the report, and any third parties.

Confidentiality protection covers not only the name and surname of the whistleblower, but all data from which their identity could be indirectly inferred — such as their job title, department, workplace, or the specific nature of the event described.

Only individuals holding a written authorisation may be permitted to receive, verify, and process data contained in reports. Those individuals are bound by a duty of confidentiality even after the end of their employment or other working relationship.

Disclosing a whistleblower’s identity without a legal basis may simultaneously constitute a violation of whistleblower protection law and a personal data breach under GDPR. Such a breach must be assessed and documented under Article 33 GDPR and, unless it is unlikely to result in a risk to the individuals concerned, notified to the supervisory authority within 72 hours; given the consequences for the whistleblower, it will usually also trigger the duty to inform the data subject under Article 34 GDPR.

GDPR information obligations towards participants in the reporting process

The data controller — the organisation operating the reporting system — must fulfil information obligations towards three groups of individuals:

The whistleblower — under Article 13 GDPR, i.e. before or at the point of data collection. In practice, this is achieved by including a privacy notice in the internal reporting procedure or in the reporting form itself.

The person named in the report — under Article 14 GDPR, since their data was not collected directly from them. The legislation introduces an important exception here: the obligation to inform the data subject of the source of their data (Article 14(2)(f) GDPR) does not apply where doing so could reveal the identity of the whistleblower. This deliberate carve-out protects the confidentiality of the reporting system.

Third parties — witnesses and other individuals named in the report, towards whom Article 14 GDPR also applies, with the same exception regarding the source of data.

The report register as a controller obligation

The legislation requires the maintenance of an internal report register. It explicitly states that the entity keeping such a register is the data controller of the personal data contained within it.

The report register should include, among other things: the report reference number, the date of the report, a description of the subject matter, information on follow-up actions taken, and the date of case closure.

From a GDPR perspective, the report register is a separate processing activity that should be recorded in the record of processing activities with a defined legal basis, purpose, data categories, and retention period.

Processing personal data within an internal reporting procedure rests primarily on Article 6(1)(c) GDPR — compliance with a legal obligation — since maintaining the reporting system is a statutory requirement.

Where special category data appears in the content of a report — such as health data or trade union membership — Article 9(2)(b) GDPR applies: processing necessary for the performance of obligations in the field of employment law.

The legal bases for processing should be clearly stated in the privacy notices provided to all participants in the process.

What to update in your GDPR documentation

Implementing a whistleblower reporting system requires a review and update of the organisation’s GDPR documentation. In practice this means:

Record of processing activities — add a new processing activity: “Handling of whistleblower reports”, with the applicable legal basis, purposes, data categories, recipients, and retention period. Use the record of processing activities module to keep this up to date.

Risk assessment — a reporting system processes potentially sensitive and specially protected data, so it requires a risk assessment and, in justified cases, a full data protection impact assessment (DPIA) under Article 35 GDPR.

Authorisations — only individuals with a written authorisation may access reports and the personal data contained in them. The list of authorised persons should be maintained and kept current.

Data processing agreements — if the operation of the reporting system is outsourced to an external provider (e.g. a whistleblowing platform), a data processing agreement meeting the requirements of Article 28 GDPR must be in place, and the provider must be listed as a recipient in the record of processing activities.

Retention policy — data from reports is retained for three years after the end of the calendar year in which the follow-up action was concluded (or in which proceedings initiated by that action ended), or for a longer period where required by separate legislation. Data established to be irrelevant to the case is subject to the separate 14-day deletion deadline described above.

The role of the DPO in the reporting system — an important note

The supervisory authority has highlighted the risk of a conflict of interests when the Data Protection Officer is directly involved in handling whistleblower reports. Reports may concern GDPR violations — which is precisely the subject matter the DPO assesses as part of their statutory role. Full impartiality is difficult to maintain in such a situation.

The recommended approach: the DPO plays an advisory and oversight role in relation to the reporting system but should not be the person receiving or processing individual reports.

Summary

Whistleblower protection legislation and GDPR are mutually reinforcing and place overlapping obligations on data controllers regarding the protection of personal data. Implementing a reporting procedure without updating GDPR documentation is an incomplete implementation.

Key principles:

  • the whistleblower’s identity is subject to special protection — disclosing it may simultaneously breach whistleblower law and GDPR,
  • access to report data is restricted to individuals holding a written authorisation,
  • GDPR information obligations apply to the whistleblower, the person named in the report, and third parties,
  • the report register is a separate processing activity requiring an entry in the record of processing activities,
  • the DPO should not process individual reports — their role is supervisory, not operational.

If your organisation has implemented a reporting system, verify that your GDPR documentation — the record of processing activities, risk assessment, authorisations, and data processing agreements — has been updated accordingly.

Manage GDPR documentation for your whistleblower reporting system in one place

iGDPR helps you maintain the record of processing activities, manage authorisations, register data processing agreements, and carry out risk assessments — including for internal reporting procedures. See how it works in practice.
