In nine recommendations, the EDPS has laid down rules on how the protection of internal and external whistle-blowers can be improved. This includes the establishment of secure communication channels for reporting that preserve the confidentiality of the information received as well as of the identity of the whistle-blower and all other persons involved. The Guidelines also consider it necessary that the principle of data minimisation is applied, which means that only personal information which is adequate, relevant and necessary for the specific case may be processed. This also implies, as another recommendation highlights, that there is a need to define what personal information means in this context and who the affected individuals are, in order to be able to grant them their rights to information, access and rectification.
In a two-step procedure, the different groups of individuals involved – the whistle-blowers themselves, witnesses, the wrongdoer and third persons – were to be informed about the way their data are processed: on the one hand, by publicly accessible information, e.g. the making available of a data protection statement on the website, on the other hand, by an individual notification of the affected persons, e.g. by email.
Moreover, the EDPS claims that, when responding to an access request, no personal information about individuals other than the requesting party should be revealed. In general, information should only be transferred if it is necessary for the legitimate performance of tasks covered by the recipient’s competence.
Furthermore, conservation periods needed to be defined in a proportionate way, in consideration of the outcome of each individual case. Finally, the EDPS recommends that technical and organisational measures be taken, based on a risk assessment, to ensure that personal information is processed lawfully and securely in the context of a whistleblowing procedure.