Spanish Data Protection Agency publish their position on whistleblowing


The Spanish Data Protection Agency (the “SDPA”) has just published its position regarding the implementation of whistleblowing schemes in companies. Although the position was released in response to a specific query made by an undisclosed pharmaceutical company and not a formal guideline, it reflects the SDPA’s position regarding the implementation of whistleblowing schemes in multinational companies and therefore should be used for reference.

The opinion states that:

  • Reporting schemes are lawful provided that the processing relates to parties to a contract (for instance a company and its employees) and are necessary for the maintenance or performance of the contract. Please note that, in addition to identifying the wrongdoings, the reporting scheme must rely on wrongdoings which could actually affect the contractual relationship between the company and the employee incriminated (in accordance with article 7b. of the Data Protection Directive and the equivalent provisions in 6.2 and 11.2 of the Spanish Law on Personal Data Protection (“LOPD“));

  • The whistleblowing scheme should not include the possibility of reporting anonymously. However, the system must guarantee the confidentiality of the subject of the report;

  • The data related to the incriminated subject shall not be kept for longer than is necessary to proceed to the relevant internal audits or no longer than the period necessary to carry out any judicial proceedings resulting from an investigation. In any case, the policy must set out a maximum retention period for the data;

  • The whistleblowing process must respect the rights of access, rectification, erasure and opposition in article 5d. of the LOPD. The SDPA also affirms that the subject of a whistleblowing report must be specifically informed by the company that the report exists as soon as possible and, in any case, within three months;

  • The company must implement the relevant security measures in accordance with Royal Decree 994/1999 (11 June), on Security Measures. The SDPA also confirmed in relation to the scheme submitted to it for analysis, that security measures must be applied at the highest level, because:

    • it is not possible to know the categories of data which will be processed through the whistleblowing schemes and therefore sensitive data could be processed;

    • if an employee belongs to a union, the company has to inform the union of the proceedings initiated against its members.

Therefore, the company may decide to include data related to Trades Union memberships (which is considered sensitive in accordance with the LOPD) in the data file.

As the company connected to the enquiry was a member of the pharmaceutical sector the SDPA stated that a report could be linked, for instance, to situations related to clinical trials (which could imply the processing of data related to health).

We understand that this is a very strict approach and that there are legal grounds to support the argument that high security measures should not be implemented for all whistleblowing schemes as a rule. There are reasonable legal grounds to support the argument that security measures would not need to be implemented at the highest level if (i) the reporting system did not involve processing of sensitive data and (ii) the company did not include data related to the trade union affiliation of its employees in the relevant file.

The company is obliged to notify the SDPA of processing. The Company must also ask for authorisation to transfer the data, if part of the data is to be transferred to a company located in a country which does not provide an equivalent level of security (unless any of the exceptions provided by the LOPD applies).

The position paper is available in its Spanish version at the SDPA website in the following link