Privacy impact assessment for whistleblower systems?

Have you set up an internal reporting office in accordance with the Whistleblower Protection Act (HinSchG)?

Did you also conduct a data protection impact assessment before setting up the internal reporting office?

There is currently a dispute as to whether a data protection impact assessment (DPIA) must be carried out before an internal hotline is set up and operated.

According to Art. 35 of the GDPR, a so-called data protection impact assessment (DPIA) must always be carried out if data processing entails a high or very high risk to the rights and freedoms of a person. In that case, the data controller must conduct the DPIA before implementing the data processing and determine what consequences the planned processing would have for the protection of the data subjects' data. The DPIA is intended to describe, assess and reduce the risks of the data processing.

Therefore, the first question is whether the General Data Protection Regulation (GDPR) applies at all to a whistleblower protection system.

This is at least the case if a report in the whistleblower protection system is not anonymous. In that case, personal data is usually processed together with the report, and therefore the GDPR applies.

Is the processing of personal data in a whistleblower protection system likely to result in a high or even very high risk to the rights and freedoms of individuals?

There is guidance from the Conference of the Independent German Data Protection Supervisory Authorities (DSK) which states that "a whistleblowing procedure is subject to a data protection impact assessment because of the particularly high risk to the rights and freedoms of natural persons".

This is an opinion, but not an argument. I also doubt that this assumption is so sweepingly correct.

However, it must be acknowledged that reports in whistleblower protection systems can contain sensitive content, such as alleged violations and criminal acts, that can have serious consequences for the person affected by the report.

Reading the legal literature on this subject, the vast majority of authors therefore assume that a DPIA must, or at least should, be carried out before an internal hotline is set up and operated.

I, too, advise my clients to conduct a DPIA before implementing a whistleblower protection system, so that they have it "just in case". Better safe than sorry. Or, as a colleague wrote: "in dubio pro DSFA".