1. Introduction

Following our previous articles published on July 30 and September 25, we conclude our brief analysis of the Whistleblowing Reporting System (hereinafter “Whistleblowing”) focusing our attention on the prescription under the privacy law linked to the related reporting system. For a better understanding of this matter, it should be noted that by Whistleblowing we intend an employee’s reporting of illicit deeds committed inside of the company where they are employed.

It should be noted that the Italian Data Protection Authority’s most recent six-month inspection plan, published on 12 September 2019, indicates the verifications to be carried out by the Italian Authority in the same period, specifically citing the processing of personal data carried out for the management of the reporting of unlawful conduct (so-called whistleblowing). The following indications, therefore, may be useful in view of possible Inspections by the Italian Data Protection Authority with regard to such processing.

2. Requirements under privacy law: privacy notices, authorization for the processing of personal data, record of processing activities.

Alongside the prescription set forth by Italian Legislative Decree n. 231 of 2001 (hereinafter the “Decree”), the Whistleblowing system must also be compliant with Regulation EU 679/16 (hereinafter “GDPR” or “Regulation”).

Firstly, it is necessary to write a notice according to what is established in Article 13 of the GDPR, which informs the reporting agent about the processing of their personal data as well as the retention of the data included in the report. This notice should be available to all employees (for example, when the policy about Whistleblowing is communicated to employees) and, if possible, the notice should be published on the corporate intranet.

At the same time, it is necessary to adequately instruct the authorized persons and therefore the recipients of the reports (receiving agents), providing them with an authorization to process personal data pursuant to Article 2 quaterdecies of the Privacy Code as amended by Italian Legislative Decree 101/2018. This authorisation is supplementary to and not a substitute for the so-called “general” authorisation that the employees receive during the hiring phase.

In this context, however, there is another issue, namely that of correctly framing the privacy roles of the recipients of the report, in the event that they are “internal” to the company (e.g. they work in the Compliance Department, Internal Audit Department, Legal Department of the company, etc.) or are “external” (e.g. external members of the Supervisory Body, consultants, etc.). This is because, if the recipient is an employee of the company, what is illustrated above applies, since the latter acts according to the instructions given by the data controller (hereinafter “Data Controller”) and with the organisational means provided by the latter.

In the other hand, if the receiving agent is an individual external to the company, he/she may be defined as a processor of personal data (hereafter “data processor”). According to the Regulation, data processor “shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” Such definition is the same as that included in Opinion 1/2010 of the Article 29 Working Party (hereafter “A29WP”), which today is known as the European Data Protection Board.

The Article 29 Working Party Opinion 1/2010 provides useful elements to distinguish the role of data controller from that of data processor which lies in the distinction of the party that has the power to “determine” the “purpose” and “essential means” of the processing. According to the A29WP the data controller is the figure that determines the purposes and the essential means of the processing of data and such competence must be verified through an analysis of factual circumstances, rather than formal elements (e.g. contracts). In order to determine whether an individual is the data controller, in other words, it is necessary to analyse the specific processing activities and to ask why the processing takes place and who has decided to implement it.

For the Opinion mentioned above, the capacity to “determine the purposes and the means” may stem from different legal and/or factual circumstances: (i) a legal competence, when the law determines the controller or confers a task or duty to collect and process certain data; (ii) common legal provisions or existing traditional roles that normally imply a certain responsibility within certain organisations (for example, the employer in relation to data of its employees); (iii) factual circumstances and other elements (such as contractual relations, actual control by a party, visibility towards data subjects, etc.).

With specific reference to the “purpose and the essential means of the processing”, the A29WP Opinion established that “purpose” is “an anticipated outcome that is intended or that guides your planned actions” and “means” is “how a result is obtained or an end is achieved” and so the “purpose” can be understood as the result that is intended to be achieved or that guides the actions that are undertaken, while the “means” are understood as the way in which the result is obtained. In other words, the purposes and the means amount to determining the “why” and the “how” of certain processing activities.

Determination of the “means” therefore includes both technical and organizational questions where the decision can be delegated to processors and essential elements which are traditionally and inherently reserved to the determination of the controller, such as “which data shall be processed?”, “for how long shall they be processed?”, “who shall have access to them?”, and so on.

There are presently conflicting opinions with respect to the role of the Supervisory Board as a data controller or a data processor and we look forward to seeing what the Italian Data Protection Authority has to say on the matter in due time. In the meantime, we suggest following what is outlined in the Opinion cited above.

Finally, in order to be compliant with the GDPR, it is advisable to dedicate a specific section of the Article 30 GDPR records of processing to Whistleblowing-related processing activities.