(Foto: AEPD)

The regulations allow the implementation of reporting systems in organizations respecting a series of basic data protection principles.

Complaint systems or ‘whistleblowing’, in its English term, are an instrument to reveal the commission of acts or conduct contrary to the law or the collective agreement within companies or in the actions of third parties who contract with them. These systems are usually configured by creating internal mailboxes, generally online, through which workers can communicate this type of situation.

Data protection regulations allow the implementation of these systems provided that a series of basic principles are respected. The Agency itself, within the commitments set out in its Social Responsibility Action Framework and the provisions of its Code of Ethics, launched a reporting channel.

If we want to implement a reporting system in our company or organization, we must pay attention to the following basic aspects related to privacy:

Inform workers

It is essential that workers are informed of the existence of the complaint system and the processing of data that the formulation of a complaint entails. It can be communicated directly in the employment contract; individually or collectively when implementing or modifying the system, or through informative circulars to staff and their representatives.

Respect the principle of proportionality and limitation of purpose

Complaints must refer only to cases in which the facts or actions have an effective implication in the relationship between the company and the accused and, in the same way, the information obtained in this way may not be used for a purpose other than that foreseen for the commissioning of the system.

Protection of the complainant’s data

The law allows anonymous reporting systems but, in the event that this is not the case, the information of the reporting person must be safe and not facilitate the identification of the denounced. This implies implementing reinforced information security and confidentiality measures.


Limitation of access to information

Access must be limited exclusively to those who carry out internal control and compliance functions or to the person in charge of the treatment designated for this purpose. Only the access of other people or their communication to third parties will be lawful, when it is necessary for the adoption of disciplinary measures or the processing of the legal procedures that, where appropriate, proceed.


Conservation and deletion of data

The data should be discussed only for the time necessary for the investigation of the facts, unless it follows from that time the adoption of certain measures against the accused, in which case it would be possible to keep the data for a longer period. In any case, the data must be deleted three months after its introduction in the complaints system.


Data protection rights

The rights of access, rectification, deletion and opposition of the denounced must be guaranteed, without this implying revealing the identity of the denouncer. The defendant should be able to know in the shortest time possible the fact that is imputed to him in order to be able to properly defend his interests, so this information must be provided to him after a reasonable time in which the preliminary investigation of the facts is carried out.

You can expand the information on privacy, reporting systems and other issues related to the work environment in the guide “Data Protection in the Agency’s Labor Relations”.

Link https://www.aepd.es/es/prensa-y-comunicacion/blog/privacidad-en-sistemas-de-denuncia-o-whistleblowing