A reporter who submitted an anonymous complaint two months ago writes back through the case channel: “Please delete my report and all related data.” GDPR Article 17 grants a right to erasure. Article 18 of the EU Whistleblower Directive requires retention of records. The two rules collide directly. The resolution exists but is not in either text on its own. This piece sets out the three patterns national DPAs have converged on and what to write into the channel procedure.
Direct answer
GDPR Article 17(3)(b) explicitly preserves processing necessary “for compliance with a legal obligation”. The legal obligation under EU Directive 2019/1937 Article 18 to retain records of reports overrides the reporter’s right to erasure for the duration of the investigation and for the retention period set by national law (typically 1-10 years post-closure). The reporter cannot compel deletion mid-investigation. They can, however: (a) withdraw active participation in the case, (b) exercise the right to restriction under Article 18 GDPR pending verification of the conflict, (c) require deletion at the end of the statutory retention period. The procedure must say this explicitly.
Why this conflict exists
The two regimes pursue different goals. GDPR Article 17 puts data subjects in control of their own data; the regime is data-subject-centric. EU Directive 2019/1937 Article 18 puts the integrity of the reporting record above the convenience of any party; the regime is whistleblower-protection-centric, but it prioritises the long-term evidential value of the record over short-term comfort. When the same person is both data subject (under GDPR) and reporter (under the Directive), the regimes give them conflicting rights.
This is not unique to whistleblower channels. Tax records, accounting records, and AML records have similar conflicts and are similarly resolved: a legal obligation to retain overrides the right to erasure.
What Article 17 actually says
GDPR Article 17(1) lists six grounds for erasure: the data is no longer necessary, the data subject withdraws consent (where consent was the basis), the data subject objects, the data was unlawfully processed, erasure is required by Union or Member State law, or the data relates to a child and was collected in an information-society service.
Article 17(3) lists five exceptions where the right does not apply. The relevant one is paragraph (b): “for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject”. The legal obligation here is the national whistleblower act transposing Directive 2019/1937, which all in-scope employers are subject to.
The European Data Protection Board’s Guidelines 5/2019 on the right to erasure confirm this analysis: where retention is mandated by other Union or Member State law, the right to erasure is constrained until the retention period expires.
What Article 18 of the Directive requires
Article 18 of Directive 2019/1937 requires Member States to ensure that competent authorities and legal entities in the private and public sector “keep records of every report received”. The records must be retained for the period necessary and proportionate to comply with the Directive and other applicable Union or national law, including requirements relating to imposing sanctions and to the right to defence of persons concerned.
National transpositions vary on the exact retention period:
- Germany (HinSchG §11(5)): 3 years from closure for routine cases.
- France (Décret n° 2022-1284): closure of the case + 3 years for files closed without follow-up.
- Italy (D.Lgs. 24/2023 Art. 14(2)): “necessary period” interpreted by ANAC to mean at least 5 years for closed cases.
- Spain (Ley 2/2023 Art. 9): 10 years where the case involves criminal proceedings; 3 years otherwise.
- Netherlands (Wbk): no explicit period; aligned with the AVG general principle.
- Ireland (Protected Disclosures (Amendment) Act 2022): 5 years recommended in the Code of Practice.
The three resolution patterns DPAs have converged on
National DPAs have addressed individual cases in 2024-2025 and a clear pattern has emerged.
Pattern 1: Erasure refused, retention rule cited
The reporter requests erasure. The controller refuses, citing Article 17(3)(b) and the national whistleblower act. The controller explains the retention period and commits to deletion at its expiry. This is the dominant pattern (the German LDI NRW addressed several cases in 2024 and confirmed this approach).
Pattern 2: Partial erasure, identifiers deleted but not the record
The reporter requests erasure. The controller cannot delete the case record (Article 18 retention) but can delete identifying information that is not necessary to the record. Where the reporter had voluntarily provided a pseudonym, an email, or other identifying detail, the controller deletes those while keeping the substantive content and the audit trail. The Italian Garante endorsed this pattern in a 2024 enforcement decision and made it the default expectation.
Pattern 3: Restriction under Article 18 GDPR
The reporter requests erasure and, pending resolution, exercises the right to restriction under Article 18(1)(d) GDPR. Processing pauses on the contested data; the controller documents the dispute and the resolution. This is rarely the long-term answer but is the right interim response while the controller analyses the request.
What the procedure should say
The internal channel procedure should address erasure explicitly. A model paragraph:
Where a reporter submits a request for erasure under GDPR Article 17, the controller will respond within one month. The response will set out the legal basis for any continued retention, the retention period applicable to the case, and the date by which deletion will be performed. Where the request also covers identifying information that is not necessary to the retention of the report itself, that information will be deleted promptly on receipt of the request and an audit-log entry recorded. The reporter may also exercise the right to restriction under Article 18 GDPR; processing will pause on the contested data pending resolution.
The procedure should also address what happens at the end of the retention period: the case is deleted from active systems, the audit-log stubs (timestamps and event types only, no content) are retained for the further period required to demonstrate Article 18 compliance, typically 7 years.
Common pitfalls
Three mistakes compliance officers frequently make:
Mistake 1: Treating every erasure request as one to deny. Some erasure requests are valid (the reporter is not the data subject of the contested data; the data is not subject to the retention rule; the retention period has expired). Each request requires a substantive analysis, not a templated denial. The DPA expects to see this analysis if asked.
Mistake 2: Confusing erasure with closure. A reporter sometimes asks to close their case rather than to delete it. Closure is the case-workflow concept; erasure is the data-protection one. Confidly’s case interface distinguishes them and prompts the case handler to clarify before responding.
Mistake 3: Forgetting to delete at the end of retention. A retention period that is never tested becomes infinite. The procedure must trigger an automated review at the end of each retention period and either delete or document the legal basis for further retention. Auditors expect to see the deletion log.
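The three patterns, the partial-erasure step in the model paragraph, and the end-of-retention review from Mistake 3 can be expressed as one small case-lifecycle routine. The following is an added example written for this piece, not code from the original article or from any product mentioned in it; the record fields, the constructed sample case, its dates, and the retention period are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class AuditEvent:
    when: date
    event: str        # event type, kept in the stub after end of retention
    detail: str = ""  # free text, cleared when the record is stubbed


@dataclass
class CaseRecord:
    case_id: str
    content: Optional[str]            # substantive report: retained under Directive Art. 18
    reporter_email: Optional[str]     # voluntarily supplied identifier, not needed for the record
    reporter_alias: Optional[str]     # same
    retention_years: int              # set by the national transposition (assumed known per case)
    closed_on: Optional[date] = None  # None while the investigation is open
    restricted: bool = False          # GDPR Art. 18 restriction flag
    audit: list = field(default_factory=list)

    def log(self, when: date, event: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(when, event, detail))


IDENTIFIER_FIELDS = ("reporter_email", "reporter_alias")


def retention_expiry(case: CaseRecord) -> Optional[date]:
    """Retention runs from closure; an open case has no expiry yet."""
    if case.closed_on is None:
        return None
    closed = case.closed_on
    try:
        return closed.replace(year=closed.year + case.retention_years)
    except ValueError:  # closed on 29 February and the target year is not a leap year
        return closed.replace(year=closed.year + case.retention_years, day=28)


def handle_erasure_request(case: CaseRecord, today: date, legal_basis: str) -> dict:
    """Patterns 1 and 2: the record stays while retention runs (GDPR Art. 17(3)(b));
    identifiers the record does not need are deleted at once and the decision is logged."""
    expiry = retention_expiry(case)
    if expiry is not None and today >= expiry:      # retention already over: erasure is valid
        purge_expired(case, today)
        return {"decision": "erased", "legal_basis": None, "deletion_due": None}
    removed = [f for f in IDENTIFIER_FIELDS if getattr(case, f) is not None]
    for f in removed:
        setattr(case, f, None)
    case.log(today, "erasure_refused", f"basis: {legal_basis}; identifiers removed: {removed}")
    return {"decision": "refused", "legal_basis": legal_basis,
            "deletion_due": expiry, "identifiers_removed": removed}


def restrict_processing(case: CaseRecord, today: date, reason: str) -> None:
    """Pattern 3: pause processing on the contested data while the request is analysed."""
    case.restricted = True
    case.log(today, "restriction_applied", reason)


def purge_expired(case: CaseRecord, today: date) -> None:
    """End of retention: content and identifiers go; audit stubs (date and event type) stay."""
    case.content = None
    for f in IDENTIFIER_FIELDS:
        setattr(case, f, None)
    case.audit = [AuditEvent(e.when, e.event) for e in case.audit]
    case.log(today, "record_deleted")


def retention_review(cases: list, today: date, hold_reasons: dict) -> dict:
    """Automated review at end of retention: each expired case is purged or, where a
    documented legal basis for further retention exists, logged as held."""
    outcome = {"deleted": [], "held": [], "running": []}
    for case in cases:
        expiry = retention_expiry(case)
        if expiry is None or today < expiry:
            outcome["running"].append(case.case_id)
        elif case.case_id in hold_reasons:
            case.log(today, "retention_extended", hold_reasons[case.case_id])
            outcome["held"].append(case.case_id)
        else:
            purge_expired(case, today)
            outcome["deleted"].append(case.case_id)
    return outcome


def demo() -> dict:
    """Constructed scenario: a case closed on 29 Feb 2024 with an assumed 3-year retention."""
    case = CaseRecord("C-0001", "Invoices approved without a second signature",
                      "reporter@example.invalid", "blue-heron",
                      retention_years=3, closed_on=date(2024, 2, 29))
    restrict_processing(case, date(2024, 4, 10), "erasure request received, analysis pending")
    response = handle_erasure_request(case, date(2024, 4, 20), "national act via GDPR Art. 17(3)(b)")
    content_after_refusal = case.content
    review = retention_review([case], date(2027, 3, 1), hold_reasons={})
    return {"case": case, "response": response,
            "content_after_refusal": content_after_refusal, "review": review}
```

The design point is the split between the record and its audit trail: the refusal in April 2024 removes only the e-mail and alias and logs the basis, the content survives until the computed expiry (28 February 2027, since 2027 is not a leap year), and the review after that date empties the content and reduces every audit entry to its date and event type, so what remains can demonstrate compliance without carrying the report.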
What this means in operations
The conflict between GDPR Article 17 and Directive Article 18 is more theoretical than operational. In the typical month a compliance officer will see one erasure request per few hundred cases, and almost always it is resolved within the three patterns above. The work is to have the procedure written, to handle requests substantively rather than by template, and to record the rationale in the audit log so the next regulator inspection sees an organisation that thought about the rule rather than one that ignored it.
Erasure requests, properly handled, are a positive indicator: they show that data subjects know their rights and engage with the controller. Channels that never see one are likely either fielding zero traffic or failing to communicate rights to data subjects.