Glossary
GDPR
Regulation (EU) 2016/679, the General Data Protection Regulation, governs processing of personal data of EU residents. Whistleblowing channels process personal data of the reporter, the person reported on, and third parties named in the report. Key articles: Art. 6 (legal basis), Art. 5 (minimisation), Art. 9 (special categories), Art. 17 (erasure), and Art. 30 (records).
Full definition
Regulation (EU) 2016/679, the General Data Protection Regulation, applies to all processing of personal data of EU residents. Whistleblowing channels process personal data of (a) the reporter, (b) the person reported on, and (c) any third parties mentioned in the report. GDPR Articles 5, 6, 9, 17, and 30 are particularly relevant: lawfulness (Art. 6: legal obligation under EU Directive 2019/1937), data minimisation (Art. 5), special-category data restrictions (Art. 9), the right to erasure tempered by the record-keeping obligation (Art. 17), and the record-of-processing requirement (Art. 30). EU-only hosting is best practice but not legally required.
Related terms
- Confidentiality: The legal obligation to protect the identity of a whistleblower and any third party named in a report. EU Directive 2019/1937 Article 16 prohibits disclosure beyond authorised staff, and the obligation persists after the case closes. Disclosure is permitted only with the reporter's consent or where required by national law in criminal or judicial proceedings.
- DPIA: A Data Protection Impact Assessment is a GDPR-mandated risk analysis for high-risk data processing, required by Article 35. Whistleblowing typically triggers a DPIA because it involves systematic employee monitoring and special-category data such as allegations of criminal conduct. The DPIA documents purposes, data categories, risks, mitigation measures, and the DPO's opinion.
- RoPA: A Record of Processing Activities is the GDPR-mandated inventory of every personal-data processing activity in an organisation. Article 30 requires every organisation (with limited small-organisation exemptions) to maintain a written RoPA. For a whistleblowing channel, the entry must include purpose, data categories, recipients, retention, security measures, and any third-country transfers.
- Data Residency: The geographic location where personal data is stored and processed. For EU whistleblowing channels, EU-only data residency is strongly preferred because it avoids GDPR Chapter V transfer complications, aligns with national whistleblower laws such as Loi Sapin II, and simplifies the Article 6 legal-basis analysis. Confidly hosts all data in EU data centres.