Glossary
Recordkeeping
The legal obligation to retain documentation of every whistleblower report and its handling. EU Directive 2019/1937 Article 18 requires records be kept as long as necessary and proportionate. National transpositions vary: Germany sets 3 years, France sets case duration plus 3 years, Spain sets 10 years for criminal cases. The obligation justifies derogation from GDPR erasure.
Full definition
EU Directive 2019/1937 Article 18 requires that records of every report be kept for as long as necessary and proportionate, balanced against the right to erasure under GDPR Article 17. National transpositions vary: Germany's HinSchG sets 3 years, France's Loi Sapin II sets case-duration plus 3 years, Spain's Ley 2/2023 sets 10 years for cases involving criminal proceedings. The recordkeeping obligation justifies derogation from GDPR's right to erasure: the reporter cannot demand deletion mid-investigation. Confidly's audit log meets the recordkeeping requirement out of the box and is exportable for regulator inspection.
Related terms
- Audit Log: An append-only record of every action taken on a whistleblower case, used to demonstrate compliance to regulators. Existing entries cannot be modified or deleted, only new entries added. Auditors at competent authorities such as Germany's Bundesamt für Justiz typically request the audit log first when inspecting a channel for EU Directive 2019/1937 Article 18 compliance.
- GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation, governs processing of personal data of EU residents. Whistleblowing channels process personal data of the reporter, the person reported on, and third parties named in the report. Key articles: Art. 6 (legal basis), Art. 5 (minimisation), Art. 9 (special categories), Art. 17 (erasure), and Art. 30 (records).