Whistleblower Protection and the Right of Access
Description
This brief addresses the contested relationship between an individual's right of access to his or her personal data under data protection law and the protection of a whistleblower's identity. Both rights turn out to be cornerstones in their relevant fields. Balancing said rights can be a challenging endeavour, in particular for corporations in practice as an improper balancing could lead to severe sanctions.
The right of access has become the most basic of all rights that an individual has under the General Data Protection Regulation (GDPR). An individual must be given proper access to his or her personal data in order to enable him or her to exercise control over that data and decide upon claiming further rights such as the right of rectification or the right of erasure. It is not surprising that the right of access has turned out to be contentious and it continues to be at the core of numerous European Court of Justice (ECJ) decisions.
The protection of whistleblowers has by now evolved into an equally important right. Whereas snitches had been frowned upon in several cultures for a long time, the crucial role of whistleblowers has been acknowledged by now under human rights law as well as prominently by the European Whistleblower Protection Directive. Probably the most essential right for the functioning of the whistleblower mechanism is the proper handling of the whistleblower's identity. The confidentiality of the whistleblower's identity is the foundation for the whole reporting system, as otherwise retaliation against the whistleblower is likely to follow.
However, there may be instances where the individual's right of access and the whistleblower's right to his or her protection collide. Balancing these rights can become extremely challenging for an employer when faced with following up on a whistleblower's allegations while the accused perpetrator claims access to all information on him or her and particularly the whistleblower's name. This brief describes the development of both rights and offers solutions as well as practical advice to the employer's quandary when it tries to comply with both data protection law and whistleblower protection.
More details
Other editions
Additional editions
Person
Stephan Koloßa is a practicing attorney based in Germany and also serves as an in-house-counsel for a multinational corporation including. He specialises in data (protection) and IT law and acts as data protection officer. Currently, he is associated with the Technical University of Munich (TUM) and the Technical University of Braunschweig (TUB), where he conducts research focused on the challenges of the GDPR's practical applicability as well as that of other regulations in the areas of data and information law. He is involved in numerous projects relating to the digitalisation of the public administration.
Content
1 Introduction.- 2 Protection of Whistleblowers' Confidentiality under European Law.- 3 The Right of Access under European Data Protection Law.- 4 Synthesizing the Confidentiality of Whistleblowers and the Right of Access.- 5 Conclusion and Outlook.
