The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?

The Belgian Parliament recently approved the Act implementing EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, commonly known as the Whistleblowing Directive, in the private sector (“Whistleblowing Act”). It was published in the Belgian Official Gazette on 28 December 2022 (available in French/Dutch) and will enter into force today. If you missed the deadline to implement the whistleblowing scheme, or if it is still work in progress, it’s never too late to check if your scheme complies with data protection rules.

How are data protection rules related to the whistleblowing scheme?

In a nutshell, the Whistleblowing Act imposes a set of new obligations, with the most important, being the implementation of an internal channel for receiving and dealing with complaints.

Data protection rules are important for protecting whistleblowers. When you have a whistleblowing program, you’ll need to follow these rules because the General Data Protection Regulation ("GDPR") usually applies. This means that you’ll need to be careful when handling personal data about your current or former employees, workers, or trainees.

The information processed in whistleblowing procedures may be sensitive. Leaks or unauthorised disclosure of data may have adverse consequences for both whistleblowers and the accused. Therefore, special care must be taken over that information. All obligations stemming from the GDPR, and Belgian data protection legislation, will need to be respected when establishing an internal reporting procedure. Depending on your sector of activity, your company will also have to take into account specific applicable provisions (such as article 46bis of the law of 2 August 2002 on the supervision of the financial sector and financial services).

Can a breach or abuse of the gdpr be reported?

Yes. The Whistleblowing Act lists a wide range of violations that should be reportable through the whistleblowing schemes, including actual or suspected violations of data protection and information security obligations.

How to set up a whistleblowing scheme that complies with the gdpr implemented?

The most effective way to encourage your staff to report concerns is to ensure that their identity will be protected. Therefore, clearly defined channels for internal and external reporting and the protection of the information received should be in place. In other words, the management of a whistleblowing case requires an appropriate corporate culture which reflects your organisation’s intention to handle personal data and whistleblowing reports confidentially and with the utmost security.

Your organisation needs to make sure that the whistleblowing scheme is compliant with the data protection principles (lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality). This includes the following:

  • Implement defined channels for internal and external reporting and specific rules where the purpose is clearly specified.
  • Be transparent. Inform the data subjects of the processing activities, the personal data processed in them, the purposes they serve, and the legal basis on which each of the processing activities relies. For instance, the processing activity may be implemented to collect and process warnings aimed at revealing a breach of a specific rule. When a processing activity has several purposes, each of them must have a legal basis (which may be distinct from each other). Your company must therefore determine the most appropriate legal basis for each purpose of processing implemented (e.g. in a table format to explain what data is used, for what purpose and the relevant legal basis).
  • Inform and/or consult the competent bodies when setting up the whistleblowing channels.
  • Ensure confidentiality of the information received and protect the whistleblower’s identity and all other persons involved.
  • Ensure when responding to right of access requests that personal data of other parties is not revealed.
  • Define proportionate retention periods for personal data processed in connection with whistleblower reports.
  • Update your records of processing activities.
  • Where you use an external service provider to assist you in receiving and handling whistleblower reports, sign a data processing agreement with such provider and make sure they have a good knowledge of all data protection requirements.
  • Implement measures to protect confidentiality, integrity, and availability of data. Ensure you grant internal access on a strictly need-to-know basis.

Can the whistleblowing officer be the dpo?

At first sight, this would be an effective solution.

The EU Whistleblower Directive specifies that, depending on the structure of a company, the choice of the most appropriate persons (or departments) to be designated as Whistleblowing Officer may be a dual function, such as a Chief Compliance Officer, Human Resources Officer, Legal Officer or a Privacy Officer.

Although the Directive seems to conclude that the Data Protection Officer (DPO) may at the same time be the Whistleblowing Officer, such a dual role is likely to give rise to a conflict of interest according to the Belgian legislator. It therefore seems inadvisable to appoint the DPO to this position. Also, note that not every private entity is obliged to appoint a DPO. Nevertheless, the DPO and the Whistleblower Officer should work together closely.

What is the deadline for employers regarding internal reporting channels?

The Whistleblowing Act was published in the Belgian Official Gazette on 28 December 2022 and enters into force today. On 31 January 2023, the Royal Decree was also published which designates the authorities entitled to receive external whistleblower reports (in French/Dutch). The Belgian Data Protection Authority will oversee external whistleblower reports about alleged violations of data protection rules and, where founded, for imposing sanctions.

By way of exemption, the obligation to establish internal reporting channels and internal reporting procedures will apply to legal entities in the private sector that have between 50 to 249 employees as from 17 December 2023. This will however not be the case for entities that fall within the scope of the provisions on financial services, products and markets and the provisions referred to in Article 4, 1° (in the field of prevention of money laundering and terrorist financing).

Tom De Cordier - Partner, Brussels

Thomas Dubuisson - Senior Associate, Brussels