European Data Protection Supervisor

Data protection and Whistleblowing in the EU Institutions


Confidentiality is the most effective incentive to encourage staff to report wrongdoing at work, said the European Data Protection Supervisor (EDPS) today as he published his Guidelines on Whistleblowing Procedures.

Wojciech Wiewiórowski, Assistant EDPS, said: "Whistleblowing procedures are meant to provide safe channels for staff or other informants to report fraud, corruption or other serious wrongdoing in organisations. Given that the information processed in whistleblowing procedures is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the accused, special care must be taken over that information. The EDPS Guidelines can help the EU institutions and bodies to mitigate the risks." 

Corruption can harm the economy and undermine the trust of citizens in public institutions. Whistleblowing plays a key role in the public interest, but while it may help the institution to uncover serious wrongdoing, it is not always in the best interests of the whistleblower.

EU institutions and bodies are obliged by the EU Staff Regulations to have clear whistleblowing procedures in place. The Staff Regulations also oblige officials who become aware of possible illegal activity to report it without delay. Unfortunately, people tend to be reluctant to do so and often fear retaliation.

The most effective way to encourage staff to report serious concerns is to ensure that their identity will be protected. Special care must be taken over technical and organisational measures so that the risks of leaking information are reduced and data security is ensured in all whistleblowing cases.

The EDPS Guidelines are designed to help EU institutions and bodies prepare and implement their whistleblowing procedures so that they comply with the obligations set out in the data protection Regulation (REG 45/2001) applicable to the EU administration. In particular, the Guidelines recommend how EU bodies define safe channels for staff to report fraud, ensure the confidentiality of information received and protect the identities of the whistleblower, the accused and anyone else connected to the case.

The Guidelines build on years of practical experience gained through the EDPS' supervision work and on previous EDPS decisions and Opinions (on administrative consultations, prior checks and complaints). The Guidelines also take into account feedback from Data Protection Officers in the EU institutions, who were consulted so that the Guidelines could be tailored to work effectively in practice.

The EDPS Guidelines address the whistleblowing procedures in EU Institutions and bodies, prior to any investigation by the European Anti-Fraud Office (OLAF).

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.

Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: The right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

EDPS Reference Library: For more information on Whistleblowing, read the note in our Reference Library.