Bulgaria: Whistleblowing and data protection - how to strike the balance?
In this Insight article, Violetta Kunze and Lilia Kisseva, from Djingov, Gouginski, Kyutchukov & Velichkov, explore whistleblowing and the need for protection. They discuss key points of the Bulgarian Law on the Protection of Persons who Report or Publicly Disclose Information about Breaches (the Whistleblowing Law), confidentiality, data protection challenges, and striking a balance between public interest and privacy.
What is whistleblowing? Why is there a need for protection for speaking the truth?
The whistleblowing rules aim to establish a legal and cultural tradition of protecting whistleblowers, including company employees (former or present), shareholders or board members, job applicants, contractors, and subcontractors. They also seek to ensure responsible business management that does not tolerate breaches of Bulgarian or EU law, regardless of whether those breaches were committed by companies, their employees, or other personnel.
On one hand, the whistleblowing legal framework enhances the opportunity for each business to shed light on its own practices and gain a better understanding of its operations. On the other hand, it addresses the dilemma whistleblowers often face between loyalty to the company and the public interest, as well as concerns about negative attitudes or inactivity when trying to report misconduct internally. To overcome these challenges, the new rules ensure confidentiality and protect whistleblowers against retaliation measures, creating a safer environment for individuals to come forward with information about misconduct.
Brief overview of the key points of the Bulgarian whistleblowing law
The Whistleblowing Law was recently adopted to comply with the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) (the Whistleblowing Directive). The Whistleblowing Law came into effect on May 4, 2023, with the exception of internal reporting obligations for private sector employers with between 50 and 249 employees, which will become effective on December 17, 2023.
Scope of application
The Whistleblowing Law applies to reports and public disclosure of information regarding breaches of Bulgarian legislation or EU law within specific sectors, including public procurement, financial services and prevention of money laundering and terrorist financing, transport safety, environmental protection, product safety, food safety, public health, consumer protection, and personal data protection. A noteworthy local deviation is that the scope of the Whistleblowing Law is broader than that of the Whistleblowing Directive, as it also covers reports about crimes of a general nature (that is, crimes prosecuted ex officio by the prosecution authorities) and breaches of Bulgarian employment legislation. It is important to note that anonymous reports, and reports of breaches committed more than two years before the report, are not admitted under the Law.
Reporting can be done through two channels: internal and external. Internal reporting uses a reporting channel established within the company or public entity. External reporting goes through the channel set up by the Bulgarian Commission for Personal Data Protection (CPDP), which is the central national authority responsible for receiving and handling external reports, among other functions discussed below.
Entities obliged to establish an internal reporting channel
Entities falling under the following categories are obliged to establish an internal reporting channel and procedure for the internal filing of reports:
- all employers with 50 or more employees, and
- all employers, regardless of the number of employees, whose activities fall within specific sectors listed in the Whistleblowing Law. These sectors include, among others, financial services, prevention of money laundering and terrorist financing, transport safety, product safety, environmental protection, food safety, public health, and consumer protection. (Both categories of entities are collectively referred to as the Obliged Private Entities.)
Obligations of the Obliged Private Entities
The Obliged Private Entities have the following obligations, among others:
- establish an internal reporting channel meeting the specific requirements of the Whistleblowing Law, and designate one or more employees as reports administrators responsible for receiving, registering, investigating, and following up on internal reports. The data protection officer (DPO), where the organization has one, may be appointed as reports administrator;
- maintain a register of submitted reports with the content prescribed by the law. Reports must be registered on forms with the minimum content specified by the Whistleblowing Law, following templates approved by the CPDP. The register's format must follow a model approved by the CPDP, and the terms and conditions of record-keeping are to be defined in a CPDP regulation due by August 4, 2023;
- adopt rules for internal reporting that should be reviewed and updated at least once every three years; and
- provide clear and easily accessible information about the internal reporting procedure on their official webpages and in their offices and work premises.
Protection of Whistleblowers
The Whistleblowing Law protects individuals who report or publicly disclose information about breaches that they acquired in a work-related context. This protection covers various categories of individuals, including but not limited to:
- persons with the status of a worker or a civil servant, whether current or former;
- persons with a self-employed status;
- shareholders or persons who are members of the management or supervisory body of a company;
- job applicants;
- volunteers or trainees; and
- contractors or subcontractors, and others (collectively, Whistleblowers).
The protection also extends to facilitators and third persons connected with the Whistleblower who could face retaliation as a result of the disclosure. This includes colleagues or relatives who might be affected. Furthermore, legal entities owned, worked for, or otherwise connected to the Whistleblower within a work-related context are also covered by this protection.
Role of the CPDP
The CPDP was designated as the central national authority responsible for receiving and following up on reports as the established external reporting channel. Additionally, the CPDP serves as the central national authority for the protection of Whistleblowers.
For the purposes of investigation and follow-up actions, the CPDP is responsible for forwarding external reports to the respective competent national authorities. These include the Competition Protection Commission, the Financial Supervision Commission, the Consumer Protection Commission, the Chief Labour Inspectorate, and the National Revenue Agency.
The CPDP is also empowered to coordinate and oversee the activities of all obliged entities under the Whistleblowing Law concerning the review of received reports. It can provide instructions to these obliged entities and conduct training for their officers responsible for reviewing reports. As previously mentioned, the Commission approves sample forms for registering internal reports and a model for the register of reports.
Additionally, the CPDP maintains a register of all reports, conducts analyses and summaries of whistleblowing practices, and provides the European Commission with necessary statistical data.
Challenges in implementing the Whistleblowing Law from a data protection perspective
The Whistleblowing Law explicitly states that any processing of personal data carried out under its provisions, including the exchange or transmission of personal data by competent authorities, must adhere to the General Data Protection Regulation (GDPR), Regulation (EU) 2018/1725, and the Bulgarian Protection of Personal Data Act. However, the interaction between the different sets of rules and ensuring proper implementation of the data protection laws present certain challenges for data controllers, particularly during the initial stages of the Whistleblowing Law's operation.
The Whistleblowing Law does not allow anonymous reporting, so the burden falls on the Obliged Private Entities to implement suitable technical and organizational measures that keep the Whistleblowers' identity and personal data confidential throughout the reporting and investigation process. The Obliged Private Entities should use software with appropriate encryption to ensure a sufficient level of protection for the data disclosed in the report. The whistleblowing system must be designed to guarantee the completeness, integrity, and confidentiality of the information and to prevent unauthorized access to the data. It should also allow the information to be recorded on a durable medium for the purposes of verifying the report and conducting further investigations.
Data minimization and purpose limitation
The processing of data under the Whistleblowing Law is subject to all GDPR principles and rules. Given the need to keep the Whistleblower's identity confidential and the likely disclosure of third parties' personal data when reporting alleged breaches, the principles of purpose limitation, data minimization, storage limitation, and confidentiality are particularly important.
To adhere to these principles it is essential to process only the information relevant to the alleged breach while refraining from collecting or storing any non-relevant data. Implementing a procedure for initial checks of the reported information and retaining only the data pertinent to the specific case would be crucial in achieving the objectives of the Whistleblowing Law and ensuring compliance with applicable data protection rules.
Right of information
In the context of whistleblowing, various categories of data subjects may have their personal data involved in reported alleged breaches. Whistleblowers may disclose the personal data of third parties as part of the evidence that they provide or the information they report. However, informing any third party about the collection of data related to the whistleblowing report may jeopardize the results of the investigation. Therefore, it may be necessary to restrict the right of information and defer the provision of information to the individuals concerned.
The Obliged Private Entities can follow the recommendation of the European Data Protection Supervisor, which suggests that the deferral of information should be determined on a case-by-case basis, and the reasons for any restriction should be documented.
In order to strike a balance between the public interest of whistleblowing and data protection, a well-drafted Privacy Notice is also required.
Additional rights of the data subjects
Similarly, certain other rights of the persons concerned may be limited in order to keep the Whistleblower's identity confidential, including the right of access. Granting the persons concerned access to the full report would reveal who made it. In such a scenario, the controller faces a dilemma between the person concerned's right of access to their data and one of the most important obligations imposed by the Whistleblowing Law, namely keeping the Whistleblower's identity confidential. In this situation, priority must be given to the confidentiality of the Whistleblower's identity.
Moreover, the right to erasure cannot, among other limitations, be exercised to delete the minimum content required for the report to be valid or any other data essential to the investigation of the case.
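As an added illustration (not part of the article, and not any vendor's product), the following Python sketch shows how a case store could meet the system requirements set out under "Challenges in implementing the Whistleblowing Law" together with the access-request point in the two paragraphs above: the Whistleblower's identity is kept in a separate vault and replaced in the case file by a random token; the register is an HMAC hash chain, so a deleted, reordered or altered entry is detectable when the register is verified; the view returned to a person concerned on an access request strips everything that could identify the reporter; and each decision to defer the right of information is recorded with its reason. All class and field names and the sample report are constructed for the example; encryption at rest of the vault and key management are assumed to be provided by the deployment and are not implemented here.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(record):
    # Stable serialisation so the same record always yields the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class IdentityVault:
    """Holds the whistleblower's identifying data apart from the case file.
    Assumed to live in an encrypted store readable only by the reports
    administrator; that layer is not implemented here."""

    def __init__(self):
        self._by_token = {}

    def store(self, identity):
        token = secrets.token_hex(16)  # random, says nothing about the person
        self._by_token[token] = dict(identity)
        return token

    def lookup(self, token):
        return dict(self._by_token[token])


class CaseRegister:
    """Append-only register whose entries are chained with an HMAC, so editing,
    deleting or reordering an entry makes verify() fail (completeness, integrity)."""

    ZERO = b"\x00" * 32

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, prev, record):
        return hmac.new(self._key, prev + _canonical(record), hashlib.sha256).hexdigest()

    def append(self, record):
        prev = bytes.fromhex(self.entries[-1]["mac"]) if self.entries else self.ZERO
        entry = {"seq": len(self.entries), "record": record, "mac": self._mac(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.ZERO
        for i, entry in enumerate(self.entries):
            expected = self._mac(prev, entry["record"])
            if entry["seq"] != i or not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = bytes.fromhex(expected)
        return True


class WhistleblowingSystem:
    """Ties the two stores together and applies the data-protection rules."""

    # Only the fields a case needs are kept (data minimisation); constructed field set.
    CASE_FIELDS = ("breach", "persons_concerned", "evidence", "received")

    def __init__(self, register_key):
        self.vault = IdentityVault()
        self.register = CaseRegister(register_key)
        self.deferrals = []  # documented decisions to defer informing persons concerned

    def file_report(self, reporter, submission):
        # Initial check: anything outside the minimum content is dropped before storage.
        record = {k: submission[k] for k in self.CASE_FIELDS}
        record["reporter_token"] = self.vault.store(reporter)  # identity leaves the case file
        return self.register.append(record)

    def access_request_view(self, seq, requester):
        """Reply to an access request by a person concerned: the allegation and
        their own data only. The reporter token, other persons concerned and the
        free-text evidence are withheld because any of them could identify the reporter."""
        record = self.register.entries[seq]["record"]
        if requester not in record["persons_concerned"]:
            raise PermissionError("requester is not a person concerned in this report")
        return {"breach": record["breach"], "persons_concerned": [requester],
                "received": record["received"]}

    def defer_information(self, seq, person, reason, review_by):
        """Record a case-by-case decision to defer the right of information."""
        decision = {"seq": seq, "person": person, "reason": reason, "review_by": review_by}
        self.deferrals.append(decision)
        return decision


if __name__ == "__main__":
    # Constructed sample data, not a real case.
    system = WhistleblowingSystem(register_key=secrets.token_bytes(32))
    entry = system.file_report(
        reporter={"name": "Ivan Petrov", "email": "ivan@example.com"},
        submission={"breach": "falsified product safety test results",
                    "persons_concerned": ["Maria Georgieva"],
                    "evidence": "Ivan saw the lab sheets on 12 March.",
                    "received": "2023-06-01T09:30:00Z",
                    "unrelated_gossip": "canteen food is bad"},
    )
    print(system.access_request_view(0, "Maria Georgieva"))
    print("register intact:", system.register.verify())
```

The key design choice is that the case file never contains the identity, so the register can be shared with investigators, exported to the CPDP's model register, or redacted for an access request without the identity travelling with it; re-identification requires the vault, which only the reports administrator holds.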
Engaging external service providers
The functions of receiving and registering reports (but not following up on them) may be delegated to an external provider, whether a natural person or a legal entity. Obliged Private Entities may also use an internal reporting channel established by the economic group they belong to, as long as it meets the requirements of the Whistleblowing Law. Engaging external service providers, however, raises certain considerations that must be addressed.
When collaborating with external service providers, it is essential to ensure that the data collected during the whistleblowing process is properly protected. The external service providers must also comply with the requirements outlined in the Whistleblowing Law.
Engaging external service providers entails formal data processing agreements. These agreements should cover aspects such as data ownership, data processing obligations, confidentiality, liability, and the termination of services.
If the whistleblowing system operates across different jurisdictions, engaging external service providers may involve transferring data across borders. In such cases, organizations must adhere to GDPR requirements regarding the transfer of personal data and take measures to ensure the secure transfer of data.
In conclusion, finding the right balance between whistleblowing and personal data protection requires a thorough consideration of both the public interest in exposing misconduct and the privacy rights of individuals. Implementing the recommendations discussed above can enable data controllers to enhance the confidentiality of the whistleblowing process while adhering to data protection principles. Future guidance from competent bodies such as the CPDP and the Bulgarian courts will play a key role in ensuring a successful implementation of the Whistleblowing Law while safeguarding individuals' data privacy.