Minimum data protection checklist on future law on whistleblowing protection


Author: Mădălina Bucur


The Romanian transposition law of the Whistleblowing Directive (EU) 2019/1937 is currently under parliamentary legislative procedure. Transposition deadline: 17 December 2021

  • Assess and understand the future law on whistleblowers’ protection and all areas with (possible) implications thereof, e.g., data protection, employment, corporate governance
  • Involve all relevant stakeholders from the beginning of the assessment and keep the management informed
  • When budgeting the project, take into consideration the cost for configuring the internal reporting channel to comply with data protection requirements
  • Check if there is an internal reporting channel already implemented.

if yes:

  • assess the reporting channel against the new requirements and the data protection ones (see below)
  • conclude on whether the reporting channel meets the new requirements and the data protection ones and identify the areas that need improvements / further developments

if no:

  • assess if the required reporting channel under the future law will be developed internally or if your organization prefers to contract the specialized services of a third party
  • in the latter case, conduct a market research, identify the third party whose services correspond to the needs of your organization and start the procurement process


  • Assess and establish the essential elements of the processing activities, such as:
    • how and when will the personal data be collected, e.g., whether it is possible to collect the personal data by recorded calls, only be e-mail or through a dedicated platform
    • who are or who could be the individuals whose personal data will be collected (e.g., employees, collaborators, contractual partners)
    • what personal data need to be collected and in what form
    • whether there could be cases for processing special categories of personal data
    • what are the specific purposes for which the personal data will be processed
    • what legal basis apply and (if the case) what safeguard for processing special categories of personal data apply
    • for how long will the personal data need to be stored
    • who shall have access to the personal data (both internal and external), from where (country and method) and under what circumstances
    • if, when and how will the data subjects be informed on the processing of their personal data
  • Check the need to and carry out the specific assessments from a data protection perspective, e.g.:
    • data protection impact assessment
    • legitimate interest assessment
    • data transfer assessment
  • If a third party will be involved, e.g.,:
    • establish its roles and responsibilities from a data protection perspective
    • conduct a due diligence process to ensure the third party offers sufficient guarantees for protecting the personal data
    • check in which country will the third party store the personal data or access the personal data from
    • begin the negotiation process for concluding the contract
    • agree with the third party mechanism to periodically check the guarantees implemented by the third party for protection the personal data
  • Identify / check / implement the necessary measures/ controls to ensure:
    • access to the personal data on a need to know basis
    • confidentiality, availability and integrity of the personal data from the collection date until the deletion, through measures such as:
      • encryption and hashing techniques for storage operations and data transmission
      • back-ups and logs
      • periodical vulnerability and penetration tests
      • training of persons having accessto the personal data
      • data breach drills
    • rectification of the personal data when necessary
    • automatically deletion of the personal data without delay, upon request or upon the expiration of the storage periods
    • restriction of the processing of personal data, except of their storage
    • learning, handling, reporting and learning about security incidents / implement such
    • possibility to generate a copy of the personal data in order to comply with right of access and right to portability