Major scandals have evidenced that whistleblowers face vulnerability, and that corruption, wrongdoing and malpractice have caused serious harm to the public interest. It was therefore no surprise that the EU legislature approved a legal framework intended to protect the reporting persons. Indeed, on 23 October 2019, Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of European Union law was finally published. However, the Directive cannot be seen in isolation but must rather be considered in relation to different fundamental rights and societal values. Accordingly, the purpose of this paper is to address a few remarks from a data protection standpoint that could possibly affect the implementation of the new Whistleblower Protection Directive. The principles enshrined in the GDPR are the starting points for the discussion. Furthermore, the paper also seeks to provide more guidance for data controllers to implement reporting channels that comply with the GDPR. Finally, it is drawn up a three-tier model to give effect to a set of obligations deriving from the transparency principle.
