September 15, 2022
There are several reasons why you should host your whistleblower system within the EU. One of the strongest reasons is clearly the GDPR, which since 2018 ensures that all collection of personal data must be handled correctly.
The equivalent in the USA, namely the “Privacy Act”, sets up rules for how the government can handle personal data. However, there is no regulation in place for how private companies can, or need to, handle personal data in the United States.
This is one of the main reasons why data storage within the EU is preferred. Namely, it ensures that personal data is not shared with other companies, governments, or third parties. Below, we go through this in more detail, as well as other reasons why you should host your whistleblower system within the EU.
Secure data storage with GDPR
Within the EU, all personal information must be processed and stored in accordance with the General Data Protection Regulation (GDPR). It is important that any whistleblowing practice considers the obligations of both the GDPR and the Whistleblower Act coming into force within the EU, as well as the areas where the two may conflict. Given the nature and sensitivity of the reports that come through a whistleblower system, data protection and secure data storage are paramount.
When a report comes in from a whistleblower, it will almost always contain personal information in one form or another. If not regarding the person making the report, it could, for example, concern other people involved. The EU whistleblower directive requires such processing to comply with EU data protection legislation, including the GDPR.
The GDPR does not exclusively include or specifically mention whistleblowing, but whistleblowing, like all other personal data, falls under the GDPR's regulations. The potential risks to people who report, and people named in a report cannot be overstated, and therefore, data protection is important for all parties involved.
When you choose to host your whistleblower system within the EU, it means that all personal data must be handled in accordance with the GDPR. This ensures that the entire whistleblower system is safer to use and you, as a company, avoid the long and complicated process of quality assurance of the whistleblower system.
The dangers of hosting outside the EU
According to the GDPR, personal information may only be transferred between countries within the EU, which means countries that abide by the GDPR.
From this perspective, all nations outside the EU/EEA territory are considered “third countries." Personally identifiable information may not generally be transferred to third countries. This also includes the use of a third-party source to handle or store personal data.
GDPR protection must therefore be applied when personal data is transferred to nations outside the EU, which in numerous instances can cause serious problems. Your company may only export data to third-party countries in exceptional cases.
There is currently no complete solution for the legal processing of personal data in the United States or any other third country. Nor are the conventional contractual provisions sufficient on their own. In each individual case, those responsible must decide whether clause additions are necessary or not.
It is therefore clear that there is a risk that the data transfer is prohibited if you use services that store or transfer personal information to the United States, (for example through various cloud services). This also applies if the transfer takes place through a subcontractor.
Although it can sometimes be tempting to choose to host outside the EU due to, for example, price differences. It is often a much better idea to pick hosting in a country within the EU, where the data is not transported to a “third country”.
It can be summed up by simply pointing out that the EU is a leader when it comes to the secure storage of personal data. This is something that actors in other parts of the world constantly have problems with. Meta, formerly Facebook, is an example of a company that continually encounters difficulties with GDPR.
Ultimately, the whole reason personal information is stored and handled under these guidelines is to ensure the safety and privacy of the population. Therefore, it is also logical to host your whistleblower system within the EU.