From September 1st, the Independent Whistleblower Protection Authority (AINPI) is operational.
- Whistleblower Protection, responsible for managing the external reporting channel and applying support and protection measures.
- Monitoring and Sanctioning Regime, in charge of handling proceedings and proposing recommendations to improve prevention.
- Management, dedicated to internal administration, from human resources to the electronic systems that support the body.
Notable among its additional functions are the design of crime prevention models in the public sector and the ability to impose sanctions in matters of whistleblower protection.
In addition, entities that already have a reporting channel have until November 1st to notify the designation of the Person Responsible for the Internal Reporting System (SII), one of the first concrete obligations with set deadlines.
No reporting channel without data protection
With the launch of the AINPI, entities in both the public and private sectors must review and strengthen their internal reporting channels; many of them are required by the so-called “whistleblowing law” to implement such channels (for example, if the entity has 50 or more employees). This entails compliance with the requirements of Title VI of Law 2/2023, regarding privacy and the protection of personal data, as well as the General Data Protection Regulation (GDPR).
In practice, this translates into the following:
- Ensuring that the channel is secure, confidential, and accessible, in compliance with the principles of the GDPR:
  Particularly relevant are the principles of proactive accountability and integrity and confidentiality, which require not only implementing appropriate measures to secure information but also being able to effectively demonstrate compliance.
- Carrying out a Data Protection Impact Assessment (DPIA) and configuring the system by applying the principles of privacy by design and by default. In a reporting channel, highly sensitive information is involved, and unauthorized access can result in significant moral, economic, or social consequences, both for the whistleblower and the individuals involved.
- Clearly defining who can access the information, under what conditions, and with what guarantees. It is essential to have a documented protocol for managing the channel that protects confidentiality, availability, and integrity of the data, as well as traceability, ensuring that only authorized personnel can access it in accordance with the provisions set out in internal codes.
- Establishing appropriate retention periods, in line with the provisions of Article 24 of the national data protection regulations (LOPDGDD) and best practices required for compliance with the principle of storage limitation (GDPR).
AINPI’s supervision and sanctions will encourage internal channels to be effective and to foster genuine trust among employees, suppliers, and citizens.
The key is that the whistleblower feels their identity and data are protected. Without privacy, the risk of distrust and retaliation increases, rendering the channel useless. For this reason, the AINPI not only safeguards against fraud but is also a fundamental ally in promoting a culture of protection and respect for privacy, and entities must rise to this challenge.
Article written by:
Lawyer – Privacy and Intellectual Property
