whistleblower-data

Installation
SKILL.md

Whistleblower Data Protection

Overview

The EU Whistleblowing Directive 2019/1937 (Directive on the protection of persons who report breaches of Union law) establishes mandatory internal reporting channels for organisations with 50 or more employees. The Directive creates a fundamental tension with GDPR: whistleblowing channels collect sensitive allegations about identified individuals (the accused), while simultaneously requiring confidentiality protection for the whistleblower. The data protection framework must balance the whistleblower's right to protection, the accused person's right to be informed and to defend themselves, and the organisation's obligation to investigate while complying with data minimisation, purpose limitation, and storage limitation principles.

This skill provides a data protection compliance framework for whistleblowing systems that satisfies both the Directive and GDPR requirements, incorporating guidance from CNIL, the Article 29 Working Party (WP117), and national transposition laws.

Legal Framework

EU Whistleblowing Directive 2019/1937

Scope: Applies to reporting of breaches of EU law in areas including public procurement, financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, data protection, and competition law.

Organisational requirements:

  • Organisations with 250+ employees: internal reporting channel operational since 17 December 2021
  • Organisations with 50-249 employees: internal reporting channel required since 17 December 2023 (with possible national extensions)
  • Public sector entities regardless of size
Installs
9
GitHub Stars
187
First Seen
Jun 9, 2026
whistleblower-data — mukul975/privacy-data-protection-skills