Internal Reports: Protection of the Whistleblower’s Identity or the Investigated Person’s Right to Defence?
Commentary on the sanction imposed by the AEPD in case EXP202411409: a fine of €120,000.00 for revealing the identity of the informant through an ethical channel.
From the Internal Investigations teams, we often find ourselves in the position of managing internal communications in contexts where it is particularly difficult to preserve the identity of the informant (whistleblower). The paradigmatic case usually arises in investigations stemming from interpersonal conflicts within small teams or closed work environments, as, due to the nature of the fact under investigation, it is very difficult to prevent the identification of the informant.
In this context, a serious wake-up call was recently received through the sanction imposed by the Spanish Data Protection Agency (hereinafter, AEPD, for its acronym in Spanish) on a company operating and managing funeral homes, which was fined €120,000.00 for violating the confidentiality principle by revealing the identities of the complainants in an internal harassment procedure. The disclosure of their names, surnames, and job positions among several employees—via mass emails and attached resolutions—caused additional harm to the affected individuals, including emotional consequences and sick leave.
This precedent demonstrates that, even when reports originate in bodies such as works councils or without an explicit invocation of anonymity, the duty of confidentiality does not disappear. The protection of identity must be active, proactive, and structural. In this regard, organisations are legally obliged to ensure the confidentiality of the personal data they process, in accordance with current data protection regulations—specifically, Article 5.1.f) of Regulation (EU) 2016/679, General Data Protection Regulation (hereinafter, GDPR). Additionally, Law 2/2023, of 20 February, regulating the protection of individuals who report regulatory breaches and fight against corruption (hereinafter, Law 2/2023), reinforces this obligation by explicitly establishing the duty to safeguard the identity and integrity of those using internal reporting channels.
Moreover, this dual regulatory coverage provides a double guarantee of protection for the informant, as two authorities with sanctioning powers coexist in the case of a breach: on the one hand, the AEPD with regard to breaches in the processing of personal data; and on the other, the Independent Whistleblower Protection Authority (A.A.I, for its acronym in Spanish), specifically created by Law 2/2023 to safeguard the rights of whistleblowers in the context of the fight against corruption and protection against reprisals.
Strengthening privacy protocols, training investigation teams, and raising awareness throughout the organisation are not optional measures, but indispensable ones. At the Internal Investigations team at Molins Defensa Penal, we work precisely to ensure that every step in an investigation respects the rights and well-being of all involved. It is essential to remember that the guarantee of confidentiality is not an added value, but one of the cornerstones that supports the very possibility of uncovering the most sensitive issues within the organisation. Without it, reports diminish. And without reports, there is no enduring ethical culture.
Internal Investigations Department, Molins Defensa Penal