Processing of personal data
Directive on the protection of persons who report breaches of Union law · UE 2019/1937
Processing of personal data
Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Any exchange or transmission of information by Union institutions, bodies, offices or agencies shall be undertaken in accordance with Regulation (EU) 2018/1725.
Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.
In Luxembourg, the reporting channel applies from 50 employees for public and private organisations, with no threshold for public bodies. The law of 16 May 2023 on the protection of whistleblowers aligns data processing with the GDPR under CNPD supervision, while the OFRS is the cross-sector external authority. Breaches expose to criminal fines of 1,250 to 25,000 EUR, doubled in case of recidivism, plus civil compensation.
Luxgap practice: document the retention period and purge of irrelevant data in your reporting channel, as this is the first point checked during a combined CNPD/OFRS review.