The Guarantor for the protection of personal data has shared his opinion on two draft resolutions from the ANAC regarding whistleblowing (Guarantor for the protection of personal data, note 27 November 2025, no. 540). During these proposed resolutions, the Privacy Guarantor reviews the whistleblowing process and the approval of guidelines for internal and external reporting.
Among the primary objectives pursued is ensuring the full protection of the confidant of the whistleblower’s identity and the content of the report, in addition to protecting the data of people involved in various capacities.
While expressing his opinion on adopting the above-mentioned guidelines, the Guarantor focused on several points, including: potential risks from using e-mail as a reporting channel; the need for a prior impact assessment on data protection, with possible support from technology providers; the retention period of the report and related documentation; and the possibility of sharing the reporting channel in certain circumstances, given the need to adopt technical and organizational measures to ensure each entity has access only to reports within their competence.
Continuing with the Guarantor’s orientation on the matter, the internal reporting channels’ guidelines provide directions and principles employers may keep in mind when activating their acquisition and report management channels. This also applies to the technical and organizational measures that, respecting the principle of accountability, public and private employers and other obligated entities, may adopt to protect people’s data during the process of acquiring and managing the report. An example of this is taking precautions to prevent the tracking of the reporting person who accesses the internal reporting channels from the internal data network of the employer’s organization.
