Breach of confidentiality in the management of workplace harassment cases: an analysis from the perspective of data protection

Reports
5 February 2026
Identifying whistleblowers and accused persons without appropriate measures violates the GDPR and can lead to responsibilities regarding data protection and labour law.

1. Key points of the AEPD Resolution

The Resolution analyzes the enhanced duty of confidentiality that must govern the processing of personal data in internal whistleblowing channels and, in particular, in workplace harassment procedures.


In the examined case, the company communicated internal resolutions that expressly identified whistleblowers and the accused, which allowed for widespread and unnecessary access to especially sensitive information. In total, the incident affected 15 people (5 whistleblowers and 10 accused).


The AEPD upheld the complaint and concluded that the company infringed the principle of integrity and confidentiality by not adopting effective measures to limit access and preserve anonymity, thereby violating Article 5.1.f) of the GDPR. The Agency emphasizes that, in this type of procedure, the level of diligence required from the data controller is especially high.


Among the most relevant aspects, the Resolution highlights:

  • The obligation to preserve anonymity in internal communications, avoiding unnecessary identification of the interested parties.
  • The absence of any justification based on internal protocols or prior knowledge of the identities, since confidentiality is an objective obligation of the data controller.
  • Requirement of enhanced diligence in harassment procedures and in the use of the internal whistleblowing channel, given the sensitivity of the data processed.

2. Applicable regulatory framework

Internal information systems find their legal basis in Article 24 of the LOPDGDD and in Law 2/2023, on the protection of whistleblowers. Data processing is protected by public interest (art. 6.1.e GDPR), without exempting compliance with the principles of minimization, proportionality, confidentiality, and limitation of processing.


The AEPD Guide on data protection in employment relations establishes clear criteria for these systems, particularly regarding:

  • Limitation of access to data, restricted to internal control staff, compliance staff, or designated personnel.
  • Exceptional access by Human Resources, only when essential for processing a specific disciplinary procedure.
  • Strict retention periods, with the deletion of data within a maximum period of three months, except for anonymous retention or to demonstrate the operation of the system.

3. Legal and labour relevance of the Resolution

3.1. Breach of the duty of protection regarding health and safety

The revelation of identities in a harassment procedure can create a hostile work environment and cause psychological harm, which constitutes a violation of Articles 14 and 15 of the LPRL. In the analyzed case, a whistleblower suffered an anxiety episode and took leave on the same day that the information was revealed.


3.2. Breach of the enhanced duty of confidentiality

The AEPD considers that this constitutes a serious violation of the level of due diligence required, aggravated by the circulation of information in workplace WhatsApp groups and the undue intervention of third parties. The existence of internal protocols is insufficient if not accompanied by effective mechanisms to ensure compliance.


3.3. Risk of violation of fundamental rights

The analyzed conduct can affect the privacy, dignity, moral integrity, and right to compensation of workers, with possible very serious labour sanctions under LISOS, with fines of up to €225,018.


4. Corrective measures and consequences

The AEPD can order the adoption of technical and organizational measures to bring processing into compliance with the GDPR, with a maximum period of three months from the date the decision becomes enforceable. Non-compliance with these orders can lead to new disciplinary proceedings, regardless of the payment of the initial penalty.

5. Conclusions

The ruling reinforces a clear message: the management of internal whistleblowing channels and workplace harassment procedures requires the utmost diligence and confidentiality. The identity of whistleblowers and the accused must be strictly protected, even when it is practically possible to deduce it.


From a dual perspective (data protection and labour law), the case demonstrates that the mere existence of protocols is not sufficient. It is essential to implement effective measures that limit access, control internal communications, and minimize the risks of undue disclosure of sensitive information.


The AEPD's resolution therefore consolidates a demanding standard that requires companies to review and strengthen their internal information systems, integrating privacy, harassment prevention, and psychosocial risk management as central elements of their regulatory compliance.


Informative note prepared by the Data Protection and Labour Law Department of ECIJA Madrid.

