Voice Hotline Intake: STT Pipeline for Sapin II Compliance
A compliant voice hotline intake under France’s Loi Waserman, the act that modernised Sapin II to transpose EU Directive 2019/1937, is one pipeline, not three. Capture audio in the browser via the MediaRecorder API, encrypt and upload it into the same report bundle as the text fields using libsodium SealedBox to the recipient’s Curve25519 public key, produce a draft transcript on the recipient side using a self-hosted STT model, and let the reporter verify, rectify, and approve through an anonymous one-time receipt code (never an email or phone re-prompt). The same five-stage pipeline satisfies Article 9(2) and Article 18 of the directive, France’s verify/rectify/approve cycle, and Italy’s D.lgs. 24/2023 oral-report rule. The only deltas across regimes are the consent UX wording and the retention period.
Whistleblowing Triage Workflow: The 7-Day and 3-Month SLA Clock
A compliant whistleblowing operation runs two SLA clocks per case: 7 days from intake to acknowledgement, then up to 90 days from acknowledgement to substantive feedback. Both timers come straight from Articles 9 and 11 of EU Directive 2019/1937, and they are mirrored verbatim in every Member-State transposition: France’s Loi Waserman, Italy’s D.lgs. 24/2023, and Germany’s HinSchG. Lay them on top of the ISO 37002:2021 four-stage management cycle (Receive, Assess, Address, Conclude), add a parallel 12-month retaliation watch, and you have a workflow that satisfies the directive, the international standard, and the operational reality of running an investigation. A platform that does not surface both clocks per case as countdown badges (rather than as background retention settings) is non-compliant by design.
GDPR for Whistleblowing: Lawful Basis, Retention, Minimization
A whistleblowing platform handles allegations of wrongdoing, names identifiable third parties, and routinely captures special-category data such as harassment, discrimination, or criminal-conduct claims. It is inside GDPR scope, and three mistakes show up on almost every implementation review: calling pseudonymous receipt-coded reports “anonymous” and assuming GDPR no longer applies; selecting consent as the lawful basis even though the freely-given test fails under the employer/employee power imbalance; and treating encryption as an exemption from breach notification when Article 33’s 72-hour clock keeps running regardless. This post walks through each pitfall, ties it to a specific GDPR article, and shows what the platform must do in product terms.
EU Directive 2019/1937: 12-Row Engineering Checklist for Channels
EU Directive 2019/1937 obliges every private legal entity with 50 or more workers, and most public-sector entities, to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, and gives feedback on action taken within 3 months (extendable to 6 in duly justified cases). The channel must protect the identity of the reporter and any third party named in the report, allow third-party operation under the same safeguards, support an in-person meeting on the reporter’s request, and avoid any form of retaliation as defined in Article 19. Translating those legal obligations into product requirements yields a 12-row engineering checklist that any reporting platform must satisfy before it can be considered compliant. As of April 2026, every clause below is still load-bearing under the directive’s text on EUR-Lex and the European Commission’s transposition page.