Whistleblowing Triage Workflow: The 7-Day and 3-Month SLA Clock
A compliant whistleblowing operation runs two SLA clocks per case: 7 days from intake to acknowledgement, then at most 3 months from acknowledgement to substantive feedback. Both timers come from EU Directive 2019/1937 (Article 9(1)(b) and (f) for internal channels; Article 11 for the external channels run by competent authorities, where feedback may stretch to 6 months in duly justified cases), and the national transpositions carry them over, though not always word for word: France’s Loi Waserman and its implementing decree, Italy’s D.lgs. 24/2023, and Germany’s HinSchG, so check the local text for details such as whether days are counted as calendar or working days. Lay them on top of the ISO 37002:2021 four-stage management cycle (Receive, Assess, Address, Conclude), add a parallel retaliation watch (the 12-month window is this workflow’s own choice, not a figure from the standard or the directive), and you have a process that satisfies the directive, the international standard, and the operational reality of running an investigation. A platform that buries the two deadlines in background retention settings instead of surfacing them as per-case countdown badges will miss them in practice; the directive does not prescribe the UI, but it does hold the organisation to the dates.
GDPR for Whistleblowing: Lawful Basis, Retention, Minimization
A whistleblowing platform handles allegations of wrongdoing, names identifiable third parties, and routinely captures data in GDPR’s protected categories: Article 9 special-category data implied by harassment or discrimination claims (health, sexual orientation, ethnic origin) and Article 10 criminal-offence data wherever a report alleges a crime. It is squarely inside GDPR scope, and three mistakes show up on almost every implementation review. First, calling pseudonymous receipt-coded reports “anonymous” and assuming GDPR no longer applies, when a receipt code that can be matched back to a reporter is exactly what Article 4(5) and Recital 26 treat as pseudonymisation, not anonymisation. Second, selecting consent as the lawful basis even though the freely-given test (Article 7(4), Recital 43) fails under the employer/employee power imbalance; legal obligation under Article 6(1)(c) where the directive or its transposition applies, or legitimate interests under Article 6(1)(f) otherwise, is the defensible choice. Third, treating encryption as an exemption from breach notification: encryption can lift the duty to inform data subjects under Article 34(3)(a), but the Article 33 notification to the supervisory authority is waived only when the breach is unlikely to result in a risk, and its 72-hour clock starts at awareness regardless. This post walks each pitfall, ties it to a specific GDPR article, and shows what the platform must do in product terms.
EU Directive 2019/1937: 12-Row Engineering Checklist for Channels
EU Directive 2019/1937 obliges every private legal entity with 50 or more workers, and most public-sector entities, to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, and gives feedback on action taken within a reasonable timeframe not exceeding 3 months from acknowledgement (the extension to 6 months in duly justified cases in Article 11 applies to the external channels run by competent authorities, not to internal ones). The channel must keep the identity of the reporter and any third party named in the report confidential, may be operated by a third party under the same safeguards, must offer a physical meeting within a reasonable timeframe on the reporter’s request, and the organisation must not engage in any of the forms of retaliation listed in Article 19. Translating those legal obligations into product requirements yields a 12-row engineering checklist that a reporting platform has to satisfy before it can be called compliant. As of April 2026, every clause below is still load-bearing under the directive’s text on EUR-Lex and the European Commission’s transposition page.