21 September 2021

Whistleblowing – Attention data protection


Anyone who introduces a whistleblowing system must comply with strict data protection requirements. The implementation is considered to be extremely challenging - especially if people in the EU are affected - as there are several hurdles with regard to data protection. The legally compliant introduction of a whistleblowing platform therefore requires thorough preparation.

I. Whistleblowing system: definition and obligation

A whistleblowing system (also known as a whistleblowing platform) gives employees and outsiders of a company the opportunity to report, anonymously if desired, violations committed by colleagues, superiors, suppliers, etc. Specifically, this covers criminal offences in connection with the organization in question (e.g. corruption, export control, insider trading, fraud), human rights violations (e.g. child labor, conflict materials) and other violations that are incompatible with the culture or philosophy of the organization (e.g. ESG and CSR criteria, environmental protection, equal treatment). The purpose of such a platform is to provide a gateway for reports, to conscientiously investigate reported violations and subsequently to end them. Whistleblowing platforms have proven to be an effective means of preventing discrimination, bribery, nepotism, etc. in numerous companies.

In Switzerland, there is no obligation to introduce a whistleblowing platform. However, in the context of internal corporate compliance efforts, its practical importance has increased significantly, especially in connection with the Anti-Money Laundering Act, the fight against corruption, export control regulations and the control of supply chains and ESG criteria. Whistleblowing platforms are now considered best practice in large companies.

For EU subsidiaries it is necessary to consider whether the EU Whistleblowing Directive (EU Directive 2019/1937; to be implemented by December 17, 2021) applies to them. Companies are required to establish reporting channels for systematic and anonymous compliance reporting. This applies to companies with more than 250 employees, or €10 million in annual turnover. From 2023, the limit is to be lowered to 50 employees.

Companies listed on US stock exchanges have similar obligations under the Sarbanes-Oxley Act.

II. Whistleblowing and data protection

Whistleblowing is delicate from a data protection perspective. Sensitive personal data (personal data of accused persons; possibly personal data of the whistleblower) are processed on the platform, which can cause great harm to the parties involved.

1. Whistleblowing data flows

When breaches of conduct rules are reported, personal data are processed. The data collected include information about the accused person, the (alleged) breaches of conduct and the relevant facts. If a reporting procedure allows reports to be made anonymously, no personal data are collected about whistleblowers unless they themselves choose to disclose them. Otherwise, personal data such as the name of the reporting person, his or her position in the company and, if applicable, the circumstances of his or her observation may also be processed. Depending on the design of the reporting procedure, further internal processing by the designated department (for example Internal Audit, Compliance or Legal Services) is possible. In the case of affiliated companies, the transfer of personal data to the parent company or other group companies, including companies abroad, is conceivable.

2. Admissibility under data protection law

In Switzerland, processing is permitted, but the legal principles must be adhered to (lawfulness, good faith, proportionality, purpose limitation, recognizability; Art. 4 FADP; correctness of the data, Art. 5 FADP; data security, Art. 6 FADP).

In the EU, the processing of personal data requires a legal basis (prohibition with reservation of permission: processing is prohibited unless a legal basis permits it). For Germany, the Data Protection Conference of the Federal Government and the Länder concludes in the "Orientierungshilfe der Datenschutzbehörden zu Whistleblowing-Hotlines: Firmeninterne Warnsysteme und Beschäftigtendatenschutz" that consent is required for the disclosure of personal data of the whistleblower.

3. Anonymity or personal notification

If the whistleblower can make his or her report anonymously, the reports must remain anonymous. This must be set up accordingly in the system (anonymity by design), e.g. through encryption, encrypted channels and a secure IT environment. If anonymity is breached and the person making the report suffers damage, this may result in liability consequences for the company.

Where a person wishes to make a report through such a procedure and knowingly and willfully reveals his or her identity, he or she should be informed in advance, when first using the system (disclaimer), that his or her identity will be kept confidential during all internal or extrajudicial steps of the procedure, but that the accused person must be informed for reasons of transparency (Art. 4 para. 3 and 4 FADP). In the EU, the accused person must in principle be informed of the identity of the whistleblower no later than one month after the report (Art. 14 para. 3(a) GDPR).

If, despite these indications, the whistleblower knowingly and willfully wishes to reveal his or her identity and the information is to be processed, the consent of that person is the legal basis to be considered under EU law. Before consent is given, the data subject must be informed that he or she can withdraw consent, but that this can only be done effectively up to one month after the report has been made. The data subject's consent to the disclosure of his or her identity must be proven by the employer or the external body in accordance with Art. 7 para. 1 GDPR.

In the EU, sensitive data may not be processed without detailed consideration and without ensuring a sufficient legal basis. Numerous regulations must be observed when designing the system. In addition, constellations may arise that make it even more difficult to ensure data protection.

4. Group data protection

Another issue is data protection within a group as soon as whistleblowing data is exchanged between individual group companies. Depending on the group structure, the data transfer may take place across national borders, possibly even to third countries with insufficient data protection. Particularly in such environments, complex legal interrelations must be taken into account in the intra-group data transfer agreements so that there is no risk of data protection violations and thus no threat of fines or other consequences.

5. Rectification, blocking and deletion

According to Art. 5 FADP in conjunction with Art. 15 para. 2 FADP and Art. 5 para. 1 lit. d GDPR, personal data must be factually correct and, where necessary, up to date. All adequate measures must be taken to ensure that personal data which are inaccurate in relation to the purposes of the processing are erased or rectified without delay. Art. 18 GDPR also gives the data subject the right to request the restriction of processing under certain conditions. In principle, data should be deleted within two months after the investigation has been completed. Storage beyond this period is only permissible for as long as it takes to clarify necessary further legal steps, such as disciplinary proceedings or the initiation of criminal proceedings. Personal data relating to reports which the organizational unit responsible for processing the report considers groundless should be deleted without delay.

III. Practical advice for the implementation

1. Restriction of the group of persons

In accordance with the principle of proportionality (Art. 4 para. 2 FADP) and data minimization (Art. 5 para. 1 (c) FADP), the controller must consider to what extent the group of persons eligible to make a report to a whistleblowing hotline can be kept as limited and specific as possible. The company implementing a whistleblowing procedure should also carefully consider whether it would be appropriate to limit the group of people who can be reported through the procedure, particularly in view of the seriousness of the alleged breaches. However, the circumstances of the individual case are decisive.

2. Technical Anonymity

Implement a digital whistleblowing system. In this way, the anonymity of a whistleblower can be guaranteed verifiably and to 100%, while still allowing a further anonymous dialogue (two-way communication).

If you already have a digital whistleblowing system in place, you should add a disclaimer to the reporting process. This disclaimer must clearly state the obligation to disclose the identity of the whistleblower to the accused if the whistleblower decides to make a non-anonymous report. In this case, consent to the processing of personal data must be obtained explicitly. In addition, the whistleblower should be made aware that this consent can be effectively withdrawn within 30 days. So that the 30-day deadline for informing the accused is not missed, it is also advisable to set up automatic reminders for the persons handling the report.

3. TOM

A whistleblowing platform must be set up technically and organizationally in such a way that the privacy of the whistleblowers is guaranteed. We recommend documenting these technical and organizational measures (so-called TOM). To ensure security of processing (Art. 7 FADP; Art. 32 GDPR), suitable technical and organizational measures must be taken. This is particularly important in view of the confidentiality assured to whistleblowers and of the deletion obligation. In the case of internal data processing, it is recommended that the whistleblowing hotline is not organized and operated within the HR department. The reporting process should be planned strategically and the process requirements must be communicated internally. To ensure that unauthorized persons cannot use the data processing systems, encryption procedures are advisable in addition to an authorization concept and a password policy, given the sensitivity of the data. Measures also include logging of data entries and deletion routines.
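The deletion routine and the deadline reminders mentioned in this section and in sections II.5 and III.2 above can be expressed as a small piece of case-file housekeeping. The following is an added example, not code from the article or from any whistleblowing product; the record layout, field names, status values and the sample case file are assumptions constructed for illustration, while the deadlines (inform the accused within one month, consent withdrawable within 30 days, deletion within two months after closure, groundless reports deleted without delay) are those stated in the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Deadlines as stated in the article; the record layout, field names and
# status values below are assumptions made for this example.
ACCUSED_INFO_DEADLINE_DAYS = 30     # inform the accused no later than one month after the report
CONSENT_WITHDRAWAL_DAYS = 30        # whistleblower may withdraw consent to disclosure within 30 days
RETENTION_MONTHS_AFTER_CLOSURE = 2  # delete within two months after the investigation is completed


@dataclass
class Report:
    report_id: str
    received: date
    identity_consented: bool = False      # whistleblower knowingly disclosed identity and consented
    accused_informed: Optional[date] = None
    status: str = "open"                  # "open", "closed", "groundless" or "legal_hold"
    closed: Optional[date] = None         # date the investigation was completed


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the end of the target month."""
    month0 = d.month - 1 + months
    year, month = d.year + month0 // 12, month0 % 12 + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def accused_info_deadline(r: Report) -> Optional[date]:
    """Date by which the accused must be told who reported; None if there is no identity to disclose."""
    if not r.identity_consented:
        return None
    return r.received + timedelta(days=ACCUSED_INFO_DEADLINE_DAYS)


def consent_withdrawal_open(r: Report, today: date) -> bool:
    """True while the whistleblower can still effectively withdraw consent to disclosure."""
    return r.identity_consented and today <= r.received + timedelta(days=CONSENT_WITHDRAWAL_DAYS)


def reminders_due(reports: List[Report], today: date, lead_days: int = 7) -> List[Tuple[str, date, bool]]:
    """(report_id, deadline, overdue) for every report whose accused-information deadline
    falls within lead_days or has already passed without the accused being informed."""
    out = []
    for r in reports:
        deadline = accused_info_deadline(r)
        if deadline is None or r.accused_informed is not None:
            continue
        if today >= deadline - timedelta(days=lead_days):
            out.append((r.report_id, deadline, today > deadline))
    return out


def retention_action(r: Report, today: date) -> str:
    """'delete', 'hold' or 'retain' for one report under the retention rules in the text."""
    if r.status == "groundless":          # groundless reports: delete without delay
        return "delete"
    if r.status == "legal_hold":          # disciplinary or criminal follow-up still being clarified
        return "hold"
    if r.status == "closed" and r.closed is not None:
        # Two months after closure is the latest permissible date; earlier deletion is allowed.
        if today >= add_months(r.closed, RETENTION_MONTHS_AFTER_CLOSURE):
            return "delete"
    return "retain"


def run_deletion_routine(reports: List[Report], today: date) -> Tuple[List[Report], List[str]]:
    """Applies retention_action to every report; returns the surviving records and an audit
    log of what was deleted or held (ids, dates and status only, never report content)."""
    remaining, audit = [], []
    for r in reports:
        action = retention_action(r, today)
        if action == "delete":
            audit.append(f"{today.isoformat()} DELETE {r.report_id} status={r.status}")
        else:
            remaining.append(r)
            if action == "hold":
                audit.append(f"{today.isoformat()} HOLD {r.report_id}")
    return remaining, audit


# Constructed sample case file (not real data).
SAMPLE_REPORTS = [
    Report("R1", date(2021, 8, 25), identity_consented=True),
    Report("R2", date(2021, 8, 1), identity_consented=True),
    Report("R3", date(2021, 9, 1)),
    Report("R4", date(2021, 6, 1), status="groundless"),
    Report("R5", date(2021, 5, 3), status="closed", closed=date(2021, 7, 15)),
    Report("R6", date(2021, 5, 20), status="closed", closed=date(2021, 8, 1)),
    Report("R7", date(2021, 4, 1), identity_consented=True,
           accused_informed=date(2021, 4, 20), status="legal_hold"),
]

if __name__ == "__main__":
    today = date(2021, 9, 21)
    for rid, deadline, overdue in reminders_due(SAMPLE_REPORTS, today):
        print(f"reminder: {rid} inform accused by {deadline}{' (OVERDUE)' if overdue else ''}")
    remaining, audit = run_deletion_routine(SAMPLE_REPORTS, today)
    print("\n".join(audit))
    print("remaining:", [r.report_id for r in remaining])
```

The routine is meant to run daily as a scheduled job: anonymous reports never produce an accused-information deadline, closed cases are deleted on the latest permissible date unless a legal hold is set, and the audit log records only identifiers and dates so that the log itself does not become a second copy of the sensitive data.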

4. External Provider

Many companies rely on external providers who supply the corresponding tools or platforms, on premise or in the cloud (SaaS). These providers should be selected carefully and should have documented TOMs and certifications (e.g. ISO 27001).

A data processing agreement (commissioned processing) must be concluded with the external providers in accordance with Art. 10a FADP (where Swiss law applies) or Art. 28 GDPR.

5. Data protection impact assessment

In the EU, the introduction of a whistleblowing platform requires a data protection impact assessment (Art. 35 GDPR) with a prior check by the data protection officer. In general, it is advisable to involve the data protection officer in the planning process from the beginning, so that a system is created that offers appropriate legal certainty. Later involvement is of course also possible, but it may then be necessary to make significant adjustments at corresponding cost.

6. External data protection officer

The processing of whistleblowing cases involves delicate discretionary decisions under data protection law (e.g. in the case of requests for information, deletion or disclosure to third parties). If the necessary know-how is not available in-house, it is possible to appoint an external data protection officer or, alternatively, to engage an experienced consultant who can support the company specifically with their expertise.