Data Protection & Compliance: Requirements for Whistleblowing Systems

Among the standard elements of effective compliance systems are whistleblowing systems, through which alleged breaches of rules, usually anonymously, can be reported to the responsible department in the company, usually the compliance or legal department, but also to external third parties. The most recent guidance of the Conference of the Independent Data Protection Authorities of the Federal Government and the State Governments ("Data Protection Conference", DPC) on the interpretation of the General Data Protection Regulation (GDPR) deals with the data protection requirements for such whistleblowing systems or hotlines. This results in important findings for their design.

Data protection relevance and admissibility

Personal data are processed when reporting non-compliant behavior in the company, on the one hand with regard to the reported person and his (alleged) violation, and on the other hand - insofar as no anonymous reporting system has been set up - with regard to the whistleblower and his observation. Against this background, a report requires statutory permission under data protection law.

Data processing is permitted in this regard if the company has a legal obligation to set up a whistleblowing system, for example, in the banking sector (Section 25a para. 1 sentence 6 no. 3 KWG - "German Banking Act"). If data processing is necessary to fulfill a legal obligation, it is also permissible under data protection law pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR.

In addition, the permissibility of whistleblowing systems under data protection law must regularly be assessed according to the "general clause" of Art. 6 para. 1 sentence 1 lit. f GDPR. The reporting of grievances may in principle be considered necessary for the realization of "legitimate interests" which exist both with the company and with third parties to whom data may be transmitted (e.g. injured parties). However, data processing to safeguard legitimate interests is only permissible if the interests or fundamental rights and freedoms of the persons concerned do not predominate. In this respect, the DPC differentiates between different types of infringements:

• In the case of conduct which constitutes a criminal offence against the interests of the company (e.g. fraud, corruption, money laundering, insider trading) or which violates human rights or environmental protection concerns (so-called "hard factors"), the interest of the accused person in protecting the right to informational self-determination will regularly be outweighed by the interests of the company.

• In the case of conduct that impairs internal company ethics rules (so-called "soft factors", e.g. "friendliness in customer care"), on the other hand, it will generally be assumed that the accused person has an overriding interest and that data processing is therefore inadmissible.

As far as the protection of whistleblowers is concerned, the DPC expressly recommends that violations should generally be reported anonymously; there is no legal basis for processing information on the identity of whistleblowers, unless the whistleblower has consented to the disclosure of the identity.

Data protection design and information obligations

In order to design a whistleblower system compliant with data protection regulations, a number of other requirements must be met in addition to the anonymous reporting option. This applies in particular to the information of the accused person, which according to Section 14 of the GDPR must be provided at the latest one month after notification with regard to storage, data types and purpose. In this respect, there is an obvious stress ratio with the company's interest in first comprehensively investigating an allegation and collecting any necessary evidence. Against this background, the DPC correctly assumes that the information need not be disclosed as long as it would seriously impair the realization of the processing objectives or as long as there is an interest in secrecy.

Furthermore, according to the DPC, the relevant data must be deleted within two months after completion of the investigation. Longer storage is only permissible for the duration of the clarification of necessary further legal steps such as disciplinary proceedings or the initiation of criminal proceedings. Any irrelevant data collected must always be deleted immediately.

Moreover, a procedure for reporting rule violations is subject to a data protection impact assessment because of the particularly high risk to the rights and freedoms of the accused persons. In addition, the data protection officer must be properly involved at an early stage in all questions relating to the protection of personal data.

Conclusion

Internal whistleblowing systems can be set up and operated in accordance with data protection regulations. However, companies must review their reporting procedures in the light of the GDPR so that the whistleblowing system itself does not become a case of non-compliance. The guidance provided by the DPC on November 14, 2018, provides valuable information on the permissibility and limits of whistleblowing hotlines under data protection law and on how to deal with the new data protection information obligations.