EU Whistleblower Directive: Companies need to take action

According to the provisions of the WBD, not only employees, but also shareholders, suppliers, customers and certain business partners should be able to report breaches using the company’s internal channels.

The WBD further provides that the reporting channels may be operated by an internal person or department designated for this purpose or may also be provided externally by a third party, such as an ombudsman, an external commercial reporting platform provider or a trade union or employee representative.

The reporting channels must be designed in such a manner as to ensure that the confidentiality of the identity of the reporting person is protected, the receipt of the report is acknowledged to the reporting person within seven days, an impartial person or department is competent for following up on the reports, the designated person/department diligently carries out such follow-up, the reporting person receives feedback within three months from the acknowledgement of receipt or within three months from the expiry of the period during which receipt should have been acknowledged, and clear and easily accessible information is provided regarding the procedures for external reporting.

In groups of companies, establishing a reporting system exclusively at the level of the group’s parent company is not sufficient. As a rule, each obliged legal entity must have its own reporting channel.

An exception is, however, made for companies in the private sector with a workforce of 50 to 249, who may share resources for the receipt of reports and any investigations to be carried out regardless of whether or not they belong to a group of companies. The WBD further provides that companies may also entrust a third party with the receipt of reports. In practice, ways are therefore being sought that will allow one reporting system resource to be used by several legal entities despite the restrictive provisions of the WBD, which were expressly confirmed by the EU Commission in two statements in mid-2021. An important element to the use of resources by multiple entities will be the provision of a landing page where the reporting person can (e.g. by means of a button) choose the company in respect of which a report is intended to be made.

An exception is, however, made for companies in the private sector with a workforce of 50 to 249, who may share resources for the receipt of reports and any investigations to be carried out regardless of whether or not they belong to a group of companies. The WBD further provides that companies may also entrust a third party with the receipt of reports. In practice, ways are therefore being sought that will allow one reporting system resource to be used by several legal entities despite the restrictive provisions of the WBD, which were expressly confirmed by the EU Commission in two statements in mid-2021. An important element to the use of resources by multiple entities will be the provision of a landing page where the reporting person can (e.g. by means of a button) choose the company in respect of which a report is intended to be made.

Prospectively, also smaller companies may have to deal with the question, also with regards to the efficient use of resources, whether the whistleblower system can be used at the same time as a reporting system under the German Act on Corporate Due Diligence in Supply Chains (Supply Chain Act). Such a combined use would not conflict with the statutory provisions (WBD and Supply Chain Act). However, the two reporting channels differ in terms of group of obliged companies (size of the workforce), potential reporting persons and issues relevant for reporting. Whether reporting channels may be combined in practically has to be examined on a case-by-case basis. Because of the differing requirements as to size, there will in any case be significantly more whistleblower systems than reporting systems under the Supply Chain Act.

In principle, anyone is eligible to receive reports. The WBD requires the designation of “impartial persons or departments”. As a further prerequisite under the Draft Whistleblower Protection Act, the responsible persons must perform their activities “independently”. Compliance officers could perform the function as reporting system administrators; however, data protection or other special officers in the company should also be taken into consideration. In addition to the aforesaid persons, members of the legal department or of the internal audit team would also be qualified to perform the function of reporting system administrator.

There are numerous providers in the market who offer digital products to operate a reporting system. These products differ in terms of, for example, target customer group (products for medium-sized businesses, products for large companies with a workforce of several thousand or, at the other end of the scale, simple small-scale solutions for comparatively small businesses), functionalities (text input option, uploading attachments on the landing page, voice recording), usability (customisation of back-end and front-end, additional functions for communicating with the reporting person, configuration options, etc.) and, last but not least, pricing. When choosing a product, the requirements under data protection law should be borne in mind (see below), and it might also be wise to involve the company’s data protection officer and, if already designated, the persons responsible for the reporting system in the selection process.

When establishing a whistleblower system, the works council should be involved at an early stage. A whistleblower system will normally be operated using an IT-based solution (see above). In this case, it might be a measure that is subject to co-determination under Section 87 (1) no. 6 German Works Constitution Act. In addition, it may be necessary to observe the co-determination right under Section 87 (1) no. 1 German Works Constitution Act regarding what is referred to as “rules of conduct” if the employer wishes to introduce a whistleblower system in the company on a mandatory basis.

One possible approach worth considering would be to combine any content about the whistleblower system that is not subject to co-determination, e.g. a description of the corporate philosophy and of the legal situation, into a policy while dealing with all elements that are subject to co-determination in a works agreement. The core elements of such a works agreement would then be, for example, the reporting procedure, the responsible contact persons and an outline of how reports will be further handled.

Reporting systems must be established in a data protection compliant way, i.e., in accordance with the General Data Protection Regulation (GDPR). This requires, amongst other things, that the Data Protection Officer is involved as early as possible.

When introducing and operating a whistleblower system, companies generally act as the “controllers” for the purposes of data protection law. In addition to formal requirements (see check list below), the responsibility as controller also includes responsibility for compliance with the data processing regulations in terms of content. In this respect, companies are obliged to provide proof of compliance.

Third parties such as providers of software for internal reporting systems generally act as “processors”. In this  case, the company and the processor are required to enter into a Data Processing Agreement (DPA)  pursuant to Article 28 GDPR. Where lawyers or auditors become active without being subject to instructions, they are generally considered as controllers. In that context, an arrangement between joint controllers determining their respective responsibilities may be required, cf. Article 26(2) GDPR. Whether a processing relationship or a joint controller relationship exists between the parties  involved must, however, be examined separately in each particular case.

According to the GDPR, data may only be processed if and to the extent a legal basis exists. In the present context, the implementation provisions of Article 8 WBD could be the legal basis. It should be taken into account, however, that this legal basis only applies to the breaches covered by the WBD and/or the German transposition standard of the Directive, i.e., the material scope of the legislation. If companies want their internal reporting systems to be used to report other breaches as well, for example, breaches of the company’s ethical guidelines, another legal basis is required (for example, Article 6(1)(f) GDPR). For this reason, and also for the general purpose of structuring and channelling the receipt of reports, companies should determine the types of breach that can be reported. A legal basis for reporting types of behavior which, even though socially undesired, do not constitute an unlawful conduct generally does not exist (see the guidance provided by the German data protection supervisory authorities with regard to whistleblowing hotlines)^[2].

According to the purpose limitation principle, the reported data may only be used for pre-defined purposes that are covered by the legal basis. In concrete terms, this means, for example, that if unfriendly behaviour towards customers is reported via the whistleblower system, the recorded report may not be used for a negative assessment of the employee’s work performance. Furthermore, data may only be stored to the extent necessary for the relevant purpose. In other words, data that is irrelevant for an investigation into the accusations made must not be recorded or stored along with the other data. In addition, companies must provide for deletion concepts. According to the national data protection authorities and the European Data Protection Supervisor data must regularly be deleted within two months after the relevant procedure has been closed.

In addition to the above, companies as controllers have comprehensive  information,  notification and  disclosure obligations with respect to the persons involved. Both the reporting person and the accused persons and witnesses are data subjects within the meaning of the GDPR in relation to the company. The obligations under data protection law are supplemented by, and overlap with, the requirements under the WBD to inform the reporting person of the receipt of his/ her report and the further course of the procedure. These requirements will be adopted in the upcoming German Whistleblower Protection Act.

• Duly involving the data protection officer at an early stage
• Creating a record of processing activities
• Implementing technical and organisational measures (TOMs)
• Carrying out a data protection impact assessment^[3]
• If necessary, entering into a data processing agreement or into an arrangement between joint controllers determining their respective responsibilities pursuant to Article 26(2) GDPR
• If necessary, drawing up a whistleblower policy for the company

When establishing a whistleblower system, you should not merely follow the statutory provisions. Instead, you should involve all relevant stakeholders (works council, data protection officers, HR, etc.) already at an early stage and be careful choosing the right words when communicating the introduction or relaunch of such reporting channels. This is because employees often have reservations in this regard. The intention is not to create a culture of mistrust, but to ensure that your company is able to cope with a rising level of regulation and higher demands on compliance, as well as to create a culture where mistakes are appropriately dealt with (and eliminated), whilst avoiding to make excessive demands on your employees.

This leaflet only contains a limited number of conceivable aspects that should be taken into consideration in connection with the introduction or adaptation of a whistleblower system. It should not be taken as, and does not constitute and cannot replace, legal advice.

If you have any further questions, please do not hesitate to contact us.

^[1] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

^[2] www.datenschutzkonferenz-online.de/media/oh/20181114_oh_whistleblowing_hotlines.pdf

^[3] The data protection authorities, at least, continue to consider such an assessment to be necessary.