Data protection

Get ready for the GDPR – Part 4: Whistleblower arrangements

18 April 2018

The General Data Protection Regulation will apply as of 25 May 2018. The new Regulation is important to companies that already have or are considering establishing a whistleblower arrangement as it places new requirements upon the data controllers and data processors. In this newsletter, we focus on the new rules and how your company can be prepared.

Under the new Regulation the obligation to notify the national Data Protection Agencies is removed. This means that companies are no longer obliged to report whistleblower arrangements prior to establishing them. However, this does not mean that all requirements on the arrangements cease to apply.

Continued Requirements

The Danish Data Protection Agency has determined a number of requirements relating to whistleblower arrangements, which under the existing rules must be met to obtain the approval of the Agency. Most of these requirements are based on general principles of good data processing practice, objectivity and proportionality and are therefore carried forward under the new Regulation.

These requirements include:

  • Only persons affiliated with the company can file a report, and reports may only concern individuals with a connection to the company, e.g. employees, board members, suppliers.
  • Reports may only be filed in case of suspicion of serious misconduct that can impact the company as a whole or the lives or health of individuals, such as serious financial crime, serious breach of safety at the workplace or serious offence aimed at an employee, e.g. violence or sexual assault.
  • Minor offences cannot be reported under the arrangement. In such cases the company’s usual means of communication must be used, e.g. in case of violation of the internal guidelines.
  • Access must be limited to an independent unit, which receives and handles the reports. This unit must live up to certain requirements, such as training.
  • Finally, the company must meet requirements relating to data security and develop internal guidelines on safety precautions, which are subject to an examination at least once a year.

New requirement: Records

With the GDPR the notification obligation is replaced with a requirement to keep internal records of all processing activities, placed upon the data controller and the data processor. As the activities include sensitive data, this requirement equally applies to smaller companies with whistleblower arrangements.

The record must contain a description of the character, extent, context and purpose of the processing activity as well as the likelihood of risks connected with the processing. This aims to ensure that the company can prove that the arrangement is administered in accordance with the GDPR. In principle, this means that your company must document every processing activity.

Possible Requirement: Impact Assessments (DPIA)

The Danish Data Protection Agency recommends that a company in general prepares an impact assessment when a new system or processing activity is applied. The GDPR only requires that an analysis is conducted if there is a “high risk” that the processing activity may violate the rights of the data subject. Neither the new provisions nor the guidelines offer any indication as to whether a whistleblower-arrangement by definition results in such a risk.

First of all, a “high risk” is likely to occur if a company applies a new technology in its processing activities. But even if this is not the case, a whistleblower arrangement is likely to require an impact assessment, because a number of elements in the processing activities combined constitute such a “high risk”. This is because the arrangements involve processing of sensitive data about employees, who under the new rules must be considered a vulnerable group. Moreover, the company must be aware that cross-border data transfers to a third country or an anonymous whistleblower arrangement will increase the likelihood of a “high risk”, and as a result an impact assessment should be made.

In conclusion, it is likely that the data protection authorities will require an impact assessment to be conducted when a company establishes a whistleblower arrangement. As for existing arrangements, there is no explicit requirement to complete an impact assessment, but under the new rules a company must reassess its risk analysis every three years. This will most likely affect all companies which currently have whistleblower arrangements in place.

IUNO’s Opinion

The obligation to notify the Danish Data Protection Agency is replaced with a number of new requirements, which is in agreement with the general principle of “data protection by design” in the GDPR. It is to a large extent up to the companies to ensure that these new rules are incorporated and complied with – and especially that this is documented. With the new requirements to keep records and conduct impact assessments, the original goal of limiting the administrative and economic burden on companies by removing the obligation to notify has not been met, as the new requirements also cause a lot of administrative work.

IUNO recommends that companies, as part of their processing procedures, thoroughly assess whether their whistleblower arrangements comply with the new rules, especially in relation to the new requirement to keep records and the possibility that an impact assessment may be required.
Anders Etgen Reitz, Partner
Søren Hessellund Klausen, Partner
Kathrine Skøtt Jespersen, Senior associate