Mandatory whistleblower systems just around the corner

As described in our newsletter of 2 December 2012, the EU has been planning to introduce a requirement forcing companies in the financial sector to implement a whistleblower system. Based on an EU directive, the Danish Ministry of Business and Growth is now about to introduce a legislative proposal requiring some companies in the financial sector to implement a whistleblower system during the first quarter of 2014.

The substance of the legislative proposal

According to the proposal, the new whistleblower system shall give employees and board members the right to submit confidential reports on actual and possible breaches of different statutes, depending on the type of company. Furthermore, the rules will protect the whistleblower against negative consequences of any reports on such breaches.

The whistleblower system may be established internally in the company or externally through collective arrangements.

The legislative proposal will apply to the following companies:

• Financial companies
• Operators of regulated markets, clearing houses or central securities depositories
• Alternative investment fund managers
• Pension funds
• Investment associations and SICAV’s (investment companies with variable capital)
• Insurance and reinsurance broker’s (if more than 5 employees)
• Payment institutions
• Financial advisors (if more than 5 employees)
• Mortgage companies (if more than 5 employees)
• LD (“Lønmodtagernes Dyrtidsfond”)
• ATP (“Arbejdsmarkedets Tillægspension”)
• AES (”Arbejdsmarkedets Erhvervssygdomssikring”)

The new rules are expected to come into force during the first quarter of 2014.

Requirements to the application to the Danish Data Protection Agency

Establishing a whistleblower system will result in processing of personal data, especially data concerning criminal offences. Therefore, the system must be established and administrated in accordance with the Act on Processing of Personal Data. In this connection, the Danish Data Protection Agency requires that both the company’s general HR administration and its new whistleblower systems are approved by the Agency before the systems may be applied. Companies are required to apply and obtain permission for processing of personal data in connection with their general HR administration, before they can apply for establishing a whistleblower system.

The Danish Data Protection Agency has set 8 November 2013 as the deadline for submission of the request for permission to process personal data in connection with general HR administration. If the application is submitted after 8 November 2013 it will probably not be possible to obtain permission by 1 January 2014.

The deadline for submitting applications to implement the whistleblower system is 15 January 2014. Companies that have not applied by this date should not expect to be able to obtain permission until after the new legislation has come into force.

Typically, each application may take until 6 months to process. This means that it may take until one year before a company has obtained permission to implement a whistle blower system, if the company does not comply with the deadlines described above.

According to the legislative proposal, financial penalties may be imposed on companies that fail to implement an approved whistleblower system.

IUNO's opinion

The requirement for financial companies of having a whistleblower system follows from an EU directive and is expected to come into force during the first quarter of 2014.

IUNO therefore suggests that financial companies check whether the new rules apply to them.

Companies affected by the new rules should apply to the Danish Data Protection Agency for approval of their general HR administration as soon as possible and not later than 8 November 2013, if such permission has not already been obtained. Furthermore, companies should prepare their application for approval of their new whistleblower systems, which must be submitted no later than 15 January 2014.

IUNO have advised many companies about the establishment of whistleblower hotlines. We are able to assist with the application to the Danish Data Protection Agency, and we can also handle the practical and technical establishment and manning of the hotline.