On December 17, 2021, the Whistleblower Directive comes into force. High time for small and medium-sized companies to take a look at the implications of the directive!
We provide an overview of what the Whistleblower Directive means for companies:
What are whistleblowers?
Whistleblowers are natural persons who uncover legal violations in a company. In German they are called whistleblowers. They came into the public eye through well-known whistleblowers such as Edward Snowden.
Whistleblowers, while acting in a socially desirable way, face many disadvantages: if grievances are uncovered, there is a risk of reprisals ranging from disadvantages in the workplace to dismissal. In some cases, whistleblowers also use confidential information from their employment relationship as part of their disclosures and thus violate obligations under the employment contract.
The main content of the Whistleblower Directive
The Whistleblower Directive sets limits on such reprisals. It requires companies to set up internal reporting channels for reporting legal violations. These channels are intended for reports from the areas of public procurement, financial services, product safety and data protection, among other things. When employees use an internal reporting channel, companies are not allowed to retaliate.
The internal channel must be designed securely and must preserve the whistleblower's anonymity throughout the process. Only a very small number of employees, those who process incoming reports, are allowed to access the information. Your experts at heyData will be happy to provide advice on choosing the right system!
When companies receive a report, they must strictly adhere to two deadlines. First, the receipt of the report must be confirmed within seven days. Second, the company has three months to provide feedback on the content. An extension of the deadline can only be considered in justified exceptional cases.
heyData tip: Keep an eye on these deadlines! It is best to track the deadlines electronically so as not to miss them.
In addition, the Whistleblower Directive stipulates that the state must set up external reporting channels. These exist in parallel to the internal reporting channels and can also be used to report violations.
The Whistleblower Directive applies to these companies
From December 17, 2021, the directive will initially apply to companies with more than 250 employees. These should have internal reporting channels from this date. From 2023, companies with at least 50 employees will also be required to set up a reporting system.
The implementation of the Whistleblower Directive in Germany
As an EU directive, the regulations still have to be implemented in German law in order to be fully applicable. This will not happen in time. The consequences of the delay are unclear. It is likely that the protection for employees will already apply from December 17, 2021: employees who report legal violations in companies directly to the authorities because there are no internal reporting channels may not be issued a warning or terminated.
Recommendation from heyData: We therefore recommend that you follow the guidelines before they are implemented and that you set up an internal reporting system in good time.
After a German implementation law has been passed, there will be additional fines for companies that do not set up an internal reporting system.
What are the consequences for data protection?
The Whistleblower Directive is important because data protection is an area of law for which whistleblowers can report legal violations. So the directive is another reason why companies should comply with data protection regulations. It will result in data protection violations moving further into the focus of the public.
At the same time, data protection plays a role in the implementation of the systems:
- Whistleblower systems must be technically designed in such a way that they protect the confidentiality and in particular the identity of the whistleblower.
- Only those employees who process the reports may have access to them. They are to be bound to strict confidentiality.
- Since personal data is processed during implementation in a technical system, employees must be informed about this in accordance with general data protection regulations.
- The data minimization requirements from Art. 5 GDPR must be observed for these systems. A whistleblower system in particular should technically only process the personal data that is absolutely necessary.
If you have any questions about the new whistleblower obligations, your data protection experts at heyData will be happy to help.