EU Whistleblowing Policy - New obligations for companies

What are whistleblowers?

Whistleblowers are natural persons who uncover and report legal violations in a company. Well-known whistleblowers such as Edward Snowden have raised public awareness of them.

Although they act in a socially desirable way, whistleblowers are exposed to many disadvantages: once wrongdoing is uncovered, they face reprisals ranging from discrimination in the workplace to dismissal. In some cases, whistleblowers also use confidential information from their employment relationship in the course of their disclosures and thereby breach obligations arising from their employment contract.

The most important aspects of the Whistleblower Policy

The Whistleblower Policy sets limits to these reprisals. It stipulates that companies must set up internal reporting channels for reporting breaches of the law. These channels are intended for reports in areas such as public procurement, financial services, product safety, and data protection. If employees use an internal channel for reporting, companies may not take reprisals.

The internal channel must be secure and must protect the anonymity of the whistleblower. Only a very small number of employees, those who process incoming reports, may access the information. Your experts at heyData will be happy to advise you on choosing the right system!

When companies receive a report, they must strictly adhere to two deadlines. Firstly, receipt of the report must be confirmed within seven days. Secondly, the company has three months to provide substantive feedback. An extension of the deadline can only be considered in justified exceptional cases.

heyData tip: Keep a close eye on these deadlines! It is best to track the deadlines electronically so that you don't miss them.

The Whistleblower Policy also stipulates that the state must set up external reporting channels. These exist alongside internal reporting channels and can also be used to report breaches.

The Whistleblower Policy applies to the following companies

The directive will initially apply to companies with 250 or more employees from December 17, 2021. They should have internal reporting channels in place from this date. From 2023, companies with at least 50 employees will also be obliged to set up a reporting system.

Implementation of the Whistleblower Directive in Germany

As an EU directive, the regulations still need to be transposed into German law to be fully applicable. This will not happen in time, and the consequences of the delay are unclear. The protection for employees will likely apply from December 17, 2021 regardless: if they report legal violations in companies directly to the authorities because there are no internal reporting channels, they may not be warned or dismissed for doing so.

Recommendation from heyData: We therefore recommend complying with the directive even before its implementation and setting up an internal reporting system in good time.

Once a German implementation law has been passed, companies that do not set up an internal reporting system will face additional fines.

Take a look at heyData's latest product mattersOut, which offers a digital compliance procedure for adhering to legal standards as well as many other benefits, including for your employees.

What consequences does this have for data protection?

The Whistleblower Policy is important for data protection because data protection is one of the areas of law in which whistleblowers can report legal violations. The directive is therefore another reason for companies to comply with data protection regulations, as it will bring data protection breaches further into the public eye.

At the same time, data protection plays a role in the implementation of the systems:

  • Whistleblowing systems must be technically designed to protect the confidentiality and, in particular, the identity of the whistleblower.
  • Only those employees who process the reports may have access to them, and they must be bound to strict confidentiality.
  • Because personal data is processed in a technical system, employees must be informed of this in accordance with the general data protection regulations.
  • The data minimization requirements of Art. 5 GDPR must be observed during setup: a whistleblowing system in particular should be technically designed to process only the personal data that is necessary.

If you have any questions about the new whistleblowing obligations, your data protection experts at heyData will be happy to help you. Find out more about our mattersOut product, which helps with the implementation of the policy, or contact us directly at mattersout@heydata.eu.