Whistleblowing hotlines: potential obstacles

This article sets out key issues in relation to whistleblowing hotlines in Belgium, France, Germany, Hong Kong, Italy,  Netherlands, the People’s Republic of China, Spain and the UK. If you would like any further information please contact the relevant individual indicated above.

Belgium

• Belgian data protection laws must be complied with in respect of any whistleblowing hotline.
• According to the Belgian Commission for the protection of privacy, anonymity is permitted but discouraged - anonymous reports should be accepted only in exceptional cases and under certain circumstances.
• Data subjects have rights of access, rectification and opposition. There are also requirements regarding the obligation to inform employees that their data may be processed in the context of a whistleblowing system.
• Disclosure of all data processing to Belgian Commission for the protection of privacy is required.

France

• Whistleblowing systems must be authorised by the French Commission nationale de l’informatique et des libertés (CNIL).
• Possible to benefit from a self-certification procedure  put in place by CNIL if hotline complies with conditions set out in CNIL Deliberation 2005-305 of 08 December 2005, as amended by Deliberation 2010-369 and Deliberation 2014-042. Individual authorisations must be obtained in all other circumstances.
• To benefit from the self-certification procedure, the nature of reports through the hotline must be limited to financial, accounting, banking, anti-bribery, anti-competitive, discrimination, harassment, health & safety and environmental matters and only specific categories of data may be processed. The authorisation may only be relied upon by companies which are subject to specific French legal or regulatory provisions which require the implementation of a whistleblowing system. In addition, companies which are required under either the US Sarbanes-Oxley Act (SOX) or Japan’s Financial Instruments and Exchange Law (known as Japanese SOX) to implement such systems may also qualify for self-certification, as may companies which implement systems intended to prevent anti-competitive behaviour within an organisation.
• Anonymous reports should not be encouraged and organisations should not advertise the right to remain anonymous. Specific measures must be put in place to protect a whistleblower from any form of retaliation.
• Data subjects have rights of access, rectification and opposition. There are also reinforced requirements regarding the obligation to inform employees that their data may be processed in the context of a whistleblowing system.
• Data must be deleted or archived immediately if no action is taken upon receipt of the report, or within two months following the completion of an investigation. Where the investigation results in disciplinary or judicial proceedings, the data may be held until the end of the procedure.

Germany

• German data protection laws must be complied with in respect of any whistleblowing hotline.
• Under German labour law, co-determination rights must be complied with - case law has made it clear that approval of the works council is required to incorporate a whistleblowing policy into a code of conduct.
• Anonymity is permitted but discouraged - anonymous reports should be accepted only in exceptional cases.
• Disclosure of all data processing to data protection supervisory authority required unless a data protection officer is appointed.
• Scope of incidents usually to be reported: criminal acts and other unlawful behaviour. Other topics like the acceptance of gifts or discriminatory behaviour may be acceptable. Whistleblowing policies can invite employees to report “conduct which adversely affects company ethics”, but cannot impose an obligation on employees to report such conduct.

Hong Kong

• Need to comply with the Hong Kong Personal Data (Privacy) Ordinance in respect of data collection and processing but no specific requirements in relation to whistleblowing hotlines.

Italy

• Implementation of whistleblowing hotlines may cause potential conflicts with the Italian Data Protection Code.
• Limited right to process personal data without data subject’s consent. Data subjects have rights of access, rectification and opposition.
• Notice of the existence of whistleblowing procedures should be displayed in a public place and/or employees should be notified.
• Reports relating to general ethical breaches, employees’ grievances and minor breaches are not permitted. Scope of reports under whistleblowing systems should be restricted to events that may put the company at risk (eg financial, accounting, banking and anti-bribery matters).
• Anonymity is permitted but highly discouraged – anonymous reports should be accepted only in exceptional cases.
• Disciplinary action cannot be taken only on the basis of an anonymous report.

Netherlands

• Need to comply with the Dutch Data Protection Act in respect of data processing but, otherwise, no specific requirements in relation to whistleblowing hotlines.

PRC

• There is no legal requirement to set up a whistleblowing hotline save for companies listed in China.
• If information collected through a whistleblowing hotline is stored on, or processed through, an information system (which includes any type of computer system), the employer may need to take into account some data protection guidelines. 

Spain

• Potential privacy and labour law issues.
• It is not necessary to obtain the consent of employees in order to handle their personal data provided that they are fully aware that the hotline exists. The hotline must relate only to employment concerns, and must specify the actions that are the subject of complaint as well as the laws, internal rules or codes of ethics to which the accusations refer.
• The accused must be informed about (i) the processing of all his or her details (ii) the organisation responsible for the hotline (iii) what he or she is accused of (iv) which departments and services within the company or group that might receive the report and (v) how to exercise his or her rights of access, cancelation and correction.
• The hotline must be registered with the Data Protection Agency 
• Organisations should inform trade unions of any proceedings against their members as well as of the implementation of the hotline. This is just a right to be informed not a right of consultation.

UK

• Need to comply with UK Data Protection Act 1998 in respect of data processing but no specific requirements in relation to whistleblowing hotlines.

Further information relating to the legal provisions governing whistleblowing in these jurisdictions is available in our microsite International Employment Issues.