Whistleblowing & Data Protection: The Contradiction. What if that was a misconception in the compliance organization system?
Recent scandals such as Wirecard show how essential it is to implement an appropriate and effective compliance management system (CMS) in the company to ensure the timely detection and punishment of violations of the law. One component of such a CMS is a whistleblowing system that enables employees or external parties to report violations of the law anonymously.
Companies with more than 50 employees as well as legal entities in the public sector and municipalities with a population of 10,000 or more will be required to set up an internal whistleblowing system in the future. Companies with 250 or more employees must comply with this requirement by December 17, 2021, and companies with between 50 and 249 employees by December 17, 2023. This is required by the European Union’s Whistleblower Directive (WFD), which came into force in December 2019 and has yet to be transposed into national law by German lawmakers.
When implementing such a whistleblowing system, the companies concerned have a number of things to consider. Data protection in particular presents a special challenge, because personal data has to be processed in accordance with the EU General Data Protection Regulation (GDPR) (Art. 17 GDPR).
This means that employees who are named or accused in reports have a right to information about the content of the report concerning them in accordance with Art. 15 GDPR. However, this can lead to the identity of the whistleblower being revealed.
Do you find this topic interesting, and would you like to know more about it from a business owner's or manager's point of view? Contact us. We are compliance law experts.