Background and requirements
As a result of the EU Whistleblowing Directive’s transposition across Europe, whistleblower protection measures are becoming mandatory and these include the establishment of internal reporting channels, the facilitation of regular dialogue with individuals speaking out, effective case management and the prevention of all forms of retaliation, such as demotion or dismissal.
Understandably, the tough requirements of the new legislation have raised questions in organisations such as how to cope where resources are limited, the possible impact on subsidiaries or how to roll out a whistleblowing system across multi-country groups.
According to article 8, paragraph 6 of the EU Whistleblowing Directive, companies with between 50 and 249 workers have the option of sharing resources for the receipt of whistleblowing reports and to facilitate investigations without jeopardising confidentiality. The majority of national laws transposed in Europe upheld this provision without extending it to larger organisations and their subsidiaries. Some laws have even failed to mention group matters entirely.
Shared whistleblowing systems for groups: the interpretation in EU member states
The member states that transposed the EU Whistleblowing Directive implemented their own interpretation of the legislation and, in the majority of cases, their national laws closely align with its requirements. However, there are exceptions with regard to groups and subsidiaries in a handful of countries:
Denmark
Denmark was the first country in Europe to transpose the Directive and its version of the law opens up the possibility of companies operating common group channels regardless of their size. This was not the case with initial drafts; Danish legislators made adaptations following objections from interest groups and large companies. According to Danish law, a group can set up a shared whistleblowing scheme covering all subsidiaries within that group. The parent company would act as the whistleblowing hub for the subsidiaries and would process reports, engage in dialogue with whistleblowers and carry out all necessary investigations.
France
Likewise in France, the law states that a whistleblowing system can be common to several or all companies in a group, though it does not specify the employee thresholds necessary to proceed with a shared system. An October 2022 decree was supposed to offer more clarity in this area but it unfortunately failed to provide the necessary details.
Austria
Austria’s HSchG allows all legal entities to transfer the tasks of the internal reporting body, regardless of their size, and this differs from the EU Whistleblowing Directive where only organisations with 250 employees are facilitated. It remains to be seen if this will be changed in the final version of Vienna’s law.
Estonia
Estonia’s legislation also states that group companies may share or jointly manage internal whistleblowing channels and that those channels may be managed by an external third party.
Spain
Spain is another country that has granted companies the right to work in group structures. Article 11 of its law states that the internal information system can be the same for an entire group or for each company within a group of companies. The management of the internal information system can be carried out within the entity itself or by a third party, though only with confidentiality, security and privacy guarantees in place.
Germany
While Germany’s law prevents companies with more than 249 employees from operating a joint channel, it does make it possible for one group company within a larger organisation to establish a centralised whistleblowing channel regardless of its size. Through a service agreement, this centralised unit can work with several independent entities within the corporate group while the overall responsibility lies with the respective mandating group company.
Finland
In Finland, new legislation allows for group implementation but without intragroup solutions such as the documentation of employee consent or the allocation of liability.
Italy
In Italy, companies in a group employing an average of no more than 249 employees under permanent or fixed-term employment contracts in the past year can share and manage internal whistleblowing channels.
Data protection considerations
Companies and groups of companies have to be aware that whistleblowing involves the processing of personal data which requires compliance with some specific aspects of the GDPR. With regard to a multi-country group, the privacy role of each party involved must be taken into consideration. The company that the whistleblower has an employment relationship with – whether he or she is an employee, former employee or supplier – is ultimately responsible for upholding privacy and remaining compliant with the GDPR.
Depending on the specific activities carried out, other group companies involved in the receipt and management of whistleblowing reports could take on supporting privacy roles such as acting as independent data controllers or joint investigators. Where a group company acts as an independent controller, it is necessary to precisely outline the purposes and means of data processing while also guaranteeing that personal data is protected.
When it comes to joint controllership, companies can share resources for the phase of sending, receiving and forwarding reports. They must jointly decide on the means and purposes of processing, whether data is shared between them, and the security measures in place. For the latter, security principles such as access limitation, segregation of duties and need-to-know must be in place and guaranteed, so that those handling a case can only access the data required for processing it.
A group company can also act on behalf of another entity during a specific stage of processing, such as the receipt and forwarding of a report or IT support. In this case, the relationship should be regulated through an intra-group agreement and a suitable role should be created for it. It is also necessary to analyse and appropriately regulate the presence of any additional parties that may intervene in processing and come into contact with confidential data.
If data is transferred beyond EU borders, the legality of that activity must be demonstrated pursuant to Article 44 of the GDPR. For multi-country groups with offices outside the EU, the third country destination of the data should be analysed and its local legislation checked in order to ensure all transfers are lawful in the absence of an adequacy decision pursuant to Article 45 of the GDPR. This follows from the Schrems II ruling of the EU Court of Justice on 16 July 2020 and the European Data Protection Board guidelines of January 2021.
That judgement invalidated the Privacy Shield for data transfers to the United States and addressed transfers to third countries that are not covered by an adequacy decision from the European Commission under Article 45 of the GDPR, which must instead rely on the safeguards for transfers set out in Article 46 of the GDPR. A third country is deemed adequate if it can guarantee a level of data protection equivalent to that provided by the GDPR.
To ascertain the level of data protection in place, the data importer must conduct a preliminary assessment in the form of a checklist before signing an appropriate agreement between the parties involved. If Standard Contractual Clauses (SCC) are applicable as a measure to safeguard non-EU transfers, the new SCCs adopted by the European Commission on 04 June 2021 should be referenced.
The obligations to be met when processing the personal data contained in whistleblowing reports are as follows:
- Compliance with the principle of “privacy by design and default” pursuant to Article 25 of the GDPR, whereby the processing must be designed from the outset in compliance with the general principles referred to in Article 5 of the GDPR.
- An impact assessment must be carried out due to the sensitivity of the information processed and the level of risk involved, as well as the possible retaliatory effects and discriminatory measures that could be levied against the whistleblower.
- Adequate security measures must be implemented such as a secure network protocol, end-to-end encryption and strong authentication mechanisms.
- Appropriate organisational measures should be put in place such as the introduction of an expert whistleblowing services provider and the appointment of a suitable authority for processing personal data.
Best practice
Despite the inconsistencies in national legislation and an increasingly complex international legal landscape, groups of companies should nevertheless take some form of action, such as restructuring or updating their own whistleblowing channels. To that end, they should take a number of steps. A preliminary investigation should be conducted into the local regulations in each country where the parent organisation has subsidiaries in order to identify differences in the transposition rules. Whistleblowing systems can then be organised in a uniform way that guarantees the highest standard of protection.
A detailed whistleblowing policy should be established where the process of managing the report is outlined while the subjects in charge of investigations are identified. This should be communicated to all relevant stakeholders and they should also be trained in the correct use of the whistleblowing system while also being informed of the sanctions for possible violations. Reports should be treated confidentially and documented while the whistleblowing system should be aligned with privacy, data protection and cybersecurity requirements.
Digital whistleblowing systems can prove to be a powerful tool for group companies provided that they allow for the segregation of the channels used by different subsidiaries. Some of the advantages include universal access to a full suite of compliance modules, straightforward audit checks across the entire group, minimised bureaucracy between the different subsidiaries and a comprehensive overview of the entire compliance spectrum in real-time. In addition, management can define processes and handle rights management, defining who within the organisation gets informed in the case of a report.
These digital solutions are also easy to set up and maintain. Some software providers can implement completely independent reporting channels for each subsidiary whereby whistleblowers can avail of company selection and intelligent case routing.
Conclusion
While EU lawmakers took the limited resources of SMEs into account when drafting the legislation and this was echoed at national level, there is no similar allowance at subsidiary level or for larger groups of companies. In countries such as Austria, Denmark, France and Estonia, the law’s approach seems to reflect the practical reality of managing internal whistleblowing systems. Experience has shown that large organisations prefer to centralise their whistleblowing channels and optimise the resources available.
The European Commission’s decentralised approach is at odds with the preferences of larger organisations and it requires all companies with more than 50 workers to establish individual local reporting channels, even if they belong to a group. While there are a number of national exceptions, large corporate groups (and especially multinationals) will have to rethink their current reporting policies, carefully analyse the complex legal situation and consider how to best create a system where whistleblowers feel comfortable sharing their concerns with the parent organisation.