Whistleblowing
In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 24 countries, and the steps businesses must take to ensure compliance with them.
02. Which companies must implement a whistleblowing procedure?
03. Is it possible to set up a whistleblowing procedure at a Group level, covering all subsidiaries?
04. Is there a specific sanction if whistleblowing procedures are absent within the Company?
05. Are the employee representative bodies involved in the implementation of this system?
06. What are the publicity measures of the whistleblowing procedure within the company?
07. Should employers manage the reporting channel itself or can it be outsourced?
08. What are the obligations of the employer regarding the protection of data collected related to the whistleblowing procedure?
09. What precautions should be taken when setting up a whistleblowing procedure?
12. What is the legal definition of a whistleblower?
13. Who can be a whistleblower?
14. Are there requirements to fulfil to be considered as a whistleblower?
15. Are anonymous alerts admissible?
16. Does the whistleblower have to be a direct witness of the violation that they are whistleblowing on?
17. What are the terms and conditions of the whistleblowing procedure?
18. Is there a hierarchy between the different reporting channels?
19. Should the employer inform external authorities about the whistleblowing? If so, in what circumstances?
20. Can the whistleblower be sanctioned if the facts, once verified, are not confirmed or are not constitutive of an infringement?
21. What are the sanctions if there is obstruction of the whistleblower?
22. What procedure must the whistleblower follow to receive protection?
23. What is the scope of the protection?
24. What are the support measures attached to the status of whistleblower?
25. What are the risks for the whistleblower if there is abusive reporting or non-compliance with the procedure?
08. What are the obligations of the employer regarding the protection of data collected related to the whistleblowing procedure?
Brazil
- at CGM
Any person whose personal data is collected and used in the context of a whistleblowing procedure – starting with the whistleblower him or herself – benefits from the guarantees of Law 13709/2018 (Brazilian General Data Protection Law – the LGPD):
- They must be properly informed about the processing of their data, from the very beginning of the whistleblowing process.
- They can exercise the rights guaranteed to them by the LGPD: confirmation of the existence of data-processing activities; access; correction; anonymisation, blocking, elimination and deletion in specific circumstances; portability; information on public and private entities with which the controller shared the data; information on the possibility of not giving consent and on the consequences of refusal; and withdrawal of consent.
Information that could identify the whistleblower (and other data subjects) may only be processed under a lawful basis provided by the LGPD. The lawful basis must be assessed on a case-by-case basis, but in general the legal bases that best fit the purposes of a whistleblowing procedure are: the exercise of rights in judicial, administrative or arbitration proceedings; the protection of the life or personal safety of the data subject or a third party; and the legitimate interests of the data controller or a third party.
The requirements are tougher if the processing involves sensitive data (ie, racial or ethnic origin, religion, political opinions, membership of a trade union or of religious, philosophical or political organisations, health and sexual data, and genetic or biometric data, when related to an individual). For example, sensitive data cannot be processed based on legitimate interests.
Data relating to alerts may be kept only for as long as is strictly necessary and proportionate to process the alert, without prejudice to the other principles provided by the LGPD, aiming to protect the authors, concerned persons and any third parties mentioned in the alerts, taking into account the time required for any further investigations.
Also, when personal data relating to alerts is collected, it must always be kept and processed under the provisions of the LGPD, except if such data is subject to anonymisation procedures, in which case the data is exempt from the requirements of the LGPD.
Germany
- at Oppenhoff
The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (section 10 HinSchG). This wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.
The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel: the data minimisation principle (article 5 (1) lit. c) GDPR).
Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices (section 8 HinSchG).
Contributors
- Australia: Pinsent Masons
- Austria: GERLACH
- Belgium: Van Olmen & Wynant
- Brazil: CGM
- Croatia: Babic & Partners
- Denmark: IUNO
- France: Proskauer
- Germany: Oppenhoff
- India: Khaitan & Co
- Ireland: Arthur Cox
- Italy: Zambelli & Partners
- Japan: City-Yuwa
- Latvia: Ellex Klavins
- Lithuania: Ellex Valiunas
- Luxembourg: Castegnaro
- Malta: Camilleri Preziosi
- Nigeria: Bloomfield LP
- Poland: Baran Książek Bigaj
- Portugal: Cuatrecasas
- Romania: STALFORT Legal. Tax. Audit.
- Singapore: Braddell Brothers LLP
- Spain: Cuatrecasas
- Sweden: Lindahl
- United Kingdom: Proskauer
- United States: Proskauer