Whistleblowing
In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 24 countries, and the steps businesses must take to ensure compliance with them.
08. What are the obligations of the employer regarding the protection of data collected related to the whistleblowing procedure?
Germany
- at Oppenhoff
The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (section 10 HinSchG). This wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.
The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel, in line with the data minimisation principle (article 5 (1) lit. c) GDPR).
Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices (section 8 HinSchG).
Poland
- at Baran Książek Bigaj
A legal entity must ensure that the internal procedure and related processing of personal data prevent unauthorised persons from gaining access to the information covered by the report and ensure that the confidentiality of the identity of the person making the report and the person to whom the report relates is protected. Confidentiality protection applies to any information from which such persons can be directly or indirectly identified.
Only persons authorised in writing by the employer may receive and verify reports, take follow-up action, and process the personal data of the whistleblower or the subject of the report. Authorised persons must maintain secrecy, even after the termination of the employment relationship or other legal relationship under which they performed such work.
The whistleblower’s personal data and other identifiable data may not be disclosed except with the express consent of the reporter. This does not apply where disclosure is necessary and proportionate under the law in the context of investigations or judicial proceedings carried out by public authorities or the courts, including to ensure the right of defence of the reported person. A legal entity, upon receipt of a notification, may collect and process the personal data of a person to the extent necessary to fulfil the purposes of the Bill. Personal data that is not relevant to the processing of the notification will not be collected and, if accidentally collected, will be deleted immediately. The GDPR also applies, with some exceptions specified in the Bill (eg, if the applicant does not meet the conditions indicated in article 6 or has expressly consented to the disclosure of his or her identity).
The legal entity must keep a register of internal reports, including:
- the number of the notification;
- the subject of the violation;
- the personal data of the reporter and the person affected by the report, necessary to identify them;
- the contact address of the reporter;
- the date of the initial internal report;
- information on follow-up actions taken; and
- the date on which the case was closed.
Personal data and other information in the register of internal reports should be retained for three years after the end of the calendar year in which the follow-up actions were completed or after the completion of the proceedings initiated by these actions.
Contributors
Australia
Pinsent Masons
Austria
GERLACH
Belgium
Van Olmen & Wynant
Brazil
CGM
Croatia
Babic & Partners
Denmark
IUNO
France
Proskauer
Germany
Oppenhoff
India
Khaitan & Co
Ireland
Arthur Cox
Italy
Zambelli & Partners
Japan
City-Yuwa
Latvia
Ellex Klavins
Lithuania
Ellex Valiunas
Luxembourg
Castegnaro
Malta
Camilleri Preziosi
Nigeria
Bloomfield LP
Poland
Baran Książek Bigaj
Portugal
Cuatrecasas
Romania
STALFORT Legal. Tax. Audit.
Singapore
Braddell Brothers LLP
Spain
Cuatrecasas
Sweden
Lindahl
United Kingdom
Proskauer
United States
Proskauer