Whistleblowing

Contributing Editors

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 24 countries, and the steps businesses must take to ensure compliance with them.


09. What precautions should be taken when setting up a whistleblowing procedure?


Germany

  • at Oppenhoff

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

According to the German Whistleblower Protection Act, the internal whistleblowing reporting office is not obliged by law to accept or process anonymous reports; however, they “shall” be processed. Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

Last updated on 28/09/2023


Malta

  • at Camilleri Preziosi

When drafting a whistleblowing policy, employers should ensure that the whistleblowing procedure guarantees the impartial and confidential treatment of reports. It must also ensure that the whistleblowing procedure is operated securely and prevents access to reports by non-authorised staff members.

The obligation to adhere to the principle of data protection by design and default means that the whistleblowing procedure itself must be designed to be GDPR-compliant from the start. The employer would need to have a privacy notice that covers any processing of personal data carried out in connection with the whistleblowing procedure. Any processing of personal data carried out in the context of the obligation to establish a whistleblowing procedure under the Act must be documented to demonstrate compliance with the GDPR – the accountability principle.

Last updated on 16/11/2022