In the following guest post, Frank Hülsberg, partner and member of the board of directors of Grant Thornton Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany, take a look at key whistleblower considerations relating to GDPR compliance. I would like to thank Frank and Burkhard for allowing me to publish their article. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
Employee data protection in whistleblowing procedures inevitably leads to a conflict of interest between whistleblower protection and the right of the accused to information. Data protection in the context of internal whistleblower systems is like a combat zone. On the one hand, the protection of the whistleblower and the employer’s interest in secrecy, on the other hand, the accused employee’s interest in information. In this context, a weighing of interests must always be carried out based on the concrete circumstances of the individual case. The article provides practical advice for data protection officers and persons responsible for GDPR compliance.
Whistleblowing is an indispensable element of a functioning compliance management system. According to the EU Whistleblower Directive adopted on October 7, 2019, all companies with more than 50 employees as well as financial service providers and municipalities with more than 10,000 inhabitants will in future be obliged to set up whistleblower systems.
According to the EU Directive, whistleblower reporting channels must be designed, set up and operated in such a secure manner that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorized employees are prevented from accessing them. The Directive leaves it up to Member States to decide whether companies are obliged to receive and follow up anonymous reports. Even without a legal obligation to set up anonymous reporting channels, these will continue to be used in practice in the future. Whistleblowers who cannot rely on their anonymity being maintained will very rarely report legal infringements (“wall of silence”).
The whistleblower’s understandable need for protection is counterbalanced by an equally understandable interest of the accused, who naturally wants to know the accusations in detail for his defence and always has at least as great an interest in the question “from which corner this comes”. This area of tension has been investigated by the data protection authorities of the German Federal Government and the States and has been provided with guidance on some questions; almost at the same time, the Regional Labour Court of Baden-Württemberg handed down a highly regarded judgment on the right of an accused employee to information.
In the following, the main findings from the meeting of the data protection authorities and the ruling will be examined and recommendations for practice will be derived from them.
Guidance from data protection authorities
On November 14, 2018, the Conference of the Independent Data Protection Authorities of the Federal and State Governments published an orientation guide on whistleblowing hotlines. The notification of breaches of obligations of conduct goes hand in hand with the processing of personal data. The groups of persons affected are primarily the whistleblowers and the persons accused. Whistleblowing systems are procedures in which, in accordance with Art. 38 (1) GDPR, the data protection officers must be properly and promptly involved in all matters relating to the protection of personal data.
Insofar as a person wishes to make a whistleblowing report, he or she should be informed in advance, when first contacting the system, that his or her identity will be treated confidentially, but also that the accused person must in principle be informed of the identity of the whistleblower no later than one month after the report (Art. 14 (3) lit. a GDPR). If the whistleblower wishes to disclose his or her identity in spite of this information, the consent of this person is possible. Therefore, before giving consent, the person concerned must be informed of his or her right under Art. 7 (2) GDPR to revoke consent, but this is only effectively possible up to one month after notification.
According to Art. 14 GDPR, the accused person must be informed of the storage, nature of the data, the purpose, processing and identity of the controller and, if applicable, the whistleblower. If the risk were significant that such information would jeopardise the company’s ability to effectively investigate the allegation or collect the necessary evidence, the information to be provided to the accused person may be postponed for as long as this risk exists. The basis for this is Art. 14 (5) lit. b GDPR, according to which the information need not be provided if the achievement of the objectives of the processing would at least be seriously impaired. Permanent secrecy should be ruled out in view of a possible impairment of the personal rights of the accused person and his or her rights of defence. As a measure to protect the legitimate interests of the accused person, the information must then be provided as soon as the reason for postponement no longer applies.
According to Art. 15 GDPR, the accused person has the right to be informed of the data stored about him or her, including insofar as these relate to the origin and recipient. However, there is no obligation to provide information under Section 29 (1) sentence 2 Federal Data Protection Act (BDSG) if the information would disclose information which must be kept secret because of the overriding legitimate interests of a third party.
Recitals 84 and 85 of the EU Whistleblower Directive also deal with this issue. According to these recitals, the Member States shall ensure the effectiveness of the Directive and, to this end, are also to be able to restrict the data protection rights of the persons concerned in accordance with Article 23 GDPR by means of legislative measures. This is intended to prevent attempts to establish the identity of whistleblowers or to obstruct reports.
If the information provided by a whistleblower gives rise to conclusive suspicions of violations of the law, the management must initiate internal investigations. The investigations are usually conducted by independent investigators. These are best placed to assess whether the information provided to the accused person or a claim for information would jeopardise the investigation. Persons responsible should obtain the investigator’s opinion for the weighing of interests. According to the guidance of the data protection authorities, data should in principle be deleted within two months of the conclusion of the investigation. Storage beyond this period is only permissible for the duration of clarification of necessary further legal steps such as disciplinary proceedings or the initiation of criminal proceedings. With regard to guidance, it should be critically noted that investigations can also be reopened, for example, by new evidence.
Balancing of interests under data protection law
The concrete interest of the accused employee in the provision of information must be determined in each individual case and weighed against the employer’s operational interest in refusing to provide information or the legitimate interests of third parties. In its judgment of 20 December 2018, the Higher Labor Court of Baden-Württemberg (Landesarbeitsgericht Baden-Württemberg) made the following considerations for the weighing of interests under data protection law:
It can be a legitimate interest in the confidentiality of a source of information if the employer guarantees anonymity to whistleblowers for the purpose of clarifying internal misconduct. If the company has assured whistleblowers of anonymity, information that allows conclusions to be drawn about the whistleblower’s identity may not be included in the file or must be blacked out. If such information does become part of the file or the case, it must be disclosed to the person concerned.
However, the employer cannot make a general reference to the need for protection of whistleblowers. If the right to information is denied with reference to the interests of third parties worthy of protection, the employer is responsible for the relevant circumstances. It is sufficient and necessary to state to which precise information the overriding legitimate interest in secrecy should relate.
In the specific case of the Regional Labor Court, this was a completed process of an internal investigation. A threat to the success of the investigation could be excluded.
As a result, the State Labour Court of Baden-Württemberg ordered the employer to provide the accused employee “with a copy of his personal performance and conduct data which are the subject of the processing carried out by it”. The appeal is pending before the Federal Labour Court.
In this regard, it is critically noted in the literature that the wording of Article 15 (3) sentence 1 GDPR can be understood to mean that a copy of every e-mail that the person concerned has ever written or received must be returned to him. Every document, every note and every annotation in which the person concerned is mentioned by name can be subsumed under the wording of Article 15 (3) sentence 1 GDPR.
Data protection authorities also oppose an excessively broad interpretation of Article 15 (3) sentence 1 GDPR. The Bavarian State Office for Data Protection (BayLDA) writes in its Activity Report 2017/2018: “The right of access to stored personal data does not establish a general right to copies of documents or files”. In this respect, the BayLDA refers to the wording of Art. 15 GDPR and to the relevant case law of the European Court of Justice. Other German data protection authorities hold similar views.
Ensuring anonymity through digital platforms and ombudsman
Practical solutions for employee data protection in whistleblowing cases can only be derived from the modality of the reports. A distinction must be made between open, confidential and anonymous whistleblowing. In the case of open whistleblowing, the whistleblower reveals his or her own identity from the outset. In the case of confidential whistleblowing, the addressee of the report should not share this with third parties. In anonymous whistleblowing, the whistleblower keeps his or her own identity secret from all parties involved.
In the case of anonymous reports by telephone or by post, feedback with the whistleblower is not possible. Internet-based whistleblower systems, on the other hand, allow the whistleblower to be involved in the further course of the investigation without having to reveal his identity. Whistleblowers and case handlers access the server from their respective locations. Only the content of the reports is stored, but not the IP address or other metadata. A technical tracing of the tip based on the stored data is therefore impossible. The data transfer between user and server is encrypted, but beyond that it is not subject to the technology provider’s sphere of influence, which is why the user should take special care to make his requests from a secure terminal. Anonymous communication between whistleblowers and case handlers takes place via a protected mailbox. To set up the mailbox, the whistleblower only needs to select a pseudonym and a password. The whistleblower himself must ensure that he does not disclose any information that might allow conclusions to be drawn about his person.
In organisational terms, the whistleblowing channel can also be directed to external lawyers as ombudsman. As attorneys of confidence appointed by the company, they accept these reports and check plausibility and validity. The guarantee of anonymity by lawyers of confidence was called into question by a decision of the Bochum Regional Court on 16 March 2016. The court allowed the public prosecutor’s office to confiscate the information from the ombudsperson for the purpose of investigating the identity of a whistleblower. There is no mandate or quasi-mandate relationship between the whistleblower as witness and the ombudsperson. According to the prevailing opinion, the prohibition of seizure only protects the relationship of trust between the person entitled to refuse to testify and the accused in the specific criminal proceedings. The Federal Constitutional Court confirmed this view in the “Jones Day” decision of 27 June 2018.
In summary, some practical advice for those responsible: It is advisable to link the ombudsperson’s institute with an internet-based anonymous whistleblower system. The ombudsperson himself does not obtain knowledge of the identity of the whistleblower, but can, if necessary, clarify unjustified accusations in advance and be a confidant for the whistleblower in case of justified accusations worth pursuing. If the allegations are pursued, it should be noted that the persons responsible will make the weighing of interests under data protection law after obtaining a statement from the investigator and a recommendation from the data protection officer and that the decision based on the weighing of interests will be documented in writing.