The millions of dollars awarded to former UBS employee Bradley Birkenfeld, the $30 million reward given in 2014 to an anonymous whistleblower, the media coverage about Edward Snowden: these and similar cases created headlines in Germany as elsewhere. While whistleblowing has long been an accepted practice in Anglo-Saxon countries, whistleblowing programmes have only recently become more prevalent in Germany.

Companies introduce whistleblowing programmes for a number of reasons: sometimes in response to demands by the Group parent company based in another jurisdiction and as a result of that jurisdiction’s requirements, sometimes for (unwritten) compliance reasons, and sometimes in order to meet specific statutory provisions, such as those applicable to banks.

Recommended course of action

By having such programmes, employers provide their employees with a recommended course of action and a person to contact, so that any wrongdoing or abuse can be notified to internal or external bodies and eliminated. As there is no comprehensive statutory framework for whistleblowing or its requirements and consequences, a whistleblowing programme has the advantage of creating clarity and therefore legal certainty for both employees and employers.

Employment law implications

From the standpoint of employment law, it is important, when introducing a whistleblowing programme, to stipulate that the employee first notify an internal body (or one established by the employer) of any grievance or wrongdoing. Work can then be undertaken to eliminate the abuse or wrongdoing while, at the same time, the employee will not be in breach of their duty of confidentiality and good faith toward their employer. In order to protect both whistleblower and suspect, the conditions around a report of wrongdoing should be made very clear, the reporting procedure should be defined, and the consequences of abuse of that procedure or of presenting a deliberately false report, or a false report amounting to gross negligence, should be clearly stated.

If the company has a Works Council, it will have a codetermination right where reporting obligations are concerned and in the capture and evaluation of data using IT-based systems. A whistleblowing programme will normally be introduced in the form of a company agreement.

Data protection law implications

There are also legal implications around data protection which must be taken into account. In a whistleblowing case, there is disclosure of data relating to the alleged offender and to the whistleblower. This requires justification – primarily through specific consents or a company agreement. Data processing would also be justified if, on weighing the conflicting interests of the company and the individual concerned, the company’s interests prevail. Additional requirements come into play if data are to be passed to or processed by third parties, such as a foreign parent company or an external service provider.

Data protection legislation requires that competing interests be considered. This raises the question of which set of interests should prevail – the company’s or the individual’s whose data are used. The nature of the infringement is pivotal in deciding this: where criminal offences have occurred or there have been breaches of human rights or serious matters involving the protection of the environment, then data protection for any individual is secondary to the requirement to investigate the matter. On the other hand, where infringements are deemed ‘nonmaterial’, as with, for example, infringements of internal ethical guidelines, then the interests of the individual will prevail.

A company agreement is also sensible for borderline cases, even if there is no mandatory right of co-determination. However, no company agreement will justify the use of data which obviously conflicts with the principles of data protection law. But a company agreement often provides useful grounds for the legitimacy of data processing. This applies in particular if the data protection law principles of necessity, transparency and eligibility for data storage are observed.