On December 5, 2008, the Austrian data protection authority (DPA) issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act (SOX), to be administered by the Austrian subsidiary of a US-based company. The DPA partly approved the data transfers from the Austrian entity to the US entity for the purpose of enabling it to prosecute “serious incidents” caused by the behaviour of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guaranteeing data subjects the ability to exercise their rights through the service provider managing the hotline. The DPA did not consider SOX to provide a legal basis for the transfer, but rather found that the legal basis was provided by the legitimate interests of the Austrian subsidiary, as conveyed by instructions of the employer, admissible in the context of an employment relationship, including a Code of Conduct. The conditions placed on the hotline are based on the recommendations issued by the Article 29 Working Party in its Working Paper 117. The full text of the decision (in German) is available here.