From January 2014, new whistleblowing law will be introduced for employers and/or their parent companies in Hungary.
The new law, which replaces 2009 legislation, will particularly affect the processing of personal data under such procedures and the employers’ disclosure obligations. It also incorporates the practice of NAIH (the Authority for Data Protection and Freedom of Information) on whistleblowing hotlines.
The key changes are:
- The whistleblowing system must be based on the employer’s publicly available code of ethics.
- The employer must publish on its website (in Hungarian) a detailed description of its procedural rules for whistleblowing.
- Employers must register their whistleblowing procedure with NAIH.
- The law allows the transfer of personal data to the competent authorities, courts and any entity involved in the investigation.
- Personal data can be transferred outside the EEA only if a written data transfer agreement is concluded and the personal data has an ‘adequate level of protection’ (as required by EU law).
- No sensitive data may be processed as part of the whistleblowing procedure.
- Before reporting, whistleblowers must declare that they make their report in good faith.
- Before reporting, whistleblowers must be informed of (i) the consequences of reporting in bad faith, (ii) the procedural rules of the investigation, (iii) that their identity will remain confidential, and (iv) the investigation of anonymous reports may be refused.
- Employers can refuse to investigate reports of events which became known to the whistleblower more than 6 months earlier or where the damage in the public interest or justified private interest is not proportionate to the potential restriction of the rights of the persons affected.
- The subjects of the report must be notified of the report (except for information relating to the whistleblower that is treated as confidential), and their data privacy rights and remedies once the investigation commences. The notification may, in exceptional cases, be delayed if the investigation would be jeopardised by the subject being notified promptly.
- The subject of the report must have the right to provide statements and evidence (also through a lawyer).
- Reports must be investigated within 30 days (which can be extended to a maximum of 3 months in exceptional circumstances where the report is not made anonymously and the whistleblower is notified at the same time).
- The whistleblower shall be notified of the conclusion and consequences of the investigation.
- The employer must notify the relevant criminal authorities if its investigation concludes that criminal proceedings are necessary.
- The employer must destroy all data relating to the investigation within 60 days if it concludes that the report is baseless, or that no action is necessary. Otherwise, it may process data by closing the investigation (in a binding and enforceable manner).
- The operation of the whistleblowing system can be outsourced to external legal advisors, subject to preconditions set out in the law.
Companies operating whistleblowing procedures must ensure that they comply with the new law by 1 January 2014. If they violate data privacy rules, NAIH can fine them between HUF 100,000 (c. €370) and HUF 10,000,000 (c. €37,037).
Laws: Act CLXV of 2013 on Complaints and Public Interest Disclosure; Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information; repeal of Act CLXIII of 2009 on Fair Proceedings