Specific Data Security Requirements
The use of appropriate security measures to protect personal data from unauthorised use or loss is a key requirement of EU data protection law. This general obligation has been developed into a set of detailed security requirements in a number of EU countries, including Italy and Poland. In many cases, both the corporation rolling out the hotline to its employees and any external service provider must comply with these detailed security measures, and it will be the employer’s responsibility to ensure that the service provider complies.
Hotlines are often run by external providers. Another key requirement of EU law is for the company engaging the service provider to ensure that it enters into a written agreement which both restricts the service provider’s use of the personal data it may receive in operating the hotline and imposes an obligation on it to use appropriate measures to keep the data secure. The company will be liable under EU data privacy law for any breaches committed by the service provider in relation to personal data reported to the hotline.
Most large hotline service providers are well aware of this obligation and should not object to signing the required written agreement. If they do, find another provider! However, this agreement should ideally be signed before or at the same time as the main service agreement is executed, as afterwards the leverage to procure signature is obviously reduced. The more sophisticated service providers may include a clause dealing with these obligations in the service agreement itself.
Works Councils are common in many EU countries and steps must be taken in some cases to notify them of the proposed implementation of a hotline, and in others, to obtain their consent. Depending on the strength of the relationship which your company has with its Works Councils in a particular territory, this can add significant delays to implementation. There can be several Works Councils in one territory, each usually needing to be dealt with individually.
General Data Compliance
As the introduction of a hotline often triggers the requirement to notify or register with the local Data Privacy Authority, there is a risk that this communication may alert the Authority to the issue of the organisation’s basic data protection compliance on a broader basis. This may flag up more fundamental compliance steps that may have been overlooked by the employer and the resolution of which may become a pre-condition of any consent for proceeding with the hotline programme, and/or which may result in unwelcome attention from the Authority.