German authorities have issued new whistleblower guidelines, which allow U.S. companies to implement hotlines in Germany. The guidelines permit not only Sarbanes-Oxley hotline compliance by U.S. public companies, but also use of whistleblower mechanisms by privately held companies with branches in Germany.
This development is one more step in the direction of a Pan-European whistleblower model for companies operating in the E.U.
Compared to the French CNIL whistleblower guidelines, the German ones are less onerous and detailed, and approval by the German data protection authority is not necessary to implement the program. The regional German data protection authorities’ working group, referred to as Düsseldorfer Kreis (or “Düsseldorf Circle”), met in late April 2007 and issued the guidelines, which are now translated into English. See “Finally: German Whistleblower Guidelines Released” under ARTICLES at http://www.eapdlaw.com/newsstand.
The new guidelines note that the German Data Protection Act does impose certain obligations on the company, which include:
- limitations on the subject matter of reporting (accounting, fraud, financial controls, corruption, insider trading and human rights breaches);
- confidential reporting, but allowance for anonymous reporting;
- notice to employees of the program;
- notice to the accused person of facts alleged, with delays in same if evidence needs to be preserved;
- rights of correction of inaccurate data by the accused person;
- permitted use of third parties as data processors for the program;
- limitations on unnecessary data transfer, whether internal or to third parties, except in the case of criminal proceedings;
- security processes and procedures to protect against unauthorized access to the data;
- data storage limitations, including deletion/archiving (generally two months after close of investigation, except in cases of discipline, litigation or criminal proceedings).
These obligations are generally consistent with previous whistleblower guidance issued by the E.C. Art. 29 Working Party on Data Protection (W.P. 117) last year. As in most E.U. countries, consultation with the works council, if the company has one, will be necessary because of German labor law, including the right of co-determination. If a corporation operating in Germany has already developed whistleblower documents consistent with the French data protection law, similar processes in German can likewise be adopted. See “New E.U. Compliance Changes for Anonymous Whistleblower Hotlines and Codes of Conduct of Multi-National U.S. Companies” under CLIENT ADVISORIES at http://www.eapdlaw.com/newsstand.