There are more developments in the direction of a pan-European whistleblower model for U.S. companies operating in the E.U. This is a welcome advance for American employers with facilities in the E.U. that also need to comply with E.U. country data protection laws while having a confidential complaint mechanism.
The goal for many U.S. entities is to have a consistent compliance program in the E.U., even if it is somewhat different or narrower in scope than in the U.S.
One step in this direction is the new German whistleblower guidelines, which allow U.S. companies to implement hotlines in Germany. The guidelines permit not only Sarbanes-Oxley hotline compliance by U.S. public companies, but also use of whistleblower mechanisms by privately held companies with branches in Germany.
Compared to the French CNIL whistleblower guidelines, the German ones are less onerous and detailed, and approval is not necessary by the German data protection authority to implement the program. The regional German data protection authorities’ working group, referred to as Düsseldorfer Kreis (or “Düsseldorf Circle”) met in late April 2007 and issued the guidelines, which are now translated into English. See “Finally: German Whistleblower Guidelines Released” under ARTICLES at http://www.eapdlaw.com/newsstand.
The new guidelines note that the German Data Protection Act does impose certain obligations on the company, which include:
- limitations on the subject matter of reporting (accounting, fraud, financial controls, corruption, insider trading and human rights breaches);
- confidential reporting, but allowance for anonymous reporting;
- notice to employees of the program;
- notice to the accused person of facts alleged, with permitted delays in notice if evidence needs to be preserved;
- rights of correction of inaccurate data by the accused person;
- permitted use of third parties as data processors for the program;
- limitations on unnecessary internal data transfer to third parties unless criminal proceedings occur;
- security processes and procedures to protect the data against unauthorized access;
- data storage limitations, including deletion/archiving (generally two months after close of investigation unless discipline, litigation or criminal proceedings occur).
These obligations are generally consistent with previous whistleblower guidance issued last year by the E.C. Art. 29 Working Party on Data Protection (W.P. 117). As in most E.U. countries, consultation with the works council, if the company has one, will be necessary under German labor law, including the works council's right of co-determination. In addition, company registration for routine employee data collection, which is a separate set of obligations, cannot be ignored in E.U. countries; in Germany it can be avoided if the company has appointed a privacy officer.
If a corporation operating in Germany has already developed whistleblower documents consistent with the French data protection law, similar processes in Germany can likewise be adopted. See “New E.U. Compliance Changes for Anonymous Whistleblower Hotlines and Codes of Conduct of Multi-National U.S. Companies” under CLIENT ADVISORIES at http://www.eapdlaw.com/newsstand.