Anonymous Whistleblowing.
Who needs an anonymous whistleblowing scheme?

- Reporting persons working in the private or public sector
- Persons who have acquired information about infringements in a work-related context.
- Workers
- Self-employed persons
- Shareholders and persons of the administrative, management, or supervisory organ of an undertaking.
- Non-executive members, volunteers, and trainees (paid and unpaid)
- Any person working under the supervision and direction of contractors, subcontractors, and suppliers.
- Persons whose working conditions have ceased or have not yet begun.
- Others, e.g. intermediaries.
Why you must have a whistleblowing scheme for your business.
Violations scheme
Actions or exceptions:
1. That are illegal and concern EU acts and the areas regulated by EU law.
2. Actions or exceptions that make it possible to circumvent the purpose of point 2.
Information about infringements
Any information, including reasonable suspicion, of actual or potential infringements which have occurred or are likely to take place in the place of work or previous place of work of the reporting person, or in another organisation with which the reporting person was in contact through his or her work, as well as on attempts to conceal such infringements.
Follow-up
Follow-up means any action taken by the recipient of an alert or any competent authority to assess the accuracy of the allegations made in the alert and, where appropriate, to counter the reported violation, including through actions such as internal investigation, an investigation, prosecution (..)
Whistleblower Directive
Central commitment: Legal entities in the private sector with or more employees shall establish an internal reporting channel in accordance with Article 8(3).
And all public sector legal entities within the same time as Article 8(9). NB: exemption can be chosen for municipalities with fewer than 10,000 inhabitants or fewer than 50 workers. Denmark can still introduce stricter national rules when implementing it.
For example, the obligation to have a WB scheme with fewer than 50 employees under Article 8(7).
Basic distinction
- Internal reporting channels (within the private and public sector legal entity)
- External reporting channels (competent authorities)
General principle: Encouraging the internal reporting channel, in the alternative via the external reporting channel.

Internal reporting
Information on infringements may be reported through internal reporting channels and procedures in accordance with Article 7.
Obligation to establish:
Legal entities in the private sector with or more employees and, as a general rule, all public legal authorities shall establish a WB scheme in accordance with Article 8(3) and (9).
No formal requirements for the notification – there is freedom of choice between:
- Written reporting channels: post, physical complaint boxes or online platform (either intranet or Internet platform)
Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party.
Joint reporting: Legal entities with 50-249 employees and municipalities can share resources.
Reprisals
Any direct or indirect act or omission that takes place in a work-related context, is the result of internal or external reporting or publication, and causes or may cause unwarranted harm to the reporting person. See Article 5(9) of the WB Directive.
Reporting step by step
- The reporter shall make an alert.
- The alert is screened: within or outside the scope of the scheme; investigation into the whistleblower’s association with the company/authority.
- Examination/processing of the report
- Further examination of the substance of the alert.
- Information to the reporter and the reported company/authority – possibly postponement.
- Handling the reported person’s right of access to information about the person concerned.
- The investigation is closed: notification to police or other authorities
- Possible employment law sanctioning
- Any retention of information in the reported personnel file.
- Deleting data
Internal or external model
Internal:
A director, compliance officer or general counsel processes employee reviews.
The Management Board shall examine notifications of the Director.
External (lawyer/legal adviser) deals with reviews on the Board of Directors.
External:
External company administration. Requirement for written data processor agreement.
For example, external legal adviser processes all notifications. Possible with delegation option for internal dedicated employee.
Benefits of external model
Internal model is resource-intensive, especially in connection with establishment due to security requirements. Experience shows that there is greater confidence from the reporter in relation to the respect for anonymity.
Whistleblower policy
Companies with a WB scheme must have an internal procedure for follow-up on reports = an internal WB policy.
Internal provisions on security measures:
- Provisions on organisational conditions and physical security
- Safety organisation
- Management of access control systems
- Authorisation schemes
- Authorization check
- Internal instructions defining responsibility for and describing the processing and destruction of input and output material.
- Guidelines for monitoring compliance with the safety measures laid down.
The Danish Data Protection Agency says:
“Internal regulations must be reviewed at least once a year”
Internal procedure requirements
Confidentiality:
Channels for receiving alerts shall be operated in such a way that the confidentiality of the identity of the reported person and any third party mentioned in the alert is protected.
Confirmation:
A confirmation of receipt of the alert must be sent within seven days.
Impartial investigator:
An impartial person or department competent to follow up the reports shall be appointed. Careful follow-up.
Anonymity:
Careful follow-up with regard to anonymous reports (if provided for in national law)
Feedback:
A reasonable time limit to provide feedback that does not exceed 3 months from the acknowledgement of receipt.
Information:
Clear and easily accessible information on the procedures for reporting externally to competent national and EU institutions. See Article 9 of the WB Directive.
Processing of personal data.
Any processing of personal data under the WB Directive shall be carried out in accordance with Article 17 of the Data Protection Regulation.
Information which is manifestly not relevant to the processing of a specific alert shall not be collected and shall be deleted immediately if it has been collected.
The company/authority responsible for the WB scheme must comply with the requirement for good data processing practice.
Accountability
Undertakings and authorities should have a procedure for observing the obligation to provide information.
Obligation to provide information to the reporter: The obligation to provide information laid down in Article 13 of the Data Protection Regulation shall be observed.
Obligation to provide information to the reported person: Since information is not collected directly from the data subject, the obligation to provide information referred to in Article 14 shall apply. 3 exceptions:
- Crucial private/public interests are opposed, including criminal investigations, pursuant to Article 22 of the Data Protection Act
- Where disclosure of the information is likely to make it impossible or would seriously impede the achievement of the objectives of the processing, cf. GDPR Article 14(5)(b) (e.g. if the reported is investigated for offences)
- Where personal data are to remain confidential as a result of professional secrecy within the meaning of Article 16 of the WB Directive, see GDPR Article 14(5)(d).
Any derogation (postponement) of the obligation to provide information may only be made after a specific assessment.
REQUIREMENTS for IT Security and Compliance
- ISO/IEC 27001 certified by Intertek Group plc. Our solution can be audited by the client at any time according to ISO27001.
- ISAE 3000 Type 1 Statement of Assurance in relation to GDPR (PWC), will be a Type 2 in May 2021 (see Article 17)
- Compliant with the Web Accessibility Act and the WCAG 2.1 standard.
- Complies with the requirements of the WB Directive, in particular the obligation to register in accordance with Article 18 – audit log and retention of interviews
- Complies with country-specific legislation
Signup - easy compliance today
In our basic solution you receive:
1. Link for whistleblowing to add to your site.
2. Legal support.
3. Procurement support
Ongoing updates and needs to comply are all included in your membership.