Challenge of Addressing New EU Updates to Whistleblowing Laws
Two of Europe’s largest economies are embracing anonymous whistleblowing for the first time – forcing organisations operating in those countries to review and evaluate their internal reporting and investigations practices. In early 2018, data protection authorities in Germany issued guidance on whistleblowing hotlines, which broke with the country’s previous stance that whistleblowers should be strongly encouraged to disclose their identities. Under the new guidance, if a whistleblower does wish to disclose their identity, the individual must be informed that it will be kept confidential during the investigation – but that the accused person will be informed of their identity, at the latest, within a month after notification. The only exception comes if notifying the accused could put the investigation at significant risk.
Spain is also opening up to anonymous whistleblowing via the new Spanish Data Protection Act (Spanish DPA), including changes to whistleblowing legislation permitting anonymity among whistleblowers for the first time. While there are a handful of obligations laid out in the Spanish DPA around whistleblower report management, it notably sets out a maximum retention period for personal data collected in reporting systems. This retention period is three months unless the purpose for preservation is to leave evidence for a legal entity. Thus, any organisation operating in Spain that wants to stay in compliance with changes to whistleblowing law must be able to scrub personal data from its reporting system after three months.