Roschier Insights Seminar, key takeaways: Whistleblowing and internal investigations II
Recently, our experts Johanna Lilja, Ami Paanajärvi, Laila Sivonen and Mari Mohsen, together with WhistleB’s Vera Nilsson, addressed the key issues relating to the Whistleblower Protection Directive at a seminar. They discussed the national implementation of the Directive in Finland, its scope of application, reporting channels in group companies and data protection. In this article, we provide a brief overview of the key issues discussed in the seminar.
In October 2019, the Whistleblower Protection Directive was adopted, aimed at enhancing the protection for whistleblowers. Since then, the legislative process has moved forward, and the working group responsible for preparing the national legislation issued a draft Government Bill. Based on the draft Government Bill, the working group received a vast amount of feedback.
The working group is still in the process of examining the feedback received and, even though the Directive is required to be implemented nationally by 17 December 2021, it is now clear that the national legislation implementing the Directive will not enter into force by that date.
There are still many open questions, but what we do know is that the working group will introduce changes (or at least clarifications) before it issues the actual Government Bill to be presented to the Finnish Parliament.
The national implementation of the Whistleblower Protection Directive – Where are we now?
The national legislation implementing the Directive will not enter into force by 17 December 2021 as required, partly due to the extensive feedback received on the draft Government Bill. Thus, amendments and clarifications to the draft Proposal are still expected.
The Finnish Ministry of Justice’s interpretation is that the Directive does not allow for a transitional period for companies with 250 or more employees, even if the national legislation does not enter into force before the implementation date. Thus, companies with 250 or more employees will have to comply with certain requirements in the Directive as of 17 December 2021. For companies employing between 50 and 249 employees, the transitional period is two years, i.e. until 17 December 2023.
Scope of the legislation
Both EU and national employment law will most likely be excluded from the scope of the legislation, which is relevant to take into consideration in the communication and practices relating to the implementation of the reporting channels. As reporting related to individual employment is excluded from the scope of the legislation (as far as we know at this point), companies must themselves consider how to organize a reporting channel for employment-related matters, e.g. notifications relating to harassment in the workplace.
One option is to set up two separate reporting channels, one for reporting on matters falling within the scope of the legislation and another for matters related to HR and employment. As an alternative, a company can also set up a single reporting channel for all matters.
Regardless of the way in which reporting channels are organized, it is clear that all matters reported must be properly investigated, including those not within the scope of the legislation. According to the draft Government Bill, the individuals to whom matters are reported will be responsible for ensuring that they are brought to the attention of the correct body within the company so that they can be investigated.
Required reporting channels in group companies
The European Commission’s starting point is that group companies with 50 or more employees should have a channel of their own and that, consequently, group companies cannot continue to have solely a centralized whistleblowing procedure.
Originally, the working group preparing the new Finnish legislation had the same approach as the Commission, i.e. each group company should have a channel of its own. However, based on the feedback received from a number of group companies, the working group changed its approach.
Now, the Finnish draft Government Bill specifically provides that group companies may establish group-level reporting channels and make such channels available within the group. According to the working group, details and the exact wording relating to this so-called group company question are still subject to change.
Data protection and the reporting channels
Taking a whistleblowing channel into use will require several data protection compliance measures, such as updating privacy policies and guidelines and entering into data processing agreements with service providers. Furthermore, a data protection impact assessment must be carried out before implementing the channel.
The processing principles in the EU Data Protection Regulation (GDPR) and the whole life cycle of personal data must be considered, as well as questions regarding, for example, who has access to the data, which systems are being used in the reporting, what kind of security measures are required, what the legal bases for processing the personal data are, and when to archive, pseudonymize, anonymize or delete the data. The processing of personal data should also undergo so-called co-operation proceedings (Fi. yt-menettely).
As to the lifecycle management of personal data, the Directive and the draft Government Proposal unfortunately do not contain any specific time limits for storing information collected through the reporting channels, which has been criticized by local companies. The Directive merely states that information may be retained for as long as “is proportionate and necessary.” It is therefore unclear for how long personal data contained in the reports and gathered during the investigation must or may be stored.
In the absence of any mandatory time limits for storing information, the general principles on retention periods in the General Data Protection Regulation (GDPR) apply, such as the principles of purpose limitation, data minimization, data accuracy and storage limitation.
One benchmark for an appropriate storage period is the limitation period in which claims relating to the issues relevant to the case must be brought by or against the organization. Similarly, the reversed burden of proof provision relating to the prohibition against retaliation may be a relevant factor in the assessment.
Some guidance on how long the documentation should be kept could also be sought from the five-year storage period under Chapter 12, Section 3 of the Securities Markets Act for MAR-related whistleblowing reports.
Checklist for setting up a reporting channel under the Directive
- Does the legislation apply to the organization and, if so, does the transition period apply?
- Whether or not to use the reporting channel for notifications other than those within the scope of the legislation.
- Whether to allow anonymous reporting or not – decision of the company/employer.
- Whether to allow external reporting or not – decision of the company/employer.
- If anonymity is allowed, how will communication with the anonymous reporters be arranged?
- Planning internal processes for implementing and maintaining reporting channels and creating principles for documentation.
- Ensuring that the organization is able to meet the deadlines laid down in the Directive.
- Designating the individual, department or service provider responsible for processing the notifications and follow-up measures, and providing training for them.
- Assessing whether the organization has sufficient and competent resources for possible further actions (including investigations) or whether external expertise is required.
- Choosing a potential service provider and contracts for implementing the reporting channel (including a personal data processing agreement).
- Remembering to carry out a Data Protection Impact Assessment (DPIA) and to update necessary Data Protection Documentation accordingly.
- Providing sufficient information and necessary training for personnel before implementing reporting channels.
- Conducting co-operation proceedings.
- Assessing whether considerations relating to group-level reporting are relevant and, if so, deciding whether a centralized channel is a viable solution or needs to be supplemented with local channels.