According to the Dutch Data Protection Authority, foreign law obligations (such as obligations under US Sarbanes-Oxley legislation) do not constitute a sufficient legal basis for processing and transferring personal data as part of international whistle-blowing schemes used by multinational companies. However, such processing can be allowed if all relevant interests, particularly the interest of the company, the seriousness of the wrongs and the implications for the individuals involved, are balanced in a proper and careful manner. If the data is transferred to a country that does not provide for an adequate level of protection, a data export permit is required.
Although the Authority has not yet issued official guidelines on whistle-blowing schemes, it has published a decision on the processing and transfer of personal data by a multinational company for the purposes of such a scheme. In this decision, dated 16 January 2006, the Authority sets out a number of conditions that must be met before a data export permit for the transfer of the data will be granted.
In September 2004 a multinational company, whose identity is not disclosed, applied for a data export permit. In its application the company stated that US Sarbanes-Oxley legislation requires that its employees have the opportunity to inform the company's "Audit Committee", on a confidential and anonymous basis, about irregularities or corruption within the company. In this respect the company emphasised that employees must first try to raise the problem within their own business unit before resorting to the whistle-blowing scheme. The company also indicated that the Works Council had consented to the implementation of the scheme.
In order to comply with these requirements, the whistle-blowing scheme implemented by the company allowed employees to make anonymous notifications both through a dedicated toll-free telephone number and by e-mail. Through these channels employees could report wrongs within the organisation, such as discrimination, intimidation, fraud, problems with internal screening, violations of the ethical guidelines and code of conduct, theft, and irregularities in the accounts or in the audit of the financial administration.
The notifications made through these channels were collected and processed by a third party, a processor called InTouch. Both the Audit Committee and InTouch were located in the United States, so the personal data was transferred to a third country that does not provide an adequate level of protection. Under the Dutch Data Protection Act, such a transfer requires a data export permit. To decide whether the permit should be granted, the Authority first had to assess whether the processing of personal data within the scope of the whistle-blowing scheme was lawful at all.
According to the Authority, and contrary to what the company had asserted, the mere fact that the standard contractual clauses approved by the European Commission had been used was not decisive in this respect. Further, the Authority is of the opinion that the legal basis for the processing cannot be the statutory obligation under SOX, which is foreign law, but only the legitimate interest of the company, balanced against the rights and interests of the individuals concerned.
In this respect, the Authority formulates a number of conditions or guidelines:
- A whistle-blowing scheme like the one used by the company is only justified if it concerns substantial wrongs within the company. This presupposes a certain degree of seriousness of the reported facts or situations. The employee who reports a wrong must have reasonable grounds to suspect that such a wrong exists or is imminent.
- Although SOX demands whistle-blowing schemes, there has to be a processing ground within the meaning of the Dutch Data Protection Act. This can be the legitimate interests of the controller or the US-based parent company. However, normally any notification about misconduct should be done through the usual channels (i.e. local management, Works Councils etc.).
- As a general rule, the identity of the person who reports misbehaviour has to be known; anonymous notifications should not be encouraged. The Authority acknowledges, however, that this person's data must be treated confidentially and that identifying data must not be disclosed to the individual named in the notification, not even when that individual exercises his or her right of access.
- The individuals mentioned in the notification have to be informed at the time the notification is included in the system - only in exceptional instances can this obligation be temporarily suspended, e.g. if it is necessary to secure evidence or for other interests of the controller. However, this exception to the obligation to inform must be interpreted in a restrictive way.
- The notifications made through the whistle-blowing scheme must be dealt with by a specifically appointed part of the organisation. The Authority recommends that an external third party handle the notifications first, determining their relevance by examining the data against the scope of the whistle-blowing scheme and the other requirements for lawful processing.
- Access to the notifications and the accompanying data must be restricted. The employees who do have access must be bound by an obligation of secrecy.
- The processing of data within the scope of an unfounded notification must be ceased immediately and the data must be removed. Data relating to an inquiry may not be stored longer than two months after the end of the inquiry, unless disciplinary measures are taken against the notifier (false notification) or the person about whom a notification was made (well-founded notification).
- The transfer of data to a third country, such as the US, in the context of a whistle-blowing scheme is only allowed if it concerns personal data regarding wrongs which cannot be dealt with on a local (i.e. the Netherlands or EU) level. Generally, this implies that the data has to be about serious misbehaviour by (higher) management.
- The Works Council has to approve the policy regarding the whistle-blowing schemes, if and to the extent that these involve the processing of employees' data.
In addition, the Authority makes a few remarks about the obligations, pursuant to the Dutch Data Protection Act, to inform individuals about the processing and transfer of their data. The company has to communicate clearly and transparently to its employees how the whistle-blowing scheme works. It must be made clear who the controller of the processing is and what the purposes of the processing are. It must also be communicated that abuse of the scheme may lead to disciplinary measures. Naturally, this does not apply to notifications made in good faith by a whistle-blower with honest and sincere intentions that eventually turn out to be unfounded.