The Belgian Privacy Commission (the “Commission”) has issued a recommendation on internal whistleblowing schemes (the “Recommendation”). The Recommendation provides guidance to organisations on how to implement and operate whistleblowing schemes in accordance with data protection law.
Following queries from various organisations and a first complaint, the Commission examined the compatibility of whistleblowing schemes with the Data Protection Act of 8 December 1992. The Commission’s view was that whistleblowing schemes are compatible with data protection law if (a) there is an obligation under Belgian law to provide such a scheme or (b) it is in the organisation’s legitimate interests to have a whistleblowing scheme (provided that the fundamental rights of an individual are not breached). An obligation to comply with foreign law, such as Sarbanes-Oxley, is not sufficient to justify the implementation of a whistleblowing scheme. However, the Commission recognises that, when an organisation’s legitimate interests in setting up a scheme are assessed, the risks connected with non-compliance with a foreign law obligation could be taken into account.
In its Recommendation the Commission also sets out the data protection principles that have to be complied with in order for the scheme to be legitimate. The main principles are:
- fair and legal processing (e.g. no anonymous reporting, no obligation to report, designation of a person dedicated to handling the reports confidentially);
- proportionality of the procedure (e.g. limiting the scope of the scheme in terms of purposes of the scheme; types of reports that can be made; facts that can be reported; and categories of persons concerned);
- accuracy of the processed data;
- transparency (e.g. the obligation to provide adequate information about the scheme to the personnel at collective and individual level);
- security of the process (e.g. separate databases; no transfer of whistleblowing data to non-EU holding companies unless strictly required);
- data subject rights (right of information; access and rectification for all individuals concerned, including the incriminated person);
- prior notification of the whistleblowing scheme to the Privacy Commission.
The Commission’s view is that whistleblowing schemes should be an additional mechanism to report misconduct internally through a specific channel. The scheme should only supplement an organisation’s regular information and reporting channels where these would appear to be insufficient to detect and handle irregularities within the organisation.
The principles set out above must be adopted as a minimum standard in order to be compliant with Belgian data protection law. Non-compliance with this law may lead to criminal sanctions and liabilities in addition to the risk of complaints to the Privacy Commission.