Exploring Legal Obligations, Confidentiality, and Impact Assessment.
Data protection in the context of the Hinweisgeberschutzgesetz (HinSchG), the German implementation of the EU Whistleblower Directive.
When highly sensitive data is being collected, it’s crucial to determine who can access it. Data subjects have a right to access, but does this mean I have to disclose everything to them? This raises several follow-up questions.
1: Legal Foundations for Data Processing
The legal basis for data processing is the HinSchG, specifically § 10, in conjunction with Art. 6 para. 1 lit. c GDPR – “processing is necessary for compliance with a legal obligation to which the controller is subject”.
At this point, things are relatively simple: anything that is neither permitted nor required by the HinSchG has no basis in data protection law, so it is off the table. Logical: stick to the law.
2: Implementing Protective Measures
Appropriate protective measures must be implemented, as extended by § 22 para. 2 BDSG in Germany. This should be undertaken regardless. Certain data ought to be pseudonymized, among other steps. While these measures are familiar to data protection officers, it is essential to emphasize their importance in this context once more. It is also important to ensure that the hotline staff, as well as the investigators (who may vary depending on the report), are sensitized and trained accordingly. This is also mandated by German legislation. Training constitutes a key element in this regard.
3: Safeguarding Data Subject Interests
The data concerning allegations, especially those of misconduct or criminal offenses, are typically highly sensitive. Consequently, safeguarding the personal data of the data subjects is imperative. This is because the notification of a breach “entails an initial risk of stigmatization and victimization of the person concerned within the organization to which he or she belongs, even before the person concerned becomes aware that he or she has been accused and that the alleged facts have been verified”.
Art. 5 para. 1 GDPR is squarely relevant at this point. A data protection impact assessment must be conducted, necessitating the implementation of specific and appropriate measures to safeguard the interests of the data subjects. Naturally, the documentation requirements (Art. 6 (2) Accountability) also come into play, including the maintenance of records of processing activities. The GDPR is fully applicable, encompassing the information obligations as well. It is noteworthy that individuals reporting breaches in good faith are protected, which relieves the controller of the information obligations that would otherwise attach.
4: Handling Whistleblower Information
If the identity of a whistleblower, or other circumstances that allow conclusions to be drawn about his or her identity, are disclosed, the HinSchG regulates the information obligations of the hotline towards the whistleblower. In this respect, the hotline must inform the whistleblower in advance of the transfer (§ 9 HinSchG). The information must be provided in the individual case prior to the disclosure. Information on the identity of persons who are the subject of a report, and of other persons named in the report, may be passed on to the competent authority under certain strict conditions. However, the hotline may also be obliged to disclose information.
5: Right of Access and Confidentiality
In the case of the right of access, the situation differs. Suppose the “accused person” (who has been implicated, potentially to their disadvantage, and who seeks correction, for instance) approaches the hotline and requests information about the complainant. As the accused individual, I am required to demonstrate that the whistleblower has made false accusations against me in bad faith. This poses a challenge because I am unaware of the identity of the accuser. Thus, proving the conditions will be difficult. While there exists a right of access, the accused must substantiate the circumstances. The whistleblower’s right to confidentiality remains in force. The controller, i.e., the company, bears responsibility for data protection. While the controller possesses a right of access, the hotline also carries the obligation of maintaining confidentiality.
8: Imposing Fines and Legal Framework
The law does not specify who imposes fines. In Germany, the general provisions of the Administrative Offenses Act (OWiG) are likely to apply. We are talking about a fine of EUR 50,000.
Conclusion: Navigating the Complex Terrain of Data Protection Under HinSchG
The national implementation requires improvement, possibly not only in Germany, and initially this will come through court rulings. Given that the law is new, its efficacy will become evident over time. Nevertheless, for the benefit of all parties involved, the implementation of the details should not be unduly delayed.
In the meantime, as data protection officers, we should remember, particularly concerning the questions I have listed here and which are still open, that the purpose of the GDPR is to protect natural persons regarding the processing of personal data – that is, all those involved. Then we will get it right.
Author: Regina Mühlich, Data Protection Expert, Business Lawyer, CEO AdOrga Solutions GmbH, Member of the Board of Berufsverband der Datenschutzbeauftragten Deutschland (BvD) e.V.