It is advisable to start preparing a whistleblowing channel now
The government proposal for the whistleblower legislation obligates large and medium-sized enterprises as well as public sector actors to establish an internal reporting channel through which, for example, the personnel can report suspected misconduct. The legislation is based on the EU Whistleblowing Directive.
As a general rule, the whistleblowing channel must be established in companies that employ at least 50 people
The new whistleblower legislation that is being drafted mainly obligates companies or public sector actors that employ at least 50 people to establish an internal reporting channel. Through the channel, the company’s employees, for example, can report suspected misconduct that concerns the violation of certain legislation, such as consumer protection, environmental protection, data protection or public procurement. When submitting a report, the whistleblower is protected in the manner required by the Act. The Act also provides a period during which the company can exclusively examine the reports.
At the moment, the Act is being discussed by Parliament, and it is to enter into force within three months from its approval. By the time it enters into force, companies that employ at least 250 people will have to have adopted an internal whistleblowing channel. The government bill, however, includes a transitional period under which private sector organisations that regularly employ 50–249 people must adopt a whistleblowing channel by 17 December 2023 at the latest.
The whistleblower legislation is based on the EU Whistleblowing Directive, which must be implemented into national legislation by the EU Member States. In Finland, the drafting of the whistleblower legislation has been delayed from the original timetable. In some EU Member States, the Directive has already been implemented into national legislation.
Establishing an internal whistleblowing channel
The main purpose of the new regulation is to protect the whistleblower from retaliation and to give the organisation receiving the report an opportunity to appropriately investigate the suspected misconduct internally. Furthermore, the new legislation will set minimum requirements for the establishment of the whistleblowing channel and for the procedures for processing reports, such as processing times and confidentiality. The organisation can largely decide the technical implementation itself, and under certain boundary conditions, it is also possible to outsource the maintenance of the channel to a service provider. According to the proposal, companies that belong to the same group can under certain conditions establish a common reporting channel.
The regulation also creates new information obligations for organisations. Stakeholders that are entitled to report suspected misconduct must, among other things, be informed of the internal whistleblowing channel, of the possibility to report through an external reporting channel maintained by the authorities, and of the requirements for protecting the whistleblower. In addition, the persons responsible for processing the reports must be appointed and trained in the processing.
Data protection obligations must be taken into account
Requirements based on data protection legislation and, with respect to the personnel, also on the Co-operation Act must be taken into account so that the reports submitted through the reporting channel and the personal data included in them can be processed lawfully. A whistleblowing channel that meets data protection obligations, along with proper data protection documentation, is a key tool for an organisation to demonstrate that it is in compliance with legislation.
The processing of personal data collected through the whistleblowing channel is subject to the same privacy obligations as the processing of other personal data. For example, the legal basis and purposes for processing personal data, as well as how long the data is stored, must be defined in accordance with statutory requirements, and any unnecessary personal data must be deleted. The individuals whose data is processed must also be informed of the processing, and the organisation must make sure that the statutory data subjects’ rights are respected. It is important to keep in mind that the new legislation sets certain exceptional limits to the rights of the data subjects. In addition, the Finnish data protection authority, the Data Protection Ombudsman, has ruled that controllers must conduct a data protection impact assessment on data processing relating to whistleblowing channels.
How to prepare for the new obligations?
A whistleblowing channel that meets the requirements of the new legislation protects the company as well as the whistleblower, because the channel makes it possible for the company to uncover misconduct and provides a period during which the company can exclusively process reports. Though the legislation is still being drafted, it is advisable to prepare for the adoption of a channel now. First, it is advisable to make an assessment of the necessary measures:
- Map out the existing reporting practices and processes and any relating needs for change. It is particularly worth assessing whether a new whistleblowing channel can be built on top of existing processes, systems and resources.
- Plan the technical implementation of the reporting channel, the processing procedure of the reports and the necessary instructions and training for the personnel.
- Prepare a draft of the data protection impact assessment and other data protection documentation.
- Plan how the personnel and other groups that fall under the scope of the reporting channel are properly informed of the processing of personal data, for example, by drafting a privacy notice and updating other data protection information.
- Be prepared to comply with the statutory obligations relating to the legal consultation procedures before you can make the decision to adopt a whistleblowing channel and to process employee personal data through the channel.
- If the group, for example, has companies in several EU Member States, the potential additional requirements set by national legislation must be assessed separately with respect to each country. If you are contemplating a common reporting channel for the group, you should also make sure that the legislation in the country in question allows establishing a common reporting channel. Please note that some Member States may already require a reporting channel. Thus, it is possible that a group that has its headquarters in Finland and subsidiaries in several Member States may already have an obligation to maintain a reporting channel with respect to a subsidiary located in another Member State.