29.11.2023

Whistleblowing and data protection – frequently asked questions

The Act on the Protection of Persons Reporting Infringements of European Union and National Law, based on the EU Whistleblowing Directive and known as the Whistleblower Act, entered into force on 1 January this year. The Whistleblower Act obligates large and medium-sized enterprises as well as public sector actors to establish, within certain transitional periods, an internal reporting channel through which personnel and certain other stakeholders, among others, can report suspected abusive practices. The transitional period for establishing a reporting channel ends on 17 December 2023, which means it is high time to start implementing a channel or to ensure that the one already adopted fulfils the requirements of the Whistleblower Act.

The Whistleblower Act lays down some new requirements, for example with respect to the handling of reports, the protection of the reporting person and providing information about the reporting channel. In this blog, we will answer some typical data protection questions that have surfaced in organisations when establishing an internal reporting channel.

In addition to fulfilling the requirements of the Whistleblower Act, it is also important that the reporting channel is implemented and the reports handled in accordance with the data protection legislation. The requirements of data protection regulation must be complied with already when implementing the channel so that the reports and the personal data included therein can be handled legally in the first place. A reporting channel that meets data protection obligations along with proper privacy documentation are key tools for an organisation to demonstrate compliance.

What data protection matters should be kept in mind when establishing a reporting channel?

When planning the implementation of the reporting channel and the report handling process, the organisation must define the grounds and purposes for processing personal data. The purposes of use and the grounds for processing will vary based on whether the channel is intended only for reports concerning infringements within the scope of the Whistleblower Act or whether it will also be used for reporting other suspected abusive practices, such as employment relationship matters or breaches of the organisation’s internal guidelines. The purposes and grounds for processing must be included, for example, in the records of processing activities, data mapping documentation or other similar internal data protection documentation.

All those whose personal data is processed must be informed of the processing as required by law, and the data subjects’ legal rights under data protection legislation must be ensured. These obligations must be fulfilled not only for the reporting person but also for the person concerned and anyone who participates in the investigation. When planning the internal processes concerning the rights of the data subjects, it should be noted that the Whistleblower Act restricts these rights in some respects, for example by restricting the right to request access to one’s own personal data.

Organisations must also prepare a data protection impact assessment under data protection legislation before implementing a reporting channel. This assessment is a type of internal risk assessment in which the organisation must describe the processing of personal data within the context of the reporting channel, assess whether the processing is necessary and proportionate and, in particular, assess the risks caused by the processing and the necessary actions to mitigate these risks.

If the organisation falls under the scope of the Act on Co-operation, the processing of personal data within the context of the reporting channel must be handled with the personnel in a dialogue procedure under the Act on Co-operation before the implementation of the channel can be decided on. This dialogue also provides a good opportunity to discuss the data protection documentation of the reporting channel with the personnel.

Which data protection obligations apply to report handling?

The report handling process and the storage of related data must be organised in such a way that access is restricted, by means of technical and organisational safeguards, to only the parties entitled to handle the reports. In addition to the reports themselves, this applies to all data related to investigations, such as any internal emails and interview notes. The data storage locations and the measures taken to restrict access must be included in the data protection and data security documentation.

Pursuant to the Whistleblower Act, reports can, as a rule, only be handled by pre-designated persons who must be both impartial and independent. However, during the investigation it might become necessary to include other internal or external experts in the process. The Act makes this possible, as more handlers or external experts can be assigned to a report on a case-by-case basis.

Under the Whistleblower Act, the persons responsible for the handling of the report have an obligation to keep confidential the identity and any information that can directly or indirectly reveal the identity of the reporting person and the person concerned. This confidential information cannot be disclosed without the express consent of the person it concerns, unless the recipient is a party expressly specified in the Act, such as a competent authority. The reporting person must receive prior notification that their identity will be revealed, unless providing this notification would compromise the investigation of the report or the related pre-trial investigation or trial.

In practice, the sharing of data concerning reports must be restricted to a minimum, and the legal basis for data sharing must be ensured on a case-by-case basis. The report handling process and resources should be defined in a way that minimises the need to disclose reports and the related personal data to parties other than the pre-designated persons, the case-specific experts who participate in the investigation and the other recipients defined under the Whistleblower Act. Those in charge of handling the reports must have sufficient skills and the autonomy to investigate the matter independently. Insofar as possible, they should also have the authority to decide on the necessary follow-up. It is good practice to document the report handlers’ tasks and authority with respect to the investigation and follow-up in the handling process description.

Can a report be disclosed to the management?

The Whistleblower Act does not explicitly provide for the conditions under which reports can be disclosed to the management or board of directors, among others. As a general rule, the Act does not prevent disclosing anonymised information, and regular reporting on infringements to the management should be done in an anonymised format. However, the requirements concerning confidentiality and report handling may limit the possibilities for disclosing information that could reveal the identity of the reporting person or the person concerned. Disclosing such information should be assessed on a case-by-case basis.

The Whistleblower Act does not prevent designating a person who is part of the organisation’s management as one of the persons responsible for handling reports, provided that the person can act independently and impartially. It is also possible for the person responsible for handling reports to refer the matter concerning a suspected infringement to a stakeholder in the organisation who is in charge of deciding on follow-up actions. In individual cases, this can make it possible to disclose the report to senior management if it is the management’s responsibility to decide on such actions.

For how long can reports be stored?

Personal data included in the reports and investigation data can be retained only as long as necessary for the purposes of use defined by the organisation. The retention periods of reports are based on the type of suspected infringement and the possible follow-up, for example. As the situations are varied, it is often impossible to set a clearly defined retention period that would apply to all reports.

A report under the Whistleblower Act must be deleted no later than five years after the report was received, unless its storage is necessary for the purposes of protecting legal rights or complying with legal obligations or for a trial. If the report concerns a suspected infringement unrelated to the Whistleblower Act, the retention period is determined on different grounds.

The retention periods and their criteria for reports and other investigation data must be defined as accurately as possible and included in the data protection documentation. Furthermore, organisations should adopt a practice in which any unnecessary personal data which clearly bears no significance to the handling of the report is removed when the report is received. Another good practice is to assess the retention need regularly during and after the investigation so that any unnecessary data can be deleted. The procedure for deleting unnecessary data should be assigned internally, for example to the persons responsible for the handling of reports.


For more information, read our previous blogs on whistleblowing channels:

It is advisable to start preparing a whistleblowing channel now

The new Whistleblower Protection Act is approved – here’s how to prepare for investigating reports
