Whistleblowing Officer: A New Opportunity for GDPR DPOs?

The obligation to introduce whistleblowing in your company is coming soon. A whistleblower is someone who draws attention to illegal, unethical, or corrupt practices within an organization. The EU directive is transposed by a law on the protection of whistleblowers, which protects employees who have pointed out a suspicious act or crime.

Who must deal with whistleblowing, how, and why

The obligation of most private and public entities to implement a whistleblowing process is coming soon. The draft of a new Czech law on the protection of whistleblowers, which transposes the relevant EU directive No. 2019/1937 into our law, was forwarded to the second reading in the Chamber of Deputies in mid-May.

Private organizations with more than 25 employees and all contracting authorities, with the exception of small municipalities, will be obliged to implement a whistleblowing process from the end of 2021.

If they do not do so or do not implement any of the components of the whistleblowing process, they will face a fine of up to CZK 1 million or 5% of net turnover for the last accounting period.

Areas in which you must receive whistleblowing notifications

In the first place, all obligated entities will have to set up a so-called internal notification channel, which will enable their employees, external collaborators or employees of their suppliers to submit confidential notifications of possible infringements, especially in the following areas:

· Environmental protection
· Privacy and data protection (GDPR)
· Safety of transport and transportation of persons and goods
· Fulfillment of tax obligations of legal entities
· Protection of internal order and safety, life and health
· Privacy in electronic communications (ePrivacy)
· Consumer protection, including specific requirements for different product groups
· Protection of competition, public procurement and public auctions
· Provision of financial services, including the fulfillment of obligations in the prevention of money laundering or terrorist financing (AML)

Whistleblowing Officer vs. Data Protection Officer

An essential part of the internal whistleblowing process will be the appointment of a Whistleblowing Officer, i.e. an investigator of notifications made in all the above areas.

The Whistleblowing Officer, the person responsible under the law, will have a strong position: they will investigate notifications independently and without instructions from the organization's management, and will be responsible for communication with whistleblowers and for recording all investigated cases.

The position and role of the Whistleblowing Officer will thus be largely similar to that of the Data Protection Officer.

However, there are also differences in their position and agenda. For example, the Whistleblowing Officer will be personally liable for the performance of their duties: if a notification is not properly investigated, or the identity of the notifier is revealed without justification, the officer faces a fine of up to CZK 100,000.

Similarities and differences between the legal regulation of a Whistleblowing Officer (WO) and a Data Protection Officer (DPO)

| Aspect | Whistleblowing Officer (WO) | Data Protection Officer (DPO) |
|---|---|---|
| Who must appoint one in the private sector | Private company with more than 25 employees | Organizations carrying out regular and systematic monitoring of persons, or extensive processing of sensitive data |
| Who must appoint one in the public sector | Each contracting authority (except small municipalities) | Every public entity, including regions and municipalities |
| Candidate requirements: hard skills | Clean record, legal age, legal capacity | Expert knowledge of the law and practice of personal data processing |
| Candidate requirements: soft skills | Personal integrity, knowledge of processes, knowledge of risk management or a compliance management system | Personal integrity, knowledge of processes, knowledge of risk management or a compliance management system |
| Can the role be performed externally? | Yes | Yes |
| Confidentiality | Obliged to maintain the confidentiality of notifications and notifiers | Obliged to maintain the confidentiality of all facts established during the performance of duties |
| Independence | May not accept or request instructions regarding the investigation of individual notifications | May not receive or request instructions regarding the performance of duties |
| Reports to | Company management | Company management |
| Main responsibilities | Receive and investigate notifications, propose corrective actions, record notifications and investigation results | Check the organization's compliance with the GDPR, propose corrective measures in case of non-compliance, advise the business, communicate with the Office for Personal Data Protection |
| Personal liability | Penalties of up to CZK 100,000 for poor performance | No penalty; only recovery of damages by the controller or processor |
| Access to information within the organization | Must have full access to the information and documents necessary to investigate the notification | Must have full access to the information and documents necessary to monitor compliance with the GDPR |
| Responsible for communication with the persons concerned | Yes | Yes |
| Obligation to publish contact details on the organization's website | Yes | Yes |

Whistleblowing and GDPR synergy

The requirements for a Whistleblowing Officer and a Data Protection Officer are largely similar.

We find a number of the same or similar features in their inclusion in the structure of the organization, the activities they are to perform, or the requirements for independence. Both will also use their experience with risk management, compliance management and implementation of ISO standards.

Reusing processes the organization already has in place, such as its GDPR compliance system, is an effective way to simplify the implementation of the whistleblowing process.

It is also possible to entrust this agenda to an existing Data Protection Officer, who is familiar with the organization and internal processes, has the trust of management and employees and is able to properly combine the new agenda of investigating notifications of possible violations with the activities of DPO.

From the point of view of an obliged organization, this would be a clearly more effective solution. It would not require the cost of finding a new employee, and the existing officer could begin the new role of Whistleblowing Officer almost immediately after the necessary training.

Risk? Yes.

Merging the position of Data Protection Officer and Whistleblowing Officer also brings about questions that every organization must answer before deciding on this solution.

The basic ones include:

· Does the current GDPR compliance system meet the requirements of the whistleblowing process? Will it need to be strengthened?
· Is sufficient information, including contact details, available on the obliged organization's website, or does it need to be supplemented?
· Does the Data Protection Officer have access to all the information and documents necessary to investigate whistleblowing notifications?
· Will the current Data Protection Officer have sufficient capacity, especially time, to perform the new Whistleblowing Officer function, or will the position need to be strengthened?
· Does the current Data Protection Officer meet the requirements for integrity? Does the officer have enough soft skills to investigate whistleblowing notifications consistently and impartially?
· Does the organization already have a whistleblowing process described in its internal regulations, and does it include the Data Protection Officer? If not, the internal regulations must be completed and all employees acquainted with them.

In our course you will learn who will be obliged to implement the whistleblowing process and for which areas, what the necessary parts of the process are, and what the role of the Whistleblowing Officer will be.