This is the second part of my series of posts looking at traps for the unwary when setting up a hotline for whistleblowers in your European operations. Read Part 1.
Notifications and Authorisations
Some EU Data Privacy Authorities, for example in France, require their prior authorisation to be sought before a hotline is implemented. Many require at least a written notification to be filed before implementation. If certain categories of personal data, termed “sensitive” or “special”, will be processed in the operation of the hotline (see below), then the number of Authorities requiring prior authorisation significantly increases.
If hotline reports containing personal data are to be exported from the EU to an entity (even another group company) located outside the European Economic Area, this can also trigger the need to seek prior authorisation. It can take up to three months to obtain authorisation in some EU territories.
Permitted Scope of the Hotline
There are significant restrictions on the subject matters of reports that whistleblowers can be invited to make in a number of EU territories. In France, for example, a hotline dealing with any issues other than accounting, financial, antitrust and anticorruption issues is highly unlikely to be authorised by the Data Privacy Authority. Germany has similar restrictions, and in the Netherlands reports are limited to “substantial offences”. The fact that the permitted scope varies from one EU state to another can cause significant administrative challenges and costs for a company rolling out a global hotline.
The law in some EU countries requires employees’ consent to be sought for the data processing that will ensue as a result of a hotline. This is an alarming prospect for companies with a large, fluctuating or transient population of employees. The requirement to obtain individual consent can be triggered by, among other things, the proposed transfer of personal data outside the country of origin. This may be the case even where the data is to be transferred to another group company located within the EEA. Consent will also be required in certain territories if sensitive personal data is processed. In Russia, individual consent is the cornerstone of the data privacy laws. In countries where a company’s employees are organised in Works Councils, still further complications can arise.
In contrast, there are a number of EU countries in which employee consent is not usually relied on, as there is significant doubt that it will have been provided freely given the unequal balance of power between an employee and an employer. In countries such as France, Germany and the Netherlands, reliance on employee consent is seriously frowned upon. Consent which is not truly freely given would be deemed invalid under EU data privacy laws. What is less clear is how far consent can be inferred merely from the use of a voluntary hotline. One might think that it should be sufficient for the employer to show that the employee knew that a consequence of ringing the hotline would be the processing of personal data relating to him (for example by playing a pre-recorded message to that effect when the hotline number is dialled). However, the advice received about countries where consent was needed is that it must be written, explicit consent. This is partly because such implied consent could not apply to the person reported, who obviously does not make the call. It is a very complex issue, especially when considering different countries and the different reasons for needing consent.
Transfers Outside the EEA
If the hotline reports are to be sent from within the EU to a group company located outside the EEA, such as a Head Office located in the US, then this will increase the level of compliance that needs to be followed and, in some countries, may cause significant difficulties. See our post concerning transfers to the US of personal data following the PRISM scandal there.
Sensitive or Special Personal Data
Certain categories of personal data are treated with additional caution under EU data privacy law. What is included in these categories varies from country to country, but examples include data relating to racial or ethnic origin, health, religious or political opinions and criminal records. If it is likely that this type of data will be processed as part of hotline reports, then many countries will require a higher level of compliance. Additional steps, such as obtaining employees’ consent and/or obtaining the prior authorisation of the data privacy authority, may be required unless it is made clear that hotline reports should not include that sort of information.
The next and last post in this series looks at some further key considerations for European or international disclosure hotlines.