Roxana Ionescu, Madalina Bucur, Flavia Lungu and George Trandafir
- Background
Companies operating in the EU may already be aware that in December 2019 the Whistleblowers Directive[1] came into force. The Whistleblowers Directive aims at establishing a framework with common minimum standards for ensuring whistleblowers’ protection across all EU Member States.
The transposition deadline is almost at the door, since it expires in December 2021.
In this context, Romania recently closed the public consultation process for the law proposed for transposing the Whistleblowers Directive (“Proposal Law”).
Once adopted, the Proposal Law[2] will repeal the existing Romanian law[3] on the whistleblowers’ protection (applicable only to the public sector) and will complement the existing sectorial legislation.
- Brief presentation on the main areas of interest of the Proposal Law
As expected, once the Proposal Law is adopted, the entities falling within its scope will be forced to take multiple actions, in several areas, in order to adjust the measures already implemented in this field or to adopt new ones to ensure compliance with the law.
While the Proposal Law regulates obligations for entities both in private and public sector, we focus herein on the key implications for companies in the private sector (“Concerned Companies”).
Pursuant to the initiators’ approach, among others, the Proposal Law provides that:
- all Concerned Companies with 250 employees or more must ensure immediate compliance with the law, including the setting up of policies and infrastructure (such as internal channels for reporting any breaches of the law, deontology rules, and/or rules governing regulated professions);
- Concerned Companies from 50 to 249 employees are granted a one-year transition period for identifying or implementing internal reporting and follow-up channels and procedures;
- internal reporting channels must be made available not only for the Concerned Companies’ employees (meaning candidates as well as current or former employees), but also for their independent contractors and suppliers’ employees, if during their performance of contracts or supply of services they obtain access to information regarding breaches. Concerned Companies must also keep a record of the received reports;
- Concerned Companies generally have the obligation to maintain confidentiality, to give feedback, and to address the reported breach. However, reports on breaches made anonymously should be dismissed without any analysis on their merits. As a specific remedy, if the Concerned Companies identify an anonymous whistleblower, legal protection would extend to the identified whistleblower (and related persons) upon suffering retaliation;
- employees (except for those knowingly reporting false breaches) may benefit from protection against retaliation, ranging from specific requirements in connection with the carrying out of disciplinary investigations to the possibility of obtaining the nullification of the measures unlawfully taken against the whistleblower, including dismissals or measures of a disciplinary nature. The natural person who ordered, in bad faith, the measure taken in retaliation is jointly and severally liable with the employer for damages;
- other individuals listed in the Proposal Law may access similar protection under the whistleblowers’ law and the rights under this law cannot be waived.
For a more in-depth analysis of the scope of this new whistleblower’s law, you may want to access the following article available on our website: Romanian Approach to the Whistleblowers’ Directive.
- Brief presentation of some data protection and privacy implications arising from the Proposal Law
Among the implications in other areas, the ones in the data protection and privacy field play a significant role. This is because, to put it briefly, the ultimate purpose of the Whistleblowers Directive and, consequently, of the Proposal Law is to ensure the protection of whistleblowers and other individuals against retaliation.
No proper protection could be achieved without keeping the personal data confidential, available and intact.
This brings us to the inevitable conclusion that the Concerned Companies need to observe and comply with the general data protection requirements[4].
Whether the Concerned Companies already have internal whistleblowing tools in place or need to implement new ones, they need to consider some basic data protection compliance steps.
Here are some thoughts on this matter.
- The Concerned Companies need to make sure they have a valid legal basis for the processing they will carry out
Since Romania will adopt a legal framework regulating this area, one may argue the processing activities performed in the context of the future law would be necessary for compliance with a legal obligation – Article 6 para. 1 (c) of the GDPR.
This interpretation could actually work to some extent, since the Proposal Law (at least in the current version), clarifies the essential elements of the processing necessary to be performed in order to comply with its standards.
While there is a relatively minimal degree of discretion left to the Concerned Companies in deciding how they will practically implement the legal provisions, they would not have a choice on whether or not to fulfill them.
This is however applicable only as long as the processing would be necessary, in an objective sense, to comply with the legal obligations.
For the processing that would not pass the necessity test, but would rather be helpful for the Concerned Companies or incidental due to technical and/or organizational restrictions, it is necessary to assess which legal basis, if any, from those under Article 6 of the GDPR is appropriate.
When doing so, a closer and critical look should be taken at the Proposal Law’s provisions, as there might be restrictions on the Concerned Companies’ free choice.
Let’s take an example. Under the Proposal Law, the person appointed by the Concerned Companies for handling whistleblowers’ reports shall not disclose the whistleblower’s identity or any other data that may identify, directly or indirectly, him/her, except if the disclosure is required by the law or with the whistleblower’s consent.
No distinction is made under the Proposal Law as regards the recipients to whom such data can be disclosed based on the whistleblower’s consent, in the absence of a legal obligation to do so.
If this provision remains as it is, the Concerned Companies might experience some obstacles, since we all know how consent usually complicates things. In most cases, it is rather difficult to ensure compliance with all the validity conditions of consent. This is very much applicable in this area, since the whistleblower may experience a great fear of retaliation, in which context he/she might be pushed to consent to anything as long as this will ensure his/her protection.
You may want to see the article on our blog – How much stress does it take to ruin a consent? – for more insights on the validity condition that consent be freely given.
- In case of processing special categories of data, the Concerned Companies need to assess, besides the applicable legal basis, what condition under Article 9 of the GDPR applies
No express provisions exist under the Proposal Law on special categories of data or on the specific guarantees for processing such data, even if such processing is very likely to occur. For example, if the Concerned Company operates in the health services sector, the whistleblowing may cover sensitive data processed by the company.
One may argue that the processing of such personal data is necessary for reasons of substantial public interest, based on the law to be adopted – Article 9 para. 2 (g) of GDPR.
Even if no express mention is made in this respect, the name of the Proposal Law refers to the protection of whistleblowers in public interest. This should be enough, provided also that the competent authorities will conclude that such processing is proportionate to the aim pursued by the law and the measures under the Proposal Law are sufficient to safeguard the fundamental rights and the interests of the data subjects.
- When choosing or configuring the internal reporting tool/channel, the Concerned Companies need to ensure they collect and further process only personal data that are adequate, relevant and limited to the envisaged purposes
For this requirement, the Proposal Law helps the Concerned Companies only halfway.
While it makes clear that anonymous reports do not fall under the Proposal Law (with the specific remedy mentioned above), there is no exhaustive list of the categories of data that should be collected. There is, however, a list of minimum categories of data the whistleblower must provide within the report in order for it to be assessed.
In case the whistleblower provides personal data that are not necessary for handling the report, such data being thus collected incidentally, the Concerned Companies have the obligation according to the Proposal Law to delete the unnecessary data without undue delay. In order to do so, the Concerned Companies’ internal procedures need to set out roles and responsibilities for achieving such deletion, as well as a timeline for the same.
You may find helpful the article on our blog – We received unwanted data. How do we handle them? – for brief suggestions on how to deal with incidental personal data.
- The Concerned Companies need to take steps to ensure the transparency of the processing or, in case of indirect collection of personal data, to document if an exception to inform data subjects applies
In order to see if, when and how it would be necessary to inform the individuals about the processing of their personal data in the context of the whistleblowing scheme, the Concerned Companies need to first assess some key elements. These include determining: who the individuals (the so-called data subjects under the GDPR) are, if and how the Concerned Companies would interact with them and from what sources it would be possible to collect the personal data.
After having cleared such elements, the Concerned Companies have to assess if the existing privacy notices are sufficient or if it is necessary to revise them or to adopt new ones. For example, it is probable that whistleblowing reports include the personal data of Concerned Companies’ employees and that such employees already received privacy notices on how their personal data are processed. Hence, in this case, the first step is to check if the existing notice is sufficient. But the whistleblowing report may also contain information about third parties with whom the Concerned Companies do not have any contact. In this case, the practical question is how the Concerned Companies can ensure proper information, as required by the GDPR.
At least in some cases, it is likely that one or more exceptions under Article 14 of the GDPR would apply, thus, the Concerned Companies would not have the obligation to inform data subjects whose personal data are indirectly collected.
The assessment of whether these exceptions apply should be made with care and on a case-by-case basis, and the decision not to inform a data subject must be documented, in view of the accountability principle.
In all cases, it is recommended for Concerned Companies to have in place a privacy notice/policy describing the general framework of the processing to be carried out in the context of the new law, to communicate it to the entire organization and to publish it on the Concerned Companies’ websites.
- Ensuring compliance with the rest of the data protection principles and requirements is crucial
In particular, the Concerned Companies are required to identify and implement the technical and organizational measures to ensure the security of the personal data, with a specific care for protecting the whistleblowers’ identity.
When discussing whistleblowing schemes, most companies will focus on the need to ensure data confidentiality. But Concerned Companies should not lose sight of the need to also ensure the integrity and availability of personal data.
As regards the purpose limitation requirement, the Concerned Companies should make sure the personal data collected in the context of the whistleblowers’ reports are processed only for specified, explicit and legitimate purposes and that no further processing will take place in an incompatible manner. Where further processing is envisaged, compatibility tests need to be carried out.
In respect of the storage limitation principle, the Proposal Law imposes a five-year term for storing the whistleblowers’ reports. It is unclear at this moment whether this storage term would also cover other records generated by the Concerned Companies in the course of resolving the reports. One may argue that some data need to be retained longer, insofar as they have been used in disciplinary procedures. So it is important to look at the entire process in correlation with the possible outcomes of the management of whistleblowing reports and the corresponding retention periods.
The Concerned Companies should not omit to document the actions they will take following the adoption of the Proposal Law, in view of the accountability principle.
To the extent the Concerned Companies would conclude processing is likely to result in a high risk to the rights and freedoms of the data subjects, the Concerned Companies must carry out a data protection impact assessment, prior to the processing, or review the existing one to assess any potential new risks.
Last, but not least, Concerned Companies should consider the need to ensure data protection by design and by default when implementing any new process aimed at ensuring compliance with the Proposal Law. Luckily, sufficient guidance already exists on how to achieve this. See our article on the blog – Balancing the push for technology driven solutions with privacy requirements – on the data protection by design and by default requirement.
And the list may go on.
But before anything else, the legislative procedure of the Proposal Law needs to come to an end. The longer it takes, the less time Concerned Companies will have to implement the internal procedures and ensure compliance with data protection requirements. For now, we can monitor the developments and be on alert.
[1] Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law (“Whistleblowers Directive”)
[2] The Proposal Law analyzed in this article may suffer certain changes in the course of the legislative procedure. You should keep this in mind while reading this article.
[3] Law No. 571/2004 on the protection of personnel from public authorities, public institutions and other units that report violations of the law
[4] According to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) and the local legislation in this field.