By Alexander Benalal and Ana María Rodriguez

The Spanish Data Protection Agency (hereinafter SDPA) has just published its position regarding the implementation of whistleblowing schemes in companies. Although the paper released is a response to a specific consultation by a pharmaceutical company (whose identity is undisclosed) about its particular case, and not a formal guideline, it reflects the SDPA's position on the implementation of whistleblowing schemes in multinational companies and should therefore be taken as a reference.

Basically, the aforementioned opinion states that:

  • Reporting schemes are lawful provided that the processing operations they involve relate to the parties to a contract (for instance a company and its employees) and are necessary for the maintenance or performance of that contract. Please note that, apart from identifying the wrongdoings, the reporting scheme must necessarily be limited to wrongdoings which could actually affect the contractual relationship between the company and the incriminated employee (in accordance with article 7(b) of the Data Protection Directive and the corresponding articles 6.2 and 11.2 of the Spanish Law on Personal Data Protection (LOPD)).
  • The whistleblowing scheme should not include the possibility to report anonymously. Nonetheless, the system must guarantee the confidentiality of the subject of the report.
  • The data related to the incriminated subject shall not be kept for more time than that necessary to proceed to the relevant internal audits or, at the latest, the period necessary to carry out the procedures for judicial proceedings resulting from an investigation. In any case, the policy must set out a maximum retention period for the data.
  • The whistleblowing procedure must respect the rights of access, rectification, erasure and opposition mentioned, amongst others, in article 5.d) of the LOPD. The SDPA also affirms that the subject of a whistleblowing report must be specifically informed by the company about the existence of such report as soon as possible and, in any case, within three months.
  • The company shall implement the relevant security measures in accordance with Royal Decree 994/1999, of 11 June, on Security Measures. Regarding the specific case/scheme submitted to it for analysis, the SDPA affirms that security measures must be applied at the highest level, because:
    • it is not possible to know a priori the categories of data which will be processed through the whistleblowing scheme, and therefore sensitive data could be processed;
    • if an employee belongs to a union, the company has to inform the union of the proceedings initiated against its member. For this purpose, the company could decide to include the data related to such affiliation (which is considered sensitive under the LOPD) in the data file;
    • the company belongs to the pharmaceutical sector, and the SDPA states that a report can be linked, for instance, to situations related to clinical trials (from which the SDPA deduces that health data could be processed).

We consider this a very strict approach, and there are legal grounds to support that high-level security measures should not be required for all whistleblowing schemes as a rule. Indeed, there are reasonable legal grounds to support that security measures would not need to be implemented at the highest level if (i) the reporting system cannot involve the processing of sensitive data and (ii) the company does not include data on the union affiliation of its employees in the relevant file.

  • The company is obliged to notify the SDPA of the processing of the data and, in addition, where part of the data is to be transferred to a company located in a country which does not provide an equivalent level of security, to request authorisation for the transfer unless one of the exceptions provided by the LOPD applies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.