The implementation of joint whistleblowing systems
Whistleblower Protection Act (HinSchG), the Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and internal company guidelines in a single source?
Since 2 July 2023, the Whistleblower Protection Act (HinSchG) has applied in Germany to companies with 250 or more employees; companies with 50 to 249 employees benefit from a transitional period until 17 December 2023. Whilst the most crucial questions on implementation have been clarified or at least widely discussed, the implementation of a joint whistleblower system for reports under the HinSchG, the Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and any existing internal company guidelines on reporting compliance violations has remained below the radar. Special attention must be paid to the permissibility of processing reports under data protection law.
Advantages of a joint reporting system
A joint reporting system for companies that, apart from the HinSchG, also fall under the LkSG due to a workforce size of more than 3,000 or, as of 1 January 2024, more than 1,000 employees, is neither provided for nor prohibited by law. The supervisory authority responsible for the LkSG, the Federal Office of Economics and Export Control, explicitly advises using the opportunity to build on existing whistleblowing mechanisms when setting up a reporting procedure under the LkSG and adapting them if necessary. From our practical experience, a reporting system that is standardised and comprehensible to employees strengthens the trust of users, as they are not confronted with several systems with different requirements and access barriers. Different reporting systems, on the other hand, are more of an incentive to use external reporting channels, as internal reporting channels are perceived as non-transparent. This, in turn, can prevent internal and timely mitigation of damage and foster reputational damage.
Focus on data protection law
The legal basis for data processing must be laid down in the regulations on the reporting procedure, for example in a works agreement. For notices under the HinSchG, the legal basis for data processing is section 10 HinSchG. The LkSG itself does not provide a legal basis for data processing, and the explanatory memorandum to the law presumes without further explanation that data protection is to be guaranteed. Reports that do not contain information relevant under either the HinSchG or the LkSG but are made on the basis of a company's internal ethics policy also cannot be processed under section 10 HinSchG. The basis for data processing is Art. 6 lit. f General Data Protection Regulation (GDPR) as well as collective agreements pursuant to Art. 88 para. 1, 2 GDPR.
View of the data protection authorities
In principle, the data protection authorities accept the option of concluding works agreements pursuant to Art. 88 para. 1, 2 of the GDPR for the processing of employee data that does not relate to the implementation of the employment contract. Such employee data includes notifications pursuant to the HinSchG, the LkSG and internal company guidelines. An advisory note of the data protection supervisory authorities on whistleblowing hotlines published before the HinSchG came into force explicitly mentions works agreements as well as collective agreements as a legal basis for data protection. Since the introduction of the HinSchG, however, there have been no official announcements by the data protection authorities on the specific question of the legal basis on which whistleblowing systems can process information outside of the HinSchG.
It is advisable to examine the possibility of a joint whistleblowing system because of the above-mentioned advantages and to have the implementation examined by labour law and data protection law experts. The pending discussion of the data protection authorities on these issues should be monitored in order to implement any guidelines as soon as they have emerged.