Compliance with both US and EU rules

Whistleblowing schemes were introduced in the EU as a result of the Sarbanes-Oxley Act (SOX) adopted by the United States Congress in 2002 following various corporate financial scandals. Public companies which fail to put in place whistleblowing schemes may be subject to penalties imposed by the Nasdaq, NYSE or the SEC. In addition, voluntary implementation of codes of conduct providing for whistleblowing schemes has become a relatively widespread practice among private companies, particularly global companies having entities in the EU.


The implementation of whistleblowing schemes will, in most cases, lead to the collection, processing and transfer of personal data (e.g., name of the accused individual). Within the EU, the collection, processing and transfer of personal data is regulated by Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive). The Directive has been transposed into the national laws of all the EU Member States. In this regard, implementing whistleblowing schemes in US companies’ European subsidiaries or branches will require compliance with EU data protection rules, with the risk of facing sanctions from EU data protection authorities if they fail to comply with such rules.

Whilst whistleblowing is not codified in the EU (there are no statutory obligations to implement whistleblowing schemes, nor any specific rules protecting the whistleblower against retaliation), whistleblowing procedures should comply with the EU data protection rules provided by the Directive, and the national laws implementing the Directive (i.e., the French Data Protection law [2], the German Federal Data Protection Act (BDSG)).

Legitimacy of Whistleblowing Schemes and Compliance with the Principles of the Directive

In order to be lawful, whistleblowing schemes have to be legitimate and satisfy one of the grounds set out in Article 7 of the Directive for personal data to be processed, such as compliance with a legal obligation to which the data controller is subject [3]. Such obligations exist in many EU Member States: in the banking sector, for instance, financial institutions are required to report suspicious financial operations.

Personal data have to be collected for specified, explicit and legitimate purposes and processed fairly and lawfully. Processed data must be adequate, relevant and not excessive in relation to the purpose for which they are collected and further processed. Appropriate procedures have to be put in place to ensure that data which are inaccurate or incomplete can be erased or rectified [4]. Personal data should only be kept for the period of time strictly necessary for the purpose for which the data was collected or further processed.

Certain EU countries will also require that the company notify the local data protection authority of the existence of the whistleblowing scheme and of the data collection and processing.

Compliance with Local Employment Laws

Whistleblowing schemes within companies located in the EU must further comply with the requirements of local employment law. In France and in Germany, the employer needs to inform and consult the works council prior to the implementation of whistleblowing schemes. A French works council will need to render a non-binding opinion, whereas in Germany, the employer and works council will need to agree on a works agreement to implement a whistleblowing system because of co-determination rights.

In most EU countries, employers may not require that their employees blow the whistle; they can only invite them to do so. Whistleblowing schemes in Europe will therefore have to be adapted accordingly.

Rights of the Incriminated Person

Whistleblowing schemes need to guarantee the data subject’s rights, which means that the person accused in a whistleblower’s report should be notified when data concerning him/her is recorded. In particular, the accused employee needs to be informed of [5]:

the entity responsible for the whistleblowing scheme,

the acts s/he is accused of and the related facts,

the department which may receive the report within the company or in other entities, and

how s/he may exercise his/her rights of access, rectification and deletion [6].

Anonymous whistleblowing is generally not permitted in many EU countries (evidence obtained from confidential whistleblowing will be inadmissible), so US companies will often need to adapt their schemes slightly for their European entities.

The confidentiality of personal data must be guaranteed when it is collected, disclosed or stored [7].

Clear and Complete Information about the Whistleblowing Scheme

Employees must be provided with clear and complete information about the existence, purpose and functioning of the whistleblowing scheme, the recipient of the reports, and the rights of access, rectification and erasure of the reported person.

Data Transfer Outside the EU

Whilst data transfers within the EU would be acceptable due to the balanced level of protection across the EU Member States, cross-border data transfers, in particular to the US, which is not regarded as a country offering an adequate level of protection for personal data, need to comply with the provisions of the Directive. In practice, such transfers will readily occur if the management of the whistleblowing scheme has been outsourced to a company located in the United States or if the US head office needs to be informed of any alerts made by employees located in the EU.

In order to transfer personal data outside the EU, the data exporter located in the EU and the data importer (located outside the EU) will need to have put in place safeguards to allow the transfer of data and its protection, such as entering into a data transfer agreement based on the Standard Contractual Clauses approved by the EU Commission, adopting group-wide Binding Corporate Rules approved by the competent national data protection authorities, or obtaining the specific data subject’s unambiguous consent; however, consent would not normally be acceptable as an option, as many Member States do not consider consent given in an employer-employee context to have been freely given.
As far as the United States Department of Commerce Safe Harbor certification is concerned, the European Court of Justice’s decision in Schrems vs. Data Protection Commissioner invalidated the EU Commission’s decision recognizing Safe Harbor certification in its judgment dated October 6, 2015 [8]. The EU considered that Safe Harbor did not comply with the provisions and guarantees of the Directive on the protection of data, so for the time being, Safe Harbor is no longer an acceptable solution. The EU Commission-approved Standard Contractual Clauses and the Binding Corporate Rules regime, likewise approved by the Commission, are still available to permit such transfers, as is specific consent by the data subject to the data transfer (except perhaps in an employer-employee relationship).