The Serbian Whistleblowers Protection Act (“Whistleblower Act”), which applies from 5th of June, focuses on the protection of whistleblowers, by stipulating a number of safeguards that should encourage potential whistleblowers to report on unlawful activities in their working environments without fearing retaliatory consequences.
To the extent the functioning of a whistleblower scheme involves processing of personal data concerning the accused employees, the whistleblower himself or other persons, provisions of the Data Protection Act (2008) (“DP Act”) apply. It is not immediately clear, however, whether each and every aspect of the DP Act may be directly transposed into the realm of whistleblowing. It does not seem, for example, that an employer must notify the Serbian data protection authority (Poverenik) (“DPA”) of the intended introduction of a whistleblowing scheme. There may also be difference in opinion with regard to an obligation, if any, to report to the DPA an assembled set of data (filing system) derived from the whistleblowing scheme.
No obligation to notify the DPA of the intended implementation of a whistleblowing scheme?
During the past seven months since the adoption of the Whistleblower Act, the Serbian DPA has not made any statement suggesting that employers should notify the DPA before setting up a whistleblowers mechanism. This silence may well reflect a DPA’s stance that no notification obligation in fact exists.
One may think of a couple of arguments for why employers with a whistleblowing scheme in place would not have to notify the DPA about it. The general rule under the DP Act is that data controller must notify the DPA prior to commencement of a data processing, i.e. prior to establishing a filing system (art. 49, para. 1). However, as an exception to the rule, there is no need to notify if a specific regulation determines the purpose of the processing, the type of data to be processed, the categories of users with access to the data, and the period during which such data will be retained (art. 49, para. 2).
In the case of whistleblowing, the conditions justifying an exception arguably do exist. The Whistleblower Act itself is a specific regulation which prescribes the purpose of data processing (divulging information about unlawful conduct and preventing harm), the type of data processed (data pointing to infringement of law, abuse of public authority, or threat to life, health, security or environment), and the categories of users (employer, government agencies).
While the Whistleblower Act is silent on the determination of the retention period – the fourth condition for exempting the controller from the obligation to notify – the Act requires from employers with more than ten employees to regulate the internal whistleblowing procedures in a bylaw. Presumably, bylaws will as a rule set forth the period during which the data will be stored, so the last condition for not having to notify the DPA would be fulfilled.
Because the Whistleblowing Act requires from every employer to establish a whistleblowing mechanism – by designating a person in charge of receiving and processing the complaints, and, in the case of businesses with ten or more employees, enacting a bylaw regulating the whistleblowing mechanism in detail – notifying the DPA that a scheme was about to be established would be redundant.
Another potential argument against a notification obligation is that no personal data is collected as a result of the operation of a whistleblowing scheme, so a whistleblowing scheme needs not to be reported to the DPA. The Slovenian DPA took this position in 2007, arguing that as a result of a functioning whistleblowing mechanism “allegations, opinions, suspicions and observations” are collected , and they “could hardly be treated as personal data” because they “do not constitute facts about the individual – until they have been rightfully investigated”. Only if the employer has thoroughly examined the allegations from the complaints received and thus transformed allegations into facts, the mechanism needs to be reported to the DPA.
Assuming that the interpretation of the Serbian law under the statutory exception from art. 49, para. 2, is correct, the legal setup in Serbia concerning the notification of whistleblowing schemes differs from the prevailing – albeit not uniform – approach in the EU. In most member states, prior notification is mandatory.
Hungary is a rare EU member state with a whistleblowing law. The Act CLXV of 2013 on Complaints and Public Interest Disclosures came into effect on 1 January 2014, and it explicitly requires that controllers notify the data processing operations relating to the whistleblowing system to the data protection register maintained by the national DPA (article 14(1)).
However, most jurisdictions within the EU – including France, Germany, Belgium, Austria, and Denmark – lack specific whistleblowing statutes. The data protection authorities have inferred from the general data protection laws that controllers must notify the DPA (or the so-called data protection officer) prior to setting up a whistleblowing scheme. The common argument in those jurisdictions is that, because a whistleblowing mechanism involves personal data related to offences punishable by the courts or administrative authorities, or sensitive data (e.g. health), or that the data processing operations may exclude reported individuals from a right, benefit or contract, such data processing requires some kind of supervision. Processing within the framework of implementing a whistleblowing scheme is no exception to the rules pertaining to processing of such data in other contexts.
The differences among jurisdictions exist with respect to who should be in charge of supervision: in most EU member-states it is the DPA, and in fewer jurisdictions it is the so-called data protection officer, appointed at the level of the company/data controller.
- In Austria, for example, implementation of a whistleblowing system generally requires prior checking and approval from the DPA.
- The DPA in Denmark has taken a very similar approach.
- The DPA in France (CNIL) issued a decision in 2005 in which it took a position that prior notification is mandatory and the processing requires approval by CNIL. This and subsequent decisions by CNIL have clarified that companies can meet that requirement by means of self-certifying, if the whistleblowing scheme is implemented in any of the following areas: finance, accounting, banking and anti-corruption; the fight against anti-competitive practices; the fight against discrimination and harassment in the workplace; health, hygiene and security in the workplace; protection of the environment; and, whistleblowing schemes implemented to comply with Section 301(4) of the Sarbanes-Oxley Act or the Japanese Financial Instrument and Exchange Act.
- The Belgian DPA has issued a recommendation (01/2006, of 29 November 2006) in which it took a position that prior notification is mandatory.
Germany has taken a specific approach. A private (non-State) data controller does not have to notify the DPA of a whistleblowing scheme if the controller has appointed a data protection officer and the officer is convinced of the conformity of the system (art. 4d, para. 2, of the Federal Data Protection Act). This rule also applies to the filing systems containing data derived from the operation of a whistleblower scheme.
Reporting to the DPA a filing system derived from whistleblowers’ complaints
When the operation of a whistleblowing hotline results in an assemblage of allegations of misconduct by specifically named individuals, has thereby a filing system been established and must the employer report such system to the DPA?
General rule under the DP Act is that data controller must furnish a filing system to the DPA no later than 15 days after establishing it (art. 51, para. 1). This is a sweeping rule and knows of no exception. While a controller does not have to notify the DPA of the intended data processing in the exceptional situation provided for in art. 49, para. 2, there is no statutory provision enabling a controller to circumvent the obligation to register a created filing system.
In Serbia, therefore, notification of an intended data processing and registration of a filing system emerged from the processing are two distinct actions, involving the use of two different DPA forms by a data controller, although much of the content entered into the forms is identical or highly similar. It is possible, then, that even if an employer does not have to notify the DPA about a whistleblowing scheme, the filing system derived from whistleblowing must be registered with the DPA.
When an employer collects, by virtue of receiving the whistleblowers’ complaints, personal data regarding individuals who are suspected of wrong-doing, such assemblage of data does not seem to differ from any other collection of data that constitutes a “filing system”, within the meaning of that term under data protection law. Therefore, legal rules applicable to filing systems in general should apply to the filing systems created in the context of whistleblowing.
A correct interpretation of the law would appear to be the following: while there is no obligation to notify the DPA of the intended operation of a whistleblowing scheme, created filing systems must be registered with the DPA. Here, an analogy with another filing system created in the context of employment is instructive. The Employment Files Act allows for an exemption from the obligation to notify the DPA on the intended processing of data, according to art. 49, para. 2 of the DP Act. However, employers who process employees’ personal data only to the extent mandatory under the Employment Files Act are nevertheless required to register the created filing system – in order to meet their obligation under art. 51, para. 1, of the DP Act.