Implementing Secure Reporting Channels and Handing the Reports
Under the Romanian Whistleblowing Law, private legal entities having at least 50 employees have to identify and implement internal reporting channels for whistleblowers. These channels must be accessible, user-friendly, and ensure confidentiality; they should enable individuals to report in writing (on paper or via electronic means), orally by phone or other voice messaging systems or, upon the whistleblower's request, by means of meetings in person.
Additionally, these companies must appoint/establish a function responsible for receiving, recording, examining, performing subsequent actions and resolving the report, i.e. the "designated person", which can be a person, a department or a third party. . Similar to the function of data protection officer, the designated person must act impartially and be independent in the exercise of their duties.
As one can see, there is not a complete overlap neither (i) between the notion of "channel" (which can be broader) and a reporting tool (app/software) used by a company nor (ii) between the notion of "channel" and the "designated person".
Organizations must therefore establish and implement technical and organizational measures based on a risk assessment of the chosen whistleblowing channel(s) and designed whistleblowing processes for handling the reports. The target would be to ensure a lawful and secure data processing, while effectively mitigating potential risks.
The Romanian Whistleblowing Law allows whistleblowers to report anonymously and, provided that the reporting contains the minimum level of information, organizations are obliged to analyze the report. Specifically, the Romanian law specifies that anonymous reporting is to be assessed only if it contains indications on the alleged breaches of the law.
It seems that in the case of anonymous reporting, the public interest in reporting law violations takes precedence over the personal interests of the individuals (the person targeted by the report, third persons identified in the report) in the processing of their personal data.
Ensuring confidentiality is essential when designing a reliable internal reporting system
As a rule, organizations are obliged to keep the whistleblower's identity confidential. By exception, the whistleblower's identity may be disclosed when:
- Whistleblower has expressly consented to the disclosure of his/her identity;
- Disclosure of whistleblower's identity is an obligation imposed by law, subject to written prior information of the whistleblower (unless such information would jeopardize the related investigations or judicial proceedings);
- Whistleblower has intentionally revealed his/her identity in the context of a public disclosure.
Furthermore, according to the Romanian Whistleblowing Law, the reported person and the third parties identified in the report, have the same right as the whistleblower to have their identity kept confidential.
In order to ensure the confidentiality of the data processed in the context of the wihistleblowing report, organizations should create the best possible conditions to preserve confidentiality, such as the implementation of organizational measures: clear reporting policies/procedures, execution of non-disclosure agreements by the employees who have access to the data in the framework of whistleblowing reporting, limited access to the data, disciplinary sanctions for the employees who violate their confidentiality obligations, etc.).
Apart from any potential liability that may arise at the employer level, the Romanian Whistleblowing Law provides for the personal administrative liability (sanctioning by fine) of the individuals breaching their confidentiality obligations.
Applying the principle of data minimization
Personal data processed within the whistleblowing procedure must be limited only to the data that is relevant to solving the report; collection of additional personal data (i.e. which is not necessary for resolving the report) must be avoided. The data inadvertently collected should be promptly deleted.
The Romanian Whistleblowing Law outlines specific guidelines for the storage duration of whistleblowing reports and settlement resolutions. These records must be consolidated in an electronic register and kept for a period of five years.
There is obviously a deep and relevant interplay between the Romanian Whistleblowing Law and the GDPR. To the extent the reporting is made internally, organizations have certain obligations to safeguard to the maximum extent possible the personal data of the involved individuals.The implementation process (procedures and reporting channels) creates a valuable opportunity for organizations to also enhance their data processes and systems, mainly by optimizing data flows and maintaining a robust and secure operational framework.
Article provided by INPLP member: Adelina Iftime-Blagean and Nina Lazar (Wolf Theiss, Romania)
Dr. Tobias Höllwarth (Managing Director INPLP)