HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU


10 April 2014
Monica Salgado, Advogada registered with the Portuguese Ordem dos Advogados, Registered European Lawyer with the SRA
Kirsti Laird, Solicitor (qualified in New Zealand)

OUR TEAM
Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors.
We have offices in Paris, Luxembourg, Zurich and Geneva.
Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.
We are listed in Chambers 2014 and Legal 500 as a leading law firm for Data Protection and have advised on this area of law since 1983.
"What I liked was the fact that the team was very willing for us to see itself as an extension of our existing in-house team. I like the way it integrated: members sat alongside and guided us. That was what impressed."
"Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures."

MONICA SALGADO
Monica is a Portuguese qualified lawyer and a Registered European Lawyer with experience assisting clients with the most varied data protection issues, both in Portugal and the UK. She has notably assisted clients in preparing and submitting registrations and requests for authorisation with the relevant data protection authorities, and in analysing processor / controller agreements, including conducting prior due diligence procedures and trans-border flows of personal data.
"provides top-notch client service" (Legal 500, 2011)
Monica has also participated in preparing replies to subject access requests and other data protection related requests, implementing data protection compliance measures and tools (including drafting relevant data protection policies), performing data protection compliance assessments, providing data protection training and assisting businesses to comply with E-Privacy rules by conducting cookies audits, drafting cookies policies and implementing cookies consent tools. Monica is a regular speaker on Speechly's webinars and at external data protection events, such as the Privacy and Data Protection Conference, and also contributes regularly to internal and external publications, including the PDP journal.
Monica.Salgado@speechlys.com, +44 (0)20 7427 6554

KIRSTI LAIRD
Kirsti is a New Zealand qualified lawyer who has experience advising on all aspects of UK employment law. She advises on general human resources issues, including negotiating and drafting employment contracts and service agreements for employees and directors, advising on grievance and dismissal procedures (including termination / settlement agreements), and the processes for conducting both small and large scale redundancies. She also advises clients in relation to commercial matters affecting employees, including mergers and acquisitions, restructurings, re-contracting scenarios and TUPE. She also has experience in Tribunal and High Court claims relating to employment matters, including advising an LLP in relation to an employment status claim by a former member. Kirsti produces our monthly Employment Newsletter, which updates our clients on news and events, including recent decisions of the Tribunals and courts on employment matters.
Kirsti.Laird@speechlys.com, +44 (0)20 7427 6411

TOPICS
- Practical considerations when dealing with whistleblower reports in the EU
- What to ask when analysing a report?
- Looking back at the organisation's whistleblowing procedures
- Dealing with the report

YOU HAVE JUST RECEIVED A WHISTLEBLOWING REPORT
Your organisation has just received a whistleblowing report. Now what?

WHAT TO ASK?
- Was the report submitted within the context of an employment dispute?
- Where was the report submitted? Was it made through the whistleblower hotline?
- Who submitted the report?
  - Employee
  - Supplier
  - Customer
- Was the report made in accordance with your organisation's local policy on whistleblowing?
- Do your whistleblowing policy and the report follow local:
  - Whistleblower protection laws?
  - Whistleblowing hotline restrictions?

WHERE, HOW, WHO?
One side:
- England & Wales: Public Interest Disclosure Act 1998
- US: Sarbanes-Oxley Act 2002
Other side:
- Other EU member States: comprehensive labour laws / codes
- More focus on privacy in the workplace

UNITED KINGDOM
- Listed companies: sound system of internal control
- Bribery Act: adequate procedures in place to prevent bribery
  - Guidance by the Ministry of Justice: this includes having effective whistleblowing procedures that encourage the reporting of suspected bribery
- Public Interest Disclosure Act: affords protection to whistleblowers who:
  - Are workers
  - Disclose information about malpractice in the workplace
  - This malpractice has to affect the public interest
  - Disclose the information to the right people
- Protection from detriment

US - SARBANES-OXLEY
- SOX mandatory Code of Ethics
- A confidential, anonymous reporting mechanism
SOX Section 301(4) states that "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters."

EU DATA PROTECTION PRINCIPLES
- An individual has a right to know what data is being processed about them;
- Personal data has to be processed fairly and lawfully;
- Personal data must be kept for no longer than is necessary and must be kept accurate and up to date;
- Personal data must, at all times, be kept secure and, where processed by a third party, be managed securely; and
- Personal data should not be transferred outside the European Economic Area to any country that does not have adequate protection for the rights of the individual.

CONFLICT BETWEEN SOX AND EU DATA PROTECTION LAWS
Breach SOX or breach Data Protection laws?
- Anonymity of the reports: high potential to cause significant harm or distress to the reported individuals
- Transfer of personal data outside the EEA: at least to the parent company in the US
- Use of hotline providers: controller & processor relationship
  - Written agreement
  - Mandatory controller actions
  - Strict instructions from the controller
- High potential to process sensitive personal data: criminal offences or suspicions thereof, and criminal convictions

EU SOLUTION
The Art. 29 Working Party issued guidelines setting out the recommendations for legitimate SOX whistleblower hotlines:
- Confidentiality preferred rather than anonymity
- Specific data retention periods
- Specific matters that may be reported
- Specific individuals that may be reported
Most EU member States have either issued guidelines or follow this Article 29 Opinion; however, there are still differences between all the member States!

DIFFERING STANCES OF EU MEMBER STATES
- Compulsion: mandatory or voluntary reporting?
- Anonymity: allowed, restricted, or completely prohibited?
- Scope limitation:
  - All matters may be reported, or are there restricted matters?
  - All personal data, or restricting sensitive personal data?
  - All individuals may report, or just employees?
- How should the report be investigated? As per the parent company's policy or following a local mandatory procedure?
- How long should the reports be kept for?

OTHER DIFFERENCES BETWEEN EU MEMBER STATES
- Notification requirements: notification, exemption or approval request?
  - May depend on the scope of the policy: policies that are too broad will tend to require approval
- Permission to transfer personal data outside the EEA. Different formalities:
  - Exemption still applies
  - Exemption falls
  - Approval required
- Specific requirements of local regulators: need to see the policy?
- Labour/Employment law requirements: Works Council approval / consultation?

EU PRIVACY IN THE WORKPLACE
European Convention on Human Rights, Article 8:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
ECHR case law: this right includes the right to privacy in the workplace. Very relevant throughout Europe.

WHISTLEBLOWING POLICY
Consider the whistleblowing policy! Do you have one? Is a policy necessary / advisable?
Different approaches depending on the:
- Country
- Type of company / industry
- Type of whistleblowing facilities
Tailor it to your specific needs.

POLICY & LOCAL LAW
- Is the policy compliant with local law?
- Does the whistleblowing policy impose limitations / restrictions:
  - on what can be reported?
  - on who can report?
- How was the policy rolled out?
  - Data Protection Authorities
  - Works Councils
  - Translated into the local language?
  - Displayed, or just on the intranet?
- Whistleblowing procedures:
  - Is there a third party hotline provider?
  - What is the internal procedure to investigate?

CONSIDERATIONS FOR COMPLIANT WHISTLEBLOWING HOTLINES IN THE EU
- Remember country by country specifics! One size does not fit all: ethical hotlines must be tailored to meet local requirements
- Narrow scope of reports
- Anonymity should be a last resort
- Strict retention periods should be observed
- Third party vendors need to be contractually controlled and guided

WHY ALL THIS MATTERS WHEN YOU RECEIVE A WHISTLEBLOWING REPORT
- Organisation may be fined for non-compliance with local Data Protection laws
- Organisation may be fined for non-compliance with local Labour / Employment laws on:
  - privacy in the workplace
  - workers' representation
- Whistleblowing detriment cases can be costly to defend:
  - Liability is uncapped
  - Significant legal costs
  - Significant management time diverted from core business
- Other costs: internal costs, reputational damage and loss of public trust
  - Share price, turnover, profits
  - Legal advice to prevent future loss
  - Forensic examination
  - Greater marketing push to improve public image
  - Business disruption

DEALING WITH THE REPORT
Decision on procedure:
- Is it to be investigated as a whistleblower report?
- Is it to be followed up as an internal HR matter?
The process and the consequences are different!

DEALING WITH THE REPORT
- Decide who will investigate: local subsidiary or parent company?
- Specific investigation procedure, grievance or other procedures?
- Investigative actions: consider your monitoring policy and procedures. Different approaches for different countries.
- Care: protection from detriment
- Warn whistleblowers of what can happen with their report, especially when, how and why the reported individuals could become aware of the report
- Reconfigure your procedures if non-compliant!

FURTHER INFORMATION
For more information please contact:
Monica Salgado, Data Protection & Information Security team, +44 (0)20 7427 6554, Monica.Salgado@speechlys.com
Kirsti Laird, Employment team, +44 (0)20 7427 6411, Kirsti.Laird@speechlys.com