27 July 2007
LAWFUEL – The Law Newswire – The Spanish Data Protection Agency (“AEPD”) has recently issued an opinion of a whistleblowing procedure submitted to it by a Spanish company. The opinion is not binding, and only considers the particular whistleblowing procedure proposed by that company. However, it provides a valuable insight into the AEPD’s views on the compliance of whistleblowing procedures with Organic Law 15/1999, on personal data protection (“LOPD”). It is also the first time that the AEPD has issued an opinion on whistleblowing procedures.
Overview
In general, the AEPD follows the Opinion 1/2006 of Article 29 Working Party on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime*, which analyzes the implementation of these systems in relation to accounting, internal accounting control and auditing matters derived from the Sarbanes-Oxley Act.
Whistleblowing systems necessarily trigger the processing of personal data. According to Directive 1995/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Data Protection Directive”), data processing can be based on: (i) the unambiguous consent of the data subject; (ii) compliance with a legal obligation to which the controller is subject; or (iii) the legitimate interests pursued by the controller, provided said interests are not overridden by the fundamental rights of the data subjects.
Basis for Processing – Consent
Given the nature and operation of the whistleblowing systems, it is not possible to obtain the relevant data subject’s consent for the processing of their personal data under the whistleblowing system.
Basis for Processing – Legal Obligation
Nor can this processing be justified based on the compliance with a legal obligation as this requirement is construed as an obligation imposed by a national law, and not by a foreign regulation.
Spanish regulations do not impose a general obligation regarding the implementation of whistleblowing procedures. The AEPD recognises that investment services companies, credit entities, and persons or entities that act on the Stock Exchange who receive or execute orders, or who provide advice on stock investments are able to implement whistleblowing systems based on article 79.1 of Spanish Securities Market Act 24/1988. However, this is a specific rather than a general regime.
Additionally, the Spanish Unified Best Practice Corporate Governance Code (“Best Practice Code”), of 19 May 2006, advises public companies to implement mechanisms to allow employees to denounce, confidentially (and even anonymously, if appropriate), any irregularities taking place within the company, particularly in the context of financial and audit work, provided that those systems are implemented in compliance with the LOPD. The Best Practice Code, applicable to public companies, is based on the “comply or explain” principle: a company must explain how it complies with a best practice or explain the reasons why it fails to do so. Therefore, in this case, it is arguable whether this is really a legal obligation to which the controller is subject, as regulations allow public companies not to implement whistleblowing systems if they explain why such systems have not been implemented.
The AEPD does not consider the status of the Best Practice Code as a legal obligation to enable public companies to implement whistleblowing procedures. Although there are reasons to consider this as a proper legal obligation (although regarded as “soft law”), this issue will have to be dealt by the AEPD in the future.
Basis for Processing – Legitimate Interest
The third alternative under the Data Protection Directive to render a whistleblowing procedure lawful is that the whistleblowing systems can be implemented according to the legitimate interests of a company, as long as those legitimate interests are not overridden by the fundamental rights of the data subjects.
According to the Article 29 Working Party, the whistleblowing systems can be considered legitimate as a means of ensuring financial security in international financial markets and, in particular, with the aim of preventing fraud and misconduct in respect of accounting, internal accounting controls, auditing matters and reporting. The fight against bribery, banking and financial crime is also considered to constitute a legitimate interest.
Unfortunately, the LOPD does not adequately implement this “legitimate interest exception” and, according to the AEPD, data controllers cannot therefore rely on it. Therefore, the implementation of whistleblowing procedures in Spain cannot be based on the legitimate interest exception.
Basis for Processing – Performance of a Contract
To resolve these issues and find a basis for the processing, the AEPD has instead broadly construed another exception to the principle of consent, under which data can be processed if this is necessary for the performance of a contract to which the data subject is party.
According to the AEPD, the contractual exception will be applicable provided that the people covered by the whistleblowing procedure are bound the company by an employment, civil or commercial contract. The company will be able to rely upon the contractual exception insofar as the whistleblowing:
is part of the contractual relationship and all the concerned parties have been duly informed of the system; and
is necessary for the performance of the contract.
Scope of Whistleblowing Procedures
On this basis, the AEPD’s opinion considers whether the purposes set forth in the specific whistleblowing procedure it analysed are adequate, relevant, proportionate, specific, explicit and legitimate.
According to the AEPD, this principle can only be met to the extent the whistleblowing systems are limited to reporting specific irregularities, and only cover those irregularities which have an impact on the maintenance of the employment contract between the reported person and the company.
According to the AEPD, a whistleblowing procedure intended to report “behaviours, actions or facts that may constitute infringements both of the internal corporate rules or the laws, regulations or the ethic codes”, does not meet the requirements inherent to the data processing described above, and it would thus be necessary to limit the scope of the system to those factors which are direct relevant to relevant person’s the employment contract.
Anonymous Reporting
The AEPD also states that whistleblowing procedures which allow the whistleblower not to disclose his/her identity do not comply with the LOPD. This contrasts with the position taken by the Article 29 Working Party which held that, although anonymous reports should not be accepted as a general rule and should be discouraged, in certain circumstances it would be adequate to accept them. It may also conflict with the requirements of section 301 of the Sarbanes Oxley Act of 2002 which requires “the confidential, anonymous submission by employees of the issuer of concerns regarding question able accounting or auditing matters”.
However, the AEPD also states that the person to whom the whistleblowing report relates will not have to be informed on the identity on the whistleblower in any case, whereas the Article 29 Working Party holds that the whistleblower will need to be informed that his/her identity may be disclosed if necessary in the context of a judicial proceeding. According to the AEPD, as the person to whom the report relates is not allowed to access the identity of the whistleblower, the confidentiality requirement is achieved in full, and it is therefore unacceptable to process data obtained anonymously.
Fair Processing Information
In relation to the obligation to inform the reported person regarding the collection and processing of his/her personal data, according to the Article 29 Working Party data subjects must be informed as soon as possible of the collection of their personal data, provided, however, that this obligation “must be applied restrictively, on a case-by-case basis, and it should take account of the wider interests at stake”. Therefore, the right of information may be complied with at a later stage where there is a risk that the company would not be able to adequately investigate the report if the reported person is informed immediately.
The AEPD accepts this approach, if appropriate on a case-by-case basis and as long as the reported person is informed at the latest 3 months after the date of the report.
Security
Finally, the AEPD takes a strict approach in relation to the level of security that whistleblowing procedures need to comply with. Taking into account the sensitive nature of the information that may be processed, it will have to comply with the highest standard of security established in Spanish regulations.
Conclusion
In conclusion, the AEPD has for the first time publicised its position on the compliance of whistleblowing procedures with data protection law. It accepts the validity of those procedures, as long as strict criteria are complied with. At this stage, it does not accept that public companies have a legal obligation (although imposed by “soft law”) to implement those mechanisms, but there are grounds to argue the contrary.
The position of the AEPD is a significant step forward for companies wishing to implement whistleblowing procedures. Nevertheless, companies will have to tailor-make their procedures to ensure that they are compliant with LOPD in the eyes of the AEPD as, in practice, companies’ European or worldwide policies may not meet all the parameters set by the AEPD. Finally, it would still be necessary to persuade the AEPD of the validity of some aspects of whistleblowing procedures which it has not duly considered at this stage, or where, in our opinion, the position of the AEPD could be challenged.
Implementing Whistleblowing Procedures in Practice
Following the introduction of Sarbanes-Oxley 2002, a number of multinational companies have begun to implement their own systems in Spain. These are still in the early stages of development.
The most commonly implemented system appears to be the telephone hotline (“ethics hotline”) which provides employees who suspect that unethical or criminal activities are being carried out with an anonymous channel through which they may make their concerns known. This also provides the company with a means of increased vigilance and an avenue for ensuring that undesirable conduct is rooted out. A similar measure is to provide specifically allocated internet mailboxes where employees wishing to disclose information may post it anonymously.
Whistleblowing procedures are normally part of companies’ codes of conduct, or “ethical codes” as a guide to the kind of behaviour they wish to encourage and that which should be stamped out. Codes of conduct are normally not a set of disciplinary rules, but rather guiding principles common to all employees; they do not supersede or replace the employee’s obligations under local employment regulations, and are intended to set forth policies and guidance on some important business and legal matters; they are therefore not aimed at imposing new terms and conditions of employment.
As a result, from a strictly legal perspective, in most cases companies are in principle not obliged to follow a consultation process with the workers’ representatives, but merely to request a report on the implementation of the code of conduct, which is not binding on the company. This notwithstanding, in practice, companies often follow a consultation process to maintain good employee relations and avoid future disputes concerning the potential enforceability of the code. It is relevant to note that Spanish case law has not yet determined the nature of such codes, and it may therefore be advisable to have the workers’ representatives sanction its content.
Employees must, in turn, acknowledge receipt (to prove that they have read, understood, accepted and will comply with the code of conduct) and for incoming employees, express reference to it should be included in the employment contract and annexed thereto.
Taking these steps should ensure compliance with the AEPD approach (see Basis for Processing – Performance of a Contract above) as the whistleblowing procedure will be part of the employee’s contractual relationship and, to some extent, necessary for the performance of the contract.
Whistleblowing procedures nonetheless require a close review and tailor-made content in order to ensure compliance with other Spanish legal issues including employment laws and the employee’s fundamental right to honour and free speech.
