In today's business world, companies are often confronted with compliance issues. In particular, the question arises whether data protection officers (DPOs) can also act as an internal whistleblower reporting point. Although this should be legally permissible, it poses some risks and challenges. In this blog article, we will discuss the possibilities and limitations of this dual function, the associated risks and conflicts of interest, as well as recommended actions to ensure compliance.
Data protection and whistleblower protection have more in common than it might first appear, especially for practical reasons. Both areas are often exercised by the compliance department or even by the same person. The EU Whistleblower Directive, which came into force in December 2021, has expanded the requirements for companies to set up a whistleblower reporting office.
DPOs and whistleblowers have several things in common, such as independence, access to top management, confidentiality and personal integrity, capacity and resources, and knowledge of the organisation. Therefore, it is understandable why companies would want to merge these two roles.
However, merging the two roles also poses risks and conflicts of interest. A potential conflict of interest exists when a notification concerns data protection, e.g. the processing of personal data. If the same person in the role of DPO assesses the data processing as legally compliant, he or she can hardly judge differently as a whistleblower reporting office.
Another potential conflict of interest arises when the whistleblowing process itself involves sensitive and risky data processing. Protecting the identity of the whistleblower is a key element of the entire process. If the identity of the whistleblower becomes known to unauthorised recipients, the DPO should also review the case. However, if the data is leaked by the DPO while he is acting in the role of whistleblower reporting officer, he can hardly be expected to acknowledge his own procedural error.
The benefits of merging the two roles often outweigh the risks and potential conflicts of interest mentioned above. The potential benefits of merging the two roles are mainly cost reduction. If a company has an expert who meets the requirements and whose DPO role does not take up all of his or her work capacity, it may make sense to assign him or her an additional whistleblower reporting role.
However, this does not mean that the company should take the risk. A viable solution may be to have other employees or an external person run the whistleblowing unit. It is also conceivable to have another person without relevant in-house expertise act as an intermediary, first carrying out a preliminary review of the content and thus identifying the conflicts of interest. However, it is rather questionable whether this can be reconciled with the legal requirements in every case.
Organisations that merge the DPO and whistleblower reporting roles should set up a process where complaints or questions on common points, such as data protection in whistleblower investigations, are handled by someone else. This could be another employee from the compliance department, an external lawyer, a relevant board member, etc. The company should inform all relevant persons about this solution to avoid mistrust in both systems.
Setting up an additional system to handle data protection in whistleblower situations may be at odds with cost reduction, but in practice the number of similar joint cases will be small. This additional capacity should not place an undue burden on the company. Instead, it will bring savings and efficient use of capacity, as well as ensuring the trust of staff and other affected persons in a functioning data protection and whistleblowing process. And trust is one of the most important outputs of both processes mentioned. Nevertheless, it entails costs and time losses to implement the mentioned points in-house. Therefore, outsourcing the operation of the hotline should be considered against the background of economic efficiency considerations.
If you do not want to deal with the aforementioned issues either in terms of personnel or organisation, the solution of an external reporting office that functions as an "internal reporting office" is an option. In this case, it is only necessary that you name a contact person in your company to your external service provider with whom you can interact about whistleblower cases so that internal investigations can begin if the contents of the cases require it.
In addition, this solution usually saves you from having to prepare data protection impact assessments, as the software used to operate the reporting channel is in most cases also operated by this external service provider.
In addition, the service provider will only contact you if it is absolutely necessary and the case has a corresponding explosiveness, so that you have to become active. All cases that do not fall under the scope of whistleblower protection will be sorted out and archived for you by this external service provider anyway.
With an external service provider, you also no longer have to worry about documentation, as this is also taken over.
Interested in a service provider for the operation of your reporting centre? Write to us at firstname.lastname@example.org or call us without obligation at +49 (0) 176 72224558. We will be happy to discuss with you how you can realise a cost-effective and time-saving solution without conflicts of interest.