Regina Mühlich - AdOrga Solutions GmbH Datenschutz

Exploring Legal Obligations, Confidentiality, and Impact Assessment: Data Protection in the Context of the Hinweisgeberschutzgesetz (HinSchG)

When highly sensitive data is being collected, it is crucial to determine who can access it. Data subjects have a right of access, but does this mean I have to disclose everything to them? This raises several follow-up questions.

1: Legal Foundations for Data Processing

The legal basis for data processing is the HinSchG, specifically § 10, in conjunction with Art. 6 para. 1 lit. c GDPR: "processing is necessary for compliance with a legal obligation to which the controller is subject".

At this point, it is also relatively simple: anything that is not permitted or required by the HinSchG has no basis in data protection law and is therefore off the table. Logical, so stick to the law.

2: Implementing Protective Measures

Appropriate protective measures must be implemented, as extended by § 22 para. 2 BDSG in Germany. This should be done regardless. Among other steps, certain data ought to be pseudonymized. While these measures are familiar to data protection officers, it is essential to emphasize their importance in this context once more.

It is also important to ensure that the hotline staff, as well as the investigators (who may vary depending on the report), are sensitized and trained accordingly. This is also mandated by German legislation. Training constitutes a key element in this regard.

3: Safeguarding Data Subject Interests

The data concerning allegations, especially those of misconduct or criminal offenses, are typically highly sensitive. Consequently, safeguarding the personal data of the data subjects is imperative. This is because the notification of a breach "entails an initial risk of stigmatization and victimization of the person concerned within the organization to which he or she belongs, even before the person concerned becomes aware that he or she has been accused and that the alleged facts have been verified".

Art. 5 para. 1 GDPR sends "special greetings" at this point. A data protection impact assessment must be conducted, necessitating the implementation of specific and appropriate measures to safeguard the interests of the data subjects. Naturally, the documentation requirements (Art. 6 (2) Accountability) also come into play, including the maintenance of records of processing activities. The GDPR is fully applicable, encompassing the information obligations as well. It is noteworthy that individuals reporting breaches in good faith are protected, which absolves the associated information obligations.

4: Handling Whistleblower Information

If the identity of a whistleblower, or other circumstances that allow conclusions to be drawn about his or her identity, is disclosed, the HinSchG regulates the information obligations of the hotline towards the whistleblower. In this respect, the hotline must inform the informant in advance of the transfer (§ 9 HinSchG). The information must be provided in the individual case prior to the disclosure. Information on the identity of persons who are the subject of a report, and of other persons named in the report, may be passed on to the competent authority under certain strict conditions. However, the hotline may also be obliged to disclose information.

5: Right of Access and Confidentiality

In the case of the right of access, the situation differs. Suppose the "accused person" (who has been implicated, potentially to their disadvantage, and who seeks correction, for instance) approaches the hotline and requests information about the complainant. As the accused individual, I am required to demonstrate that the whistleblower has made false accusations against me in bad faith. This poses a challenge because I am unaware of the identity of the accuser. Thus, proving the conditions will be difficult. While a right of access exists, the accused must substantiate the circumstances. The whistleblower's right to confidentiality remains in force. The controller, i.e., the company, bears responsibility for data protection. While the controller possesses a right of access, the hotline also carries the obligation of maintaining confidentiality.

6: Imposing Fines and Legal Framework

The law does not specify who imposes fines. In Germany, the general provisions of the Administrative Offenses Act (OWiG) are likely to apply. We are talking about a fine of EUR 50,000.

Conclusion: Navigating the Complex Terrain of Data Protection Under HinSchG

The national implementation requires improvement, possibly not only in Germany, but initially through court rulings as well. Given that the law is new, its efficacy will become evident over time. Nevertheless, for the benefit of all parties involved, the implementation of the details should not be unduly delayed.

In the meantime, as data protection officers, we should remember, particularly concerning the questions I have listed here and which are still open, that the purpose of the GDPR is to protect natural persons regarding the processing of personal data – that is, all those involved. Then we will get it right.

Author: Regina Mühlich, Data Protection Expert, Compliance Manager, Whistleblower Protection Officer

If you have any questions or require advice on these and other topics, please do not hesitate to contact us via e-mail: 
