Exploring Legal Obligations, Confidentiality, and Impact Assessment. Data Protection in the Context of the Hinweisgeberschutzgesetz (HinSchG)
When highly sensitive data is being collected, it’s crucial to determine who can access it. Data subjects have a right to access, but does this mean I have to disclose everything to them? This raises several follow-up questions.
1: Legal Foundations for Data Processing
The legal basis for data processing is the HinSchG, specifically § 10, in conjunction with Art. 6 para. 1 lit. c GDPR – „processing is necessary for compliance with a legal obligation to which the controller is subject“.
At this point it is also relatively simple: anything the HinSchG neither permits nor requires has no basis in data protection law, so it is off the table. Logical, so stick to the law.
2: Implementing Protective Measures
3: Safeguarding Data Subject Interests
The data concerning allegations, especially those of misconduct or criminal offenses, are typically highly sensitive. Consequently, safeguarding the personal data of the data subjects is imperative. This is because the notification of a breach „entails an initial risk of stigmatization and victimization of the person concerned within the organization to which he or she belongs, even before the person concerned becomes aware that he or she has been accused and that the alleged facts have been verified“.
Art. 5 para. 1 GDPR sends „special greetings“ at this point. A data protection impact assessment must be conducted, and specific and appropriate measures must be implemented to safeguard the interests of the data subjects. Naturally, the documentation requirements (Art. 6 (2) Accountability) also come into play, including the maintenance of records of processing activities. The GDPR is fully applicable, the information obligations included. It is noteworthy that individuals who report breaches in good faith are protected, and this protection takes precedence over the associated information obligations.
4: Handling Whistleblower Information
5: Right of Access and Confidentiality
6: Imposing Fines and Legal Framework
The law does not specify who imposes fines. In Germany, the general provisions of the Administrative Offenses Act (OWiG) are likely to apply. We are talking about a fine of EUR 50,000.
Conclusion: Navigating the Complex Terrain of Data Protection Under HinSchG
The national implementation needs improvement, possibly not only in Germany, and initially this will come through court rulings. Given that the law is new, its efficacy will become evident over time. Nevertheless, for the benefit of all parties involved, the implementation of the details should not be unduly delayed.
In the meantime, as data protection officers, we should remember, particularly concerning the questions I have listed here and which are still open, that the purpose of the GDPR is to protect natural persons regarding the processing of personal data – that is, all those involved. Then we will get it right.
Author: Regina Mühlich, Data Protection Expert, Compliance Manager, Whistleblower Protection Officer
If you have any questions or require advice on these and other topics, please do not hesitate to contact us – via E-Mail: consulting@adorgasolutions.de