Update (January 2019): This client alert was published in August 2018. In the meantime, the German data protection authorities have reacted to the criticism and comments that were raised in relation to their new rules for whistleblowing hotlines and released an updated version of their guidelines on 14 November 2018. The updated guidelines now specifically address the question of potential exemptions from the information obligation pursuant to Art. 14 GDPR. Unfortunately, the guidelines still lack specific examples on when exactly the German data protection authorities consider those exemptions to be applicable. Please see I.b and II.d for details.
The coming into force of new EU-wide privacy legislation means German companies should review, and likely implement, changes to any existing whistleblowing hotlines offered to their employees. In light of the implementation of the General Data Protection Regulation (GDPR), the German data protection authorities (German DPAs) have changed their position on, amongst others, how employees submit whistleblowing reports anonymously. The German DPAs recently issued guidance on this point1:
The general EU position before the GDPR was implemented was that whistleblowers were not encouraged to file anonymous reports. We note that, in some EU countries, such as Portugal, anonymous reporting was in fact prohibited. The Guidance, in light of the implementation of the GDPR, reverses this position and now provides that employees must be encouraged to submit reports anonymously. The Guidance also provides that, when an employee wishes to identify himself as the whistleblower, the employee must be informed that his/her identity will be disclosed to the individuals mentioned in the report and that the employee's consent is required for this disclosure. Art. 14 GDPR provides that the individuals mentioned in the report must be informed about the whistleblowing report, including the identity of the whistleblower as the source of the personal data.
1The Guidance: Orientierungshilfe der Datenschutzaufsichtsbehörden zu Whistleblowing-Hotlines: Firmeninterne Warnsysteme und Beschäftigtendatenschutz.