Whistleblowing Hotline Guidelines for Germany

Unlike other European countries (e.g. France), Germany has no official binding rules on the admissibility of Whistleblowing Hotlines. However, the Ad-hoc Working Group on "Employee Data Protection" of the Düsseldorfer Kreis (the "Working Group") has recently issued a report on Whistleblowing Hotlines and data protection. Although the recommendations in this report are not binding, they will materially shape how Whistleblowing Hotlines are designed, because the various data protection authorities in Germany normally adopt them.

The Working Group, which consists of representatives of the data protection authorities responsible for the private sector in Germany, generally accepts the establishment of such Hotlines for reporting misconduct as a supplement to internal management controls. For the application of the general legal principles to Whistleblowing Hotlines, the Working Group distinguished the following groups of breaches of codes of conduct:

Group 1: Conduct which constitutes a criminal offence against the interests of the company (in particular fraud and misconduct relating to accounting and internal accounting controls, auditing matters, corruption, banking and financial crime and prohibited insider trading);

Group 2: Conduct breaching human rights (e.g. exploitation of favourable production conditions abroad in the form of child labour) or environmental interests;

Group 3: Conduct which adversely affects company ethics (e.g. Wal-Mart Case - Decision of the Düsseldorf Regional Employment Court of 14 November 2004).

The Working Group concluded that the admissibility of Whistleblowing Hotlines under German data protection law requires balancing the interests of the company against those of the data subjects. It further determined that where personal data is processed in connection with uncovering breaches of Group 1 and Group 2 conduct above ("hard factors"), the processing may be regarded as lawful. The reason is that the balance generally tips in favour of the legitimate interests of the company, as reporting such breaches helps to avoid legal consequences such as prosecution, compensation claims and defamation. In contrast, for conduct falling under Group 3 above ("soft factors"), it is assumed that the interests of the data subjects prevail and that processing such data is unlawful.

As a consequence, internal company guidelines on Whistleblowing schemes should mirror this distinction between Group 1 and 2 conduct and Group 3 conduct when defining the purposes of the reporting system. Unless a case-by-case analysis indicates otherwise, the Working Group suggests that personal data relating to Group 3 conduct should not be collected through Whistleblowing systems.

It is also important to note that the Working Group seriously questions the general validity of individual consent given by data subjects within an employment relationship. Here the Working Group adopts the findings of the EU Art. 29 Data Protection Working Group and takes the view that consent cannot be given freely because of the hierarchical relationship between the company and its employee.

The Working Group recommends accepting anonymous reports only in exceptional cases, because anonymity encourages misuse and denunciation. Instead, the Group suggests procedures which ensure that the identity of the whistleblower is kept confidential during all stages of the investigation. Further, the whistleblower should be informed on first contact with the system that his or her identity will be treated confidentially.

German law provides that personal data processed for the company's own purposes must be erased as soon as knowledge of it is no longer required. The Working Group clarified this rule for data received through a Whistleblowing system and recommended that such data be destroyed within two months after the investigation is concluded. Retaining the data for longer may be legitimate only until further legal measures, such as disciplinary proceedings or the pursuit of criminal proceedings, have been clarified. Personal data which proves to be unsubstantiated has to be deleted without undue delay.

This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.
