Whistleblowing schemes
Whistleblowing lets employees report illegal or improper activity with privacy safeguards. SOX (2002) drove the prominence of such schemes, and its reach extends to EU subsidiaries of US companies, creating tension with EU data protection law. Some member states are wary of anonymous reporting. The EU Whistle-blowing Directive required member states to set up internal systems by 17 December 2021. A compliant scheme needs a DPIA, works-council liaison, transfer mechanisms (SCCs/BCRs), and a careful policy following WP29/CNIL guidance.
EU companies in US groups can face two conflicting regimes: SOX, which requires enabling employees to report wrongdoing, and EU data protection law, which limits the processing of personal data within such schemes. Certain jurisdictions (Spain, Portugal) are historically sensitive about anonymous reports because the accused has no right of reply and anonymity can be abused.
| Element | Recommended approach |
|---|---|
| Individuals reporting | Limit to those in a position to know about the conduct |
| Individuals incriminated | Limit to people likely known by the reporter (same section/department) |
| Confidentiality vs anonymity | Keep identity confidential; anonymous reporting should not be encouraged |
| Scope of reports | Limit to matters affecting corporate governance; bullying/harassment via HR |
| Data retention | Strict period after investigation (e.g. two months); delete unsubstantiated reports immediately |
| Rights of incriminated persons | May be limited where notice would jeopardise the investigation |
| Transfers outside the EEA | Process to EU standards; state the SCCs/BCRs mechanism used |
An EU subsidiary of a US company may have to satisfy both SOX and EU data protection law. The EU Whistle-blowing Directive required internal systems by 17 December 2021.