Less formalities when launching whistleblowing schemes in Sweden

As of 1 November 2010 the Swedish Data Inspection Board (“Board”) has issued a regulation for whistleblowing. The new regulation takes away some of the formalities for companies which are about to launch whistleblowing schemes in Sweden.

The Swedish Data Protection Act (“Act”) prohibits other parties than public authorities to process personal data concerning legal offences. Since whistleblowing schemes may involve the processing of such personal data, companies wanting to implement whistleblowing schemes in Sweden have, in the past, been obliged to procure a formal exemption from the Board. With the new regulation this is no longer necessary (as long as the company complies with the regulation).

Basically, the regulation codifies the Board’s view as it has been expressed in its past decisions. In essence this means that a whistleblowing scheme may be implemented provided that:

  • Only key employees or top management may be reported in the scheme.
  • It is objectively justified to process the data in order to investigate whether an individual has been involved in irregularities. This means, for example, that the scheme must form an optional complement to normal internal information and reporting channels.
  • The processing must be limited to serious irregularities concerning (i) bookkeeping, internal control of accounts, audit, suppressing of bribes, crime within the banking and finance industry, or (ii) other serious irregularities concerning either the vital interests of the company or its group of companies, or the life and health of individuals, including for example, serious environmental crime, major security problems in the workplace and serious forms of discrimination and harassment.
  • The company ensures that its processing of personal data complies with the Act including, without limitation, rules regarding processing of sensitive data, information to employees and transfers of personal data to third countries. In addition, the company must comply with applicable Swedish labour laws.

It may be interesting to note that the Board is of the view that a Swedish company introducing a whistleblowing scheme for its employees always will be considered a data controller. As a consequence, the Act – and hence the new whistleblowing regulation – will apply to the processing. This is the case also when a Swedish subsidiary merely implements a whistleblowing scheme provided by a parent company situated in another European country. Considering the Article 29 Working Party’s recent opinion on applicable law (Opinion 8/2010, WP 179), it would be interesting to hear from jurisdictions where a local entity may be considered a data processor to its parent company in the context of whistleblowing.

One thought on “Less formalities when launching whistleblowing schemes in Sweden”

  1. The Hungarian DPA has also adopted a similar opinion which provides that it would be illegal if local employees could make whistleblowing reports directly to the parent company (considered as a third party) and not to the Hungarian employer. Consequently, whistleblowing schemes should be operated on the part of the Hungarian employer (as the controller of data) and not by the parent, however, under Hungarian national law it is not excluded to involve the parent as a processor in connection with the operation of the scheme.

    As regard the interplay between reporting schemes and the recently adopted WP opinion on applicable law, in my view, whistleblowing can be considered as an employment related data processing activity where employees can report the serious breach of laws / ethical rules on the part of co-employees laid down by the employer which is then normally investigated by the employer. It sounds therefore that such data processing indeed happens within the context of activities of the local employer (pursuant to Article 4(1)(a) of the Directive) and not that of the parent (if any). The WP opinion also acknowledged that “human resource or client data are thus normally subject to the data protection law of the country where the activity – in the context of which the data are being processed – takes place.” In my opinion, this statement also holds true as regards the processing of employee data relating to whistleblowing, which means in practice that the local employer has special responsibility as regards the compliance of the scheme with national labour and privacy laws applicable at the place of establishment. However, once the parent (that is situated in another European country) is also involved in the operation of the scheme where the parent is the addressee of the reports/complaints, the simultaneous application of multiple national laws (namely, the local law of the employer and the parent’s local law) could not be excluded which is also confirmed by Example No 4 of the Opinion in my view.

Leave a Reply

Your email address will not be published. Required fields are marked *