As of 1 November 2010 the Swedish Data Inspection Board (“Board”) has issued a regulation for whistleblowing. The new regulation takes away some of the formalities for companies which are about to launch whistleblowing schemes in Sweden.
The Swedish Data Protection Act (“Act”) prohibits parties other than public authorities from processing personal data concerning legal offences. Since whistleblowing schemes may involve the processing of such personal data, companies wanting to implement whistleblowing schemes in Sweden have, in the past, been obliged to procure a formal exemption from the Board. With the new regulation this is no longer necessary (as long as the company complies with the regulation).
Basically, the regulation codifies the Board’s view as it has been expressed in its past decisions. In essence this means that a whistleblowing scheme may be implemented provided that:
- Only key employees or top management may be reported in the scheme.
- It is objectively justified to process the data in order to investigate whether an individual has been involved in irregularities. This means, for example, that the scheme must form an optional complement to normal internal information and reporting channels.
- The processing must be limited to serious irregularities concerning (i) bookkeeping, internal control of accounts, audit, suppression of bribes, crime within the banking and finance industry, or (ii) other serious irregularities concerning either the vital interests of the company or its group of companies, or the life and health of individuals, including, for example, serious environmental crime, major security problems in the workplace and serious forms of discrimination and harassment.
- The company ensures that its processing of personal data complies with the Act including, without limitation, rules regarding processing of sensitive data, information to employees and transfers of personal data to third countries. In addition, the company must comply with applicable Swedish labour laws.
It may be interesting to note that the Board is of the view that a Swedish company introducing a whistleblowing scheme for its employees will always be considered a data controller. As a consequence, the Act – and hence the new whistleblowing regulation – will apply to the processing. This is also the case when a Swedish subsidiary merely implements a whistleblowing scheme provided by a parent company situated in another European country. Considering the Article 29 Working Party’s recent opinion on applicable law (Opinion 8/2010, WP 179), it would be interesting to hear from jurisdictions where a local entity may be considered a data processor to its parent company in the context of whistleblowing.