- 02.04.24
- Reading time: 5 Minuten
DATA PROTECTION REVIEW OF NOTICE SYSTEMSIndispensable! But why actually and what does such an examination include?
The Whistleblower Protection Act (HinSchG), which came into force at the beginning of July 2023, obliges numerous companies to set up an internal whistleblower system. And as is usual with new obligations, the market already offers numerous offers with which companies can fulfill the requirements of the law. When making their selection, companies look at price-performance, user-friendliness, compatibility with existing systems, and much more. Whistleblower systems process personal data and should therefore be subjected to a comprehensive data protection review before they are introduced.
The protection of personal data is of utmost importance in today’s digital world. Once a whistleblower system is in place, it collects, processes and stores personal data. To ensure the confidentiality and integrity of this sensitive information, companies must ensure that they comply with applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
It cannot be automatically assumed that this legal certainty exists for all software providers, as it naturally also depends on the individual requirements of the companies. To avoid the sometimes severe penalties for data protection violations from the outset, it is advisable to get your data protection officer on board directly during the introduction and to have the systems available for selection checked.
A data protection audit consists of several steps. After performing a threshold analysis, we look to see whether a data protection impact assessment from the software manufacturer is already available, and if not, whether one is even necessary in your case, or whether a comprehensive audit report alone should be prepared. If a privacy impact assessment is deemed necessary or an existing privacy impact assessment is cross-checked, these results are also addressed in an audit report.
The threshold analysis
In the threshold analysis, it is first checked whether the form of data processing is fundamentally subject to a high risk, Art 35 GDPR. At its core, the threshold analysis is a risk analysis that determines whether a data protection impact assessment (DPA) is necessary. The potential risk is determined by assessing the probability of occurrence and determining the severity of the potential harm of an event. When implementing a new technology in the form of a whistleblower platform in a company, it can always be assumed that whistleblowing employees would, for example, have to reckon with severe reprisals, possibly even threatening their existence, if the wrong people became aware of the contents of their tips because the newly implemented technology is incomplete, for example because it does not include a sufficient rights-role concept or technical and organizational measures are not implemented properly.
In the event of such a high risk, a DSFA must always be performed.
The data protection impact assessment
As soon as software is expected to pose a high risk to the rights and freedoms of natural persons, companies must conduct a data processing risk assessment when introducing it. The DSFA is used to identify and assess data protection risks and to develop suitable measures to mitigate the risk. It is usually prepared by the data protection officer and, accordingly, is often part of the data protection audit. If a data protection impact assessment already exists for the selected whistleblower system on the part of the software service provider, there is of course no need to prepare a second one. In this case, however, the auditor should review it in detail and include any necessary additions or changes.
The audit report
The audit report summarizes the data protection audit for your company and shows which measures have already been implemented, are still being implemented and where there is still a need for improvement. In the following, we present a few of the most important points covered by our audit reports.
Legal compliance
As a matter of principle, we check whether all relevant legal requirements are met. On the one hand, this concerns all relevant standards of the DSGVO, the BDSG and regularly the Telecommunications Telemedia Data Protection Act (TTDSG), but on the other hand also the requirements of the HinSchG. The paragraphs dealing with the processing of personal data, the confidentiality requirement and the tasks of internal and external reporting offices are particularly relevant.
Rights-role concept
Highly relevant and sensitive data can be received in the whistleblowing system, so it is essential to use a well thought-out rights-role concept to prevent the recipient of the whistleblowing from easily facing a conflict of interest. It goes without saying that it is unfortunate, for example, if an employee reports on grievances in the department and his department head is responsible for receiving the tip. Optimally, this problem can be solved by technical measures such as encryption mechanisms, pseudonymization and by an external ombudsman office.
Response mechanisms
Particularly in the area of data privacy, there are tight deadlines that companies absolutely must meet. For example, once a company becomes aware of a data leak internally, it has 72 hours under Art. 33 GDPR to report the data breach or mishap to the relevant supervisory authority and must even notify the data subject of the breach of their rights without delay, Art 34 GDPR. This time has passed faster than many a company would like. In order to be able to act as quickly and efficiently as possible in the event of a breach, it is essential to implement the response mechanisms in a technically clean manner from the outset and to clearly define which person has which responsibilities.
Order processing contract
As always when data is processed, a contract processing agreement (CPC) is mandatory. The software solution provider must ensure that all data accessed by its software is protected in a GDPR-compliant manner. This includes, for example, that a secure firewall exists or that the software provider does not knowingly share data. As a rule, these requirements are self-evident for most companies, but it is still important to contractually fix self-evident aspects. Whether the GCU meets the data protection requirements for processing is also checked and explained in the audit report.
Implementation of technical and organizational measures (TOMs)
Of course, not only the software provider, but also the company itself must implement appropriate technical and organizational measures (TOMs) in accordance with Art. 32 GDPR. These are, for example, access restrictions or the use of secure passwords. These measures are standard in most companies and should not pose a challenge.
And then?
Once the data protection audit has been completed, the ideal result is “Overall, this is an appropriate implementation of the requirements under EU Directive 2019/1937, the DSGVO, the BDSG and the Whistleblower Protection Act in terms of data protection. From a data protection perspective, this is the starting signal for the rollout of the selected solution. It becomes more difficult when the auditor raises concerns. If possible, companies should take immediate action to remedy the noted grievances. This could involve adjusting the system architecture, implementing additional security measures or revising data protection policies and procedures. Particular attention should be paid to technical and organizational measures. Working with data protection experts can help companies assess data protection concerns and minimize risks without losing sight of the cost-benefit ratio.
To prevent the data protection review from being carried out too late and leading to undesirable results, the data protection officer or consultant should ideally be involved at the beginning of the selection process. This security is provided by our whistleblower system, which was developed by attorneys and lawyers with data protection expertise in close collaboration with IT specialists.
If you are interested, please feel free to book a non-binding demo appointment. But even if you have already established or selected a whistleblower system, we are there for you and can take over the data protection audit.
