Personal Data and Whistleblower Schemes

Businesses have to navigate and compete in a world characterised by increased digitisation, access to big data and cloud solutions, and by significant regulatory variations globally.

Globalisation and digitisation do not translate into corporate deregulation, however. Quite the contrary, in fact. Rules are tightened and fine levels increased so fast that it is hard to keep up. In addition, authorities increasingly cooperate across borders to enforce regulations. 

We advise on:

  • Personal data
  • Whistleblower schemes
  • Compliance policies

Data protection law

Data protection law is developing fast and is becoming increasingly important in many contexts. For advisers on the area, specialist knowledge and practical experience with the areas that are subject to special regulation are crucially important. 

While the most important rules on the area are derived from the EU,  Denmark also has a number of special rules implemented. Examples include special rules on civil registration numbers, information about criminal records, other information of a purely private nature, and data processing in the context of credit rating activities. For many industries there will also be special statutory rules to be observed. 

Our specialists advise on all legal aspects of data protection law in all industries, including the financial sector, the research and health sector and the telecom industry, and we have reinforced and expanded our skills and advice on data protection law quite substantially in recent years. With our many experienced and skilled attorneys and assistant attorneys, Kromann Reumert therefore ranks among the leading Danish law firms within this field.

Here are some typical examples of data protection issues that we  advise clients on: 

  • Data transfers into central corporate databases
  • Data transfers to countries outside the EU, including in connection with outsourcing
  • Drafting and implementation of binding corporate rules
  • Setting up whistleblower schemes
  • Processing of information in anti-corruption initiatives and investigations
  • Processing of special types of data, e.g. credit data, customer data, health information, and employee data
  • Collection and processing of data in the pharmaceutical industry, e.g. in conducting clinical trials
  • Data protection issues in relation to M&As and bankruptcies
  • Drafting privacy policies
  • The rights of data subjects, including right of access to data
  • Technical and organisational safety requirements
  • Applications, approvals and complaints in relation to regulatory authorities

We can help both in the obtaining of data processing permits, with enquiries and with complaints or supervisory proceedings in all of the areas listed above. 

But the areas for which there are special regulations in place as described above are not the only ones to look out for. Also general data protection requirements will frequently require attention. Those requirements are the ones that impact the greatest number of companies, and we therefore also have extensive experience advising on them. 

Areas include:

  • Use of data processors
  • Security requirements and the handling of incidents
  • Drafting privacy policies
  • Use of video surveillance
  • Sale of personal data in connection with a transfer of undertaking
  • Staff data for administrative purposes

Some of the issues come up in connection with other challenges. For example, in a transfer of undertaking it may be all-important whether the buyer will be able to access the customer files of the new company or will have to start over and collect the data anew. 

Other recommended points to consider 

A company’s public image may suffer tremendously if, for example, it is found to have used unlawful video surveillance and is criticised for it by authorities, employees or customers. Breaches of data security can be equally damaging and are often a critical point in many complaints and supervisory proceedings with with the Danish Data Protection Agency. Security incidents can become costly affairs and cause severe damage to a company’s image. 

We have advised on preventive measures in all manner of situations and have also stepped in for urgent crisis management when things have gone wrong.

Basis for data transfers

Transferring data to countries outside the EU is complicated business and will require, in most cases, the prior permission of the Danish Data Protection Agency. The permission may be based on EU model agreements, guaranteeing an adequate level of protection for the processing of data outside the EU, or any binding corporate rules the company may have implemented to govern the processing.

Choosing the right basis

We can advise you on what basis of transfer to choose. We will look at the pros and cons of each option, many of which will depend on the specific circumstances of each case, among other things:

  • How much data will be transferred, and how often?
  • Who are the parties involved?
  • What kind of information will be transferred?

Credit information, credit ratings, warning registers, etc.

The Act on Processing of Personal Data contains special regulations on processing of credit information, warning registers, etc., and there are also special rules to be observed by financial companies. Companies engaging in the obtaining or disclosing of credit information find themselves in a very complex area of regulation, and also the companies collecting and using the information need to be attentive of the special rules. 

We have in-depth experience with the rules and are able, therefore, to advise in detail about how to navigate and what to do to ensure a compliant and commercially viable processing of data.

Clinical trials, health information

Pharmaceutical companies engaging in clinical trials are subject to special rules and regulations, as are anyone active in the treatment of disease, i.e. hospitals, alternative therapists, other healthcare providers, etc.  

We serve as legal advisers to some of the biggest pharmaceutical companies in the world and have in-depth knowledge of the requirements to meet when applying for permission to conduct clinical trials and for subsequent monitoring of the pharmaceuticals. 

We are also thoroughly experienced in the special rules for treatments and processing under healthcare law, e.g. requirements for journals, patients’ consent, etc.

Whistleblower shemes

Whistleblower schemes allow employees, directors and other persons with direct affiliations to a company to report irregularities and wrongdoings to the management. Whistleblower schemes typically involve processing of confidential and sensitive personal information, such as information about criminal offenses. 

Previously, only whistleblower schemes in the financial and audit sectors were required by law, but with the most recent amendment of the Danish Act on Money Laundering, lawyers are now also required to take measures to prevent money laundering and financing of terrorism. This requirement can be met by establishing a whistleblower scheme that only allows reporting of (potential) violations of the financial legislation, the Danish Act on Approved Auditors and Audit Firms and the Danish Act on Money Laundering. Under such arrangement, anonymous reporting must be possible.

In other areas that are not regulated by law, whistleblower schemes may be established at discretion. The schemes are subject to the Danish Data Protection Agency’s practice and guidelines. Accordingly, only serious violations (or suspected violations) that may impact the company as a whole or significantly impact the life and health of individuals may be reported, including e.g. serious economic crimes, environmental pollution, serious breaches of work safety rules and serious personal incidents such as violence or sexual assault. Also, reporting of accounting, internal control and audit irregularities and of suspected corruption and financial crimes is possible to the extent required under the U.S. Sarbanes Oxley Act.

The successful whistleblower scheme

For a whistleblower scheme to be successful, it must be designed to meet a company's individual needs. It is therefore important to make a risk assessment that takes into account the type and size of the company and the risk factors inherently associated with its activities. These factors should be assessed against the investment that it will take to establish and operate the scheme. 

Also, the whistleblower scheme should often be seen in wider context, for instance in relation to existing compliance programmes, codes of conduct, anti-corruption programmes and other initiatives arising from more general CSR initiatives such as participation in UN Global Compact. Whatever the circumstances, there will be a multitude of legal concerns to be addressed before deciding on the model of choice.
Advice on whistleblower schemes
We have provided advice to a large number of Danish businesses and international groups in connection with the implementation of whistleblower schemes. 

We have also assisted in numerous internal investigations, advising on, inter alia:

  • compliance with the processing rules in the General Data Protection Regulation and the Danish Data Protection Act;
  • the impact of principles of proportionality on the extent of the investigations;
  • protection of data subjects’ rights, including information to be provided, access to data, etc.;
  • drafting of whistleblower policies and other documents required in connection with the introduction of the schemes, including assessment as to whether an impact assessment is required.

Compliance policies

What is a compliant business?

Corporate compliance is often seen as an elusive and hard-to-address kind of concept. However, at the practical level compliance is all about knowing where compliance is required. A business may be compliant with the law, safety standards, quality standards or audit standards, or in respect of its policies in general. The first step in any compliance analysis is therefore to establish which rules, regulations and standards apply to the business. While the business may be fully in control of meeting the requirements of applicable rules and standards, it should also be able to document its compliance and follow-up measures to the authorities and auditors.

Drafting a compliance policy

Once the applicable compliance requirements have been determined, the business should set its ambition in the relevant areas. For this purpose, the business should focus on rules and processes that actually contribute to the bottom line. Compliance is not a clearly defined state. Management should start by asking the question whether it is worthwhile being able to document compliance with a standard or a set of rules at all. To answer this question, the business should consider both what it achieves and what it avoids. By way of example, it may be very difficult to show any return on investment from a security measure because security is primarily about preventing incidents, which is a difficult thing to document. 

Advantages of being compliant

The advantages to the organisation of maintaining clear compliance policies and consistent compliance and follow-up practices in business critical areas are more tangible: 

  • Common understanding and shared expectations
  • Clear distribution of responsibilities and assignments
  • Work process optimisation
  • Uniform quality
  • Flexibility in connection with growth and staff intake
  • Fundamental risk assessment and basis for contingency planning
  • Audit savings

Kromann Reumert's compliance team

Kromann Reumert's compliance team has assisted many different types of businesses in drafting and implementing relevant compliance policies and programmes. Therefore, our compliance team has the necessary experience to ask the critical questions in a compliance evaluation and to inspire and drive the implementation of relevant compliance policies and codes of conduct.

Compliance audits

Are the processes and transactions in your business in accordance with current rules and guidelines?

What are compliance audits?

A compliance audit is one way to reveal any violations of the law and determine the reason for such violations. With a compliance audit analysis, your business will receive specific recommendations on how to avoid future violations. An audit analysis may include everything from statutory requirements and industry standards to the internal guidelines of the business.

Compliance audits are characterised by a "yes/no" review. Accordingly, any act or transaction which is tested in a compliance audit process will be classified as either compliant or non-compliant. The end product we provide to the business is typically an audit report, specifying the compliance percentage in each of the tested areas. The compliance audit report will be accompanied by a description of the reasons for any non-compliance findings as well as specific remedial recommendations, which could include a proposal for new business procedures or other recommendations. 

Compliance audit - an example

By way of example, a compliance audit could be done by mapping your company’s data flows, reviewing the manner in which the data were collected, assessing the degree of compliance with applicable rules, and identifying what, if any, measures should be taken to achieve compliance. This might be in relation to the legal basis for processing, the necessary agreements with third parties, and the arrangements by which data are transferred to countries outside the EU. 

Kromann Reumert's compliance audit team for data protection

At Kromann Reumert, we have a dedicated compliance audit team with the experience and tools that are necessary to conduct efficient and cost-effective compliance audits. Our compliance team is always assisted by our in-house industry specialists within the relevant field. This enables us not only to deliver accurate audit results, but also to recommend commercially viable solutions if non-compliance is found.

For further information, please contact partner Tina Brøgger Sørensen, who is Kromann Reumert's compliance audit expert.

Contacts within Personal Data and Whistleblower Schemes