Personal data and whistleblower schemes

Businesses have to navigate and compete in a world characterised by increased digitisation, access to big data and cloud solutions, and by significant regulatory variations globally.

Globalisation and digitisation do not translate into corporate deregulation, however. Quite the contrary: rules are tightened and fine levels raised so fast that it is hard to keep up. In addition, authorities increasingly cooperate across borders to enforce regulations.

We advise on:

  • Personal data
  • Whistleblower schemes
  • Compliance policies

DATA PROTECTION LAW

Data protection law is developing fast and is becoming increasingly important in many contexts. For advisers in this area, specialist knowledge and practical experience with the areas that are subject to special regulation are crucially important.

While the most important rules in this area are derived from the EU, Denmark has also implemented a number of special rules. Examples include special rules on civil registration numbers, information about criminal records, other information of a purely private nature, and data processing in the context of credit rating activities. Many industries will also have special statutory rules to observe.

Our specialists advise on all legal aspects of data protection law in all industries, including the financial sector, the research and health sector and the telecom industry, and we have reinforced and expanded our skills and advice on data protection law quite substantially in recent years. With our many experienced and skilled attorneys and assistant attorneys, Kromann Reumert therefore ranks among the leading Danish law firms within this field.

Here are some typical examples of data protection issues that we advise clients on:

  • Data transfers into central corporate databases
  • Data transfers to countries outside the EU, including in connection with outsourcing
  • Drafting and implementation of binding corporate rules
  • Setting up whistleblower schemes
  • Processing of information in anti-corruption initiatives and investigations
  • Processing of special types of data, e.g. credit data, customer data, health information, and employee data
  • Collection and processing of data in the pharmaceutical industry, e.g. in conducting clinical trials
  • Data protection issues in relation to M&As and bankruptcies
  • Drafting privacy policies
  • The rights of data subjects, including right of access to data
  • Technical and organisational security requirements
  • Applications, approvals and complaints in relation to regulatory authorities

We can help with obtaining data processing permits, with enquiries, and with complaints or supervisory proceedings in all of the areas listed above.

The specially regulated areas described above are not the only ones to look out for. The general data protection requirements also frequently require attention. Those requirements are the ones that affect the greatest number of companies, and we therefore also have extensive experience advising on them.

Areas include:

  • Use of data processors
  • Security requirements and the handling of incidents
  • Drafting privacy policies
  • Use of video surveillance
  • Sale of personal data in connection with a transfer of undertaking
  • Staff data for administrative purposes

Some of the issues come up in connection with other challenges. For example, in a transfer of undertaking it may be all-important whether the buyer will be able to access the customer files of the new company or will have to start over and collect the data anew. 

Other recommended points to consider 

A company’s public image may suffer tremendously if, for example, it is found to have used unlawful video surveillance and is criticised for it by authorities, employees or customers. Breaches of data security can be equally damaging and are often a critical point in complaints and supervisory proceedings before the Danish Data Protection Agency. Security incidents can become costly affairs and cause severe damage to a company’s image.

We have advised on preventive measures in all manner of situations and have also stepped in for urgent crisis management when things have gone wrong.

Basis for data transfers

Transferring data to countries outside the EU is a complicated business and will, in most cases, require the prior permission of the Danish Data Protection Agency. The permission may be based on the EU model agreements, which guarantee an adequate level of protection for the processing of data outside the EU, or on any binding corporate rules the company has implemented to govern the processing.

Choosing the right basis

We can advise you on which basis of transfer to choose. We will look at the pros and cons of each option, many of which depend on the specific circumstances of the case, including:

  • How much data will be transferred, and how often?
  • Who are the parties involved?
  • What kind of information will be transferred?

Credit information, credit ratings, warning registers, etc.

The Act on Processing of Personal Data contains special regulations on the processing of credit information, warning registers, etc., and there are also special rules to be observed by financial companies. Companies engaged in obtaining or disclosing credit information find themselves in a very complex area of regulation, and the companies collecting and using the information also need to be attentive to the special rules.

We have in-depth experience with the rules and are able, therefore, to advise in detail about how to navigate and what to do to ensure a compliant and commercially viable processing of data.

Clinical trials, health information

Pharmaceutical companies engaging in clinical trials are subject to special rules and regulations, as is anyone active in the treatment of disease, i.e. hospitals, alternative therapists, other healthcare providers, etc.

We serve as legal advisers to some of the biggest pharmaceutical companies in the world and have in-depth knowledge of the requirements to meet when applying for permission to conduct clinical trials and for subsequent monitoring of the pharmaceuticals. 

We are also thoroughly experienced in the special rules for treatments and processing under healthcare law, e.g. requirements for journals, patients’ consent, etc.

WHISTLEBLOWER SCHEMES

Whistleblower schemes allow employees, directors and other persons with a direct affiliation with a company to report irregularities and wrongdoing to the management. Typically the schemes will involve the processing of sensitive personal information, such as information about possible criminal offences. In the vast majority of cases, therefore, the establishment of a whistleblower scheme must be reported to the Danish Data Protection Agency. The Agency issued, in July 2009, the first proper guidelines for reporting whistleblower schemes. The guidelines have subsequently been revised and expanded.

Whistleblower schemes are regulated by statute only in relation to the financial sector and in relation to auditors. Generally, the statutory rules require that only (potential) violations of financial regulations and auditing legislation may be reported under the schemes and that it must be possible to report anonymously.

Outside of these regulated areas, the establishment of whistleblower schemes is voluntary. Voluntary schemes are regulated by the practice of and guidelines issued by the Danish Data Protection Agency. Generally, only serious violations (or suspected violations) that may affect the company as a whole or significantly affect the life and health of individual persons may be reported. These include, for example, serious economic crime, environmental pollution, serious breaches of work safety and serious issues directed at an employee, such as domestic violence or sexual assault. Reporting is also possible where required under the American Sarbanes-Oxley Act, i.e. in case of accounting, internal control and audit irregularities, suspected corruption, and banking crimes.

The success of any whistleblower scheme hinges on the way it is designed; it must fit the needs of each company. For the same reason it is important to do a risk assessment that takes into account the type and size of the company and the risk factors inherently associated with its activities. These factors should be assessed against the investment that the company will need to make to establish the scheme, have it approved and, once approved, operate it. In many cases, you will need to view the whistleblower scheme as part of a bigger picture.

This could be relevant, for example, in relation to any existing compliance programmes, codes of conduct, anti-corruption programmes and other initiatives born from more general CSR initiatives, e.g. from joining UN Global Compact. Whatever your circumstances, there will be a multitude of legal concerns to be addressed before deciding on your model of choice.

Advice on whistleblower schemes

We have advised on countless whistleblower schemes (the design of them and the relevant approval processes) for national undertakings as well as international groups. 

We have assisted on numerous internal investigations, advising on, inter alia:

  • How to ensure compliance with the rules of the Act on Processing of Personal Data
  • How principles of proportionality affect the scope of investigations
  • How to handle data subjects' rights (duty of disclosure, right of access to data, etc.)
  • How to draft whistleblower policies, how to implement them in practice, etc.

COMPLIANCE POLICIES

What is a compliant business?

Corporate compliance is often seen as an elusive and hard-to-address concept. At the practical level, however, compliance is all about knowing where compliance is required. A business may be compliant with the law, safety standards, quality standards or audit standards, or with its own policies in general. The first step in any compliance analysis is therefore to establish which rules, regulations and standards apply to the business. Beyond actually meeting the requirements of the applicable rules and standards, the business should also be able to document its compliance and follow-up measures to the authorities and auditors.

Drafting a compliance policy

Once the applicable compliance requirements have been determined, the business should set its ambition in the relevant areas. For this purpose, the business should focus on rules and processes that actually contribute to the bottom line. Compliance is not a clearly defined state. Management should start by asking the question whether it is worthwhile being able to document compliance with a standard or a set of rules at all. To answer this question, the business should consider both what it achieves and what it avoids. By way of example, it may be very difficult to show any return on investment from a security measure because security is primarily about preventing incidents, which is a difficult thing to document. 

Advantages of being compliant

The advantages to the organisation of maintaining clear compliance policies and consistent compliance and follow-up practices in business critical areas are more tangible: 

  • Common understanding and shared expectations
  • Clear distribution of responsibilities and assignments
  • Work process optimisation
  • Uniform quality
  • Flexibility in connection with growth and staff intake
  • Fundamental risk assessment and basis for contingency planning
  • Audit savings

Kromann Reumert's compliance team

Kromann Reumert's compliance team has assisted many different types of businesses in drafting and implementing relevant compliance policies and programmes. Therefore, our compliance team has the necessary experience to ask the critical questions in a compliance evaluation and to inspire and drive the implementation of relevant compliance policies and codes of conduct.

COMPLIANCE AUDITS

Are the processes and transactions in your business in accordance with current rules and guidelines?

What are compliance audits?

A compliance audit is one way to reveal any violations of the law and determine the reason for such violations. With a compliance audit analysis, your business will receive specific recommendations on how to avoid future violations. An audit analysis may include everything from statutory requirements and industry standards to the internal guidelines of the business.

Compliance audits are characterised by a "yes/no" review. Accordingly, any act or transaction which is tested in a compliance audit process will be classified as either compliant or non-compliant. The end product we provide to the business is typically an audit report, specifying the compliance percentage in each of the tested areas. The compliance audit report will be accompanied by a description of the reasons for any non-compliance findings as well as specific remedial recommendations, which could include a proposal for new business procedures or other recommendations. 

Compliance audit - an example

By way of example, a compliance audit could be done by mapping your company’s data flows, reviewing the manner in which the data were collected, assessing the degree of compliance with applicable rules, and identifying what, if any, measures should be taken to achieve compliance. This might be in relation to the legal basis for processing, the necessary agreements with third parties, and the arrangements by which data are transferred to countries outside the EU. 

Kromann Reumert's compliance audit team for data protection

At Kromann Reumert, we have a dedicated compliance audit team with the experience and tools that are necessary to conduct efficient and cost-effective compliance audits. Our compliance team is always assisted by our in-house industry specialists within the relevant field. This enables us not only to deliver accurate audit results, but also to recommend commercially viable solutions if non-compliance is found.

For further information, please contact partner Tina Brøgger Sørensen, who is Kromann Reumert's compliance audit expert.
