Responsibility for personal data processed in whistleblowing systems
Through a new provision in The Data Protection Authority Statute Book it is now possible for companies to process personal data in whistleblowing systems without having to apply for a special permission from The Data Protection Authority.
However, the same substantial conditions as before are applicable to such systems. Companies that wish to create so-called whistleblowing systems, where information about legal offences may occur, must comply with the provisions of the Personal Data Act (PDA), and the specific prerequisites described in the new regulation.
The requirements in the Personal Data Act imply among other things that the company must comply with the fundamental requirements in the Personal Data Act, have a legal ground for the processing and provide sufficient information to the data subjects.
The requirements in the regulation mean among other things that the reporting may only comprise serious improprieties committed by persons who have a key position or a leading position within the own company or group of companies.