On February 24, 2023, the Whistleblower Protection Act (HSchG) was enacted. Entrepreneurs and legal entities in Austria must now implement their obligations in a staggered manner while reconciling whistleblower protection and data privacy.
What does the HSchG regulate?
Under the HSchG, which implements the EU Whistleblowing Directive (Directive 2019/1937), all entrepreneurs, and all legal entities in the public sector, with 50 or more employees are required to establish an internal reporting channel. Through this channel, individuals can report various (potential) legal violations. The purpose of the law is to protect whistleblowers from retaliation or discrimination on account of their reports. Confidentiality and data protection requirements must be observed, and violations of the law may result in fines.
To whom does the law apply, and since when?
Entrepreneurs with between 50 and 249 employees had to implement internal whistleblower systems by December 17, 2023, while entrepreneurs with at least 250 employees already had to be compliant by August 25, 2023. Now that all deadlines have passed, companies in Austria must proceed with the implementation.
Whistleblower Protection in Austria and Data Privacy – How do they fit together?
Reports under the HSchG may contain sensitive data (e.g., political opinions). Therefore, the interface between whistleblower protection and data privacy is of central importance. Here are some key points:
- The retention period is five years (instead of the originally planned 30). Beyond that, data must be retained for as long as necessary for the conduct of administrative and judicial proceedings.
- To protect the identity of whistleblowers and any further investigations, the rights of data subjects (e.g., access to the data) may be restricted.
- Entrepreneurs who jointly operate a whistleblower protection system (e.g., within a group of companies) are joint controllers.
- Whistleblowers who provide personal data beyond what is necessary for following up the report are themselves considered controllers with respect to that surplus data (e.g., a report about a CEO engaging in arms deals with ties to Russia that also includes unrelated personal matters; the latter is not relevant to pursuing the legal violation).
- The obligation to delete nevertheless always lies with the operator of the whistleblowing system, i.e., the entrepreneur or legal entity. The whistleblower system must therefore be set up so that personal data can be deleted in a targeted and selective manner.
How can we support you with Whistleblower Protection in Austria and Data Privacy?
Setting up a whistleblower protection system that is both user-friendly and compliant with data protection law can involve a significant investment of time and money. If you wish to seek advice from a lawyer, feel free to contact us. We provide guidance from a data protection and compliance perspective and, as legal professionals, also work together with an experienced software provider. You can outsource the setup, coordination, and maintenance of your whistleblower protection system to us. Please reach out to our law firm for more information. Visit our website or contact us at office@geuer.at or by phone at +43-1-4380072. We look forward to your inquiry.