Processing of leads and internal investigations
In addition to introducing a whistleblowing system, the EU directive also requires the planning of a regulated procedure and the correct handling of incoming reports from whistleblowers. Such a procedure includes, first and foremost, the definition of responsibilities within the company, ensuring data protection-compliant documentation, and training the responsible persons in handling the system and internal investigations.
The editing process
When designing the handling process, the EU Whistleblowing Directive grants companies discretion. A company is only obliged to follow up on a report once it has been received. To avoid initiating an investigation indiscriminately for every report, it has proven effective to begin the handling process with a preliminary review. Based on this preliminary review, a decision is made on initiating and structuring the further handling process. The handling concludes with the drafting of a report and further documentation. We will elaborate on these three steps below.
Step 1: Preliminary check
During the preliminary examination, the indication of validity is investigated. The most important question is whether the indication is convincing. Company context This involves determining whether the issue has occurred within the company or could have consequences for the company (e.g., third-party liability from suppliers). If no company connection exists, the review of the report can be concluded at this point. This is then followed directly by final documentation and reporting. The informant must also be informed of this decision, even if the report is not pursued further. Read more about the requirements of the EU directive in our blog post “The EU Whistleblowing Directive: a brief summary”.
If there is a connection to a company, the following questions must be answered in the next step:
- Is all the information complete and, above all, verifiable (i.e., logical)?
- Theoretically, could the incident have happened this way?
- Is the person concerned an employee of the company?
- Is this unlawful behaviour or a breach of (internal) guidelines, or is it merely a complaint or an indication of “poor” corporate governance?
If there are already indications regarding this matter or if the person concerned is already known, the preliminary examination is considerably simplified, as this indication can then be assigned to the existing „file“. If the case is not yet known, it is taken up anew.
In a final step of the preliminary examination, it must then be clarified what type of violations are present. If it concerns unlawful or abusive conduct, it must be clarified which law exactly is being violated.
The preliminary examination must be carefully and thoroughly justified and documented.
Step 2: Decision on further processing
In the next step, the focus of the investigation and the investigative strategy will be determined. When making this decision, the protection of the whistleblower's safety and the safety of the person concerned must always be taken into account. Here, as in criminal law, the principle of Presumption of innocence and that Principle of fair trial. During the internal investigation, the need-to-know principle must absolutely be maintained. The internal investigation must be documented throughout. Serious offences, such as cases of corruption, security risks or other breaches of competition law, must be reported immediately to management. If a data review is necessary, the data protection officer must be consulted. Furthermore, a data protection review must be carried out before reviewing emails or hard drives. If necessary, the works council must be involved in employee interviews. Employees conducting these interviews must receive special training.
It is recommended to define fundamental guidelines for handling tips. This will ensure that all regulations are adhered to. Nevertheless, further processing should not be a case of simply following a template, but rather decisions should always be made on a case-by-case basis.
Step 3: Finalise editing
Finally, the results of the internal investigation, including communication with senior management, must be carefully documented. This documentation is to be considered to be Report to draft and present to the management. This report is the basis for the Decision on follow-up actions, such as employment law measures or the reimbursement of a report. Once the report and the decision on follow-up measures have been made, both the whistleblower and – if necessary – the affected employee are to inform. In doing so, care must be taken to only share information that is absolutely necessary with the whistleblower. Naturally, data protection regulations must be observed. Since it is possible that the whistleblower may consult with other employees, the potential impact of the feedback on the company culture must also be considered with regard to content and wording. Finally, the Data protection compliant deletion This needs to be regulated. Because as soon as the purpose of data processing ceases and no legal retention obligations exist within the company, the data must be deleted.
Do's and Don'ts when processing leads
„Things to consider – the most important do's
- A quick, independent and complete review of the observation
- Take all indications seriously, as long as there are no objective reasons to the contrary.
- Always evaluate advice based on its content and, if necessary, rephrase it into an objective presentation.
- Inform the whistleblower on the progress and outcome of the investigation to an appropriate extent.
- Uphold the presumption of innocence from start to finish
- Protection of all involved persons through confidentiality and the need-to-know principle
- Protection of the whistleblower against retaliation, even if their identity becomes known
- Respectful communication with whistleblowers while maintaining necessary objectivity
„Beware of the trap!“ - The most important don'ts
- Never make decisions about the content of the notice dependent on the person.
- Do not accept the assessments, motivations, or similar of the whistleblower.
- Whistleblowers could „leak“ information. Therefore, caution is advised when sharing information in communications with the whistleblower.
If a tip-off turns out to be false, it is not necessarily due to malicious intent. It is most often simply a wrong assessment of a situation. Whistleblowers always see just one specific moment of a larger situation from a subjective viewpoint and then evaluate that single moment. If the entire context is not known, it is quite possible for a wrong assessment to occur.
In such cases, complete documentation and detailed justification of decisions are particularly important. However, if it turns out to be a wilful false report, the company is to sanction it. Compensation with the person affected by the false report must also be arranged. However, it is not recommended to use this situation to make an example of the whistleblower. This could lead to employees no longer using the whistleblower system, even for justified concerns.
If you want to learn more about the path of a tip within a digital whistleblowing system, feel free to read Part 7 “Process of a digital whistleblowing system“our whistleblowing basics series. Do you have questions about our whistleblowing system or about whistleblowing in general, Contact You like one of our experts.
Website. Know-how page or in our Guide to implementing the Whistleblower Protection Act in your company”.
(The male form used refers to all persons, regardless of gender.)
