Handling of whistleblowing reports and internal investigations
In addition to the introduction of a whistleblowing system, the EU Whistleblowing Directive also requires a defined process for the correct handling of incoming reports from whistleblowers. Such a process includes, first of all, defining responsibilities within the company, ensuring that documentation complies with data protection requirements and training the responsible persons in dealing with the system and internal investigations.
The handling process
The EU Whistleblowing Directive gives companies some leeway in designing the handling process. A company is only obliged to follow up on a report after it has been received. In order not to initiate an undifferentiated investigation for every report, it has proven useful to begin the handling process with a preliminary examination. On the basis of this preliminary examination, a decision is made on the initiation and organisation of the further handling process. The process concludes with the writing of a report and further documentation. These three steps are explained below.
Step 1: Preliminary examination
During the preliminary examination, the report is examined for validity. The most important question is whether the report is related to the company. This does not concern the origin of the report, but rather whether the facts occurred in the company or could have consequences for the company (e.g. third-party liability for suppliers). If the report is not related to the company, the examination can be stopped here, and the final documentation and reporting take place directly. Even if the report is not taken into further consideration, the whistleblower must be informed of this decision. Read more about the requirements of the EU Directive in our blog post “The EU Whistleblowing Directive: a brief summary”.
If there is a reference to the company, the next step is to answer the following questions:
- Are all the details complete and, above all, can they be objectified (i.e. are the details logical)?
- Could the facts of the case theoretically have occurred in this way?
- Is the person concerned an employee of the company?
- Is it a case of illegal behaviour or a violation of (internal) guidelines or is it merely a complaint or a report on “bad” corporate governance?
If reports have already been received on this matter or if the person concerned is already known, the preliminary examination is considerably simplified, as this report can then be assigned to the already existing “file”. If the case is not yet known, it is opened as a new case.
In a final step of the preliminary examination, it must be clarified what kind of violations have occurred. If the conduct is unlawful or abusive, it must be clarified which law exactly is being violated.
The preliminary examination must be carefully and extensively substantiated and documented.
Step 2: Decision on further processing
The next step is to determine the focus of the investigation and the investigation strategy. This decision must always take into account the preservation of the whistleblower’s safety and the safety of the person concerned. Here, as in criminal law, the principle of presumption of innocence and the principle of fair trial apply. During the internal investigation, the need-to-know principle should be upheld at all costs. The internal investigation must be documented throughout. Serious offences, such as cases of corruption, security risks or other competition violations, must be reported immediately to the management. If a data review is necessary, the data protection officer must be consulted. In addition, a data protection review must be carried out before viewing emails or hard drives. When interviewing employees, the works council may have to be involved. The employees who conduct these interviews must be specially trained.
It is advisable to define basic guidelines for the handling of whistleblowing reports. This ensures that all regulations are complied with. Nevertheless, further handling should not simply follow a pattern, but should always be decided on a case-by-case basis.
Step 3: Finalise the handling
Finally, the results of the internal investigation, including communication with the management, must be carefully documented. This documentation is to be written as a report and submitted to the management. This report is the basis for deciding on follow-up measures, such as labour law measures or filing a complaint. After the report and the decision on follow-up measures have been made, both the whistleblower and – if necessary – the employee concerned must be informed. Care must be taken to ensure that the whistleblower is only given information that is really necessary. Of course, data protection regulations must be observed. Since it is possible that the whistleblower will exchange information with other employees, the potential influence of the feedback on the corporate culture must also be taken into account with regard to content and wording. Finally, data protection-compliant deletion must be regulated. As soon as the purpose of the data processing no longer applies and there are no longer any legal obligations to retain the data in the company, the data must be deleted.
Do's and don'ts when handling whistleblowing reports
"What you should be thinking about" - the most important do's
- A quick, independent and complete examination of the report
- Take all reports seriously as long as there are no objective reasons not to do so
- Always evaluate the report on the basis of its content and, if necessary, reformulate it into an objective account
- Inform the whistleblower to an appropriate extent about the status and outcome of the investigation
- Consider the presumption of innocence from beginning to end
- Protect all persons involved through confidentiality and the need-to-know principle
- Protect whistleblowers from reprisals even if their identity is revealed
- Communicate with whistleblowers in a respectful manner while maintaining the necessary objectivity
"Beware of the trap" - the most important don'ts
- Never make decisions about the content of the report based on the person
- Do not adopt the whistleblower’s judgement, motivation or similar
- Whistleblowers may “leak” information. Therefore, caution should be exercised when sharing information with the whistleblower
If a report is false, this was not necessarily done with malicious intent. In most cases, it is simply an incorrect assessment of a situation. Whistleblowers always see only one concrete moment of a larger situation from a subjective point of view and then evaluate this one moment. If the whole context is not known, it is easy for a wrong assessment to occur.
In such cases, full documentation and detailed justification of decisions are particularly important. However, if the report turns out to be deliberately false, it must be sanctioned by the company. A compromise should also be reached with the person affected by the false report. However, it is not recommended to use this situation to make an example of the person making the report. This could lead to employees no longer using the whistleblowing system even for legitimate issues.