A Directive containing the EU’s new whistleblowing rules was adopted by the European Parliament on 16 April 2019 in Strasbourg, with 591 votes in favour, 29 against and 33 abstentions.

 

The rules in question ensure greater safeguards for people who blow the whistle (whistleblowers) on wrongdoings in the workplace, in areas like “public contracts”, “financial services”, “money laundering”, “product and transport safety” “nuclear safety”, “public health”, “consumer and personal data protection”.

 

This important piece of community legislation became necessary in light of the outcome of a study carried out in 2017 on behalf of the European Commission. In detail, the report estimates that the lack of whistleblower protection results in losses, in the public procurement sector alone, of almost 10 billion euro per year.

 

Safeguards

To protect potential whistleblowers, and the information reported, the new rules provide for reporting:

  • internally within the entity or company the person works for;
  • directly to the competent national authorities;
  • to EU bodies and agencies.

 

Protection will be provided even if the reporting person decides to publicly disclose the information if there is an imminent threat for the public interest or a risk of retaliation.

Small undertakings and small municipalities are exempted from the protection rules.

 

The Directive explicitly prohibits any form of retaliation against the reporting person and provides safeguards against suspension, demotion and intimidation or other forms of reprisal against the person.

 

Rights

Persons who assist the reporting persons (facilitators, colleagues and relatives) will also receive protection.

 

Reporting persons must also be guaranteed:

  • access to comprehensive and independent information and advice, free of charge, on the procedures and remedies available;
  • access to legal aid in proceedings;
  • financial assistance and psychological support.

 

Procedure for adoption of the text of the Directive

Following the final approval of the legislative text by the MEPs, the Member States will have to adapt their national legislation accordingly within two years. In fact, currently, only 10 Countries (France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the United Kingdom) offer complete protection to all sectors or categories of workers.

 

Related Links:

 

Whistle-blowing: upcoming Directive

An announcement published on the website of the European Data Protection Board (EDPB) confirms that, in March 2019, the Polish data protection authority (UODO) imposed its first fine on a Swedish company pursuant to the data personal protection Regulation (EU) 2016/697 (“GDPR”), ordering it pay a penalty of 220,000 euro. The Swedish company had processed the personal data of a number of people without them knowing and without giving them appropriate information on the processing of their data, in flagrant breach of art. 14 of the GDPR.

 

Reference Regulations

Where personal data have not been obtained directly from the data subject, art. 14 of the GDPR requires that the controller provides the data subject with the following information:

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, that the controller intends to transfer personal data to a third country outside the European Union;
  7. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  8. the legitimate interests pursued by the controller or by a third party;
  9. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing and to object to processing as well as the right to data portability;
  10. where processing is based on consent given, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  11. the right to lodge a complaint with the supervisory authority;
  12. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  13. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject.

 

The controller must provide said information within a reasonable period, at the latest within one month from the date of collection or at the time of the first communication to that data subject or to third parties.

 

The facts

In the case examined, the fined company – which supplies decision-making support in the form of digital business, marketing and credit information – had processed the personal data of a large number of natural persons (entrepreneurs) without them knowing.

 

The data subjects were not informed that their personal data were being processed and were thus deprived of the possibility to exercise their rights under the GDPR. Nor were they able to object to further processing or request the rectification or erasure of the personal data.

 

Specifically, the company provided the information set out in art. 14 of the GDPR only to those persons for whom it had an email address. For the other persons, it did not to satisfy the information requirement because of (on its own admission) the “significant operating costs” involved in sending the notice to the data subjects by recorded delivery – therefore limiting its action solely to the publication of the privacy notice on its website.

 

According to the President of the UODO, since the company had the postal addresses and telephone numbers of such persons, it should have satisfied the information requirement using that information. In fact, the GDPR does not require the controller to send notices by “recorded delivery”.

 

The President of the UODO thus held that the breach was intentional, since – as established during the procedure – the company was aware of the requirement to provide appropriate information and of the need to inform the data subjects directly.

 

In imposing the fine, the UODO also considered that the company had failed to take any action to remedy the breach, or declare its intention to do so.

 

To conclude, the UODO considered the breach to be very serious as “it affects the fundamental rights and freedoms of the persons whose personal data the company has processed, and refers to the basic issue of: the information to be provided to data subjects regarding the processing of personal data concerning them. The fine must be imposed since the controller has not complied with the law”.

 

Comments

The decision is important insofar as (i) the fine arises from the breach not of a national law but of a European law (applicable also in the Italian legal system) on the protection of personal data and (ii) it highlights an error in terms of corporate compliance. Indeed, by failing to notify the data subjects that data concerning them was being processed, the company had failed to satisfy its legal obligation.

 

 

Alberto De Luca will be a speaker at the conference “Distressed M&A transactions: regulatory developments and best practice”, organised by Convenia on 21 and 22 May 2019 in Milan.

 

Location and time

The event will take place at the NH Machiavelli Hotel, Via Lazzaretto 5 – 20124 Milan.

Each session will commence at 9:00 and end at 17:00.

 

Focus

The following topics will be addressed by industry experts: market scenarios and new regulatory framework for Distressed M&A in the context of NPL/UTP transactions, asset acquisitions in insolvency proceedings and listed target companies, Distressed M&A and criminal liability, labour-law aspects, tax issues in the valuation of companies in crisis, role of the liquidator/temporary manager, intervention of an institutional investor.

 

Alberto De Luca’s speech will address the issue of “Distressed M&A: opportunities and risks in managing continuing and redundant employment relationships”, with specific focus on:

 

– special rules for distressed companies: exceptions to workers’ acquired rights as a result of provisions of law and cherry picking.

– the role of trade union relationships

– the right of termination in employment contracts referring to managers and non-managers

 

Antonella Iacobellis took part in teaching sessions held last 8 and 9 April on the Labour Law module of the Master in “Law and Business” (Rome) organized by Il Sole 24 ORE Business School.

 

8 April 2019

The teaching session covered sources of labour law, entering into employment relationships, the typical aspects of employment and self-employment relationships and art. 2103 of the civil code “Jus variandi”, with particular focus on demotion.

 

Exercise: drawing up an employment contract and a non-compete clause.

 

9 April 2019

The teaching session covered the termination of the employment relationship: actual protection and mandatory protection, individual dismissals and collective redundancy, resignations. Focus on the Constitutional Court’s intervention on increasing protections and the subsequent rulings on the matter.

 

Exercise: drawing up a letter of dismissal for justified objective reasons.

In its recent judgement no. 285 dated 1 February 2019, the Court of Milan ruled on the legitimacy of an employer’s conduct in requiring a candidate to submit a certificate of pending proceedings and whether the candidate must comply with the request. The case originates from the disciplinary proceedings initiated against a worker for not having disclosed, during the interview, the fact of having been sentenced in court, two years earlier, to 4 years and 4 months of imprisonment, for cyber crimes. The judgement reports in full the letter of disciplinary complaint sent to the worker, where the facts were described in detail, such as, in particular, the fact of having used the data unlawfully stolen from a woman, who also worked for the same employer, to stalk her. In particular, the worker was accused, on the one hand, of having acted in a way (stalking) that was detrimental to the health and safety at the workplace of a colleague, and, on the other hand, of having fraudulently concealed the event (and the existence of such a significant criminal conviction) at the time of recruitment. As a result of the proceedings, the worker was sentenced to a 10-day suspension from work without pay. The Court of Milan, called upon to rule on the appeal filed by the worker, cancelled the disciplinary measure. On the first point, the Judge, in the opinion of the writer, ruling questionably, noted that the suspension measure was not an adequate to sanction a breach against health and safety at the workplace, which instead should have been sanctioneded with an expulsive measure. This, the judge argued, since given the seriousness of the claimed fact, “the [conservative – ed.] nature of the disciplinary measure (…) appears contradictory and unethical with respect to the assumptions detailed in the disciplinary claim”, which would lead to the conclusion that the only legitimate sanction could have been the dismissal. As for the alleged breach of obligation to disclose any pending criminal charges, the Milan-based Judge also excluded the general information duty for the worker, at the time of recruitment, regarding the existence of criminal records against him, outside those cases in which, in the public administration or in relation to specific jobs, this was the subject matter of a specific request by the employer. In conclusion, it is interesting to note that the judgement under review confirmed once again – and specifically with reference at the time of personnel selection – the principle according to which only in certain circumstances it is lawful to ask the worker to show a “certificate of criminal charges”, or a “criminal records certificate”, reporting any criminal convictions (also under the provisions of Article 8 of the Workers’ Statute); while, it should be kept in mind that there is still full prohibition to ask for a “certificate of pending proceedings”, which would interfere with the presumption of innocence of each citizen until a final conviction is ruled (Court of Cassation judgement No. 19012 dated 17 July 2018).