A draft Government bill relating to implementation of the Market Abuse Regulation ((EU) No 596/2014, the “MAR”) proposes a new requirement for issuers of securities, insurance companies and certain insurance intermediaries to establish effective and reliable mechanisms for the purpose of reporting breaches (a “whistleblowing system”) of financial markets legislation. MAR enters into force on 3 July 2016.
As a rule, whistleblowing systems are proposed to be made available to employees of issuers, insurance companies and relevant insurance intermediaries. However, the relevant entity may at its discretion also invite other stakeholders, such as clients, to notify suspicious practices and procedures in the operations of the entity through the whistleblowing system.
“Framework created by data protection law and company-specific system rules”
Many companies, including many Finnish listed companies, have already voluntarily implemented a whistleblowing system for their employees. Numerous Finnish subsidiaries of U.S. issuers have also implemented a whistleblowing system as part of a group-wide implementation. Such systems generally stem from the U.S. Sarbanes-Oxley Act, which requires publicly traded companies in the U.S. to establish procedures for employees to submit complaints.
When implementing a whistleblowing system it is advisable to prepare clear rules and instructions for the use of the system; an entity that introduces such a system as a result of the entry into force of the MAR is in fact required to do so. Such rules and instructions typically include provisions relating to the rights and obligations of the whistleblower and of the person allegedly responsible for a breach, and to the contents, investigation and other handling of notifications.
Typically, as part of the normal functioning of a whistleblowing system, personal data of employees is received and retained. Such a system creates a register of personal data subject to the Personal Data Act (523/1999). This means, among other things, that personal data must be processed with due care, that such processing is strictly restricted to predetermined purposes, and that there must be appropriate procedures in place for such processing, e.g. as regards data security.
“Confidentiality of notification protected”
One of the most important requirements for a whistleblowing system is that the identity of the whistleblower and of the employee subject to the notification, i.e. the alleged offender, must be kept confidential, subject to procedural laws. Access to the report is also typically limited to persons who require access in order to investigate the alleged breach and resolve the matter. In practice, however, through the application of procedural laws in the most severe incidents constituting a criminal offence, the identity of the whistleblower appears to become public in connection with the trial. A whistleblowing notification can also be made anonymously.
“Limited inspection rights for the data subject”
In contrast to the general principle adopted under the Personal Data Act, it is proposed that an employee not be granted a right to access his or her personal data in a whistleblowing system. Instead, the Finnish Data Protection Ombudsman (the “DPA”) is proposed to have authority, upon the employee’s request, to access the register and inspect information concerning the employee.
Outsourcing to Third-Parties or Intra-Group
The requirement to have an independent channel for the notifications does not appear to require or prevent outsourcing of the whistleblowing system to third parties or to another group company. Having one whistleblowing system for the entire group under which data concerning several group companies is collected may actually safeguard the independence of the notification processing more effectively than having separate systems for each entity.
Outsourcing the maintenance of the whistleblowing system to a third party is, like any other outsourcing of processing of personal data to a third party, subject to a notification obligation to the DPA.
Regulator’s Whistleblowing System
The Finnish Financial Supervisory Authority is also required to maintain an effective and reliable whistleblowing system, which is generally open for reporting potential or actual breaches of all financial markets legislation, including, as of 3 July 2016, the MAR.
In particular, companies which do not currently have any whistleblowing system in place should carefully analyse the proposed requirements in order to avoid unnecessarily increasing the administrative burden caused by the whistleblowing system and, at the same time, to ensure that the system is flexible enough and, in terms of confidentiality and integrity, robust.