The Danish Data Protection Agency has established a new external whistleblower scheme effective as of 17 December 2021. The scheme is intended to supplement the individual workplaces’ whistleblower schemes, which must be in place on 17 December 2021.

At the same time, the scheme may be used by e.g. employees in private businesses and public authorities which have not established a whistleblower scheme. According to the Whistleblower Act, which comes into force on 17 December 2021, the Data Protection Agency must have established this scheme.

Many private employers with 250 or more employees and public employers with 50 or more employees and the municipalities have been working to prepare and set up their whistleblower schemes according to the requirements of the new Whistleblower Act to be ready on 17 December 2021.

Private employers with 50 - 249 employees are required to have established an internal whistleblower scheme no later than 17 December 2023.

In their schemes, employers must inform the potential whistleblowers about the possibility of alternatively reporting to the Data Protection Agency's whistleblower scheme.

Who may report to the Data Protection Agency’s whistleblower scheme?

The Whistleblower Act determines which persons may report to the Data Protection Agency's whistleblower scheme. These persons will be covered by the protection of the Whistleblower Act, provided that the other protective conditions of the Whistleblower Act are met.

It is possible to report to the Data Protection Agency’s whistleblower scheme if a person, as part of his work-related activities, has received information about matters at a workplace and belongs to one of the following groups of persons:

  • Employees
  • Self-employed persons, e.g. self-employed persons cooperating with the workplace in question.
  • Shareholders and members of the executive board, the board of directors, the supervisory board or a similar managerial body of a company.
  • Volunteers.
  • Paid or unpaid trainees.
  • Persons working under the supervision and management of contracting parties, subcontractors and suppliers, including employees in a business with which the workplace in question has entered into a contract and employees in a business which is a supplier or sub-supplier of goods or services to the workplace in question.
  • Previous employees, including persons who were employed at the workplace in question before the Whistleblower Act came into force.
  • Persons whose employment has not yet started who report information about violations which they have obtained access to during the employment procedure or other pre-contractual negotiations, including both persons who are subsequently employed at the workplace in question and persons who are not employed.

This means that it is not possible for e.g. ordinary citizens in a municipality to report to the Data Protection Agency’s whistleblower scheme. Citizens who wish to complain about matters in a municipality will therefore instead have to use existing complaint possibilities in the area in question. The same applies to customers at a supermarket who experience that the refrigerated counter is not clean.

What may be reported to the Data Protection Agency?

The Data Protection Agency’s whistleblower scheme considers reports which concern violations of EU law within a number of areas. This includes information about violations of rules on open procedures, transport safety, environmental protection, data protection and consumer protection.

In addition, the Data Protection Agency’s whistleblower scheme considers reports concerning serious wrongdoings and other serious matters. The criterion that it must be a serious wrongdoing or a serious matter means that it must generally be information which it is in the public interest to reveal. This includes reports about criminal offences, including breach of a duty of confidentiality, misuse of funds, theft, fraud, embezzlement, deceit and bribery, sexual harassment and other serious harassment at the workplace.

It is possible to report matters having occurred before the Whistleblower Act came into force.

Some information may not be reported to the Data Protection Agency. For example, the Data Protection Agency does not consider reports that concern the whistleblower’s own employment conditions, including disputes between two or more employees, unless it is a serious wrongdoing or a serious matter, e.g. sexual harassment or cooperation difficulties that lead to a real risk of damage.

How to report to the Data Protection Agency’s whistleblower scheme?

Reports to the Data Protection Agency’s whistleblower scheme may be made in a number of different ways. It will be possible to use a reporting portal where anonymous reports may be made.

In addition, reports may be made by phone, in writing (e-mail or surface mail) or by physical appearance. You can read more about the reporting options here.

Do you want to know more about the whistleblower act and whistleblower schemes in general?

Horten has wide experience establishing whistleblower schemes for both Danish companies and international groups, and we also receive reports for a number of clients. In addition, we have extensive experience providing general advice in the whistleblower area.

We have previously (July 2021) described the most important provisions of the new Whistleblower Act. You can read more about this here: Ny lov om beskyttelse af whistleblowere er nu vedtaget (in Danish).

In addition, we have held two webinars about whistleblower schemes:
Whistleblower schemes in the public sector. New rules on the way (in Danish)
Whistleblower schemes
(in Danish)

Contacts

Birgitte Toxværd

Partner

Rikke Søgaard Berth

Partner

Søren Hornbæk Svendsen

Partner

Christoffer Alsted Skafte

Attorney

Anne Louise Ellingsøe

Assistant Attorney