Along with the ordinance, the Commission for Personal Data Protection ("CPDP") has issued the first Methodological Guidelines for the receipt, registration and review of reports received by the obliged entities.
Register of reports
The detailed procedure for maintaining the register provided for in the Protection of Persons Who Report or Publicly Disclose Information on Breaches Act ("PPWRPDIBA"), which the companies should establish, shall be determined in accordance with the ordinance, with each obliged person adopting a specific act (order / internal rules). Additionally, each obliged entity should name an officer or officers to receive, register and review reports.
It is envisaged that the entry of the circumstances in the register will be done in stages depending on the information received on the report.
The maintenance of the register, and more broadly the operation of the internal whistleblowing channel, is based on the principles of completeness, integrity and confidentiality of information and on preventing unauthorized persons from accessing it.
Receipt, registration and review of reports
Each company should assign a person or persons to be responsible for receiving, registering and reviewing reports. The obliged entity shall determine, at its discretion, whether these functions will be performed by one person or shared. In any case, the review of a report can only be assigned to an employee within the obliged entity's organization, i.e. it cannot be assigned to an external provider, adviser, etc. An external provider can only receive and register reports; their review must be done internally for the obliged entity by a dedicated person (an employee). When selecting an employee, the obliged entity should take into account and respect the requirement that the functions performed by the employee must not give rise to a conflict of interest and must ensure his/her independence when dealing with reports.
When a report is received, a series of steps is envisaged to ensure that the report is accurately pre-assessed, properly registered and dealt with.
A unique identification code (UIN) should be generated through the CPDP's website for each report that falls under the PPWRPDIBA. A UIN is not generated for anonymous reports. The obliged entities under the PPWRPDIBA are required to provide the CPDP with statistical information by 31 January each year on the number of reports received by them, their UINs, subject matter, number of reviews carried out and their results.
The reports and the materials relating to them shall be kept by the obliged entities for a period of 5 years after the completion of their review, except in the case of criminal, civil, labour and administrative proceedings.
Sending reports to the CPDP
Reports shall be sent to the CPDP in the following cases:
- the report is received from a private sector employer who is not an obliged entity under the PPWRPDIBA (does not maintain an internal channel);
- the whistleblower reports breaches committed by persons holding senior public positions;
- the report refers to the activities of another entity without that entity being specifically mentioned in the report;
- there is a need for the CPDP to take action on the report.
The newly adopted rules on the keeping of a register of reports, their administration and their sending to the central authority, the CPDP, bring considerable clarity to the specific obligations of employers in relation to the establishment of an internal channel for whistleblowing under the PPWRPDIBA.