Whistle-blowing processes have been regulated in Hungary since Act CLXV of 2013, on complaints and reports of public interest (also called the Whistleblowing Act), came into effect.
Whistle-blowing systems may be used by employees and any person in a contractual relationship with the employer who has reasonable interest to make a report or to remediate the behavior subject to the report.
Reasonable interest must be decided on a case-by-case basis.
Any violation of the policy of the employer, public or private, may be reported. Reports may be submitted anonymously, but the employer may choose to ignore an anonymous one. In any case, there is no obligation to collect any data about the whistle-blower.
In Hungary, the whistle-blowing system must be designed in a way that only those who are in charge of investigating the reported case may know the identity of the whistle-blower. The report must be kept secret (except for the notification of the subject of the report) until the end of the investigation or until the subject of the report is held liable. The subject has the right to explain his or her statements regarding the report and to offer evidence. Reports must be investigated by the employer or a third-party service provider.
At the beginning of the investigation, the whistle-blower must be informed of his or her rights under the applicable data-protection regulations. The whistle-blower must also be informed of the result of the investigation, any measure taken by the employer, the consequences (in case the report was made in bad faith), the rules of the investigation procedure and that his or her identity will be treated confidentially.
Any entity implementing a whistle-blowing system must register in the data-protection registry of the Data Protection Agency (DPA). Personal data may only be processed after the registration.
As there is a growing tendency to engage third-party data-protection officers, it is advisable for companies to consider engaging a whistle-blower-protection attorney to investigate reported cases.
It may considerably increase employees’ trust in the whistle-blowing system, as serious independency rules apply to whistle-blower attorneys.
In practice, we saw several companies operating policies that include certain whistle-blowing mechanisms that may not be in full harmony with the Whistleblowing Act. There were also questions about whether previously appropriate whistle- blowing policies are fully compliant and functional after the entry into force of a number of new or amended laws (e.g., the Civil Code, the General Data Protection Regulation and the Information Act). As the Whistleblowing Act prescribes various data- privacy obligations (publication of data privacy notice, prohibition of processing special categories of data, immediate deletion of unnecessary data, etc.) and data-security expectations (personal data of whistle-blowers, employees and persons affected in investigation procedure must be safeguarded) — such provisions coupled with the increased scope of duties stemming from the GDPR may mean a serious compliance challenge for those operation whistle-blowing schemes. The issue is one not to be underestimated: the lack or compromise of such protections may not only undermine the lawfulness of the measures taken (e.g., sanctions against the employees) and the lawful operation of the whistle-blowing system; it may also quickly erode the reputation of a company, should the whistle-blowing matter become publicized and receive bad publicity. It is highly advisable to use integrated solutions and a holistic approach to tackle these risks, achieve compliance and protect business interests at the same time.
Country-by-country and EU whistle-blowing rules need to be taken into account in setting the best practices and policies in this growing area of risk, including what an employer must do when faced with a whistle-blower claim, such as whether an investigation is required, protections of the employee who complained of company practices and litigation issues.
Best practice requires companies to take action in advance by creating a hotline and training its employees in ethical behavior.