New rules on recording and handling whistleblowing reports
The Commission for Personal Data Protection (CPDP) adopted new regulations regarding the procedure for keeping a record of whistleblowing reports within the meaning of the Act on the protection of persons reporting information or publicly disclosing information on breaches (the Whistleblowers Protection Act or the Act), as well as guidelines on the organization for receiving, recording, and handling the reports, as following:
- Ordinance No. 1 dated 27 July 2023 for keeping the record of the reports under art. 18 of the Act on the protection of persons reporting information or publicly disclosing information on breaches and for forwarding internal reports to the Commission for personal data protection, effective as of 04 August 2023 (the Ordinance) and
- Methodological guidelines No. 1 for receiving, recording, and handling reports, sent to the obliged subjects under the Act on the protection of persons reporting information or publicly disclosing information on breaches, adopted with a resolution of the CPDP under protocol No. 28/27 July 2023 (the Guidelines).
A summary of some new rules in the Ordinance and the Guidelines is outlined below:
Internal act for determining the procedure for keeping a record under art. 18 of the Act
The employers under art. 12, para. 1 of the Act, which are obliged to create an internal reporting channel, shall adopt by an internal act (e.g., an order or an internal policy) the procedure for keeping the record under art. 18 of the Act in compliance with the Order and the Guidelines. The obliged employers include:
(1) the employers in the private sector with 50 and more employees, as well as
(2) the employers in the private sector, conducting an activity as defined in the Act (e.g., financial services, insurance, investment funds, etc.), regardless of the staff number, i.e., even with only 1 employee.
The record should be kept in a durable form
The record should be kept and maintained in a durable form and shall be stored in a way, allowing the reproduction of the information without any data loss. According to the Act’s definition, a durable form means any form of keeping information, providing the liable employers or the CPDP with the possibility to store information, allowing its easy usage in the future for a period, corresponding to the purposes, for which the information is intended, and allowing the unchanged reproduction of the stored information. In practice, we consider that the record could be kept as a file in an electronic form.
Limited access to the record
The record shall be accessed only by the employees, responsible for handling reports, who are determined by the obliged employers (the Responsible employees) as well as the CPDP. Therefore, every obliged employer should choose at its own discretion a technical and organizational manner for ensuring limited access to the record.
Model record and standard form for registering reports, approved by the CPDP
The CPDP has created a model of the record and a standard form for registering reports, which are published on the CPDP’s website and shall be used by the obliged employers. The standard form for registering reports as approved by the CPDP is obligatory for use and filling in by the Responsible employees, even if the report has been submitted by the reporting person in a free form other than the standard one.
Generating UIN of the reports
The reports, which fall under the scope of art. 3 of the Act, shall be registered with UIN (unique identification number), generated by the Responsible employee via the CPDP’s website. The reporting person shall be notified about this UIN as well as about the internal incoming number of the report, within 7 days after the report’s receipt.
Current status of the reports
The Ordinance provides what the minimum contents of the record should be, as well as the possibility for giving instructions to the reporting person about additional provision of missing information in the submitted report within 7 days and for the gradual addition of data in the record. Upon every addition of data to the record the Responsible employee shall indicate the current status of the report, as specified in the Guidelines: under pending rectification, not subject to handling, under pending handling or closed. As per the Guidelines the employer may introduce other statuses as well, by stating them in its act for determining the procedure for record keeping.
Language of the record
The Responsible employees shall keep the record in Bulgarian regardless of the language of the communication with the reporting person.
Statistical information for submitted reports
Every year until 31 January the Responsible employees shall provide the CPDP with statistical information about the reports, submitted during the previous year, including the number of submitted reports, their generated UIN, subject-matter, number of conducted inspections and the results from them.
Storage terms and submission for storage with the CPDP upon closing and deregistering of the employer
The Ordinance provides for a 5-year storage term for the whistleblowing reports, the materials attached thereto, and any subsequent documentation related to their handling. This term shall start running from the time of closing the report’s handling by the Responsible employee or the final closing of any criminal, civil, labor and/or administrative proceedings related to the submitted report. The information, for which the specified 5-year term has not expired, as well as the record, shall be submitted for storage keeping to the CPDP in case the obliged employer is closed or deregistered without successors (e.g., upon voluntary liquidation and deregistration of an employer, which is a company, from the Commercial register with the Registry agency).
Assignment and distribution of the functions for receiving, recording and handling reports
Depending on the obliged employer’s choice, the functions for receiving, recording, and handling reports may be conducted simultaneously by the same person or may be distributed between different people, so that for example one person shall receive and record the reports and another person shall only handle them. The simultaneous assignment of the three functions to one person is allowed only if it is an employee in the obliged employer’s structure. An external contractor (a natural person or an entity) may only receive and register the written reports to the obliged employers in the private sector, while the handling of the reports shall always be conducted by an internal person – an employee. If the function for handling reports is assigned to more than one employee, each of them may handle the reports in a specified field depending on their expertise or one employee may perform this function, while the others assist that employee in handling the reports. The obliged employers shall clearly determine in an internal act (an order or an internal policy) the organization for recording and handling reports, including how and between which employees the specified functions for receiving, recording and handling reports shall be distributed.#
Prohibition for legal representatives to receive, record and handle reports
The functions of receiving, recording, and handling whistleblowing reports cannot be performed by the obliged employer itself, respectively by its representative. This means that a general manager of a limited liability company or a member of the board of directors with representative powers of a joint stock company cannot receive, record, or handle the reports within the meaning of the Act.
Internal organization for the avoidance of conflict of interests
Due to the requirement for no conflict of interests, the obliged employer shall create in advance an internal organization for handling a report, if the report is submitted against the Responsible employee (e.g., by the appointment of a substitute employee or entrusting the function of handling the reports to a group of employees).
We are happy to support you with additional questions regarding the implementation of an internal organization for receiving, recording, and handling reports and for determining the procedure for keeping the record of reports. If you have any questions and for more information, get in touch with your regular contact at Stoeva Tchompalov & Znepolski.