Denmark: Datatilsynet clarifies data responsibility when outsourcing whistleblowing schemes
The Danish data protection authority ('Datatilsynet') announced, on 23 November 2022, that it had published its response, on 13 October 2022, to a query it had received from the law firm DLA Piper in 2021 on data responsibility and the distribution of roles in different scenarios where an employer outsources an internal whistleblower scheme to an external whistleblower supplier. In particular, the Datatilsynet stated that the firm had expressed that there is some uncertainty as to whether an external whistleblower supplier is a data processor on behalf of an employer, and that it sought to clarify data responsibility in the following scenarios, in which an external supplier:
- handles reports from whistleblowers via direct contact ('Scenario 1');
- handles reports via direct contact and makes an IT platform available ('Scenario 2'); and
- only makes an IT platform available to the employer ('Scenario 3').
In response to the firm's query, the Datatilsynet stated that, in relation to Scenario 1, it considers, as a starting point, that both the employer and the external supplier act as independent data controllers. The Datatilsynet specified that this is because, in Scenario 1, the external supplier has a certain degree of self-determination in deciding how whistleblowing reports are processed, with vague or non-existent instruction from the employer on how personal data should be processed. In support of this, the Datatilsynet pointed to the fact that, in Scenario 1, the employer and the external supplier have distinct and different purposes for processing the personal data. It noted, however, that it cannot rule out exceptional cases where that may differ, such as cases where there are very strict instructions from the employer on how the external supplier must process personal data on its behalf.
Likewise, in relation to Scenario 2, the Datatilsynet specified that, as a starting point, both parties would act as data controllers. However, it stated that this will depend on how much discretion the employer has left to the external supplier, noting that the external supplier could act as a data processor for the employer in relation to the operation of the IT platform if the employer continues to process the reports in the platform after receiving them from the external supplier, rather than processing in the platform being carried out only by the external supplier.
Lastly, in relation to Scenario 3, the Datatilsynet noted that where the external supplier hosts the platform, but it is the employer's own employees who access the platform and process the whistleblowing reports, there must be a data processing arrangement between the parties. This is because the service the supplier provides consists of processing personal data on behalf of the employer, which makes the supplier a data processor.