Whistleblowing System – What Applies?

Protection for whistleblowers is nothing new, as there has long been legislation protecting employees who report serious misconduct. Current regulations mean that employees who sound the alarm about serious irregularities are protected against reprisals from their employer.

The new Whistleblower Act means that all private sector organizations with at least 50 employees will be required to establish an internal whistleblowing system. Public sector organizations above a certain size, all municipalities, as well as certain actors in the financial sector and a number of designated authorities, must also meet the legal requirements to set up an internal whistleblowing system.

The special channels for reporting misconduct are, according to the government, intended to provide stronger protection for whistleblowers than today. Information about a whistleblower’s identity must be covered by the strictest level of confidentiality. This means it may not be disclosed under any circumstances. The possibility of safer whistleblowing also opens the door to more secure anti-corruption efforts.

The law requires that individuals or companies responsible for a whistleblowing function must be independent and autonomous in relation to the organization. This, in turn, places specific demands on how affected organizations design their whistleblowing systems.

When does the law take effect?

The law is proposed to enter into force on December 17, 2021. Medium-sized companies are granted until December 17, 2023 to establish internal reporting channels, while other obligated organizations are required to comply by July 17, 2022. Read more on regeringen.se.

Use VisionFlow as a whistleblowing system!

By using a combination of modules in VisionFlow, you gain access to a flexible and secure whistleblowing system. VisionFlow is developed and delivered by Visionera, a Swedish company established in 2001.
Want to know more about how to use VisionFlow as a whistleblowing system? Don’t hesitate to contact us – we’ll be happy to help!
What Does Schrems II Mean?

Why VisionFlow is a safe and smart choice for your case management

On July 16, 2020, the European Court of Justice announced the Schrems II ruling, which has had extensive consequences for the use of American cloud services. Under GDPR, the transfer of personal data to a third country – that is, a country outside the EU/EEA – may only take place if the recipient country can guarantee an adequate level of protection for the data. In practice, this has proven to be highly complex, making it difficult to ensure the required level of protection. After Schrems II, there is in many cases no longer a clear legal path for processing personal data in the U.S.

By choosing VisionFlow for your case management and CRM, you can rest assured. As a local Nordic provider, we comply with GDPR and ensure that data is stored within the EU. All information is handled securely, and VisionFlow offers the necessary features to help you and your organization meet GDPR requirements. With VisionFlow, you can always trust that all customer information is kept safe within Sweden’s borders.

What is Schrems?

C-362/14 and C-311/18 are what we today call Schrems I and II. Both are rulings from the European Court of Justice, named after Austrian lawyer and privacy activist Maximilian Schrems. Schrems challenged Facebook in Ireland, arguing that the company reserved the right to transfer his personal data to the U.S., despite the country’s mass surveillance systems conflicting with EU data protection laws. The case reached the European Court of Justice, which ruled in Schrems’ favor. The Court invalidated the agreement known as Safe Harbour, which companies had used for transatlantic data transfers. This ruling, later called Schrems I, affected not only Facebook but many other companies.

Safe Harbour was replaced in 2016 with the Privacy Shield framework, which allowed digital traffic between the EU and U.S. to continue relatively unhindered. U.S. companies could register with the U.S. Department of Commerce to certify compliance. On July 16, 2020, the European Court of Justice declared that the Privacy Shield agreement did not provide sufficient protection for personal data transferred to the U.S. Schrems once again won, and the ruling became known as Schrems II.

What does this mean for Swedish companies and organizations?

Schrems II applies to all companies that process personal data within the EU but transfer it to a third country. It is very common to find Swedish companies using American cloud services. The Schrems II ruling states that supervisory authorities in EU member states must actively intervene against controllers who transfer personal data to third countries without legal grounds. Sweden’s privacy regulator (IMY) has already begun investigations against Swedish companies. The review is part of an EU-wide effort led by the European Data Protection Board (EDPB) task force set up to handle the complaints filed since the Schrems II ruling.

What happens if you don’t comply with Schrems II?

The exact consequences are still not entirely clear, since no cases have yet been decided under Schrems II. But based on previous violations of the EU’s General Data Protection Regulation, companies risk fines, sanctions, and compensation claims. Given the potentially devastating consequences for companies that are found non-compliant, it is highly relevant to review your suppliers that involve data transfers to the U.S. The key question: is it truly necessary to use this solution, or would it be safer and smarter to choose a provider that keeps data within the EU and thereby eliminates the risk of a potential ruling?

Do you have questions about GDPR, Schrems II, or VisionFlow’s data management? Don’t hesitate to contact us!