November 28, 2005
Recent decisions by German courts and German and French Data Protection Authorities require international companies with German or French subsidiaries to carefully examine the local legal requirements before implementing anonymous reporting procedures and codes of ethical conduct. The Sarbanes-Oxley Act ("SOX") does not automatically legalize the implementation of such measures in Germany or France.
On June 15, 2005, a German Labor Court ruled that Wal-Mart’s German subsidiaries could not validly implement a "code of ethical conduct" and an anonymous alert hotline without the prior approval of the company’s works council. Furthermore, certain conduct rules may also violate the employee’s personal rights and therefore cannot be validly implemented at all. Wal-Mart appealed against the decision. On November 15, 2005, the Duesseldorf Upper Labor Court denied the appeal, and it seems reasonable to believe that there will be no deviating decision from the German Federal Labor Court.
In addition, German Data Protection Authorities expressed concerns that anonymous alert hotlines may violate German data protection law. There is no case law available determining to what extent reporting procedures are acceptable. However, it is rather likely that the German Data Protection Authorities will provide guidelines to ensure compliance with German law in the course of December 2005. It is expected that these guidelines will not strongly deviate from the French guidelines, outlined below, which have already been issued by the French Data Protection Authority (CNIL).
On May 26, 2005, the CNIL issued two decisions which strongly suggested a ban on the use of any anonymous reporting procedures by French companies. Conscious of the difficulties the decisions triggered in light of SOX, the CNIL thereafter issued guidelines on professional reporting procedures (guidelines dated November 10, 2005, publicized on its website on November 15, 2005: www.cnil.fr). In these guidelines, the CNIL indicated that it was not opposed in principle to reporting procedures, provided they comply with certain requirements, the main ones being: (1) the scope of the reporting must be restricted to auditing, accounting and finance, and the fight against corruption and must not be viewed as a replacement of other reporting means; (2) reporting should always be discretionary and by no means mandatory; (3) anonymous reporting – although inevitable – should not be the rule and employees should be requested to identify themselves when filing an alert, it being specified that their confidentiality will be and must be protected; (4) data regarding alerts must be destroyed within set time periods unless it triggered disciplinary or judicial proceedings; and (5) the rights of the individual(s) accused in an alert must be protected. The CNIL announced that it would, by the end of this year, publish a standard declaration to be completed by companies wishing to implement reporting procedures. Companies declaring that their procedures comply with the requirements set forth therein will benefit from an authorization and the Authority will be able to conduct on-site inspections to verify the actual compliance of the procedure. Procedures that do not fall within the defined requirements will be subject to a case-by-case analysis and authorization.
We advise those wishing to implement a code of conduct and reporting procedure in their German or French subsidiaries to check for possible conflicts with local labor legislation. If the subsidiary has established a works council, prior approval from the works council needs to be obtained in Germany, and it is likely that the non-binding opinion of the works council needs to be requested in France before introducing the new measures to the local employees.
Compliance with the local data protection laws is also necessary. Companies with German subsidiaries should await the suggestions of the German Data Protection Authorities, which we hope are due shortly. If this timeframe is not suitable, we would be pleased to provide guidance in order to minimize the risk of violating German data protection law. Unlike the German Authorities, the French Authorities have already expressed their view. Companies with French subsidiaries must, therefore, ensure compliance with the CNIL’s guidelines and requirements, to be published shortly, or require a specific authorization from the CNIL.
Finally, it should be noted that data transfer from Germany or France to non-European countries (e.g. the U.S.) requires compliance with additional data privacy rules.
Gibson, Dunn & Crutcher lawyers are available to assist clients in addressing any questions they may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work, or contact Michael Walther (+49 89 189 330) or Antonia Wauschkuhn (+49 89 189 330) in our Munich office, or Frederique Sauvage (+33 1 56 43 13 00) or Edouard Eltvedt (+33 1 56 43 13 00) in our Paris office.
© 2005 Gibson, Dunn & Crutcher LLP