There is no question that laws, rules and internal company regulations must be complied with. If violations nevertheless occur, the company management is dependent on information. Only in this way can the company avert damage and recognise gross misconduct at an early stage, clarify it and settle it as quickly as possible.
From 17 December 2021, companies with more than 250 employees are obliged to set up an internal reporting channel that ensures the anonymity of whistleblowers. The basis for the new law is the EU Directive 2019/1937. Digital whistleblower systems enable anonymous communication with the whistleblower via a secure, web-based reporting platform.
The otris whistleblowing system enables companies to implement the policy in a secure, straightforward manner. Compliance officers receive reports via an anonymous channel and process the cases using the solution’s management tools. The otris solution simplifies the review process and speeds up processing, communication and information.
The solution combines easy handling with high standards of data security and anonymity. Adaptations of the system to company-specific requirements are uncomplicated to implement.
The otris whistleblowing system meets the highest data security standards: high-security data centres in Germany certified to ISO 27001, modern encryption algorithms and GDPR compliance, as well as recurring IT security audits and penetration tests.
The otris whistleblowing system is immediately available to you after installation without any further adjustments, but at the same time it is very flexible. For example, you can design the report form of the otris reporting platform or the processing procedure in case management individually according to your wishes. A link to already existing systems is possible.
Dashboard and reports
The integrated dashboard and real-time statistics facilitate your compliance reporting. Clear reports can be created for individual tips as well as graphical evaluations for a specific portfolio; e.g. evaluations regarding topic, status and relevance of incoming tips.
Without information from the staff, it is almost impossible to uncover gross misconduct, as disregard for rules often goes hand in hand with concealment. Potential whistleblowers, however, fear the disadvantages of revealing their information and identity.
How to help
Violations of rules by individual employees can have serious, business-damaging effects and legal consequences for your company. In the worst case, the reputation, financial stability and job security of the entire workforce are at stake. Early warning from your employees about breaches of the rules helps you to implement measures to limit the damage in good time. Your company can learn from violations and further optimise internal company processes and structures. Motivating employees to disclose information to an internal body is therefore a sensible component of the company-wide compliance strategy.
Potential whistleblowers fear disadvantages if they give information publicly. They endanger good relations with colleagues, their professional development opportunities and, in extreme cases, even their mental and physical health. If these risks disappear, the motivation to report serious breaches of rules increases. The most reliable way to minimise risks for whistleblowers is to ensure their anonymity. For their own sake (to gain access to confidential information), compliance officers should provide secure reporting channels for whistleblowers to disclose information anonymously. With the otris whistleblowing system, the whistleblower decides for himself whether he wants to remain anonymous or deliberately disclose his identity.
A reporting channel that is compliant with EU Directive 2019/1937 must ensure the anonymity of the whistleblower. On a technical level, the otris reporting platform ensures anonymity through external operation and encrypted communication.
The more secure a whistleblower considers the system to be, the more willing he is to disclose his information. The whistleblower sends his message anonymously to the recipient via the otris reporting platform. With the help of an automatically generated ID, the whistleblower can communicate with the recipient (compliance officer) via an anonymous mailbox.
As a neutral entity, otris software AG operates the reporting platform in the cloud and guarantees the anonymity of all participants at the technical level. All content exchanged between whistleblowers and recipients is strongly encrypted by the reporting platform. In addition to anonymity, the otris whistleblower system fulfils the legal requirements for data protection and data security.
In addition to the reporting platform, the otris whistleblower system includes a flexibly configurable case management system with which you document, evaluate and consistently follow up on reports. According to the EU Whistleblower Protection Directive 2019/1937, the whistleblower must receive an acknowledgement of receipt for each report after 7 days at the latest and a response after 3 months at the latest. The system alerts the case handler if an open case has a deadline.
Your compliance team communicates with the whistleblower, starting from the case management system, to check the validity and relevance of the report. The case management system forwards the message to the reporting platform, which the whistleblower accesses anonymously. As the operator of the case management system, you decide whether the system is operated on-premises (in your company) or in the cloud. In contrast to the case management system, there is no choice for the reporting platform: the reporting platform is always operated by otris software AG as a neutral entity in the cloud, so that the anonymity of the whistleblower is technically guaranteed.
A compact summary: the most important questions and answers on the topic of the whistleblower system, IT security and data protection
With the Whistleblower Directive, the EU aims to enforce EU law and to detect and prevent violations. Whistleblower protection is an instrument to achieve this goal by
In order to implement whistleblower protection, the Directive contains provisions for companies and organisations to set up reporting channels. The reporting channels or whistleblowing systems must be designed in such a way that the identity of the whistleblower is protected. Affected by the regulation are:
The EU directive requires companies to offer reporting channels that are securely designed to preserve the confidentiality of the whistleblower’s identity. The otris whistleblowing system ensures the required identity protection by enabling anonymous reporting.
Anonymity is realised by these technical means:
The otris whistleblowing system protects the identity and thus also the personal data of whistleblowers through a procedure that enables anonymous reporting (see previous point). The reporting platform does not log any personal data of anonymous whistleblowers. Information sent by the whistleblower is protected by the system through transport and end-to-end encryption. In addition, an FAQ provides the whistleblower with information on how to protect his or her personal data.
However, compliance with the GDPR is not limited to anonymous whistleblowers. Personal data of non-anonymous whistleblowers as well as of third parties (e.g. an accused person) are also subject to the provisions of the GDPR. On a technical level, these data are also protected by transport and end-to-end encryption (reporting platform and case management). Rule-based deletion routines support the data protection-compliant deletion of received reports. Optional two-factor authentication offers additional protection against unauthorised access to personal data via the backend.
The SaaS offering of the otris whistleblowing system is provided exclusively on servers in data centres that are
Due to the end-to-end encryption, it is not possible for operators of the data centres to read submitted reports.
A TÜV expert opinion confirms the effectiveness of the data protection concept for the otris whistleblower system.
The otris whistleblowing system and the infrastructure used meet the following data security standards:
The otris whistleblower system is available within a few hours after configuration. The data protection statement, whistleblower FAQ, message categories and e-mail texts are ready for immediate use as templates and can be easily adapted by the user if required. The otris whistleblowing system has a processing procedure for whistleblowing that can be team- and role-based. This means that the system is immediately ready for use from the moment a tip is submitted to the time it is processed. Adaptations are easy to implement due to the system architecture, but require additional time for implementation.
No. As long as the confidentiality of the whistleblower’s identity is preserved, each company / organisation can determine for itself what kind of reporting channels it sets up. Alternatives to the software system are e.g. ombudsperson, e-mail box, telephone hotline. It should be noted that the required identity protection may be difficult to implement via these channels: the ombudsperson works on behalf of the company, with ordinary e-mail communication the IP address can be traced, and with a telephone hotline the whistleblower cannot be sure who he is talking to on the phone and whether his voice is being disguised. Software systems offer the possibility to ensure the identity protection of the whistleblower by technical means and thus motivate him to provide information. In addition, software systems enable queries via the anonymous mailbox. Further benefits: software-supported whistleblowing systems are easily accessible (via a website) and permanently accessible, and they simplify timely processing, documentation and the deletion of received reports in compliance with data protection requirements.