Significant Points for the Protection of Personal Data in the Structuring of an Ethics Hotline

Hande Çağla Yılmaz co-authored this article.

1. Introduction

In the modern business world, companies (hereinafter referred to as "company") establish ethical standards and take actions to ensure compliance to the standards in order to maintain and enhance trust, and thereby providing as sustainable working environment. It is crucial for companies to be aware of unethical behavior to sustain such sustainable environment and adherence to ethical standards. For this reason, companies design ethics hotline processes and encourage their employees and stakeholders (e.g., suppliers, subcontractors, customers, etc.) to use the ethics hotline.

Ethics processes, inherently, involve the processing of personal data. Therefore, it is essential to also focus on the protection of personal data to operate the ethics hotlines effectively and securely. We will examine the significant aspects in ethics hotline applications, especially concerning the protection of personal data specifically for employees with this article.

2. What is an Ethics Hotline?

An ethics hotline can be summarized as a confidential communication channel established to report potential/actual unethical misconduct, behavior/rule violations, and/or issues within the company. Through this, employees find a counterpart to report issues that they cannot or do not wish to share with their managers. The ethics hotline can be operated via email, phone, or both. While the ethics hotline generally operates anonymously, it is possible for individuals to share their personal information, while reporting unethical incidents. However, if employees share their information within the ethics scope, there is a risk of retaliation, and their workplace peace might be disturbed. Despite keeping the complainant's name anonymous, personal data such as name, surname, complaint details, department information, etc. of the accused are shared. Therefore, it cannot be considered as an anonymous process in all aspects.

3. What Should be Considered in Terms of Personal Data Protection?

The protection of personal data is one of the most critical elements in ethics hotline applications. Collecting, viewing, analyzing, and storing personal data are defined as data processing under the Law No. 6698 on the Protection of Personal Data and relevant legislation ("Data Protection Legislation"). Hence, it is important to establish policies regarding the protection of personal data within ethics processes and inform employees about these policies. Additionally, appropriate technical and organizational measures should be taken to ensure the security of employees' personal data, which is crucial for compliance with data protection legislation and the protection of personal data.

a) Ethics Hotline Policies and Procedures: For ethics hotlines to function successfully, companies must have clear and concise policies and procedures. As many personal data may be encountered in ethics hotline processes, these policies and procedures should outline how personal data will be handled, who can process the data, and whether any data transfers will occur. The existence of these documents is also crucial for ethics hotline staff to know how to act towards personal data. Apart from ethics-specific policies and procedures, documents such as personal data processing, special category personal data processing and personal data breach intervention policies will make the use of personal data in ethics hotline processes more understandable within the company. Moreover, the preparation of these policies is not only necessary for the continuity of the ethics hotline, but it also is an organizational measure required by the Data Protection Legislation. Therefore, these policies are essential for the sustainability of the ethics hotline and compliance with Data Protection Legislation.

Furthermore, data governance is critically important for the secure management and storage of information collected through ethics hotlines. Accordingly, data governance policies must be developed and implemented. These policies determine who can access the data, how it will be stored, and under what circumstances it will be shared. Technical measures necessary for ensuring data security should also be part of these policies. With secure and robust data governance, the information shared by employees via the ethics hotline remains protected.

b) Anonymity: Nowadays, where there is a debate on whether anonymity is a right, anonymity holds great importance concerning personal data protection. Respecting the right of employees to remain anonymous, when accessing the ethics hotline is crucial. Anonymity will encourage more employees to use the ethics hotline by making them feel secure. To preserve anonymity, employees' identity information should be kept confidential, not shared with unauthorized third parties, and the number of individuals and their access rights to this information should be restricted. Additionally, the confidentiality of reported unethical violations should be maintained, and this information should only be accessible to authorized individuals responsible for resolving the reported issue.

c) Training and Awareness Programs: It is appropriate to provide awareness training and conduct awareness activities for employees involved in ethics hotline processes. In this way, employees involved in the ethics hotline processes will become aware of how to act concerning the personal data they constantly process due to the nature of the ethics hotline. Furthermore, conducting these training sessions periodically is considered as an organizational measure under the Data Protection Legislation and is an obligation for data controllers and data processors.

d) Regular Audits: It will be appropriate to regularly audit the compliance of the ethics hotline operation with the Data Protection Regulation, the security of personal data processed within the scope of the ethics hotline and to conduct necessary improvements. These audits, like the aforementioned measures, fall under organizational measures required by the Data Protection Legislation and are an obligation for data controllers and data processors. Additionally, these audits will help as certain whether ethical activities within the company are conducted effectively.

e) Technical Infrastructure: Ensuring an appropriate technical infrastructure for the ethics hotline operation is crucial for maintaining the anonymity of employees reporting through the hotline. Without suitable technical infrastructure, implementing the measures listed above may be challenging.

f) Choosing the Ethics Hotline Supplier: Despite listing many considerations above, in practice, ethics hotline operations are often conducted through suppliers. Therefore, companies must ensure that the supplier meets the criteria mentioned above; this includes signing appropriate contract provisions, incorporating personal data protection clauses into the contract, or preparing an additional protocol. Through these contracts and/or additional protocols, companies should ensure that the ethics hotline supplier takes all necessary measures for the protection of personal data. In other words, it is appropriate for the company to ensure that the ethics hotline suppliers take all required organizational and technical measures under Data Protection Legislation. Otherwise, in the event of a possible personal data breach, there is a risk of reputational damage to the company and administrative fines imposed by the Turkish Personal Data Protection Board.

4. Conclusion

Ethics hotlines play a critical role in ensuring companies adhere to ethical values. However, to operate these hotlines effectively and securely, special attention must be paid to issues such as the protection of personal data and maintaining the anonymity of employees, compliance with Data Protection Legislation, proper selection of the ethics hotline supplier, periodic training for ethics hotline staff, ensuring appropriate infrastructure, and conducting regular audits. The measures taken and policies implemented in this context will contribute to the successful operation of ethics hotlines. Therefore, it is an ethical and Data Protection Legislation-compliant behavior for companies to adopt all the elements mentioned in this article as a minimum requirement before implementing an ethics hotline.