The purpose of the EU’s whistleblower directive (2019/1937) is to protect persons who report work-related misconduct (whistleblowing). All EU member states were obliged to implement the whistleblower directive in their national legislation by 17 December 2021 at the latest.
What can be reported by a whistleblower?
All violations of EU legislation in a work-related context can be reported. This includes, among other areas, public procurement, money laundering, tax fraud, product and transport safety, data protection, protection of privacy and personal data, security of network and information systems, public health, animal protection, environmental protection, violations of the Union’s competition and state aid rules, and violations relating to the internal market, including acts that breach the rules on corporation tax or arrangements whose purpose is to obtain a tax advantage that defeats the object or purpose of the applicable corporation tax legislation, as well as other misconduct of public interest.
A person can be covered even if the information provided later turns out to be incorrect, as long as the error was made in good faith. To qualify for protection, the whistleblower must have had reasonable grounds, at the time of reporting, to believe that the information reported was true.
Persons who knowingly and intentionally report false or misleading information are not protected.
Are you covered by the protection if you breach the duty of confidentiality?
A whistleblower cannot be held liable for breach of confidentiality, provided that the whistleblower had reasonable grounds to believe that reporting the information was necessary to reveal the misconduct reported.
However, this does not extend to so-called qualified confidentiality, which under the national Public Access to Information and Secrecy Act restricts the right to communicate and publish certain information.
Who can be a whistleblower?
Any person working in the private or public sector who has acquired information about violations in a work-related context can blow the whistle.
This includes, among others: employees (also after the employment has ended); self-employed persons; shareholders and persons belonging to a company’s administrative, management or supervisory body, including non-executive board members; volunteers and interns (paid or unpaid); persons working under the supervision and direction of contractors, subcontractors and suppliers; facilitators (persons who assist the reporting person in the reporting process); third parties connected with the reporting person who could suffer reprisals in a work-related context, such as colleagues and relatives; and legal entities that the reporting person owns, works for or is otherwise connected with in a work-related context.
A whistleblower may choose between the business’s internal reporting channel and the authorities’ external reporting channels; the recommendation is to use the internal channel first.
Before going public, for example via the media, the whistleblower must as a rule first have reported to an authority’s external reporting channel without appropriate action having been taken within the prescribed time limit.
There are exceptions to that rule, for example if there is an imminent or manifest danger to life, health, safety or a risk of extensive damage to the environment, or if there is reasonable cause to assume that an external report would lead to a risk of reprisals or that the misconduct would likely not be remedied effectively.
The directive permits anonymous reporting to internal and external reporting channels, but it leaves it to each member state to decide whether legal entities in the private or public sector and competent authorities are obliged to receive and follow up anonymous reports. An anonymous whistleblower who is later identified is protected against reprisals under the directive.
Existing constitutional protections are not affected by the new law.
Who is affected by the whistleblower directive?
All legal entities in the private sector with 50 or more employees, municipalities with at least 10,000 inhabitants or at least 50 employees, and organizations that are particularly exposed to money laundering or terrorist financing (regardless of the number of employees) are required to establish reporting channels and associated whistleblowing processes.
Member states may set other thresholds for particular activities in their national legislation.
What needs to be done?
Everyone covered by the directive and national legislation must create internal reporting channels and associated processes that make it possible to raise the alarm internally within the business in a secure, confidential and anonymous way.
The reporting channels must be designed, established and operated in a secure manner that ensures the confidentiality of the reporting person’s identity and of the identity of any third party mentioned in the report, and that prevents access by unauthorized personnel.
It must be possible to report in writing (e.g. via a web form), verbally via telephone or another voice messaging system, or, at the request of the reporting person, at a physical meeting within a reasonable time.
The function must be able to receive reports of misconduct, maintain contact with whistleblowers, follow up on what is reported, and give feedback on the follow-up to the person who raised the alarm, provided the whistleblower has left contact details (i.e. has not chosen to remain anonymous).
The persons or units appointed to manage the internal reporting channel and associated processes can either be employees of the business operator or a third party engaged for this purpose on behalf of the business operator, for example the law firm the business normally uses.
Businesses with 50 to 249 employees may share internal reporting channels and processes for reporting and follow-up. Larger businesses are obliged to set up their own internal reporting channels. Municipalities and regions may share channels and procedures with municipal companies, foundations and associations.
Sharing reporting channels does not, however, relieve any individual business, municipality or region of its own obligations under the directive to maintain confidentiality, provide feedback and remedy reported violations.
How should reports from whistleblowers be handled?
The reporting function must have clear internal processes for handling reports of misconduct.
In practice, this is done by adopting a whistleblowing policy in accordance with the Whistleblower Act. The policy informs whistleblowers how the channel can be used and for what types of irregularities, states who the recipients of reports are, and serves as an internal tool that sets out the procedures for handling received reports.
Procedures and follow-up that should be included in the policy:
- Acknowledgement of receipt of the report to the reporting person within seven days of receipt, unless the reporting person has chosen to remain anonymous.
- An impartial person or independent department designated to follow up on reports. This may be the same person or department that receives the reports. Unless the reporting person has chosen to remain anonymous, the designated person or department stays in contact with the reporting person, requests additional information where necessary and provides feedback.
- Diligent follow-up by the designated person or department.
- Diligent follow-up of anonymous reports where national law prescribes it.
- A reasonable time limit for providing feedback to a reporting person who has not chosen to remain anonymous, not exceeding three months from the acknowledgement of receipt or, if no acknowledgement is sent, three months from the expiry of the seven-day period after the report was made.
- Clear and easily accessible information on the procedures for external reporting to competent authorities and, where applicable, to Union institutions, bodies, offices or agencies.
Feel free to use our whistleblowing policy template, which is free for your own use.
New ISO 37002:2021: guidelines for whistleblowing management systems
ISO (the International Organization for Standardization) has developed the first standard entirely dedicated to whistleblowing management: ISO 37002:2021 – Whistleblowing management systems – Guidelines. ISO 37002 is a Type B standard: it provides implementation guidance and is not intended for certification.
The standard provides guidelines for implementing, managing, evaluating, maintaining and improving whistleblowing management systems (WMS) within an organization. Like other ISO standards, it represents international best practice that companies and organizations worldwide can use as a model for structuring their internal processes.
The standard covers the entire WMS life cycle, including planning (organizational context, leadership, resources), operation (receiving, assessing and processing reports and closing whistleblower cases), review (internal audit and management review) and improvement.
When should whistleblower systems be implemented?
Member states were obliged to implement the whistleblower directive in their national legislation by 17 December 2021 at the latest. However, the work has been delayed in several countries. Status as of 2022-08-29:
- Law implemented: Cyprus, Denmark, France, Ireland, Croatia, Latvia, Lithuania, Malta, Portugal, Romania and Sweden.
- Law underway but delayed: Belgium, Bulgaria, Czech Republic, Estonia, Finland, Greece, Italy, Luxembourg, Netherlands, Poland, Slovakia, Slovenia, Spain, Germany and Austria.
- Law not started: Hungary.
Since the directive must be implemented in all EU member states, there is no reason for those covered by it to wait before introducing internal reporting systems, especially if the business has employees or other potential whistleblowers who are resident and active in countries that have already implemented the legislation.
Violating the Whistleblower Directive or national legislation?
The directive does not prescribe minimum levels of penalties, but it requires national legislation to penalize those who hinder whistleblowers from sounding the alarm, breach confidentiality, or in any way subject a whistleblower to negative consequences after reporting.
What requirements apply to whistleblowers in the processing of personal data (GDPR)?
In general, the Whistleblower Act contains special rules on the processing of personal data. These rules supplement the provisions on the processing of personal data in the relevant data protection regulations.
Personal data may only be processed if the processing is necessary for a follow-up case as defined in the Act. What constitutes a follow-up case is set out in the Act itself.
Furthermore, personal data that is clearly not relevant to the handling of a particular whistleblowing report may not be collected, and must be deleted as soon as possible if it has been collected by mistake. Personal data may not be processed for longer than two years after the follow-up case has been concluded.
The Whistleblower Act also states that only persons authorized to receive, follow up and provide feedback on reports may have access to personal data processed in such a case.
Businesses with at least 50 employees are obliged under the Whistleblower Act to have internal reporting channels, and therefore do not need to apply for permission to process personal data about violations of the law within those channels.
Businesses with fewer than 50 employees are not required by the Whistleblower Act to have internal whistleblower channels. For voluntarily established reporting channels, permission must therefore be applied for in advance if there is a need to process personal data about violations of the law in a way that goes beyond what the relevant regulations allow.
Business operators must record the processing of personal data within the internal whistleblowing reporting channel in their record of processing activities, in accordance with the relevant regulations.
A data protection impact assessment must be carried out when an organization introduces an internal reporting system (whistleblower system) through which misconduct in the workplace can be reported.
Do we have to have a complete whistleblower case management system?
Most whistleblower systems offered today are complete case management systems built for very large businesses; for most businesses covered by the directive they are unnecessarily complex and expensive, with an unnecessarily steep learning curve. In fact, it is enough to create simple reporting channels and processes together with a policy.
ANON::form offers a cost-effective alternative with a low learning threshold: an internal reporting channel for whistleblowers via secure and anonymous forms in a purpose-built system (operated by Anonform Ab). Written reports are delivered as encrypted e-mail to the business’s designated administrator, who then handles the case in the internal systems and processes chosen for this purpose.
In addition to the reporting channel, an automatically generated standard whistleblowing policy is included in our E2EE Form BASIC subscription at no extra cost.
Modern mobile telephony offers excellent alternatives, often at no extra cost, for setting up channels for voice reporting.
HINT! Read more about our affordable subscription, and feel free to add secure contact forms to your website; they are included free of charge in a subscription with us.
Still unsure how to deal with the whistleblower directive and legislation?
The new Whistleblower Directive and associated legislation may seem large and unwieldy, but it is surprisingly easy to implement for most businesses. In addition to the purpose-built whistleblower reporting channel we offer, we can help with everything from consulting to a complete implementation of the entire solution. Please get in touch to discuss your specific needs!