EU Whistleblowing Directive: All you need to know right now
On 16 December 2019, the EU Directive on the protection of whistleblowers entered into force. We will show you how you can implement the directive quickly and easily in your company.
Content of this white paper:
EU Whistleblowing Directive at a glance
Whistleblowers are vital for maintaining an open and transparent society, as they expose misconduct or hidden threats. To ensure that they are better protected against negative consequences, EU Directive 2019/1937 on the protection of whistleblowers came into force on 16 December 2019.
The goals of the EU Whistleblowing Directive are:
Protective measures for whistleblowers are the focus of the EU Directive
The core feature of this directive is protection of whistleblowers. The essential points are:
With these safeguards, the EU is sending a clear message to whistleblowers that they have nothing to fear while encouraging individuals to report on company infringements.
Who is affected by the directive?
Companies with more than 50 employees, public sector institutions, authorities as well as municipalities with 10,000 or more inhabitants are obliged to set up suitable internal reporting channels. Companies with 250 or more employees will be are expected to comply within two years of adoption, whereas companies with employees between 50 and 250 have another two years after transposition to comply.
Whistleblowers should be able to submit reports either in writing via an online system, a mailbox or by post and/or orally via a telephone hotline or answering machine system. Not only are employees who report wrongdoing are protected, but also job applicants, former employees, supporters of the whistleblower or journalists.
Whistleblower protection refers to the reporting of wrongdoing related to EU law, such as tax fraud, money laundering or offences related to public procurement, product and transport safety, environmental protection, public health and consumer and data protection.
However, the EU encourages national legislators to extend this scope also in into their respective national laws.
EU Directive obligations on businesses
All personal data, both that of the whistleblower and any accused persons, must be handled in accordance with the GDPR.
Companies must determine the “most suitable” person to receive and follow up on reports internally. According to the EU, this could be a:
Compliance officer, Head of HR, Legal counsel, Chief Financial Officer (CFO), Executive board member or management
Companies can also outsource the processing of reports, for example to an external ombudsman.
The company is obliged to confirm receipt of the report to the whistleblower within seven days. The whistleblower must be informed of any action taken within three months, the status of the internal investigation and its outcome.
Companies are required to provide information on the internal reporting process as well as on the reporting channel(s) to the competent authority. This information must be easily understandable and accessible, not only to employees, but also to suppliers, service providers and business partners.
All reports received must be kept in a secure place so that they can be used as evidence, if necessary.
Companies with between 50 and 250 employees may use a shared reporting channel to obtain and identify evidence, provided that all obligations outlined are met.
The EU directive also includes details on sanctions. Companies that obstruct the reporting of concerns or attempt to obstruct them will face penalties. The same applies if companies fail to keep the identity of the whistleblower confidential. Retaliatory measures against whistleblowers will also be punished. It is the job of national legislators to determine the severity of these sanctions.
While the Directive clearly benefits whistleblowers we also believe there are significant benefits for organizations. Most importantly, by ensuring that effective whistleblowing arrangements are in place, employees and other stakeholders are encouraged to raise concerns internally.
By doing so, organizations have an opportunity to identify and manage risk at an early stage, helping to avoid or limit financial and reputational damage.
All information on the Directive including a checklist can be found in our white paper.
The following aspects must be taken into account:
Next steps & tips
The Whistleblower Protection Directive entered into force on 16 December 2019. This marks the start of the two-year period during which EU member states must transpose the requirements into their own national legislation. First, companies with more than 250 employees must fulfill their obligations and two years later this will also apply to companies with 50 to 250 employees. Companies are advised not to wait until the last minute and to take action at an early stage.
The Whistleblowing Report 2021 shows that many companies have already proactively set up hotlines and received reports that have enabled them to better manage risk within their organisations.
Implement internal whistleblowing systems and set up processes
The freedom of choice aspect for whistleblowers is something companies need to note in particular. If the whistleblower cannot find suitable internal reporting channels, he or she can contact the relevant authority or even go public – the worst outcome for companies. It is therefore essential that suitable internal reporting channels are available and known about within the company.
To ensure that employees feel comfortable reporting internally, the channels should be available 24/7, offer anonymity, be available in the relevant languages, have comprehensible explanatory texts and be accompanied by an effective internal communication strategy.
Since all reports must be documented and follow-up action taken, each report needs to be easily accessible to, compliance officers for the management of the next steps. Accordingly, a whistleblower system should be intuitive and easy to use.
Most importantly, the whistleblower must be confident that his or her identity is fully protected.
For this reason, digital whistleblowing systems that are proven to be secure and reliable are particularly recommended for small and large companies as well as public institutions. A data protection and IT security-certified system ensures that data cannot be accessed even by the provider. For reasons of data protection law, attention should also be paid to the location of the provider’s servers.
International companies should also ensure that reports can be submitted regardless of location and time in order to ensure that international employees have full access to the system.
Private and public organisations are well advised to implement a whistleblowing system at an early stage, as implementation can take between a few weeks and a couple of months, depending on the size and complexity of the organisational structure.
The whistleblower should be informed within a reasonable period of time about the follow-up actions planned or taken and the reasons for choosing these.
The time requirements for action include:
§ the reference to other channels or procedures for reports that only concern the individual rights of the whistleblower,
§ the completion of the procedure due to lack of evidence or other reasons,
§ the initiation of internal investigations, possibly with an indication of the results and possible measures to remedy the problem, or
§ involve referral to a competent authority for further investigation insofar as this information does not affect internal research or the investigation and does not affect the rights of the person concerned by the report.“
The whistleblower should be kept informed of the progress and results of the investigation as it proceeds.
Yes, based on the EU Whistleblower Directive, staff handling the reports on breaches should be specially trained and familiar with the applicable data protection regulations. These skills are necessary to process reports efficiently, to communicate with the whistleblower, even if they choose to remain anonymous, and to manage the appropriate follow-up actions.
According to the Directive, it should not be possible to rely on the legal or contractual obligations of individuals, such as loyalty clauses in contracts or confidentiality or non-disclosure agreements, in order to exclude the possibility of reporting, to deny protection to whistleblowers, or to impose sanctions on them for reporting information on breaches:
§ to exclude the possibility of reporting,
§ to refuse whistleblowers protection
§ provide sanctions for reporting or disclosing information about violations when disclosure of the information covered by these clauses and agreements is necessary to uncover the violation.
If these conditions are met, whistleblowers should not be liable under civil, criminal or administrative law or in respect of their employment.
The Directive states that whistleblowers who lawfully acquire or obtain access to the information on breaches should enjoy immunity from liability. If the relevant information has been acquired or obtained by committing a criminal offence, such as physical trespassing or hacking, the criminal liability should remain governed by the applicable national law.
Download the white paper now
Register now for our Compliance News Service and receive relevant news from compliance, whistleblowing and business ethics. After successful registration for the Compliance News Service, you will receive the link to the white paper via e-mail. You can unsubscribe from the news at any time.