Whistleblowing, a vital mechanism for ensuring transparency and accountability in both public and private sectors, has gained significant prominence across Europe in recent years.
This practice, which involves the disclosure of information by an individual regarding wrongdoing, corruption, or unethical behavior within an organization, has emerged as a powerful tool in the battle against corporate fraud, governmental misconduct, and abuse of power. To ensure the protection of whistleblowers from retaliation and persecution, the European Union enacted the Whistleblowing Directive that mandates all member states to implement corresponding national legal frameworks.
The EU Whistleblowing Directive, formally known as Directive (EU) 2019/1937, is a legal act enacted by the EU with the aim of enhancing protection for whistleblowers across its member states. Adopted on the 23rd of October, 2019, the directive seeks to create a safe and uniform environment for individuals to report breaches at the workplace without fear of retaliation.
The subject of the Directive: All EU-based public and private companies with 50+ employees, as well as municipalities with 10,000+ inhabitants.
The whistleblower's status refers to the recognition and protection granted to individuals who disclose information about illegal, unethical, or fraudulent activities within an organization. This status aims to shield whistleblowers from potential retaliation, such as harassment, demotion, or termination while encouraging them to come forward and report wrongdoing. The whistleblower status plays a critical role in promoting transparency and accountability, as it empowers individuals to act as counselors against corruption and abuse of power.
Aiming to ensure comprehensive protection for whistleblowers, the EU Whistleblowing Directive 2021 covers a broad range of aspects in different areas, including:
The EU Whistleblower Directive 2021 affects various stakeholders, including individuals, organizations, and national authorities across the EU. The main parties include:
Whistleblowers: individuals who report or disclose information about wrongdoings or breaches of EU law. They can be employees, contractors, subcontractors, suppliers, volunteers, or even job applicants;
Private and public organizations operating within the EU member states. All EU-based public and private companies with 50+ employees are required to establish internal reporting channels for whistleblowing. Apart from the businesses, the directive 2019/1937 also applies to municipalities with 10,000+ inhabitants.
National authorities in EU member states. Each member state must establish external reporting channels and competent authorities for whistleblowers to report wrongdoings;
Managers and executives in organizations. They must ensure compliance with the EU directive provisions, create a supportive environment for whistleblowers, and take appropriate action when wrongdoings are reported;
Legal and HR professionals play a crucial role in helping organizations implement and maintain policies, procedures, and reporting channels in compliance with the directive.
Overall, the EU Whistleblowing Directive indirectly affects all employees and the general public. The goal behind the directive is to foster a culture of transparency, accountability, and ethical conduct within organizations and public institutions.
The EU Whistleblower Directive covers a wide range of individuals who report or disclose information about breaches of EU law. Thus, the directive's coverage is not limited to employees but it extends to various categories of people who may come across wrongdoings in their professional daily life, including:
Employees, including full-time and part-time workers, regardless of their contract type;
Self-employed individuals, such as independent contractors, freelancers, or consultants who work for an organization or public institution;
Shareholders and members of the management or administrative bodies;
Volunteers, unpaid trainees and job applicants;
Third-party individuals such as contractors, subcontractors, and suppliers who have a work-related connection to the organization or public institution.
The directive aims to protect employees, contractors and subcontractors, suppliers, shareholders and top managers, volunteers and trainees, as well as job applicants. This holds true for both ongoing and ended working relationships. This requirement is designed to encourage employees to come forward with information without fear of reprisals, and to ensure you take allegations of wrongdoing seriously and investigate them thoroughly.
What does this mean for companies?
Companies are prohibited from taking any adverse action against employees who report illegal activities or other serious breaches, including demoting or dismissing them, withholding pay or benefits, or subjecting them to harassment or other forms of intimidation.
Whistleblowers must be able to report information confidentially and, depending on their choice, anonymously or not. The Directive (EU) 2019/1937 prohibits organizations from imposing sanctions or otherwise discriminating against whistleblowers who choose to remain anonymous.
What does this mean for companies?
Companies must establish secure channels for reporting and ensure that only authorized personnel has access to the information shared by the whistleblower. Additionally, they must ensure that their information is taken seriously and investigated thoroughly without any subsequent negative consequences.
Learn more about the difference between confidential and anonymous reporting.
To ensure that whistleblowers are able to report information effectively, the directive requires companies to establish clear, accessible, secure, and confidential reporting channels.
What does this mean for companies?
Companies must provide clear specifications on how to report efficiently, including contact details for designated persons or channels. They must also ensure that these channels are monitored and accessible to all employees.
The directive (EU) 2019/1937 requires companies to respond in a timely and effective manner by:
Acknowledging receipt of the report within the recommended by directive 7 days,
Investigating the information and providing feedback to the whistleblower within a reasonable timeframe after the receipt of the report. The directive recommends that the feedback is given within three months.
What does this mean for companies?
Companies need to meet the established national legislation deadlines and keep whistleblowers informed about the progress of the investigation throughout the process.
Additionally, companies also need to set up mechanisms for follow-up and appoint a person, a department, or a third-party provider to receive and handle whistleblowing reports. Last but not least, all report-related data must be handled in compliance with data privacy regulations.
Finally, the EU Whistleblowing Directive requires companies to provide training and awareness-raising to all employees about the importance of whistleblowing and the protections that are available to whistleblowers.
What does this mean for companies?
Companies must ensure that all employees are aware of their rights and the reporting channels available to them. Also, they understand the importance of reporting any illegal activities or other serious breaches, thus ensuring transparency and integrity within your organization.
According to the EU Whistleblowing Directive, whistleblowers can submit reports through three types of channels:
Internal reporting channels. Informants submit reports directly to the company, or to the appointed case handlers, if to be more precise. In this way, reported issues can be investigated and solved internally in the company. For internal reporting, companies can provide a variety of different ways to submit reports: dedicated hotlines, email addresses, online platforms, or designated staff members to which internal reports must be communicated. Internal reporting should be available both for employees and all third-parties companies have working relations.
External reporting channels. External reporting implies sending reports to external government agencies established by each of the EU member state authorities. Informants can choose to use external reporting channels if they believe internal channels are insufficient, or compromised, or if they fear retaliation.
Public disclosure. Alternatively, whistleblowers may disclose information to the public or the media. In practice, people do it only in exceptional cases:
If they have reasonable grounds to believe that there is an imminent danger to the public interest, such as a threat to public health, safety, or similar;
If they risk retaliation, or there's a low probability of the wrongdoing being effectively addressed through internal or external reporting channels.
It is important to remember that even though all national legislation among the EU member states should align with the EU Directive recommendations, there might be slight changes. Therefore, you should always check local rules of the national legislation, e.g., HinSchG in Germany, Ley Whistleblowing in Spain, etc.
Establishing an internal whistleblowing system in a company involves creating a safe, confidential, and user-friendly channel that encourages employees and other stakeholders to report wrongdoings or breaches of the law. To set up an internal whistleblowing system in compliance with the EU Whistleblower Directive, organizations are advised to implement the following steps:
Develop a comprehensive whistleblowing policy that outlines the purpose, scope, and procedures for reporting wrongdoings in line with the EU Whistleblowing Directive 2021 and other relevant national and international regulations;
Designate individuals or dedicated teams responsible for handling whistleblower reports;
Ensure confidentiality and anonymity of the reporting channels. Preferably, provide end-to-end encryption of all communication channels using secure digital tools;
Provide multiple reporting channels to accommodate different preferences and needs;
Establish clear and impartial procedures for receiving, handling, and investigating whistleblower reports, as well as define timelines for acknowledging reports, providing feedback, and concluding investigations;
Raise awareness and communicate to the employees and stakeholders the content of the whistleblowing policy, reporting channels, and their rights and protections under the EU Whistleblowing Directive;
Monitor, review, and constantly assess the effectiveness of the whistleblowing system and the whistleblowing policy, while also making necessary improvements based on feedback from users, best practices, and changes in legislation.
The key protections the EU Whistleblower Directive aims to ensure are the following:
Confidentiality. The directive mandates that the identity of whistleblowers must be kept confidential throughout the entire reporting process;
Prohibition of retaliation. The Whistleblower Directive expressly prohibits any form of retaliation against whistleblowers, such as dismissal, demotion, harassment, discrimination, threats, or any other negative treatment;
Burden of proof. In case whistleblowers face retaliation, the directive reverses the burden of proof, requiring the employer or organization to demonstrate that any negative action taken against the whistleblower was not related to their reporting;
Remedies and support. The Whistleblowing Directive requires EU member states to provide whistleblowers with access to appropriate remedies and support, including legal, financial, and psychological assistance;
Protection against liability. Whistleblowers are protected from civil, criminal, or administrative liability for reporting breaches of EU law;
Protection for a broader range of individuals. The directive covers not only employees but also self-employed individuals, contractors, subcontractors, shareholders, members of management or administrative bodies, volunteers, unpaid trainees, and job applicants.
The state of implementation of the Whistleblowing Directive in 2023.
By March 2023, 20 Member States have adopted a transposing law. Check the EU Whistleblowing Monitor to see the current status of implementation among EU countries.
If your company is based in the EU and falls within the scope of the Directive (EU) 2019/1937, it is important to ensure compliance as soon as possible. The deadline for EU member states to transpose the directive into their national laws was December 17, 2021.
Does EU Whistleblowing Directive require anonymity? The EU Whistleblowing Directive does not explicitly require that whistleblowers be allowed to report anonymously, but it does emphasize the importance of confidentiality and encourages member states to provide the option of anonymous reporting.
The directive mandates that the identity of whistleblowers must be kept confidential throughout the entire reporting process, and any unauthorized disclosure of the whistleblower's identity is strictly prohibited.
Yes, the EU Whistleblowing Directive covers financial services. The Directive (EU) 2019/1937 requires Member States to establish comprehensive and effective whistleblower protection mechanisms in both the public and private sectors, including in the financial sector.
Under the Directive, financial service providers with more than 50 employees are required to establish internal reporting channels for whistleblowers and to appoint a person or department responsible for receiving and handling reports.
The GDPR (General Data Protection Regulation) and the Whistleblowing Directive are two separate regulations that both address data protection in the EU, but they have different focuses and objectives.
The GDPR is a comprehensive data protection regulation that became effective in May 2018. It establishes rules for the processing of personal data by organizations operating within the EU, as well as by organizations outside the EU that offer goods or services to EU citizens or monitor their behavior. The GDPR sets out requirements for data controllers and processors, including the collection, storage, and processing of personal data, and provides individuals with certain rights, such as the right to access and control their personal data.
The Whistleblowing Directive, which was adopted in December 2019 and became effective in December 2021, is a directive that establishes rules for the protection of whistleblowers across the EU. It requires Member States to establish comprehensive and effective whistleblower protection mechanisms in both the public and private sectors, including in the financial sector. The Directive sets out requirements for internal reporting channels, external reporting options, protection against retaliation, and confidentiality, among others.
Whistleblowers may disclose personal data when reporting misconduct or wrongdoing, and organizations that receive reports under the EU Whistleblowing Directive must ensure that they comply with the GDPR's requirements when handling and processing personal data.
The responsibility for dealing with whistleblower reports falls on both organizations (through internal reporting channels) and competent national authorities (through external reporting channels), depending on the chosen reporting channel.
The time it takes to implement a whistleblowing system can vary depending on the size, complexity, and resources of the organization, as well as the scope and features of the system.
Considering all necessary steps, implementing a whistleblowing system could take anywhere from 45 minutes to 6 months. The implementation process may be faster for smaller organizations or those using external service providers that offer pre-built whistleblowing solutions.