Deadlines for compliance were staggered under the Directive: companies with 250 or more workers in a Member State were required to comply by 17 December 2021, extending to companies with 50 or more workers in a Member State by 17 December 2023.
The Directive requires each Member State to legislate so that companies with 50 or more workers in that Member State must: (i) put in place appropriate reporting channels to enable those workers to report breaches of EU law; and (ii) ensure that those making whistleblowing reports are legally protected against retaliation for having done so.
Under the Directive, companies are required to put in place internal reporting channels, where confidentiality of the whistleblower will be ensured, and Member States are required to put in place external reporting channels.
Whistleblower protection must cover those making reports in relation to breaches of the areas of EU law specified in the Directive (including public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; protection of the environment; protection of privacy and personal data, and security of network and information systems). However, Member States are free to include protections for those who blow the whistle in other areas, and many have done so, in varying ways. For example, in Denmark, those who report on “serious offences and other serious matters” are covered by the domestic whistleblower legislation, and ultimately it will be for the courts to determine the boundaries of this somewhat broad formulation. Hungary has taken a similarly broad approach, covering unlawful or suspected unlawful acts or omissions or other abuses. Businesses will need to determine how best to reflect this uncertainty in their internal reporting procedures. Multi-nationals will need to consider how the Directive has been implemented across the EU 27 more generally and assess whether it is feasible to take a uniform approach to whistleblowing across their EU operations, given the differences in local law.
One particular and ongoing concern for employers with operations across the EU will be how they ensure compliance with the Directive’s requirements that each legal entity with 50 or more workers must have its own reporting channel and procedure, and must maintain confidentiality as to the identity of the reporting person. The European Commission has indicated that this will preclude reliance on a central compliance team within a parent company to handle all whistleblower reports (although there is a derogation allowing entities with 50-249 workers to “share resources” between themselves). The Danish legislature has included provision in its implementing law allowing companies to use a centralised reporting and investigation system, pending further clarification on whether or not this approach is compatible with the Directive. By contrast, the legislation passed in a number of other jurisdictions simply follows the scheme of the Directive and will need to be interpreted carefully by employers, with the legal risks and consequences of non-compliance (which will also vary between Member States) front of mind.
Whistleblowing systems entail the collection and processing of potentially large volumes of personal data, some of which will be “special category” data. The Directive expressly stipulates that any processing of personal data pursuant to the Directive must be compliant with the GDPR.
There is long-standing guidance from data protection authorities which emphasises the need to balance protection for those who blow the whistle with the need to ensure that schemes don’t encourage the collection of inaccurate and highly damaging data on persons about whom reports are made. This can be a particular risk where hotline schemes encourage anonymous reports. Businesses putting in place systems to comply with the Directive will need to take this into account. Data Protection Impact Assessments are also likely to be needed for the operation of a whistleblowing hotline in at least some Member States, and careful consideration will need to be given to any internal or intra-group sharing of data in connection with investigations.
Whistleblowing policies and procedures will need to be reviewed, updated and rolled out in a legally compliant way (taking into account local works council, trade union and other staff consultation requirements), so HR, privacy and legal teams will need to work closely together to achieve compliance.
Businesses operating in the EU should:
Key areas to address will be ensuring that:
As a helpful starting point, we have prepared this tracker which shows: