The EU Whistleblowing Directive

Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Directive) was required to be implemented by all EU Member States by no later than 17 December 2021. Progress has been slow, but the vast majority of the EU 27 have now passed implementing legislation.

Deadlines for compliance were staggered under the Directive: companies with 250 or more workers in a Member State were required to comply by 17 December 2021, extending to companies with 50 or more workers in a Member State by 17 December 2023.

The Directive requires each Member State to legislate so that companies with 50 or more workers in that Member State must: (i) put in place appropriate reporting channels to enable those workers to report breaches of EU law; and (ii) ensure that those making whistleblowing reports are legally protected against retaliation for having done so.

Under the Directive, companies are required to put in place internal reporting channels, where confidentiality of the whistleblower will be ensured, and Member States are required to put in place external reporting channels.

Local variations – one size does not fit all

Whistleblower protection must cover those making reports in relation to breaches of the areas of EU law specified in the Directive (including public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; protection of the environment; protection of privacy and personal data, and security of network and information systems). However, Member States are free to include protections for those who blow the whistle in other areas, and many have done so, in varying ways. For example, in Denmark, those who report on “serious offences and other serious matters” are covered by the domestic whistleblower legislation, and ultimately it will be for the courts to determine the boundaries of this somewhat broad formulation.  Hungary has taken a similarly broad approach, covering unlawful or suspected unlawful acts or omissions or other abuses.  Businesses will need to determine how best to reflect this uncertainty in their internal reporting procedures.  Multi-nationals will need to consider how the Directive has been implemented across the EU 27 more generally and assess whether it is feasible to take a uniform approach to whistleblowing across their EU operations, given the differences in local law.

Group-wide channels – to share or not to share?

One particular and ongoing concern for employers with operations across the EU will be how they ensure compliance with the Directive’s requirements that each legal entity with 50 or more workers must have its own reporting channel and procedure, and must maintain confidentiality as to the identity of the reporting person.  The European Commission has indicated that this will preclude reliance on a central compliance team within a parent company to handle all whistleblower reports (although there is a derogation allowing entities with 50-249 workers to “share resources” between themselves).  The Danish legislature has included provision in its implementing law allowing companies to use a centralised reporting and investigation system, pending further clarification on whether or not this approach is compatible with the Directive.  By contrast, the legislation passed in a number of other jurisdictions simply follows the scheme of the Directive and will need to be interpreted carefully by employers, with the legal risks and consequences of non-compliance (which will also vary between Member States) front of mind.       

Data protection considerations

Whistleblowing systems entail the collection and processing of potentially large volumes of personal data, some of which will be “special category” data.  The Directive expressly stipulates that any processing of personal data pursuant to the Directive must be compliant with the GDPR. 

There is long-standing guidance from data protection authorities which emphasises the need to balance protection for those who blow the whistle, with the need to ensure that schemes don’t encourage the collection of inaccurate and highly damaging data on persons about whom reports are made. This can be a particular risk where hotline schemes encourage anonymous reports. This will need to be taken into account by businesses putting in place systems to comply with the Directive. Data Protection Impact Assessments are also likely to be needed for the operation of a whistleblowing hotline in at least some Member States, and careful consideration will need to be given to any internal or intra-group sharing of data in connection with investigations.

The “to do” list

Whistleblowing policies and procedures will need to be reviewed and updated and rolled out in a legally compliant way (taking into account local works council / trade union / other staff consultation requirements), so HR, privacy and legal teams will need to work closely together to achieve compliance. 

Businesses operating in the EU should:

  • assess, in light of their worker numbers in each EU jurisdiction and local legislation, where they will need to ensure compliance with laws implementing the Directive;
  • review their standards of business conduct and reporting arrangements, including whistleblower hotlines, to ensure compliance with the Directive and continued compliance with GDPR requirements;
  • implement internal whistleblowing policies (or adapt existing policies to ensure they take account of the new legislation);
  • inform / consult with works councils and other relevant employee representative bodies regarding implementation in jurisdictions where this is required.

Key areas to address will be ensuring that:

  • reports are handled and investigated by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
  • required information is given to the reporter and to the person investigated;
  • there is guidance and training in place to ensure non-retaliation; and
  • there are appropriate retention periods for reports and investigation data.

The starter for 10

As a helpful starting point, we have prepared this tracker which shows:

  • progress towards implementation by jurisdiction; and
  • how some of the key topics covered in the Directive, including reporting topics, persons covered, timescales, anonymous reporting and remedies for retaliation, are dealt with in local implementing legislation (where this information is available).


Implementation of the EU Whistleblowing Directive 

View the current implementation here
