Whistleblowing.software: the software solution which ensures compliance according to EU rules
Whistleblowing EU Regulations
Directive (EU) 2019/1937 (23 Oct 2019)
EU Whistleblower protection
Protection of persons reporting on breaches of Union law
European Council adopted rules on whistle-blower protection. The rules require the creation of safe channels for reporting both within an organisation – private or public – and to public authorities. It also provides a high level of protection to whistle-blowers against retaliation, and require national authorities to adequately inform citizens and train public officials on how to deal with whistle-blowing.
The main elements of the compromise include:
Creation of channels of reporting within companies/administrations: all companies with more than 50 employees will have to set up an internal procedure to handle whistleblowers’ reports. All state, regional administrations and municipalities with over 10,000 inhabitants will also be covered by the new law.
Hierarchy of reporting channels: whistleblowers are encouraged to use internal channels within their organisation first, before turning to external channels which public authorities are obliged to set up.
Feedback obligations for authorities and companies: obligation to respond and follow-up to the whistleblowers’ reports within 3 months (with the possibility of extending this to 6 months for external channels in duly justified cases).
🇵🇹
Portuguese Whistleblowing Law
Portugal implemented the EU Whistleblowing Directive on 20 December 2021 by Law 93/2001, bringing it into force on 18 June 2022. The Portuguese Whistleblowing Law is called “Regime geral de proteção de denunciantes de infrações (RGPDI)”, that means “general whistleblower protection scheme”.
As of June 18, 2022, all private and public entities with 50 or more employees and municipalities with 10,000 or more inhabitants must establish internal reporting channels.
Portuguese branches of companies with foreign headquarters are also subject to this rule.
Reporting channels within the organization must include the following requirements:
It is necessary to establish and operate channels for receiving reports that are designed, set up, and managed in a manner that guarantees the confidentiality of the identity of the reporting person and any third party mentioned in the report, and that prevents unauthorized staff from accessing it. Reports must be stored securely, confidentially, and in accordance with GDPR;
The report should be acknowledged within 7 days of receipt;
Whistleblowers should be followed up with and kept in regular contact with an impartial person or department who will request or provide further information as needed;
Feedback must be provided within a reasonable timeframe, not later than 3 months from the acknowledgment of receipt or, if no acknowledgment was sent to the whistleblower, 3 months and 7 days after the submission of the report;
Reports must be stored in a register for a minimum period of 5 years;
The procedure for reporting externally to competent authorities should be made clear and easily accessible.
🇸🇪
Swedish Whistleblowing Act
The new regulation regarding Whistleblowing implemented in Sweden SFS 2021:890 as a result of the EU Whistleblowing Directive differs from the previous one by introducing specific channels for reporting misconduct and by ensuring that the identity of the whistleblower shall be covered by confidentiality.
Key aspects:
Internal reporting channels must be introduced in companies with at least 50 employees;
All municipalities are affected by the new legislation, even if their population is lower than 10,000 inhabitants;
All processing of personal data should be in accordance with GDPR;
Employees have the possibility to report wrongdoing in written and oral formats;
Confirmation of a report must be provided to the whistleblower within seven days while feedback must be given within three months;
Personal information can be collected when necessary and stored for a maximum of two years while personal information irrelevant to the case needs to be removed immediately.
🇸🇰
New Croatian Whistleblower Protection Act
The Republic of Croatia, after two readings in the Croatian Parliament, adopted the Croatian Whistleblower Protection Act, which has been in force since April 23, 2022.
The new Act contains extended mechanisms and represents progress over the previous law. Based on the implemented provisions of the EU Directive, it ensures an improved level of whistleblower protection and contributes to the further strengthening of the legal protection of whistleblowers.
Key aspects:
It covers both the public and private sectors in addition to better outlining the scope of application;
There is no delay for medium-sized organizations which means that internal reporting systems need to be established almost simultaneously (a few months difference) by all entities with 50 or more employees;
- Public companies and private sector entities with 50-249 employees can share resources in receiving and managing reports;
Anonymous reporting should be legitimate and every employer must accept an anonymous report and act upon it.
🇨🇾
Protection of Persons Reporting Breaches of Union and National Law
On 4 February 2022, Cyprus published the Protection of Persons Reporting Breaches of Union and National Law, the Whistleblowing Law in the Official Gazette, transposing the EU Whistleblowing Directive.
Key aspects:
Internal reporting is mandatory for all private organizations with more than 50 employees and all public organizations, excluding those with fewer than 5,000 inhabitants or under 25 employees;
The procedures for internal reporting must include channels for the report’s reception, which are designed, implemented, and operated in a secure way that ensures confidentiality, protection of the identity of the whistleblower and every other person that is mentioned in the report;
It can be submitted in written format, orally, or both;
The whistleblower must receive confirmation that his or her report has been received within seven days of making it;
- The whistleblower must receive updates no later than 3 months from the date of confirmation that the report has been received.
🇩🇰
Danish Act – Protection of Whistleblowers
In Denmark, the EU Whistleblowing Directive was implemented through the Danish Act on the Protection of Whistleblowers which entered into force on 17 December 2021. The Danish implementation of the Directive is in many ways a very close representation of the European Directive.
Key aspects:
- The obligation to establish whistleblowing schemes apply to all public and private organizations with 50 or more employees
The report can be submitted in written format, orally or both;
- The identity of the whistleblower cannot be disclosed to anyone outside the whistleblowing unit unless the whistleblower consents to this.
🇫🇷
French Whistleblowing Act
The law transposing the EU Directive was passed in France on March 21, 2022. The entities subject to the law had until September 1, 2022 (6 months) to comply with its provisions. The law extends the whistleblower protection regime to certain third parties linked to the whistleblower (such as colleagues or family members) and facilitators.
Key aspects:
It covers all entities, public or private, with more than 50 employees;
Anonymous reporting should be legitimate and every employer must accept an anonymous report and act upon it, and the whistleblower whose identity is later revealed will still benefit from the same protection;
The internal whistleblowing system must comply with the GDPR as well with the CNIL (the French Data Protection Authority) recommendations on whistleblowing systems;
- The whistleblowing system may be common to several or all the companies in a Group.
🇮🇪
Protected Disclosures Bill 2022 – Ireland
The Protected Disclosures (Amendment) Bill 2022 was signed into law in July 2022 and it substantially enhances and strengthens protection for whistleblowers while bringing the country in line with the European standard. In Ireland, whistleblowing is more formally known as “making a protected disclosure”.
Key aspects:
- All private and public sector organisations with 50 or more employees must establish formal whistleblowing channels and procedures for their employees;
Organisations with between 50 and 249 employees will have to implement this requirement by 17 December 2023;
- Acknowledgement of the receipt of the protected disclosure must be given within 7 days with diligent follow-up conducted;
Feedback on any action taken must be provided to the whistleblower within 3 months;
- Unauthorised disclosure of the identity of a whistleblower will be a criminal offence while new offences will be created for employers who fail to establish internal whistleblowing channels;
- Breaching the duty of confidentiality to protect the identity of the person making a protected disclosure includes serious financial penalties.
🇲🇹
Whistleblowing Act – Republic of Malta
Whistleblower protection legislation was first introduced in Malta by the adoption of the “Protection of the Whistleblower Act” on 15 September 2013. It was subsequently amended by an act of the Maltese Parliament on 18 December 2021 to transpose the EU Whistleblowing Directive.
Key aspects:
All private sector organisations with 50 or more employees must establish formal whistleblowing channels and procedures for their employees;
- Organizations with less than 50 employees are strongly encouraged by the new law to introduce the same measures;
In the public sector, the requirements of the Act apply to each ministry of the Maltese government;
- Organizations now have an obligation of record keeping, to ensure that any personal data which is manifestly not relevant for the processing of a report will not be collected or, if accidentally collected, must be deleted without undue delay;
- Public institutions and medium-sized enterprises (50-249 employees) could merge and create unified internal alarm systems;
Anonymous disclosures are not protected disclosures under the Law. However anonymous reports may be received and processed and taken into consideration in determining whether an improper practice has occurred.
🇱🇻
Latvia Whistleblowing Law
On January 20, 2022, the new Whistleblowing Law was adopted in Latvia and it entered into force on 04 February 2022. It is designed to transpose Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.
Key aspects:
- Municipal institutions and medium-sized enterprises (50-249 employees) could merge and create unified internal alarm systems;
Institutions of a public person regardless of the number of employees and those legal persons governed by private law which have more than 50 employees shall establish an internal whistleblowing system;
- Personal data of a whistleblower, report and appended written or material evidence, and also materials from the examination of the whistleblower’s report shall have the status of restricted access information;
- The list of areas of offences has also been extended to include, for example, misconduct affecting climate change, transport safety or animal welfare.
🇱🇹
Lithuania Whistleblowing Law
On December 16th, 2021, the new Whistleblowing Law was adopted in Latvia and it entered into force on February 15th, 2022. It is designed to transpose Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.
Key aspects:
Internal reporting is mandatory for all private and public organizations with more than 50 employees;
Whistleblowers can report through internal reporting channels, external or make a public disclosure;
Organizations must provide feedback to a report within two days, and inform the whistleblower on the progress of the provided information and status of the investigation within ten days;
- In terms of the conservation of data related to a report, relevant data must be within 5 months after the last decision or examination of the case. An extension of time can be made in the case where the whistleblower explicitly gave their consent.
Others regulations:
- GRECO is the authority who’s been entrusted by the Council of Europe in order to monitor the EU Members’ compliance with the EU standards in the Corruption field. According to the GRECO principles against corruption, the States have:
- to ensure that the organisation, functioning and decision-making processes of public administrations take into account the need to combat corruption, in particular by ensuring as much transparency as is consistent with the need to achieve effectiveness (GP 9),
- to ensure that the rules relating to the rights and duties of public officials take into account the requirements of the fight against corruption and provide for appropriate and effective disciplinary measures; promote further specifi-cation of the behaviour expected from public officials by appropriate means, such as codes of conduct (GP 10)
Currently, GRECO comprises 50 member States (49 European States and the United States of America).
It requires Contracting Parties to provide in their domestic law “for effective remedies for persons who have suffered damage as a result of acts of corruption, to enable them to defend their rights and interests, including the possibility of obtaining compensation for damage” (Art.1).