Whistleblowing.software: the software solution which ensures compliance according to EU rules

Organizations with 250 or more employees have three months from the date the law comes into force, that is until June 13, to implement the required measures. Organizations with 249 or fewer employees have until December 1, 2023;

A new Independent Whistleblower Protection Authority (Autoridad Independiente de Protección del Informante) will be in charge of supporting whistleblowers;

Any action taken within two years of the conclusion of the investigation that could be considered retaliatory (including, for example, denial of a license or permit) is void;

Regardless of the number of employees, companies falling within the scope of EU legislation on financial services, products, or markets, the prevention of money laundering and terrorist financing, transport safety and environmental protection must also set up and maintain reporting channels.

It is necessary to establish and operate channels for receiving reports that are designed, set up, and managed in a manner that guarantees the confidentiality of the identity of the reporting person and any third party mentioned in the report, and that prevents unauthorized staff from accessing it. Reports must be stored securely, confidentially, and in accordance with GDPR;

The report should be acknowledged within 7 days of receipt;

Whistleblowers should be followed up with and kept in regular contact with an impartial person or department who will request or provide further information as needed;

Feedback must be provided within a reasonable timeframe, not later than 3 months from the acknowledgment of receipt or, if no acknowledgment was sent to the whistleblower, 3 months and 7 days after the submission of the report;

Reports must be stored in a register for a minimum period of 5 years;

The procedure for reporting externally to competent authorities should be made clear and easily accessible.

Companies and public entities must establish an internal IT reporting channel that ensures the confidentiality of the whistleblower’s identity;

Companies with the 231 model must have an internal whistleblower channel, regardless of the number of employees;

All whistleblowers in the public and private sectors are protected from retaliation, even in companies that have not adopted the 231 organizational and management model;

Whistleblowers must be informed that a report has been received within seven days of submission;

The organization must clearly outline the procedures to be followed when making a report and publish them both on the IT channel and on its website;

The processing of reports must comply with the GDPR data protection rules.

Internal reporting channels must be introduced in companies with at least 50 employees;

All municipalities are affected by the new legislation, even if their population is lower than 10,000 inhabitants;

All processing of personal data should be in accordance with GDPR;

Employees have the possibility to report wrongdoing in written and oral formats;

Confirmation of a report must be provided to the whistleblower within seven days while feedback must be given within three months;

Personal information can be collected when necessary and stored for a maximum of two years while personal information irrelevant to the case needs to be removed immediately.

It covers both the public and private sectors in addition to better outlining the scope of application;

There is no delay for medium-sized organizations which means that internal reporting systems need to be established almost simultaneously (a few months difference) by all entities with 50 or more employees;

Public companies and private sector entities with 50-249 employees can share resources in receiving and managing reports;

Anonymous reporting should be legitimate and every employer must accept an anonymous report and act upon it.

Internal reporting is mandatory for all private organizations with more than 50 employees and all public organizations, excluding those with fewer than 5,000 inhabitants or under 25 employees;

The procedures for internal reporting must include channels for the report’s reception, which are designed, implemented, and operated in a secure way that ensures confidentiality, protection of the identity of the whistleblower and every other person that is mentioned in the report;

It can be submitted in written format, orally, or both;

The whistleblower must receive confirmation that his or her report has been received within seven days of making it;

The whistleblower must receive updates no later than 3 months from the date of confirmation that the report has been received.

The obligation to establish whistleblowing schemes apply to all public and private organizations with 50 or more employees

The report can be submitted in written format, orally or both;

The identity of the whistleblower cannot be disclosed to anyone outside the whistleblowing unit unless the whistleblower consents to this.

It covers all entities, public or private, with more than 50 employees;

Anonymous reporting should be legitimate and every employer must accept an anonymous report and act upon it, and the whistleblower whose identity is later revealed will still benefit from the same protection;

The internal whistleblowing system must comply with the GDPR as well with the CNIL (the French Data Protection Authority) recommendations on whistleblowing systems;

The whistleblowing system may be common to several or all the companies in a Group.

All private and public sector organisations with 50 or more employees must establish formal whistleblowing channels and procedures for their employees;

Organisations with between 50 and 249 employees will have to implement this requirement by 17 December 2023;

Acknowledgement of the receipt of the protected disclosure must be given within 7 days with diligent follow-up conducted;

Feedback on any action taken must be provided to the whistleblower within 3 months;

Unauthorised disclosure of the identity of a whistleblower will be a criminal offence while new offences will be created for employers who fail to establish internal whistleblowing channels;

Breaching the duty of confidentiality to protect the identity of the person making a protected disclosure includes serious financial penalties.

All private sector organisations with 50 or more employees must establish formal whistleblowing channels and procedures for their employees;

Organizations with less than 50 employees are strongly encouraged by the new law to introduce the same measures;

In the public sector, the requirements of the Act apply to each ministry of the Maltese government;

Organizations now have an obligation of record keeping, to ensure that any personal data which is manifestly not relevant for the processing of a report will not be collected or, if accidentally collected, must be deleted without undue delay;

Public institutions and medium-sized enterprises (50-249 employees) could merge and create unified internal alarm systems;

Anonymous disclosures are not protected disclosures under the Law. However anonymous reports may be received and processed and taken into consideration in determining whether an improper practice has occurred.

Municipal institutions and medium-sized enterprises (50-249 employees) could merge and create unified internal alarm systems;

Institutions of a public person regardless of the number of employees and those legal persons governed by private law which have more than 50 employees shall establish an internal whistleblowing system;

Personal data of a whistleblower, report and appended written or material evidence, and also materials from the examination of the whistleblower’s report shall have the status of restricted access information;

The list of areas of offences has also been extended to include, for example, misconduct affecting climate change, transport safety or animal welfare.

Internal reporting is mandatory for all private and public organizations with more than 50 employees;

Whistleblowers can report through internal reporting channels, external or make a public disclosure;

Organizations must provide feedback to a report within two days, and inform the whistleblower on the progress of the provided information and status of the investigation within ten days;

In terms of the conservation of data related to a report, relevant data must be within 5 months after the last decision or examination of the case. An extension of time can be made in the case where the whistleblower explicitly gave their consent.