What Information Is Needed For Companies In Regard To The Whistleblower Directive?
A storm in a teacup or acute need for action? Initially, the EU Whistleblower Directive was supposed to be effective by December 17, 2021. However, the legislative process failed during the last legislative period. Do (medium-sized) companies still need to implement a whistleblower protection system in their company now? At the very least, preparations should be undertaken immediately since Germany must implement the Whistleblower Directive as soon as possible. The following information will give you an idea of what is in store for companies and how they can prepare for it.
By the end of December 2021, Whistleblower Directive (EU) 2019/1937 (“Whistleblower Directive”) should have been incorporated into German law. However, the legislative process initiated in the last legislative period initially failed, and the implementation deadline was not met. Nevertheless, the public sector must assume that the Whistleblower Directive will be directly applicable and already have an acute need to take action. While private companies can, in principle, wait for the Whistleblower Directive to be transposed into German law – but here, too, the Whistleblower Directive may already have an indirect impact in individual cases. Accordingly, all companies should deal with this issue as quickly as possible. The EU Whistleblower Directive is expected to be transposed into national law soon.
In its coalition agreement, the coalition government has clearly stated its support for protecting whistleblowers and for a “legally secure and practicable” implementation of the Whistleblower Directive. It can even be assumed that Germany will go beyond the minimum requirements of EU Whistleblower Directive 2019/1937. For example, the national Whistleblower Protection Act is to apply not only to reports relating to breaches of EU law but also to reports “of significant breaches of regulations or other significant misconduct, the discovery of which is in the particular public interest.”
The exact specifications of the national whistleblower protection law are not yet known conclusively. However, at the very least, the requirements of the EU Whistleblower Directive must be transposed into German law. Companies can already take their cue from this and start with the organizational implementation.
Which companies are affected?
In particular, private-sector companies with 250 or more employees or annual sales of more than EUR 10 million must maintain secure internal reporting channels – the aforementioned EU Whistleblower Directive already provided for this from December 17, 2021. It can therefore be assumed that the requirements of European law will be implemented quickly. Likewise, public institutions, authorities, and municipalities with a population of 10,000 or more must introduce whistleblowing systems – for these, it can already be assumed that the EU Whistleblower Directive will apply directly.
Private companies with between 50 and 249 employees have to introduce a whistleblowing system until the end of 2023.
What types of whistleblower systems are possible?
There is room for maneuver in the precise design of the whistleblower system. Three types of whistleblower systems are possible:
– Establishment of an internal company mailbox;
– Assigning a ombudsperson to receive corresponding tips;
– Establishment of an electronic reporting system.
In any case, the reporting channels must be designed in such a way that the information can be provided in writing or verbally. In addition, a physical meeting within a reasonable time frame should also be made possible at the whistleblower’s request.
In any case, the confidentiality (anonymity is not a prerequisite) of the whistleblower must be maintained.
The various reporting options can be combined. In each case, the preferred solution depends on the concrete circumstances, such as the size, structure, and spaciousness of the company organization, and whether a suitable person can be identified.
In addition, it should be possible for persons outside the company to use the whistleblower system. If possible, companies should design the reporting channel so that it is also open to employees of business partners of the company or group of companies. This is in addition to persons who receive information from the company in their professional activities. These include temporary workers, members of the company’s executive bodies and shareholders, job applicants, self-employed persons, and former employees.
In addition to establishing an internal reporting system, companies must also provide their employees, as potential whistleblowers, with comprehensible and easily accessible information about the possibilities of making external reports to certain authorities.
Unlike in the past, internal reporting no longer has priority. The whistleblower can decide whether to report violations internally or externally to an authority. Hence, companies should ensure that internal reporting systems are in place and create incentives.
Which reports enjoy whistleblower protection?
According to the EU Whistleblower Directive, whistleblowers are entitled to report violations that fall within the scope of the EU legal acts listed in the annex and concern the following areas in particular:
– Public procurement,
– Financial services, financial products, and financial markets, and Prevention of money laundering and terrorist financing,
– Product safety and conformity,
– transport safety,
– environmental protection,
– Radiation protection and nuclear safety,
– Food and feed safety, animal health and welfare,
– public health,
– consumer protection,
– privacy and personal data protection, and network and information systems security.
Whistleblower reporting – and then?
If a whistleblower report is received by the company, the confidentiality of the whistleblower’s identity and third parties mentioned in the report must be maintained. Unauthorized employees must not have access to the report. Establishing anonymous whistleblowing systems or the possibility of anonymous whistleblowing is not necessary. The whistleblower must receive confirmation of receipt of the report within seven days.
Based on the reports, companies must designate an impartial person or department to take follow-up action, such as internal inquiries and investigations. This may be the same person or department that receives reports. In addition, whistleblowers must provide feedback within a reasonable period of time, specifically within a maximum of three months, on any reactions to the report that have been initiated.
The company must document the reports that come in. If necessary, the whistleblower should be provided with the documentation for verification purposes.
Since whistleblowers have the option of reporting internally or externally, companies should urgently create professional internal structures in order to avoid reports to external bodies. If whistleblowers trust that companies will take tips seriously, follow them up carefully, and investigate and appropriately sanction criminal acts and irregularities, they will use internal reporting structures.
Protective effect for the whistleblower
Whistleblowers enjoy legal protection only if there was reasonable cause to believe that the reported information about violations was true at the time of the report. This is because they provided it through the specified internal or external reporting channels. Under these conditions, the EU Whistleblower Directive prohibits any form of reprisal, discrimination or disadvantage. If they make a proper report, whistleblowers do not have to fear any consequences under employment law. In the event of a lawsuit under employment law, the Whistleblower Directive provides for a reversal of the burden of proof in favor of the whistleblower. Accordingly, the employer must prove that there was no connection with the employee’s reporting of the whistleblower. In addition, the Whistleblower Directive provides for sanctions, in some cases with substantial fines.
There is no time to waste – action must be taken now!
The implementation of the Whistleblower Directive will have a significant impact on small and medium-sized companies in particular, as whistleblower systems do not yet exist in these companies as a rule. Hence, it is advisable to begin the process of implementing such a system at an early stage and to assign tasks to the appropriate persons. In order to create an incentive for internal reporting and thus prevent possible damage to the company’s reputation as a result of any malpractice becoming known, companies should set up a transparent internal reporting system from the outset if possible and inform employees about it. It is critical to include a whistleblower policy in the code of conduct or be accompanied by an internal whistleblower policy.
These measures should be started as early as possible to clarify the technical requirements and the legal framework conditions, such as possible co-determination rights of the works council and data protection requirements.
How We Can Help
Explore Our Consulting Services
Certification & Training
The right of access, enshrined in Art. 15 of the GDPR, gives data subjects the right to obtain from the controller.Subject Access Request Automation
Individuals have the right to access their personal data, commonly referred to as subject access. But can this process be automated?How to Become A Certified Data Protection Officer?
It is required by law to appoint a data protection officer in your company. Read all you need to know for your organization.