Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblowing Directive) must be implemented by all EU Member States by no later than 17 December 2021.  

The Whistleblowing Directive requires Member States to implement legislation obliging all companies with 50 or more workers to: (i) put in place appropriate reporting channels to enable those workers to report breaches of EU law; and (ii) ensure that those making whistleblowing reports are legally protected against retaliation for having done so.  

The Directive requires companies to put in place internal reporting channels, where confidentiality of the whistleblower will be ensured, and requires Member States to put in place external reporting channels. The protections for whistleblowers must cover reports made in relation to breaches of the areas of EU law specified in the Directive (including public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; protection of the environment; protection of privacy and personal data, and security of network and information systems). However, Member States can – if they wish – include protections for those who blow the whistle in other areas. 

There is long-standing guidance from data protection authorities which emphasises the need to balance protection for those who blow the whistle with the need to ensure that schemes don’t encourage the collection of inaccurate and highly damaging data on persons about whom reports are made. This can be a particular risk where hotline schemes encourage anonymous reports. This will need to be taken into account by businesses putting in place systems to comply with the Directive. In addition, whistleblowing policies and procedures will need to be reviewed and updated, and rolled out in a legally compliant way (taking into account local works council / trade union / other staff consultation requirements), so HR and legal teams will need to work closely together to achieve compliance.

Whilst December 2021 may still feel like a long way off, international businesses (particularly those with operations in a large number of EU jurisdictions, where the time needed to agree changes to policies and then translate these can be significant) can avoid a last-minute rush to compliance by preparing now to:

  • review their standards of business conduct and reporting arrangements, including whistleblower hotlines, to ensure compliance with the Whistleblowing Directive and continued compliance with GDPR; and  
  • implement internal whistleblowing policies (or adapt their existing policies to ensure they take account of the new legislation).

Key areas to address will be ensuring that:

  • reports are handled in accordance with prescribed timescales and with appropriate security and confidentiality; 
  • required information is given to the reporter and to the person investigated; 
  • there is guidance and training in place to ensure non-retaliation; and 
  • there are appropriate retention periods for reports and investigation data.  

To enable businesses to plan for a smooth transition, we have produced this tracker, which shows:

  • progress towards implementation by jurisdiction; and 
  • the degree of change to existing law that implementation will entail.   

Please also see our articles here and here for a more detailed examination of implementation in the Nordics.

For any questions or support with your compliance planning, please get in touch.

 
