Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblowing Directive) must be implemented by all EU Member States by no later than 17 December 2021.
The Whistleblowing Directive requires Member States to implement legislation obliging all companies with 50 or more workers to: (i) put in place appropriate reporting channels to enable those workers to report breaches of EU law; and (ii) ensure that those making whistleblowing reports are legally protected against retaliation for having done so.
The Directive requires companies to put in place internal reporting channels, where confidentiality of the whistleblower will be ensured, and requires Member States to put in place external reporting channels. The protections for whistleblowers must cover reports made in relation to breaches of the areas of EU law specified in the Directive (including public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; protection of the environment; protection of privacy and personal data, and security of network and information systems). However, Member States can – if they wish – include protections for those who blow the whistle in other areas.
Long-standing guidance from data protection authorities emphasises the need to balance protection for those who blow the whistle with the need to ensure that schemes don’t encourage the collection of inaccurate and highly damaging data on persons about whom reports are made. This can be a particular risk where hotline schemes encourage anonymous reports. Businesses putting in place systems to comply with the Directive will need to take this into account. In addition, whistleblowing policies and procedures will need to be reviewed and updated, and rolled out in a legally compliant way (taking into account local works council / trade union / other staff consultation requirements), so HR and legal teams will need to work closely together to achieve compliance.
Whilst December 2021 may still feel like a long way off, international businesses (particularly those with operations in a large number of EU jurisdictions, where the time needed to agree changes to policies and then translate these can be significant) can avoid a last-minute rush to compliance by preparing now to:
Key areas to address will be ensuring that:
To enable businesses to plan for a smooth transition, we have produced this tracker, which shows:
Please also see our articles here and here for a more detailed examination of implementation in the Nordics.
For any questions or support with your compliance planning, please get in touch.