On 7 October 2019, the Council of the European Union adopted the new whistleblower directive which must be implemented in the member states by 17 December 2021 at the latest. The first steps towards an implementation has now been taken in Denmark, as the government on 24 February introduced a bill on “Act on protection of whistleblowers”.
The directive distinguished between private companies and public authorities in the sense that the obligation covered all private businesses with 50 or more employees. As a general rule, all public authorities were covered with the possibility, however, to exempt authorities of a certain limited size.
The bill, however, treats both private companies and public authorities together, as section 9 provides that:
”Employers with 50 or more employees must establish an internal whistleblower system, through which employees can report violations covered by section 1”.
The term ”employer” must in this connection be interpreted in accordance with the term “legal entity” as defined in section 3 of the Danish act on the central business register. Both private businesses and public authorities, including regions and municipalities, are covered thereof.
The Minister of Justice may, however, based on a specific risk assessment or a negotiation with the relevant minister lay down further rules stipulating that employers with less than 50 employees also can establish an internal whistleblower system.
The limit of 50 employees does not apply for employers bound by specific rules with the same obligation. This e.g. includes financial businesses, which pursuant to the financial business act have a more extensive obligation to implement internal whistleblower systems.
The act obligates both companies and public authorities to introduce internal whistleblower systems which must be available for all employees in the company/authority.
The bill only states that internal whistleblower systems must be introduced and made available to "employees", see section 9 of the bill. This restriction does not appear to be in accordance with the directive as both the directive and the bill's own definition of a “whistleblower” list a number of categories other than employees, e.g. suppliers and subcontractors, volunteers and paid or unpaid trainees, persons who have previously worked for the employer, etc., see section 4 of the Directive and section 2 (1), No. 7 of the Bill. This must be understood to the effect that the whistleblower system must be available to all the groups mentioned and not only the employees as long as the information is "acquired in a work-related context".
Further, the government will create an external whistleblower system within the Data Protection Agency which i.a. can be used as a supplement to the whistleblower systems at the individual workplaces and will thus provide the possibility for employees in small businesses, which is not obligated to create an internal whistleblower system, to make external reports. The introduction of a such public whistleblower system is made to fulfil the directive’s requirement thereon.
The protection of whistleblowers entails that a prohibition against any type of reprisals against the whistleblower will apply.
An internal whistleblower system must include the option to submit written or oral reports or both. A whistleblower system will thus fulfil the legislative requirements, if the option for both written and oral reporting is available.
The reporting channels may be created by means of mail, a physical complaints box or an online platform, either on an intranet or internet platform. There are no requirements as regards the technical solution of the reporting channel. If oral reporting is possible, the reporting must be possible by telephone or through a voice messaging system.
The employer must establish a so-called internal “whistleblower unit” by appointing an impartial person or department within the Company. To fulfil the specific tasks in relation to any reporting, the employer may however, choose to outsource this externally by using a third party provider either in whole or partly. In either case, it must be ensured that the unit is created so that independency and the absence of conflicts of interests are ensured, and a third party provider must therefore also provide a written guarantee that it fulfil the legal requirements in relation to independency, confidentiality, data protection etc.
The whistleblower unit must:
1) Receive reports and be in contact with the whistleblower
2) Follow up on reports
3) Provide feedback to the whistleblower
An employer must implement suitable procedures for the whistleblower system to ensure:
1) that the whistleblower receives a confirmation of the receipt of the report within seven days after the receipt thereof,
2) that reports are followed up carefully,
3) that the whistleblower receives feedback as soon as possible and no later than three months after the confirmation of receipt, cf. 1 above.
In article 2, the whistleblower directive lists the directive’s “material scope”, which means the types of breaches of the EU legislation the report must regard in order to fall within the scope of the whistleblower directive.
In connection with the implementation, the member states can choose to extend the scope of the circumstances which can be reported and thus extent the protection of the reporting person.
Pursuant to the bill, there is a possibility for a wider scope that the scope under the directive, as it is possible to report “serious breached and other serious circumstances”. Information on criminal situations, including breach of a confidentiality duty, misuse of financial funds, theft, fraud, embezzlement and bribery fall within the scope.
In certain situations, it depends on a specific assessment whether the report is considered to concern a serious breach or a serious circumstance. This will be a matter of an objective criterion and ultimately, the courts must decide whether a report falls within or outside the scope of the act.
It is a requirement that an internal whistleblower system is created and run in a way that ensures confidentiality regarding the identity of the whistleblower and any third parties mentioned in the report, just as unauthorised access to the system must be prevented.
All employers must in writing document the implementation of and the procedures for the whistleblower system.
Further, a requirement will be introduced obligating public authorities to publish once every year information on e.g. the number of received reports, the themes of the received reports and the status of the follow-up on the reports.
Employers are obligated to implement a whistleblower system no later than 17 December 2021.
As regards employers in the private sector with 50-249 employees, however, the requirement of implementation of a whistleblower system is not until 17 December 2023.
Several authorities and organisations etc. have received the bill and the deadline for interested parties to submit comments to the bill is on 24 March 2021.
When the final act has been passed, Bird & Bird will make a thorough analysis of the obligations under the act, including of how the act deviates from the directive.
Bird & Bird follows the implementation of the whistleblower directive closely in several jurisdictions and have created a theme page thereon where you can see our ”Implementation tracker” and the ” Degree of change to existing law”.