The Whistleblowing Directive requires Member States to implement legislation obliging all companies with 50 or more workers to: (i) put in place appropriate reporting channels to enable those workers to report breaches of EU law; and (ii) ensure that those making whistleblowing reports are legally protected against retaliation for having done so.
The Directive requires companies to put in place internal reporting channels, where confidentiality of the whistleblower will be ensured, and requires Member States to put in place external reporting channels. The protections for whistleblowers must cover reports made in relation to breaches of the areas of EU law specified in the Directive (including public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; protection of the environment; protection of privacy and personal data, and security of network and information systems). However, Member States can – if they wish – include protections for those who blow the whistle in other areas. There is likely to be variation between Member States as to what breaches will be covered by domestic legislation, and some will be more prescriptive than others. For example, in Denmark, those who report on “serious offences and other serious matters” are covered by the domestic whistleblower legislation; ultimately it will be for the courts to determine the boundaries of this somewhat broad formulation. In the meantime, businesses will need to determine how best to reflect this uncertainty in their internal reporting procedures. Multi-nationals will need to monitor implementation across the EU 27 and assess whether it is feasible to take a uniform approach to whistleblowing across their EU operations.
One particular concern for larger employers with operations across the EU will be how they ensure compliance with the Directive’s requirement that each legal entity with 50 or more workers must have its own reporting channel and procedure. The European Commission has indicated that this will preclude reliance on a central compliance team within a parent company to handle all whistleblower reports (although there is a derogation allowing entities with 50-249 workers to “share resources” between themselves). The Danish legislature has included provision in its implementing law allowing companies to use a centralised reporting and investigation system, pending further clarification on whether or not this approach is compatible with the Directive. By contrast, the draft legislation published in some other jurisdictions simply follows the scheme of the Directive.
There is long-standing guidance from data protection authorities which emphasises the need to balance protection for those who blow the whistle, with the need to ensure that schemes don’t encourage the collection of inaccurate and highly damaging data on persons about whom reports are made. This can be a particular risk where hotline schemes encourage anonymous reports. This will need to be taken into account by businesses putting in place systems to comply with the Directive. In addition, whistleblowing policies and procedures will need to be reviewed and updated and rolled out in a legally compliant way (taking into account local works council / trade union / other staff consultation requirements), so HR and legal teams will need to work closely together to achieve compliance.
With a handful of countries now providing more clarity on local implementing legislation, international businesses (particularly those with operations in a large number of EU jurisdictions, where the time needed to agree changes to policies and then translate these can be significant) should be:
- reviewing their standards of business conduct and reporting arrangements, including whistleblower hotlines, to ensure compliance with the Whistleblowing Directive and continued compliance with GDPR; and
- implementing internal whistleblowing policies (or adapting their existing policies to ensure they take account of the new legislation) and informing / consulting with relevant employee representative bodies regarding implementation in jurisdictions where this is required.
Key areas to address will be ensuring that:
- reports are handled by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
- required information is given to the reporter and to the person investigated;
- there is guidance and training in place to ensure non-retaliation; and
- there are appropriate retention periods for reports and investigation data.
To enable businesses to plan for a smooth transition, we have produced this tracker, which shows:
- progress towards implementation by jurisdiction; and
- how some of the key topics covering the in Directive are dealt with in local implementing legislation (where this information is available).
For any questions or support with your compliance planning, please get in touch.