While the Law does not greatly deviate from the principles of the Whistleblowing Directive, it has a wider scope as it applies to any violations of national law, regardless of whether they are classified as administrative or criminal offenses. The protection of whistleblowers is thus not limited to the disclosure of certain acts or to certain areas of action of the EU, but extended to any disclosure of acts or omissions that are unlawful or go against the purpose of national or European law (Violations).

The aim of the Law is hence to create greater legal certainty for both whistleblowers and businesses. At the same time and in line with the Whistleblowing Directive, the Law will create additional costs and administrative burdens for medium-scale Luxembourg-based companies.

Main obligations and reporting mechanisms

Reporting mechanisms

The Law distinguishes three types of alerts: internal alert (within the company/public entity); external alert (addressed to named authorities); and, as a last resort, public disclosure if no appropriate response has been made to the initial alert or if there are legitimate concerns about reprisals.

Internal alerts

The main obligation created by the Law is the obligation for public entities (except municipalities with fewer than 10,000 inhabitants) or for companies having 50 or more employees (or any lower thresholds that may be set by special laws) to create internal canals of whistleblowing. This threshold of 50 workers has to be met during the last 12 consecutive months and may vary (upscale or downscale) for certain special sectors. Entities of the private sector must have implemented their internal procedures by December 17, 2023, at the latest. No deadline is set regarding public entities.

While companies that have less than 50 employees are not legally required to implement such 'internal canals,' they are however indirectly encouraged to do so since, in the absence of an internal whistleblowing channel, recourse to public disclosure by their employees can be more easily justified. In this respect, parliamentary works have stressed that internal procedures are especially recommended for companies whose activities are prone to lead to (even unjustified) public disclosure.

External alerts

The Law also imposes 22 named authorities (the Competent Authorities), which include sectorial supervisory authorities but also professional bodies such as the Bar associations, to create their own independent and autonomous external reporting channels for receiving and processing information on Violations. Reporting to these authorities as well as to an EU institution are regarded as external alerts.

Which whistleblowers are protected?

Persons who may benefit from the whistleblower's protection

The Law applies to employees, independents/self-employed/liberal workers, shareholders, board members, executive and non-executive staff members, any trainees, and any person working under the supervision and direction of contractors, subcontractors, and suppliers.

It also applies to people who are no longer working for someone or who are yet to be hired and can also report to authorities regarding illegal activities, as well as to people who have made anonymous reports or disclosures.

Aside from the whistleblowers themselves, the following persons may also enjoy protection from the Law:

• facilitators;
• third parties who are connected to the whistleblowers and who are at risk of retaliation in a professional context, such as colleagues or relatives of the whistleblowers; and
• legal entities belonging to the whistleblowers for which they work, or with which they are connected in a professional context.

Conditions to meet to benefit from the whistleblower's protection

To enjoy legal protection, people listed above need to meet the following conditions:

• they had/have reasonable grounds for believing that the information reported on Violations was true at the time of reporting and that such information falls within the scope of the Law; and

• they have made a report either internally or externally; or
• they have made a public disclosure but only if:
  • they have first issued an internal or an external alert but no appropriate timely action has been taken in response; or
  • following the whistleblower's legitimate belief, the breach may represent an imminent or manifest danger to the public interest; or
  • in the case of external reporting, the whistleblower has reasonable grounds for believing that there is a risk of reprisals, or there is little chance that the violation will actually be remedied, due to the particular circumstances of the case.

What is the scope of whistleblower protection?

Reprisal protection

If they meet the conditions above, persons who report a Violation will be protected against all forms of reprisals, including threats and attempted reprisals, that is to say, any direct or indirect act or omission that occurs in a professional context and causes or may cause unjustified harm to the whistleblower. The Law lists some examples which are to be considered as 'reprisal,' such as layoff, disciplinary measures, mobbing, 'unbalanced or unfair treatment,' blacklisting, or referral to a psychiatrist, etc.

Protective measures

Any reprisal measure is automatically null and void, without prejudice to any compensative damages. To reinforce the protection of the whistleblower, the Law presumes that the damage suffered by the whistleblower results from a reprisal for the alert or public disclosure. It is then on the author of the measure at hand to demonstrate the contrary.

Liability exemption

Provided they meet the conditions to benefit from legal protection, whistleblowers cannot be held liable for any breach of confidentiality. They also incur no liability for obtaining or accessing information that is reported or publicly disclosed, provided that such obtaining or access does not constitute an autonomous criminal offense (in which case, criminal law applies). The whistleblowing protection can also be used as a defense against any legal action (e.g., defamation action, copyright infringement, breach of secrecy, violation of data protection rules, disclosure of trade secrets, etc.).

Exceptions

The whistleblower protection never applies to reports of violations relating to national security, nor does it apply to whistleblowers whose relations are covered by medical secrecy, professional secrecy, or by the rules of criminal procedure.

What principles and conditions must the internal whistleblowing channel respect?

Any internal whistleblowing procedure, whether organized by a public or a private entity, must comply with the following:

Organization of the internal whistleblowing mechanism

Transparency

The Law does not expressly require entities to adopt written procedures but it is highly advisable to meet the legal requirements, in particular as regards the obligation to provide clear and easily accessible information on reporting procedures to the competent authorities and, where appropriate, to EU institutions, bodies, offices, or agencies, as well as appropriate information on the use of internal reporting channels (including on the person or service in charge of the follow-up).

Language

Reporting must be available in at least one of the three official languages of Luxembourg, namely Luxembourgish, French, and German.

Reporting means

Reporting can be made either orally or in written form. Whistleblowers must be able to report either by telephone or via other voice messaging systems and, at the whistleblower's request, through a face-to-face meeting within a reasonable period of time.

Independence

Entities must appoint one or several impartial persons or departments competent to receive alerts, follow up, maintain communication with the author of the alert and, if necessary, request further information and provide feedback.

Follow-up

An acknowledgment of receipt must be sent to the author of the alert within seven days of receipt of the alert and feedback must be provided within a reasonable period, not exceeding three months.

Management

Entities of the private sector who reach the threshold of 50+ workers are allowed to share the costs, means, and support for the reception and follow-up of the alerts, but must maintain confidentiality and comply with their respective obligations at any time. While collaboration might be a very interesting option to cut costs and save time, this should never lead to the merging of canals or databases.

Confidentiality

Confidentiality by design

Whistleblowing channels must be designed and managed to maintain the identity of the author of the alert and of any third party mentioned in the alert and limit access to such information to a need-to-know basis. Any disclosure to non-authorized staff can only be done with the consent of the author of the alert. Appropriate security safeguards must be taken in this respect.

Exceptions

The confidentiality principle can only be overturned in limited cases, for example, if it:

• is necessary and proportional to comply with a mandatory legal provision from either the amended Law on the freedom of speech in the media (e.g. possibly the obligation to publish a 'right of reply' in the press, provided said reply is proportional) or with a mandatory EU law provision; or
• takes place in the context of investigations carried out by national authorities or as part of legal proceedings, most notably when this is necessary to safeguard the rights of defense of the concerned person; and
• is protected by appropriate safeguard measures, such as for instance the information of the author of the alert.

Trade secrets

The Law specifies that Competent Authorities that receive information on Violations involving trade secrets must not use or disclose them for any purpose beyond that necessary to ensure appropriate follow-up. While private sector companies are not bound by this legal provision, they are subject to a similar obligation to not divulge trade secrets without undue imperative reasons, per the Law on trade secrets.

Data protection compliance

GDPR compliance

While obvious, the Law stresses that all processing of personal data made in the course of the Law (including the exchange of information between Competent Authorities) must be made in compliance with the General Data Protection Regulation (GDPR) and all Luxembourg laws on data protection.

Specific recording regulation

Aside from the essential obligations of the GDPR (e.g., data minimization), the Law regulates the use of reporting records.

When a recorded telephone/voicemail conversation is used for reporting, with the consent of the whistleblower, public and private sector legal entities and competent authorities have the right to record the oral report either as a recording of the conversation in a durable and retrievable form or as a complete and accurate transcript of the conversation drawn up by the member of staff responsible for processing the report. The whistleblower must have the possibility of verifying, rectifying, and approving the call transcript by affixing its signature.

• Recording alerts made by telephone or other voicemail systems must receive the consent of the whistleblower. If such consent is granted, public and private entities as well as Competent Authorities can store either the recording of the conversation in a durable and retrievable form or a complete and accurate transcript of the conversation. The whistleblower must have the possibility of verifying, rectifying, and approving the transcript by affixing its signature.
• If no record of the telephone conversation or other recorded voicemail is made (for instance, because the whistleblower did not consent), public and private entities as well as Competent Authorities can make an accurate written transcript of the conversation. Once again, the whistleblower must have the possibility of verifying, rectifying, and approving the transcript by affixing its signature.
• Similarly, minutes or recordings of in-person meetings must receive the consent of the whistleblower. Accurate records (either vocal or video capture, or written transcript) of the meeting must be kept in a durable and retrievable form and the whistleblower must have the possibility of verifying, rectifying, and approving the meeting minutes by affixing its signature.

Penalties

Criminal liability

Those who take reprisal measures or who institute abusive proceedings against the whistleblower(s) incur a fine of between €1,250 and 25,000. A whistleblower who knowingly reports or publicly discloses false information may be subject to a prison sentence of between eight days and three months, and a fine of between €1,500 and 50,000 (without prejudice to any possible civil damages).

Administrative fines

In addition to these penalties, private entities may incur administrative fines, depending upon the cases, directly from some of the Competent Authority or from the newly created Office of Reporting, when they hinder or attempt to hinder an alert, violate the confidentiality of the author of an alert, refuse to cooperate with the relevant authorities, refuse to remedy the violation found, or fail to establish internal whistle-blowing channels and procedures. Said administrative sanctions can range from €1,500 to 250,000. The maximum fine may be doubled in the event of a repeat offense within five years of the last sanction which has become final.

Claire Leonelli Partner
[email protected]
Florian Poncin Senior Associate
[email protected]
CLAW - Avocats à la Cour, Luxembourg