Whistleblowing
EU Whistleblowing Directive Tracker
Individuals working in private or public organisations are often the first to know about threats to the public interest and violations of EU law. However, fear of retaliation, i.e. an act that occurs within the work-related context in response to a whistleblower report and which may cause detriment to the whistleblower, may discourage reporting of breaches in a work-related context.
In light of the fragmented legislative approaches towards whistleblowers' protection, the European Commission issued, on 23 April 2018, a legislative proposal for the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'), which aims to set out some common minimum standards throughout the EU for the protection of whistleblowers.
The proposal was adopted by the European Parliament at its first reading through a resolution on 16 April 2019.
Following the European Parliament's approval, the Council of the European Union adopted, on 7 October 2019, the Whistleblowing Directive (press release available here), which was subsequently published in the Official Journal of the EU on 26 November 2019. The Whistleblowing Directive entered into force on 16 December 2019, twenty days after its publication in the Official Journal. Member States were required to transpose the Whistleblowing Directive into national legislation by 17 December 2021.
Shortly after the deadline for transposition, the European Commission initiated, on 27 January 2022, infringement proceedings against Member States that did not transpose the Whistleblowing Directive in a timely manner (infringement decisions available here).
- Austria
Status: Implemented
Last Update: 25/02/2023
2 August 2021: There is no publicly available draft bill implementing the Whistleblowing Directive. However, the Federal Minister of Labour confirmed that a bill is currently being worked on and is expected to be submitted to Parliament in autumn 2021 (announcement, only available in German, here).
27 January 2022: The European Commission initiated infringement proceedings against Austria (infringement decisions available here).
9 February 2022: The Province of Tyrol adopted the Law of 9 February 2022 on the establishment of whistleblower systems for certain violations of Union law and the protection of whistleblowers (only available in German here), and the Law of 9 February 2022 with which accompanying regulations to the Whistleblower Act are enacted (only available in German here), to implement the Whistleblowing Directive. OneTrust DataGuidance Research confirmed with Dietmar Huemer, Attorney at Legis, that these laws relate to the internal organisation of the provincial agencies, as well as other public entities subject to provincial legislation, such as the municipalities. The laws, therefore, have a limited impact, relating to the public sector in the Province of Tyrol only.
20 April 2022: The State of Burgenland adopted two laws (only available in German here and here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.
3 June 2022: The Federal Ministry of Labour submitted to the National Council a draft law to implement the Whistleblowing Directive for public consultation. According to the legislative brief, the draft law is currently limited to implementing the minimum standards established by the Whistleblowing Directive, with a view to keeping the burden on small and medium-sized companies low. Comments on the draft law may be provided until 15 July 2022.
13 June 2022: The State of Vorarlberg adopted a Whistleblower Protection Act (only available in German here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.
30 June 2022: The State of Styria adopted a Whistleblower Protection Act (only available in German here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.
18 July 2022: According to the legislative portal, the draft law has been transmitted to the Federal Ministry of Labour.
29 September 2022: The European Commission announced that it had taken further steps in its infringement procedure by issuing a reasoned opinion. Member States have two months to reply. If the replies are not satisfactory, the Commission may refer to the Court of Justice of the European Union (press release available here and infringement decisions available here).
25 January 2023: The Social Committee of the National Council approved the draft law and accompanying amendments (press release, only available in German, here).
1 February 2023: The draft law passed the National Council and has been referred to the Federal Council's Committee on Labour, Social Affairs and Consumer Protection (press release, only available in German, here).
24 February 2023: The Whistleblower Protection Act has been adopted and published in the Official Gazette and will enter into force on the day following its promulgation, with the exception of Sections 11 to 13, which will enter into force on 17 December 2023 (press release here and Act here, both only available in German).
25 February 2023: The Whistleblower Protection Act entered into force.
Legislative portal: https://www.parlament.gv.at/PAKT/VHG/XXVII/ME/ME_00210/index.shtml (only available in German)
Official text: https://www.parlament.gv.at/PAKT/VHG/XXVII/ME/ME_00210/fname_1450390.pdf (only available in German) / https://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2023_I_6/BGBLA_2023_I_6.pdfsig (Whistleblower Protection Act, as published in the Official Gazette, only available in German)
- Belgium
Status: Implemented
Last Update: 15/02/2023
9 January 2021: The Parliament passed a motion for a resolution on measures to protect whistleblowers and for the implementation of the Whistleblowing Directive (motion, only available in Dutch and French, here).
27 January 2022: The European Commission initiated infringement proceedings against Belgium (infringement decisions available here).
25 February 2022: The Council of Ministers approved a preliminary draft law for the private sector to transpose the Whistleblowing Directive. Please note that the text of the draft law for the private sector is currently not publicly available, although it has been submitted to the Council of State for consideration (press release, only available in French and Dutch, here and here).
29 September 2022: The European Commission announced that it had taken further steps in its infringement procedure by issuing a reasoned opinion. Member States have two months to reply. If the replies are not satisfactory, the Commission may refer to the Court of Justice of the European Union (press release available here and infringement decisions available here).
27 October 2022: The Belgian Parliamentary Committee on Economy, Consumer Protection and Digital Agenda approved a draft law for the private sector, which is now awaiting approval from the plenary Parliament Assembly (draft law, only available in French and Dutch, here).
28 November 2022: The House of Representatives adopted Bill 55K2912 on the protection of persons who report violations of Union law or national law found within a legal entity in the private sector (draft law for private sector, only available in French and Dutch, here).
8 December 2022: According to the legislative portal, the House of Representatives adopted Bill 55K2952 on reporting channels and protection of whistleblowers reporting integrity violations in the federal public sector and the integrated police, with amendments.
23 December 2022: The whistleblowing law for the public sector was published in the Official Gazette (draft law for public sector, as published in the Official Gazette, here).
13 January 2023: The Council of Ministers approved a draft Royal Decree designating the competent authorities to receive reports of violations of Union or national law within a legal entity in the private sector, which completes the transposition into national law of the Whistleblowing Directive, by designating the authorities entitled to receive external alerts of violations and competent to investigate and follow up on the alerts, as well as to issue sanctions (press release here and draft Royal Decree here, both only available in French and Dutch).
15 February 2023: The whistleblowing law for the private sector entered into force, following its publication in the Official Gazette.
Legislative portal (public sector): https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&legislat=55&dossierID=2952 (only available in French and Dutch)
Official Text: https://www.ejustice.just.fgov.be/eli/loi/2022/11/28/2022042980/justel (private sector, only available in French and Dutch) / https://www.ejustice.just.fgov.be/mopdf/2022/12/23_1.pdf#Page10 (public sector, only available in French and Dutch)
1. LEGISLATION | NOTABLE CASE LAW
1.1. Specific whistleblowing legislation
- Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Directive')
The Directive was first introduced by the European Commission as a legislative proposal on 23 April 2018, which was later adopted by the European Parliament on 16 April 2019.
Following the European Parliament's approval, the Directive was finally adopted by the Council of the European Union on 7 October 2019 and subsequently published in the Official Journal of the European Union on 26 November 2019, entering into effect 20 days later on 16 December 2019 (Article 28 of the Directive).
Purpose and scope
The purpose of the Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law (Article 1 of the Directive).
In addition to establishing requirements for internal and external reporting and public disclosures, the Directive also outlines various measures to protect:
- reporting persons, i.e. natural persons who report or publicly disclose information on breaches acquired in the context of their work-related activities (Article 5(7) of the Directive); and
- persons concerned, i.e. natural or legal persons who are referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated (Article 5(8) of the Directive).
Transposition
EU Member States are required to bring into force the laws, regulations, and administrative provisions necessary to comply with the Directive by 17 December 2021 (Article 26(1) of the Directive).
However, as regards legal entities in the private sector with 50 to 249 workers, Member States are required to bring into force the laws, regulations, and administrative provisions necessary to comply with the obligation to establish internal reporting channels under Article 8(3) of the Directive by 17 December 2023 (Article 26(2) of the Directive).
Please note that in transposing the Directive, Member States may introduce or retain provisions more favourable to the rights of reporting persons than those set out in the Directive (Article 25 of the Directive). This may include, among other things:
- the material scope of protection afforded to reporting persons (see Article 2(2) of the Directive);
- whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches (see Article 6(2) of the Directive); and
- the penalties applicable to natural or legal persons who breach the provisions of the Directive (see Article 23 of the Directive).
For further information on the progress of transposition by Member States, as well as any national variations to the Directive, please see the Whistleblowing portal.
1.2. Sector-specific whistleblowing legislation
The following legislation has been cited in the recitals of the Directive as providing sector-specific whistleblower protection:
- Directive on Access to the Activity of Credit Institutions and the Prudential Supervision of Credit Institutions and Investment Firms (Directive (EU) 2013/36), which applies in the context of Regulation on Prudential Requirements for Credit Institutions and Investment Firms (Regulation (EU) 575/2013);
- Regulation on the Reporting, Analysis and Follow-up of Occurrences in Civil Aviation (Regulation (EU) 376/2014);
- Directive concerning Certain Flag State Responsibilities for Compliance with and Enforcement of the Maritime Labour Convention, 2006 (Directive (EU) 2013/54);
- Directive on Port State Control (Directive 2009/16/EC);
- Directive on Safety of Offshore Oil and Gas Operations (Directive (EU) 2013/30);
- Market Abuse Regulation (Regulation (EU) 596/2014) and Commission Implementing Directive on Regulation 596/2014 as regards Reporting to Competent Authorities of Actual or Potential Infringements of that Regulation (Commission Implementing Directive (EU) 2015/2392);
- Regulation on Key Information Documents for Packaged Retail and Insurance-Based Investment Products (Regulation (EU) 1286/2014);
- Council Directive on the Introduction of Measures to Encourage Improvements in the Safety and Health of Workers at Work (Council Directive 89/391/EEC); and
- Regulation laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (Regulation (EEC, Euratom, ECSC) 259/68).
Please also note that where specific rules on the reporting of breaches are provided for in the sector-specific Union acts listed in Part II of the Annex of the Directive, those rules shall apply. The provisions of the Directive shall be applicable to the extent that a matter is not mandatorily regulated in those sector-specific Union acts (Article 3(1) of the Directive).
1.3. Additional applicable legislation
The Directive references the following applicable legislation:
- General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
- Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive');
- Regulation on the Protection of Natural Persons with regard to the Processing of Personal Data by the Union Institutions, Bodies, Offices and Agencies and on the Free Movement of Such Data (Regulation (EU) 2018/1725) ('Regulation 2018/1725');
- Treaty on the Functioning of the European Union ('TFEU');
- Charter of Fundamental Rights of the European Union ('the Charter');
- Directive on the Right to Information in Criminal Proceedings (Directive (EU) 2012/13);
- Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) against their Unlawful Acquisition, Use and Disclosure (Directive (EU) 2016/943); and
- Directive on Legal Aid for Suspects and Accused Persons in Criminal Proceedings and for Requested Persons in European Arrest Warrant Proceedings (Directive (EU) 2016/1919).
Please note that the Directive shall not affect the responsibility of Member States to ensure national security or their power to protect their essential security interests. In particular, it does not apply to reports of breaches of the procurement rules involving defence or security aspects unless they are covered by the relevant acts of the Union (Article 3(2) of the Directive).
Furthermore, the Directive shall not affect the application of Union or national law relating to the protection of classified information, the protection of legal and medical professional privilege, the secrecy of judicial deliberations, and the rules on criminal procedure (Article 3(3) of the Directive).
1.4. Guidelines
The European Commission has issued the following resources:
- Whistleblowers protection;
- Frequently Asked Questions: Whistleblower protection; and
- EU sanctions whistleblower tool.
1.5. Case law
There is currently no case law concerning the Directive.
2. COMPETENT WHISTLEBLOWING AUTHORITY
In terms of transposing the Directive, the European Commission is responsible for monitoring its correct and timely implementation and, where necessary, initiating formal infringement procedures against Member States (Article 27 of the Directive).
In terms of the duties under the Directive itself, Member States must designate a national authority, or authorities, to (Articles 5(14) and 11(1) of the Directive):
- receive reports in accordance with Chapter III of the Directive and give feedback to the reporting person; and/or
- carry out the duties provided for in the Directive, in particular as regards follow-up.
In this regard, Chapter III of the Directive further outlines the responsibilities of such competent authorities, primarily in relation to:
- the obligation to establish external reporting channels and to follow up on reports (see Article 11 of the Directive);
- the design of external reporting channels (see Article 12 of the Directive);
- the provision of information regarding the receipt of reports and their follow-up (see Article 13 of the Directive); and
- the review of the procedures by competent authorities (see Article 14 of the Directive).
3. SCOPE OF WHISTLEBLOWER PROTECTION
3.1. How are whistleblowers protected?
Chapter VI of the Directive outlines various protection measures.
In particular, in transposing the Directive, Member States must take the necessary measures to prohibit any form of retaliation against reporting persons, including threats of retaliation and attempts of retaliation and in particular in the form of (Article 19 of the Directive):
- suspension, lay-off, dismissal, or equivalent measures;
- demotion or withholding of promotion;
- transfer of duties, change of location of place of work, reduction in wages, or change in working hours;
- withholding of training;
- a negative performance assessment or employment reference;
- imposition or administering of any disciplinary measure, reprimand, or other penalty, including a financial penalty;
- coercion, intimidation, harassment, or ostracism;
- discrimination, disadvantageous, or unfair treatment;
- failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that they would be offered permanent employment;
- failure to renew, or early termination of, a temporary employment contract;
- harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;
- blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;
- early termination or cancellation of a contract for goods or services;
- cancellation of a licence or permit; and
- psychiatric or medical referrals.
For the purposes of the Directive, 'retaliation' refers to any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person (Article 5(11) of the Directive).
In this regard, Article 21 of the Directive further outlines measures that ensure that reporting persons are protected against retaliation, primarily in relation to liability arising from:
- restrictions on the disclosure of information;
- the acquisition of, or access to, the information;
- acts or omissions which are unrelated to the reporting or which are not necessary for revealing a breach pursuant to the Directive;
- legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or from compensation claims based on private, public, or collective labour law; and
- the disclosure of information that includes trade secrets.
Please note that Member States must ensure that reporting persons have access to support measures, as outlined in Article 20 of the Directive.
Finally, Member States must also ensure that the rights and remedies provided for under the Directive cannot be waived or limited by any agreement, policy, form, or condition of employment, including a pre-dispute arbitration agreement (Article 24 of the Directive).
3.2. Who is protected?
Article 4 of the Directive outlines the personal scope for protection under the Directive.
In particular, the Directive applies to reporting persons working in the private or public sector who acquired information on breaches in a work-related context including, at least, the following (Article 4(1) of the Directive):
- persons having the status of worker, within the meaning of Article 45(1) of the TFEU, including civil servants;
- persons having self-employed status, within the meaning of Article 49 of the TFEU;
- shareholders and persons belonging to the administrative, management, or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees; and
- any persons working under the supervision and direction of contractors, subcontractors, and suppliers.
The Directive also applies to reporting persons:
- where they report or publicly disclose information on breaches acquired in a work-based relationship which has since ended (Article 4(2) of the Directive); and
- whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations (Article 4(3) of the Directive).
Furthermore, the protection measures set out in Chapter VI of the Directive (see the section on how whistleblowers are protected) also apply, where relevant, to (Article 4(4) of the Directive):
- facilitators;
- third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons; and
- legal entities that the reporting persons own, work for, or are otherwise connected with in a work-related context.
For the purposes of the Directive, the following definitions apply:
- 'facilitator' refers to a natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential (Article 5(8) of the Directive); and
- 'work-related context' refers to current or past work activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information (Article 5(9) of the Directive).
3.3. Is protection limited to certain subject matters?
Article 2 of the Directive outlines the material scope for protection under the Directive.
In particular, the Directive lays down common minimum standards for the protection of persons reporting the following breaches of Union law (Article 2(1) of the Directive):
- breaches falling within the scope of the Union acts set out in the Annex of the Directive that concern the following areas:
  - public procurement;
  - financial services, products and markets, and prevention of money laundering and terrorist financing;
  - product safety and compliance;
  - transport safety;
  - protection of the environment;
  - radiation protection and nuclear safety;
  - food and feed safety, and animal health and welfare;
  - public health;
  - consumer protection; and
  - protection of privacy and personal data, and security of network and information systems;
- breaches affecting the financial interests of the Union as referred to in Article 325 of the TFEU and as further specified in relevant Union measures; and
- breaches relating to the internal market, as referred to in Article 26(2) of the TFEU, including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.
The Directive is without prejudice to the power of Member States to extend protection under national law as regards areas or acts not covered by the above (Article 2(1) of the Directive).
3.4. What kinds of reporting, disclosures, or actions are protected?
Reporting persons qualify for protection under the Directive, provided that they (Article 6(1)(b) of the Directive):
- reported internally in accordance with Article 7 of the Directive;
- reported externally in accordance with Article 10 of the Directive; or
- made a public disclosure in accordance with Article 15 of the Directive.
Furthermore, persons reporting to relevant institutions, bodies, offices, or agencies of the Union breaches falling within the scope of the Directive shall qualify for protection as laid down in the Directive under the same conditions as persons who report externally (Article 6(4) of the Directive).
For the purposes of the Directive, the following definitions apply:
- 'internal reporting' refers to the oral or written communication of information on breaches within a legal entity in the private or public sector (Article 5(4) of the Directive);
- 'external reporting' refers to the oral or written communication of information on breaches to the competent authorities (Article 5(5) of the Directive); and
- 'public disclosure' refers to the making of information on breaches available in the public domain (Article 5(6) of the Directive).
Internal and external reporting
As a general principle and without prejudice to Articles 10 and 15 of the Directive, information on breaches may be reported through internal reporting channels and procedures (Article 7(1) of the Directive).
Member States are required to encourage reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation (Article 7(1) of the Directive).
Reporting persons must report information on breaches using the external reporting channels and procedures referred to in Articles 11 and 12 of the Directive, after having first reported through internal reporting channels, or by directly reporting through external reporting channels (Article 10 of the Directive).
For further information on the general requirements for internal reporting and follow-up, please see the section on management of internal whistleblowing schemes.
Public disclosures
A person who makes a public disclosure qualifies for protection under the Directive if any of the following conditions are fulfilled (Article 15(1) of the Directive):
- the person first reported internally and externally, or directly externally in accordance with Chapters II and III of the Directive, but no appropriate action was taken in response to the report within the stipulated timeframe; or
- the person has reasonable grounds to believe that:
  - the breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage; or
  - in the case of external reporting, there is a risk of retaliation, or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.
However, please note that such conditions do not apply to cases where a person directly discloses information to the press pursuant to specific national provisions establishing a system of protection relating to freedom of expression and information (Article 15(2) of the Directive).
3.5. Is anonymous reporting protected?
Without prejudice to existing obligations to provide for anonymous reporting by virtue of Union law, the Directive does not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches (Article 6(2) of the Directive).
Persons who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protection provided for under Chapter VI of the Directive, provided that they meet the conditions laid down in Article 6(1) of the Directive (Article 6(3) of the Directive).
3.6. What conditions or proof must whistleblowers satisfy or provide to qualify for protection?
Reporting persons qualify for protection under the Directive, provided that they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Directive (Article 6(1) of the Directive).
For the purpose of the Directive, the following definitions apply:
- 'breaches' refers to acts or omissions that are unlawful and relate to, or defeat the object or the purpose of the rules in, the Union acts and areas falling within the material scope referred to in Article 2 of the Directive (Article 5(1) of the Directive); and
- 'information on breaches' refers to information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation in which the reporting person works or has worked or in another organisation with which the reporting person is or was in contact through their work, and about attempts to conceal such breaches (Article 5(2) of the Directive).
4. MANAGEMENT OF INTERNAL WHISTLEBLOWING SCHEMES
4.1. What channels and follow-up procedures must be established?
Chapter II of the Directive outlines requirements for internal reporting and follow-up.
In particular, Member States must ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law (Article 8(1) of the Directive).
For legal entities in the private sector, this will only apply to those with 50 or more workers (Article 8(3) of the Directive), although this threshold does not apply to certain entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex of the Directive (Article 8(4) of the Directive). Following an appropriate risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health, Member States may also require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures in accordance with Chapter II of the Directive (Article 8(7) of the Directive).
In this regard, such channels and procedures should enable the entity's workers to report information on breaches. They may enable other persons, referred to in Article 4 of the Directive, who are in contact with the entity in the context of their work-related activities to also report information on breaches (Article 8(2) of the Directive).
Furthermore, procedures for internal reporting and for follow-up must include the following (Article 9(1) of the Directive):
- channels for receiving the reports which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members;
- acknowledgment of receipt of the report to the reporting person within seven days of that receipt;
- the designation of an impartial person or department competent for following up on the reports which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from, and provide feedback to, that reporting person;
- diligent follow-up by the designated person or department;
- diligent follow-up, where provided for in national law, as regards anonymous reporting;
- a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made; and
- provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities pursuant to Article 10 of the Directive and, where relevant, to institutions, bodies, offices, or agencies of the Union.
For the purposes of the Directive, the following definitions apply:
- 'follow-up' refers to any action taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions, such as an internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure (Article 5(12) of the Directive); and
- 'feedback' refers to the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up (Article 5(13) of the Directive).
The Directive does not explicitly address hotlines.
However, channels for receiving the reports should enable reporting in writing or orally, or both. Oral reporting must be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe (Article 9(2) of the Directive).
For further information on record-keeping requirements in relation to telephone reporting, please see the section on whether there are any record-keeping requirements.
4.2. With whom does the responsibility lie for the management of the scheme?
The procedures for internal reporting and for follow-up should include the designation of an impartial person or department competent for following up on the reports which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from, and provide feedback to, that reporting person (Article 9(1)(c) of the Directive).
4.3. Are there any prior notification, registration, and approval requirements?
Member States must ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law (Article 8(1) of the Directive).
Please note that the Directive shall not affect national rules on the exercise by workers of their rights to consult their representatives or trade unions, and on protection against any unjustified detrimental measure prompted by such consultations, as well as on the autonomy of the social partners and their right to enter into collective agreements. This is without prejudice to the level of protection granted by the Directive (Article 3(4) of the Directive).
4.4. What information must be provided to employees about a whistleblowing scheme?
Appropriate information relating to the use of internal reporting channels must be provided in the context of the information given by legal entities in the private and public sector pursuant to Article 9(1)(g) of the Directive (i.e. in the context of providing clear and easily accessible information regarding the procedures for reporting externally to competent authorities pursuant to Article 10 of the Directive and, where relevant, to institutions, bodies, offices, or agencies of the Union) (Article 7(3) of the Directive).
4.5. Are there requirements or restrictions for the use of external service providers?
Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party. The safeguards and requirements referred to in Article 9(1) of the Directive (see the section on what channels and follow-up procedures must be established) shall also apply to entrusted third parties operating the reporting channel for a legal entity in the private sector (Article 8(5) of the Directive).
4.6. Are there requirements or restrictions for international/group organisations?
Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by the Directive to maintain confidentiality, to give feedback, and to address the reported breach (Article 8(6) of the Directive).
Likewise, internal reporting procedures should enable legal entities in the private sector to receive and investigate, in full confidentiality, reports by the workers of the entity and of its subsidiaries or affiliates (or 'the group'), but also, to any extent possible, by any of the group's agents and suppliers and by any persons who acquire information through their work-related activities with the entity and the group (Recital 55 of the Directive).
5. PROCESSING OF WHISTLEBLOWING REPORTS
5.1. Is there a duty of confidentiality in relation to whistleblowing reports?
Identity of reporting persons
Member States must ensure that the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This also applies to any other information from which the identity of the reporting person may be directly or indirectly deduced (Article 16(1) of the Directive).
However, the identity of the reporting person and any other information may be disclosed only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned (i.e. the natural or legal person who is referred to in the report as a person to whom the breach is attributed or with whom that person is associated) (Article 16(2) of the Directive).
Furthermore, disclosures of the identity of the reporting person are subject to appropriate safeguards under the applicable Union and national rules. In particular, reporting persons must be informed before their identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings. When informing the reporting persons, the competent authority must send them an explanation in writing of the reasons for the disclosure of the confidential data concerned (Article 16(3) of the Directive).
Identity of persons concerned
Notably, the Directive does not explicitly address the duty of confidentiality in relation to persons concerned.
However, competent authorities must ensure, in accordance with national law, that the identity of persons concerned is protected for as long as investigations triggered by the report or the public disclosure are ongoing (Article 22(2) of the Directive).
Finally, the rules set out in Articles 12, 17, and 18 of the Directive as regards the protection of the identity of reporting persons should also apply to the protection of the identity of persons concerned (Article 22(3) of the Directive).
5.2. Are there any record-keeping requirements?
Member States must ensure that legal entities in the private and public sector keep records of every report received, in compliance with the confidentiality requirements provided for in Article 16 of the Directive (see the section on whether there is a duty of confidentiality in relation to whistleblowing reports). Reports should be stored for no longer than it is necessary and proportionate in order to comply with the requirements imposed by the Directive, or other requirements imposed by Union or national law (Article 18(1) of the Directive).
Recorded telephone reports
Where a recorded telephone line or another recorded voice messaging system is used for reporting, subject to the consent of the reporting person, legal entities in the private and public sector have the right to document the oral reporting in one of the following ways (Article 18(2) of the Directive):
- by making a recording of the conversation in a durable and retrievable form; or
- through a complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.
Furthermore, legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree the transcript of the call by signing it (Article 18(2) of the Directive).
Unrecorded telephone reports
Where an unrecorded telephone line or another unrecorded voice messaging system is used for reporting, legal entities in the private and public sector have the right to document the oral reporting in the form of accurate minutes of the conversation written by the staff member responsible for handling the report.
Legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree the minutes of the conversation by signing them (Article 18(3) of the Directive).
In-person reports
Where a person requests a meeting with the staff members of legal entities in the private and public sector for reporting purposes, legal entities in the private and public sector must ensure, subject to the consent of the reporting person, that complete and accurate records of the meeting are kept in a durable and retrievable form (Article 18(4) of the Directive).
Legal entities in the private and public sector have the right to document the meeting in one of the following ways (Article 18(4) of the Directive):
- by making a recording of the conversation in a durable and retrievable form; or
- through accurate minutes of the meeting prepared by the staff members responsible for handling the report.
Legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree the minutes of the meeting by signing them (Article 18(4) of the Directive).
5.3. Does the accused person have to be informed when data concerning them is recorded?
The Directive does not explicitly address information to be provided to persons concerned.
For further information on the right to be informed under data protection legislation, please see the section on whether there are any restrictions to data subject rights.
5.4. How do data protection rules apply in relation to whistleblowing reports?
Any processing of personal data carried out pursuant to the Directive, including the exchange or transmission of personal data by the competent authorities, must be carried out in accordance with the GDPR and the Law Enforcement Directive. Any exchange or transmission of information by Union institutions, bodies, offices, or agencies shall be undertaken in accordance with Regulation 2018/1725 (Article 17 of the Directive).
Personal data which is manifestly not relevant for the handling of a specific report should not be collected or, if accidentally collected, should be deleted without undue delay (Article 17 of the Directive).
Please note that the following guidance had been issued in relation to the Data Protection Directive (95/46/EC) ('the Data Protection Directive'):
- Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight Against Bribery, Banking and Financial Crime ('Opinion 1/2006') issued by the Article 29 Working Party ('WP29') (now the European Data Protection Board ('EDPB')); and
- Guidelines on processing personal information within a whistleblowing procedure issued by the European Data Protection Supervisor ('EDPS').
While the Data Protection Directive has since been superseded by the GDPR, the above guidelines may nevertheless provide guidance for organisations processing personal data in the context of whistleblowing schemes in accordance with the GDPR.
5.5. Are there any restrictions to data subject rights (e.g. rights to be informed, access, rectify, erase, etc.)?
As part of the record-keeping obligations under the Directive, legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree to what is being documented (Article 18 of the Directive).
However, the Directive does not explicitly address the application of data subject rights under the GDPR and other data protection legislation.
Nevertheless, the WP29 has expressed the following points (Sections 3 and 4 of Part IV of Opinion 1/2006):
- '[In terms of Article 10 of the Data Protection Directive,] the requirement of clear and complete information on the system obliges the controller to inform data subjects about the existence, purpose, and functioning of the scheme, the recipients of the reports, and the right of access, rectification, and erasure for reported persons.'
- 'From a data protection point of view, whistleblowing schemes should focus on the data subject's rights, without damage to the whistleblower's ones. A balance of interests should be established between the rights of the parties concerned, including the company's legitimate investigation needs.'
- 'The person accused in a whistleblower's report shall be informed by the person in charge of the scheme as soon as practicably possible after the data concerning them are recorded. Under Article 14 [of the Data Protection Directive], they also have the right to object to the processing of their data if the legitimacy of the processing is based on Article 7(f) [of the Data Protection Directive]. This right of objection, however, may be exercised only on compelling legitimate grounds relating to the person's particular situation. […] However, where there is substantial risk that such notification would jeopardise the ability of the company to effectively investigate the allegation or gather the necessary evidence, notification to the incriminated individual may be delayed as long as such risk exists. This exception to the rule provided by Article 11 [of the Data Protection Directive] is intended to preserve evidence by preventing its destruction or alteration by the incriminated person. It must be applied restrictively, on a case-by-case basis, and it should take account of the wider interests at stake.'
- 'The exercise of these rights [of access, rectification, and erasure] may be restricted in order to ensure the protection of the rights and freedoms of others involved in the scheme. This restriction should be applied on a case-by-case basis. Under no circumstances can the person accused in a whistleblower's report obtain information about the identity of the whistleblower from the scheme on the basis of the accused person's right of access, except where the whistleblower maliciously makes a false statement. Otherwise, the whistleblower's confidentiality should always be guaranteed.'
For further information on the rights of data subjects, please see EU - GDPR - Data Subject Rights.
6. PENALTIES AND LEGAL RECOURSE
6.1. Penalties for breach of duties and/or retaliation
Member States must provide for effective, proportionate, and dissuasive penalties applicable to natural or legal persons that (Article 23(1) of the Directive):
- hinder or attempt to hinder reporting;
- retaliate against persons referred to in Article 4 of the Directive;
- bring vexatious proceedings against persons referred to in Article 4 of the Directive; and
- breach the duty of maintaining the confidentiality of the identity of reporting persons, as referred to in Article 16 of the Directive.
Furthermore, Member States must provide for effective, proportionate, and dissuasive penalties applicable in respect of reporting persons where it is established that they knowingly reported or publicly disclosed false information (Article 23(2) of the Directive).
6.2. Other liability
The Directive does not explicitly address the liability of legal entities in the private sector, or vicarious liability for retaliation by co-workers.
For further information on the liability of reporting persons, please see the section on how whistleblowers are protected.
6.3. Compensation for whistleblowers
Member States shall take the necessary measures to ensure that remedies and full compensation are provided for damage suffered by persons referred to in Article 4 in accordance with national law (Article 21(8) of the Directive).
6.4. Legal recourse for accused persons
Member States must provide for measures for compensating damage resulting from the reporting or public disclosure of false information in accordance with national law (Article 23(2) of the Directive).
In general, Member States must also ensure, in accordance with the Charter, that persons concerned fully enjoy the right to an effective remedy and to a fair trial, as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file (Article 22(1) of the Directive).