EU Whistleblowing Directive Tracker

Individuals working in private or public organisations are often the first to know about threats to the public interest and violations of EU law. However, fear of retaliation, i.e. an act that occurs within the work-related context in response to a whistleblower report and which may cause detriment to the whistleblower, may discourage reporting of breaches in a work-related context.

In light of the fragmented legislative approaches towards whistleblowers' protection, the European Commission issued, on 23 April 2018, a legislative proposal for the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'), which aims to set out some common minimum standards throughout the EU for the protection of whistleblowers.

The proposal was adopted by the European Parliament at its first reading through a resolution on 16 April 2019.

Following the European Parliament's approval, the Council of the European Union adopted, on 7 October 2019, the Whistleblowing Directive (press release available here), which was subsequently published in the Official Journal of the EU on 26 November 2019. The Whistleblowing Directive entered into force on 16 December 2019, twenty days after its publication in the Official Journal. Member States were required to transpose the Whistleblowing Directive into national legislation by 17 December 2021.

Shortly after the deadline for transposition, the European Commission initiated, on 27 January 2022, infringement proceedings against Member States that did not transpose the Whistleblowing Directive in a timely manner (infringement decisions available here).

OneTrust's solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency, and unparalleled guidance as you build, adapt, and mature your Ethics program. Organisations can leverage the OneTrust Ethics & Compliance solution to centralise and automate their ethics & compliance programs. From implementing robust whistleblower and incident reporting hotlines to tracking risk across internal and third-party initiatives, OneTrust Ethics provides clear insights to leadership teams and expedites task execution.

  • Austria
    • Status: Draft law in progress
    • Last Update: 18/07/2022

    2 August 2021: There is no publicly available draft bill implementing the Whistleblowing Directive. However, the Federal Minister of Labour confirmed that a bill is currently being worked on and is expected to be submitted to Parliament in autumn 2021 (announcement, only available to download in German, here).

    27 January 2022: The European Commission initiated infringement proceedings against Austria (infringement decisions available here). 

    9 February 2022: The Province of Tyrol adopted the Law of 9 February 2022 on the establishment of whistleblower systems for certain violations of Union law and the protection of whistleblowers (only available in German here), and the Law of 9 February 2022 with which accompanying regulations to the Whistleblower Act are enacted (only available in German here), to implement the Whistleblowing Directive. OneTrust DataGuidance confirmed with Dietmar Huemer, Attorney at Legis, that these laws relate to the internal organisation of the provincial agencies, as well as other public entities subject to provincial legislation, such as the municipalities. The laws, therefore, have a limited impact, relating to the public sector in the Province of Tyrol only.

    20 April 2022: The State of Burgenland adopted two laws (only available in German here and here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.

    3 June 2022: The Federal Ministry of Labour submitted to the National Council a draft law to implement the Whistleblowing Directive for public consultation. According to the legislative brief, the draft law is currently limited to implementing the minimum standards established by the Whistleblowing Directive, in view of keeping the burden on small and medium-sized companies low. Comments on the draft may be provided until 15 July 2022.

    13 June 2022: The State of Vorarlberg adopted a Whistleblower Protection Act (only available in German here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.

    30 June 2022: The State of Styria adopted a Whistleblower Protection Act (only available in German here) to transpose the Whistleblowing Directive. As is the case with other state and provincial laws, such laws have limited effect on private entities.

    18 July 2022: According to the legislative portal, the draft law has been transmitted to the Federal Ministry of Labour.

    Legislative portal: https://www.parlament.gv.at/PAKT/VHG/XXVII/ME/ME_00210/index.shtml (only available in German)

    Official text: https://www.parlament.gv.at/PAKT/VHG/XXVII/ME/ME_00210/fname_1450390.pdf (only available to download in German)

  • Belgium
    • Status: Draft law in progress
    • Last Update: 25/02/2022

    9 January 2021: The Parliament passed a motion for a resolution on measures to protect whistleblowers and for the implementation of the Whistleblowing Directive (motion, only available in Dutch and French, here).

    27 January 2022: The European Commission initiated infringement proceedings against Belgium (infringement decisions available here).

    25 February 2022: The Council of Ministers approved a preliminary draft law to transpose the Whistleblowing Directive. Please note that the text of the draft law is currently not publicly available, although it has been submitted to the Council of State for consideration (press release, only available in French and Dutch, here and here).


1. LEGISLATION | NOTABLE CASE LAW

1.1. Specific whistleblowing legislation

The Directive was first introduced by the European Commission as a legislative proposal on 23 April 2018, which was later adopted by the European Parliament on 16 April 2019.

Following the European Parliament's approval, the Directive was finally adopted by the Council of the European Union on 7 October 2019 and subsequently published in the Official Journal of the European Union on 26 November 2019, entering into effect 20 days later on 16 December 2019 (Article 28 of the Directive).

Purpose and scope

The purpose of the Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law (Article 1 of the Directive).

In addition to establishing requirements for internal and external reporting and public disclosures, the Directive also outlines various measures to protect:

  • reporting persons, i.e. natural persons who report or publicly disclose information on breaches acquired in the context of their work-related activities (Article 5(7) of the Directive); and
  • persons concerned, i.e. natural or legal persons who are referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated (Article 5(8) of the Directive).

Transposition

EU Member States are required to bring into force the laws, regulations, and administrative provisions necessary to comply with the Directive by 17 December 2021 (Article 26(1) of the Directive).

However, as regards legal entities in the private sector with 50 to 249 workers, Member States are required to bring into force the laws, regulations, and administrative provisions necessary to comply with the obligation to establish internal reporting channels under Article 8(3) of the Directive by 17 December 2023 (Article 26(2) of the Directive).

Please note that in transposing the Directive, Member States may introduce or retain provisions more favourable to the rights of reporting persons than those set out in the Directive (Article 25 of the Directive). This may include, among other things:

  • the material scope of protection afforded to reporting persons (see Article 2(2) of the Directive);
  • whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches (see Article 6(2) of the Directive); and
  • the penalties applicable to natural or legal persons who breach the provisions of the Directive (see Article 23 of the Directive).

For further information on the progress of transposition by Member States, as well as any national variations to the Directive, please see the Whistleblowing portal.

1.2. Sector-specific whistleblowing legislation

The following legislation has been cited in the recitals of the Directive as providing sector-specific whistleblower protection:

Please also note that where specific rules on the reporting of breaches are provided for in the sector-specific Union acts listed in Part II of the Annex of the Directive, those rules shall apply. The provisions of the Directive shall be applicable to the extent that a matter is not mandatorily regulated in those sector-specific Union acts (Article 3(1) of the Directive).

1.3. Additional applicable legislation

The Directive references the following applicable legislation:

Please note that the Directive shall not affect the responsibility of Member States to ensure national security or their power to protect their essential security interests. In particular, it does not apply to reports of breaches of the procurement rules involving defence or security aspects unless they are covered by the relevant acts of the Union (Article 3(2) of the Directive).

Furthermore, the Directive shall not affect the application of Union or national law relating to the protection of classified information, the protection of legal and medical professional privilege, the secrecy of judicial deliberations, and the rules on criminal procedure (Article 3(3) of the Directive).

1.4. Guidelines

The European Commission has issued the following resources:

1.5. Case law

There is currently no case law concerning the Directive.

2. COMPETENT WHISTLEBLOWING AUTHORITY

In terms of transposing the Directive, the European Commission is responsible for monitoring its correct and timely implementation and, where necessary, initiating formal infringement procedures against Member States (Article 27 of the Directive).

In terms of the duties under the Directive itself, Member States must designate a national authority, or authorities, to (Articles 5(14) and 11(1) of the Directive):  

  • receive reports in accordance with Chapter III of the Directive and give feedback to the reporting person; and/or
  • carry out the duties provided for in the Directive, in particular as regards follow-up.

In this regard, Chapter III of the Directive further outlines the responsibilities of such competent authorities, primarily in relation to:

  • the obligation to establish external reporting channels and to follow up on reports (see Article 11 of the Directive);
  • the design of external reporting channels (see Article 12 of the Directive);
  • the provision of information regarding the receipt of reports and their follow-up (see Article 13 of the Directive); and
  • the review of the procedures by competent authorities (see Article 14 of the Directive).

3. SCOPE OF WHISTLEBLOWER PROTECTION

3.1. How are whistleblowers protected?

Chapter VI of the Directive outlines various protection measures.

When transposing the Directive, Member States must take the necessary measures to prohibit any form of retaliation against reporting persons, including threats of retaliation and attempts at retaliation, in particular in the form of (Article 19 of the Directive):

  • suspension, lay-off, dismissal, or equivalent measures;
  • demotion or withholding of promotion;
  • transfer of duties, change of location of place of work, reduction in wages, or change in working hours;
  • withholding of training;
  • a negative performance assessment or employment reference;
  • imposition or administering of any disciplinary measure, reprimand, or other penalty, including a financial penalty;
  • coercion, intimidation, harassment, or ostracism;
  • discrimination, disadvantageous, or unfair treatment;
  • failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that they would be offered permanent employment;
  • failure to renew, or early termination of, a temporary employment contract;
  • harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;
  • blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;
  • early termination or cancellation of a contract for goods or services;
  • cancellation of a licence or permit; and
  • psychiatric or medical referrals.

For the purposes of the Directive, 'retaliation' refers to any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person (Article 5(11) of the Directive).

In this regard, Article 21 of the Directive further outlines measures that ensure that reporting persons are protected against retaliation, primarily in relation to liability arising from:

  • restrictions on the disclosure of information;
  • the acquisition of or access to the information;
  • acts or omissions which are unrelated to the reporting or which are not necessary for revealing a breach pursuant to the Directive;
  • legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or from compensation claims based on private, public, or on collective labour law; and
  • the disclosure of information that includes trade secrets.

Please note that Member States must ensure that reporting persons have access to support measures, as outlined in Article 20 of the Directive.

Finally, Member States must also ensure that the rights and remedies provided for under the Directive cannot be waived or limited by any agreement, policy, form, or condition of employment, including a pre-dispute arbitration agreement (Article 24 of the Directive).

3.2. Who is protected?

Article 4 of the Directive outlines the personal scope for protection under the Directive.

In particular, the Directive applies to reporting persons working in the private or public sector who acquired information on breaches in a work-related context including, at least, the following (Article 4(1) of the Directive):

  • persons having the status of worker, within the meaning of Article 45(1) TFEU, including civil servants;
  • persons having self-employed status, within the meaning of Article 49 TFEU;
  • shareholders and persons belonging to the administrative, management, or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees; and
  • any persons working under the supervision and direction of contractors, subcontractors, and suppliers.

The Directive also applies to reporting persons:

  • where they report or publicly disclose information on breaches acquired in a work-based relationship which has since ended (Article 4(2) of the Directive); and
  • whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations (Article 4(3) of the Directive).

Furthermore, the protection measures set out in Chapter VI of the Directive (see section 3.1. above) also apply, where relevant, to (Article 4(4) of the Directive):

  • facilitators;
  • third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons; and
  • legal entities that the reporting persons own, work for, or are otherwise connected with in a work-related context.

For the purposes of the Directive, the following definitions apply:

  • 'facilitator' refers to a natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential (Article 5(8) of the Directive); and
  • 'work-related context' refers to current or past work activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information (Article 5(9) of the Directive).

3.3. Is protection limited to certain subject matters?

Article 2 of the Directive outlines the material scope for protection under the Directive.

In particular, the Directive lays down common minimum standards for the protection of persons reporting the following breaches of Union law (Article 2(1) of the Directive):

  • breaches falling within the scope of the Union acts set out in the Annex of the Directive that concern the following areas:
    • public procurement;
    • financial services, products and markets, and prevention of money laundering and terrorist financing;
    • product safety and compliance;
    • transport safety;
    • protection of the environment;
    • radiation protection and nuclear safety;
    • food and feed safety, and animal health and welfare;
    • public health;
    • consumer protection; and
    • protection of privacy and personal data, and security of network and information systems;
  • breaches affecting the financial interests of the Union as referred to in Article 325 TFEU and as further specified in relevant Union measures; and
  • breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

The Directive is without prejudice to the power of Member States to extend protection under national law as regards areas or acts not covered by the above (Article 2(1) of the Directive).

3.4. What kinds of reporting, disclosures, or actions are protected? 

Reporting persons qualify for protection under the Directive, provided that they (Article 6(1)(b) of the Directive):

  • reported internally in accordance with Article 7 of the Directive;
  • reported externally in accordance with Article 10 of the Directive; or
  • made a public disclosure in accordance with Article 15 of the Directive.

Furthermore, persons reporting to relevant institutions, bodies, offices, or agencies of the Union breaches falling within the scope of the Directive shall qualify for protection as laid down in the Directive under the same conditions as persons who report externally (Article 6(4) of the Directive).

For the purposes of the Directive, the following definitions apply:

  • 'internal reporting' refers to the oral or written communication of information on breaches within a legal entity in the private or public sector (Article 5(4) of the Directive);
  • 'external reporting' refers to the oral or written communication of information on breaches to the competent authorities (Article 5(5) of the Directive); and
  • 'public disclosure' refers to the making of information on breaches available in the public domain (Article 5(6) of the Directive).

Internal and external reporting

As a general principle and without prejudice to Articles 10 and 15 of the Directive, information on breaches may be reported through internal reporting channels and procedures (Article 7(1) of the Directive).

Member States are required to encourage reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation (Article 7(1) of the Directive).

Reporting persons must report information on breaches using the external reporting channels and procedures referred to in Articles 11 and 12 of the Directive, after having first reported through internal reporting channels, or by directly reporting through external reporting channels (Article 10 of the Directive).

For further information on the general requirements for internal reporting and follow-up, please see section 4 below.

Public disclosures

A person who makes a public disclosure qualifies for protection under the Directive if any of the following conditions are fulfilled (Article 15(1) of the Directive):

  • the person first reported internally and externally, or directly externally in accordance with Chapters II and III of the Directive, but no appropriate action was taken in response to the report within the stipulated timeframe; or
  • the person has reasonable grounds to believe that:
    • the breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage; or
    • in the case of external reporting, there is a risk of retaliation, or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

However, please note that such conditions do not apply to cases where a person directly discloses information to the press pursuant to specific national provisions establishing a system of protection relating to freedom of expression and information (Article 15(2) of the Directive).

3.5. Is anonymous reporting protected?

Without prejudice to existing obligations to provide for anonymous reporting by virtue of Union law, the Directive does not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches (Article 6(2) of the Directive).

Persons who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protection provided for under Chapter VI of the Directive, provided that they meet the conditions laid down in Article 6(1) of the Directive (Article 6(3) of the Directive).

3.6. What conditions or proof must whistleblowers satisfy or provide to qualify for protection? 

Reporting persons qualify for protection under the Directive, provided that they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Directive (Article 6(1) of the Directive).

For the purpose of the Directive, the following definitions apply:

  • 'breaches' refers to acts or omissions that are unlawful and relate to, or defeat the object or the purpose of the rules in, the Union acts and areas falling within the material scope referred to in Article 2 of the Directive (Article 5(1) of the Directive); and
  • 'information on breaches' refers to information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation in which the reporting person works or has worked or in another organisation with which the reporting person is or was in contact through their work, and about attempts to conceal such breaches (Article 5(2) of the Directive).

4. MANAGEMENT OF INTERNAL WHISTLEBLOWING SCHEMES 

4.1. What channels and follow-up procedures must be established? 

General requirements

Chapter II of the Directive outlines requirements for internal reporting and follow-up.

In particular, Member States must ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law (Article 8(1) of the Directive).

For legal entities in the private sector, this will only apply to those with 50 or more workers (Article 8(3) of the Directive), although this threshold does not apply to certain entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex of the Directive (Article 8(4) of the Directive). Following an appropriate risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health, Member States may also require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures in accordance with Chapter II of the Directive (Article 8(7) of the Directive).

In this regard, such channels and procedures should enable the entity's workers to report information on breaches. They may enable other persons, referred to in Article 4 of the Directive, who are in contact with the entity in the context of their work-related activities to also report information on breaches (Article 8(2) of the Directive).

Furthermore, procedures for internal reporting and for follow-up must include the following (Article 9(1) of the Directive):

  • channels for receiving the reports which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members;
  • acknowledgment of receipt of the report to the reporting person within seven days of that receipt;
  • the designation of an impartial person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports, and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;
  • diligent follow-up by the designated person or department;
  • diligent follow-up, where provided for in national law, as regards anonymous reporting;
  • a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made; and
  • provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities pursuant to Article 10 of the Directive and, where relevant, to institutions, bodies, offices, or agencies of the Union.

For the purposes of the Directive, the following definitions apply:

  • 'follow-up' refers to any action taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, investigation, prosecution, action for recovery of funds, or the closure of the procedure (Article 5(12) of the Directive); and
  • 'feedback' refers to the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up (Article 5(13) of the Directive).

Hotlines

The Directive does not explicitly address hotlines.

However, channels for receiving the reports should enable reporting in writing or orally, or both. Oral reporting must be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe (Article 9(2) of the Directive).

For further information on record-keeping requirements in relation to telephone reporting, please see section 5.2. below.

4.2. With whom does the responsibility lie for the management of the scheme?

The procedures for internal reporting and for follow-up should include the designation of an impartial person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports, and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person (Article 9(1)(c) of the Directive).

4.3. Are there any prior notification, registration, and approval requirements?

Member States must ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law (Article 8(1) of the Directive).

Please note that the Directive shall not affect national rules on the exercise by workers of their rights to consult their representatives or trade unions, and on protection against any unjustified detrimental measure prompted by such consultations as well as on the autonomy of the social partners and their right to enter into collective agreements. This is without prejudice to the level of protection granted by the Directive (Article 3(4) of the Directive).

4.4. What information must be provided to employees about a whistleblowing scheme?

Appropriate information relating to the use of internal reporting channels must be provided in the context of the information given by legal entities in the private and public sector pursuant to Article 9(1)(g) of the Directive (i.e. in the context of providing clear and easily accessible information regarding the procedures for reporting externally to competent authorities pursuant to Article 10 of the Directive and, where relevant, to institutions, bodies, offices, or agencies of the Union) (Article 7(3) of the Directive).

4.5. Are there requirements or restrictions for the use of external service providers?

Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party. The safeguards and requirements referred to in Article 9(1) of the Directive (see section 4.1. above) shall also apply to entrusted third parties operating the reporting channel for a legal entity in the private sector (Article 8(5) of the Directive).

4.6. Are there requirements or restrictions for international/group organisations?

Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by the Directive to maintain confidentiality, to give feedback, and to address the reported breach (Article 8(6) of the Directive).

Likewise, internal reporting procedures should enable legal entities in the private sector to receive and investigate in full confidentiality reports by the workers of the entity and of its subsidiaries or affiliates (or 'the group'), but also, to any extent possible, by any of the group's agents and suppliers and by any persons who acquire information through their work-related activities with the entity and the group (Recital 55 of the Directive).

5. PROCESSING OF WHISTLEBLOWING REPORTS 

5.1. Is there a duty of confidentiality in relation to whistleblowing reports? 

Identity of reporting persons

Member States must ensure that the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This also applies to any other information from which the identity of the reporting person may be directly or indirectly deduced (Article 16(1) of the Directive).

However, the identity of the reporting person and any other information may be disclosed only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned (i.e. the natural or legal person who is referred to in the report as a person to whom the breach is attributed or with whom that person is associated) (Article 16(2) of the Directive).

Furthermore, disclosures of the identity of the reporting person are subject to appropriate safeguards under the applicable Union and national rules. In particular, reporting persons must be informed before their identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings. When informing the reporting persons, the competent authority must send them an explanation in writing of the reasons for the disclosure of the confidential data concerned (Article 16(3) of the Directive).

Identity of persons concerned

Notably, the Directive does not explicitly address the duty of confidentiality in relation to persons concerned.

However, competent authorities must ensure, in accordance with national law, that the identity of persons concerned is protected for as long as investigations triggered by the report or the public disclosure are ongoing (Article 22(2) of the Directive).

Finally, the rules set out in Articles 12, 17, and 18 of the Directive as regards the protection of the identity of reporting persons should also apply to the protection of the identity of persons concerned (Article 22(3) of the Directive).

5.2. Are there any record-keeping requirements? 

Member States must ensure that legal entities in the private and public sector keep records of every report received, in compliance with the confidentiality requirements provided for in Article 16 of the Directive (see section 5.1. above). Reports should be stored for no longer than is necessary and proportionate in order to comply with the requirements imposed by the Directive, or other requirements imposed by Union or national law (Article 18(1) of the Directive).

Recorded telephone reports

Where a recorded telephone line or another recorded voice messaging system is used for reporting, subject to the consent of the reporting person, legal entities in the private and public sector have the right to document the oral reporting in one of the following ways (Article 18(2) of the Directive):

  • by making a recording of the conversation in a durable and retrievable form; or
  • through a complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.

Furthermore, legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree the transcript of the call by signing it (Article 18(2) of the Directive).

Unrecorded telephone reports

Where an unrecorded telephone line or another unrecorded voice messaging system is used for reporting, legal entities in the private and public sector have the right to document the oral reporting in the form of accurate minutes of the conversation written by the staff member responsible for handling the report.

Legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify and agree the minutes of the conversation by signing them (Article 18(3) of the Directive).

In-person reports

Where a person requests a meeting with the staff members of legal entities in the private and public sector for reporting purposes, legal entities in the private and public sector must ensure, subject to the consent of the reporting person, that complete and accurate records of the meeting are kept in a durable and retrievable form (Article 18(4) of the Directive).

Legal entities in the private and public sector have the right to document the meeting in one of the following ways (Article 18(4) of the Directive):

  • by making a recording of the conversation in a durable and retrievable form; or
  • through accurate minutes of the meeting prepared by the staff members responsible for handling the report.

Legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree the minutes of the meeting by signing them (Article 18(4) of the Directive).

5.3. Does the accused person have to be informed when data concerning them is recorded? 

The Directive does not explicitly address information to be provided to persons concerned.

For further information on the right to be informed under data protection legislation, please see section 5.5. below.

5.4. How do data protection rules apply in relation to whistleblowing reports? 

Any processing of personal data carried out pursuant to the Directive, including the exchange or transmission of personal data by the competent authorities, must be carried out in accordance with the GDPR and the Law Enforcement Directive. Any exchange or transmission of information by Union institutions, bodies, offices, or agencies shall be undertaken in accordance with Regulation 2018/1725 (Article 17 of the Directive).

Personal data which are manifestly not relevant for the handling of a specific report should not be collected or, if accidentally collected, should be deleted without undue delay (Article 17 of the Directive).

Please note that the following guidance had been issued in relation to the Data Protection Directive (95/46/EC) ('the Data Protection Directive'):

While the Data Protection Directive has since been superseded by the GDPR, the above guidelines may nevertheless provide guidance for organisations processing personal data in the context of whistleblowing schemes in accordance with the GDPR.

5.5. Are there any restrictions to data subject rights (e.g. rights to be informed, access, rectify, erase, etc.)? 

As part of the record-keeping obligations under the Directive, legal entities in the private and public sector should offer the reporting person the opportunity to check, rectify, and agree to what is being documented (Article 18 of the Directive).

However, the Directive does not explicitly address the application of data subject rights under the GDPR and other data protection legislation.

Nevertheless, the WP29 has expressed the following points (Sections 3 and 4 of Part IV of Opinion 1/2006):

  • '[In terms of Article 10 of the Data Protection Directive,] the requirement of clear and complete information on the system obliges the controller to inform data subjects about the existence, purpose, and functioning of the scheme, the recipients of the reports, and the right of access, rectification, and erasure for reported persons.'
  • 'From a data protection point of view, whistleblowing schemes should focus on the data subject's rights, without damage to the whistleblower's ones. A balance of interests should be established between the rights of the parties concerned, including the company's legitimate investigation needs.'
  • 'The person accused in a whistleblower's report shall be informed by the person in charge of the scheme as soon as practicably possible after the data concerning them are recorded. Under Article 14 [of the Data Protection Directive], they also have the right to object to the processing of their data if the legitimacy of the processing is based on Article 7(f) [of the Data Protection Directive]. This right of objection, however, may be exercised only on compelling legitimate grounds relating to the person's particular situation. […] However, where there is substantial risk that such notification would jeopardise the ability of the company to effectively investigate the allegation or gather the necessary evidence, notification to the incriminated individual may be delayed as long as such risk exists. This exception to the rule provided by Article 11 [of the Data Protection Directive] is intended to preserve evidence by preventing its destruction or alteration by the incriminated person. It must be applied restrictively, on a case-by-case basis, and it should take account of the wider interests at stake.'
  • 'The exercise of these rights [of access, rectification, and erasure] may be restricted in order to ensure the protection of the rights and freedoms of others involved in the scheme. This restriction should be applied on a case-by-case basis. Under no circumstances can the person accused in a whistleblower's report obtain information about the identity of the whistleblower from the scheme on the basis of the accused person's right of access, except where the whistleblower maliciously makes a false statement. Otherwise, the whistleblower's confidentiality should always be guaranteed.'

For further information on the rights of data subjects, please see EU - GDPR - Data Subject Rights.

6. PENALTIES AND LEGAL RECOURSE 

6.1. Penalties for breach of duties and/or retaliation 

Member States must provide for effective, proportionate, and dissuasive penalties applicable to natural or legal persons that (Article 23(1) of the Directive):

  • hinder or attempt to hinder reporting;
  • retaliate against persons referred to in Article 4 of the Directive;
  • bring vexatious proceedings against persons referred to in Article 4 of the Directive; and
  • breach the duty of maintaining the confidentiality of the identity of reporting persons, as referred to in Article 16 of the Directive.

Furthermore, Member States must provide for effective, proportionate, and dissuasive penalties applicable in respect of reporting persons where it is established that they knowingly reported or publicly disclosed false information (Article 23(2) of the Directive).

6.2. Other liability

The Directive does not explicitly address the liability of legal entities in the private sector, or vicarious liability for retaliation by co-workers.

For further information on the liability of reporting persons, please see section 3.1. above.

6.3. Compensation for whistleblowers

Member States shall take the necessary measures to ensure that remedies and full compensation are provided for damage suffered by persons referred to in Article 4 in accordance with national law (Article 21(8) of the Directive).

6.4. Legal recourse for accused persons 

Member States must provide for measures for compensating damage resulting from the reporting or public disclosure of false information in accordance with national law (Article 23(2) of the Directive).

In general, Member States must also ensure, in accordance with the Charter, that persons concerned fully enjoy the right to an effective remedy and to a fair trial, as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file (Article 22(1) of the Directive).
