Whistleblowing

Comply with EU Whistleblowing Directive

Individuals working in private or public organisations are often the first to know about threats to the public interest and violations of EU law. However, fear of retaliation, i.e. an act that occurs within the work-related context in response to a whistleblower report and which may cause detriment to the whistleblower, may discourage reporting of breaches in a work-related context.

In light of the fragmented legislative approaches towards whistleblowers' protection, the European Commission issued, on 23 April 2018, a legislative proposal for the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive') which aims to set out some common minimum standards throughout the EU for the protection of whistleblowers.

The proposal was adopted by the European Parliament at its first reading through a resolution on 16 April 2019.

Following the European Parliament's approval, the Council of the European Union adopted, on 7 October 2019, the Whistleblowing Directive (press release available here), which was subsequently published in the Official Journal of the EU on 26 November 2019. The Whistleblowing Directive entered into force on 16 December 2019, twenty days after its publication in the Official Journal. Member States are required to transpose the directive into national legislation by 17 December 2021.

OneTrust's solutions are backed by AI, robotic automation and regulatory research, ensuring quick time to value, efficiency and unparalleled guidance as you build, adapt, and mature your Ethics program. Organisations can leverage the OneTrust Ethics & Compliance solution to centralise and automate their ethics & compliance programs. From implementing robust whistleblower and incident reporting hotlines to tracking risk across internal and third-party initiatives, OneTrust Ethics provides clear insights to leadership teams and expedites task execution.

February 2021

1. INTRODUCTION

1.1. Issuing body

The Council of the European Union adopted, on 7 October 2019, the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'), which was published, on 26 November 2019, in the Official Journal of the EU and entered into force on 16 December 2019, 20 days later.

This Guidance Note provides an overview of the Whistleblowing Directive.

1.2. Foundations and purpose

As indicated in the recitals of the Whistleblowing Directive, persons working in private or public organisations are the first to know about threats to the public interest and violations of EU law. However, an issue that arises is that potential whistleblowers may be discouraged from reporting said breaches out of fear of retaliation. In light of the fact that reports by whistleblowers are a key element of effective detection, investigation and prosecution of breaches of EU law, the need to encourage said whistleblowing goes hand in hand with ensuring the protection of whistleblowers (Recitals 1 and 2 of the Whistleblowing Directive).

In light of the fragmented legislative approaches to whistleblower protection across the EU at the time, the aim of the Whistleblowing Directive was to set out some common minimum standards for ensuring whistleblowers' protection across the Member States (Recitals 4 and 5 and Article 1 of the Whistleblowing Directive).

The Commission issued a legislative proposal on 23 April 2018 for a Whistleblowing Directive and the Parliament Committee on Legal Affairs issued a report on the Whistleblowing Directive Proposal on 26 November 2018. The proposal was adopted by the European Parliament at first reading through a resolution of 16 April 2019. Following the Parliament's approval of the proposal, as mentioned in section 1.1 above, the Council of the European Union adopted, on 7 October 2019, the Whistleblowing Directive (press release available here), which was subsequently published in the Official Journal of the EU on 26 November 2019.

1.3. Compliance benefits

The transition period for implementing the Whistleblowing Directive into member state laws and regulations ends on 17 December 2021. This means that, by that date, Member States must have communicated to the European Commission the text of the national implementing measures incorporating the provisions of the directive into their legislation. If Member States fail to implement the Whistleblowing Directive by the above-mentioned deadline, they may face infringement proceedings by the Commission (information on monitoring directives implementation available here).

However, with respect to private legal entities with 50 to 249 workers, Member States have until 17 December 2023 to bring into force laws, regulations and administrative provisions necessary for complying with the obligation to establish internal reporting channels as required by Article 8(3) of the Whistleblowing Directive.

In addition, it should be noted that Article 23 of the Whistleblowing Directive provides that Member States should provide for effective, proportionate and dissuasive penalties that will be applicable to natural and legal persons who hinder or attempt to hinder reporting of breaches, retaliate against reporting persons or bring vexatious proceedings against them, or breach the duty of confidentiality in respect of reporting persons' identity.

Furthermore, Recital 102 of the Whistleblowing Directive highlights that criminal, civil or administrative penalties are necessary to ensure the effectiveness of the rules on whistleblower protection. Penalties against those who take retaliatory or other adverse actions against reporting persons can discourage further such actions. Penalties against persons who report or publicly disclose information on breaches which is demonstrated to be knowingly false are also necessary to deter further malicious reporting and preserve the credibility of the system. The proportionality of such penalties should ensure that they do not have a dissuasive effect on potential whistleblowers (Recital 102 of the Whistleblowing Directive).

1.4. Related legislation, frameworks, standards, and supplemental resources

In addition, please note that, on 24 September 2020, the European Commission presented a legislative proposal for a Regulation on Markets in Crypto-Assets and amending Directive (EU) 2019/1937. Therefore, any implementation of the Directive may also depend on its amendment by the proposed regulation on crypto-assets. The proposed regulation includes provisions on, among others, whistleblowing with respect to breaches of the crypto-assets regulation. As of the date of authoring of this guidance note, the proposal is under deliberation in the Council of the EU (you can track the progress of the deliberations here).

Regarding national implementation, the Whistleblowing Directive stipulates, among other things, that its transposition into national law can under no circumstances constitute grounds for the reduction in the protection already afforded by Member States in the areas covered therein.

For further information on the national implementation of the Whistleblowing Directive, please see the Whistleblowing Comparison.

2. SCOPE OF APPLICATION

The Whistleblowing Directive is, at a first level, aimed towards Member States for its implementation into national law (Article 29 of the Whistleblowing Directive). At a second level, it creates obligations for companies to, among other things, create internal reporting channels and to enable persons to submit reports.

Summary of Whistleblowing Directive

The Whistleblowing Directive consists of the following parts:

  • Recitals 1-110, outlining the basis of the Whistleblowing Directive, its purpose, as well as the main rules and principles that are later expanded upon in the articles of the directive;
  • Chapter I, outlining the scope and definitions of the Whistleblowing Directive, as well as the conditions for whistleblowers' protection under the Whistleblowing Directive;
  • Chapter II, outlining the main rules on internal reporting, i.e. the oral or written communication of information on breaches within a legal entity in the private or public sector, and follow-up (see definitions under section 3 below);
  • Chapter III, outlining the main rules on external reporting, i.e. the oral or written communication of information on breaches to the competent authorities, and follow-up (see definitions under section 3 below);
  • Chapter IV, outlining the rules governing public disclosures, i.e. making information on breaches available in the public domain (see definitions under section 3 below);
  • Chapter V, outlining rules applicable to both internal and external reporting;
  • Chapter VI, outlining measures for protecting both the person accused of the breach and the person reporting the breach;
  • Chapter VII, outlining final provisions, including on the entry into force and transposition of the Whistleblowing Directive;
  • Annex I Part I citing legislation relevant to the Whistleblowing Directive. Part I.B mentioned below refers to legislation governing financial services, products and markets, and prevention of money laundering and terrorist financing; and
  • Annex I Part II citing EU legislation referred to by Article 3 of the Whistleblowing Directive, which governs the relationship between the Whistleblowing Directive and other EU and national legislation.

Personal scope

The personal scope of the Whistleblowing Directive is set out in Article 4. The Whistleblowing Directive aims to provide protection for any person reporting a breach in a work-related context and who is working in the private or public sector. It applies to any person. Thus, it applies to (Article 4(1) of the Whistleblowing Directive):

  • persons with the status of worker, including civil servants;
  • persons having self-employed status;
  • shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees; and
  • any persons working under the supervision and direction of contractors, subcontractors and suppliers.

Beyond current employees, the Whistleblowing Directive catches prior employees and future employees. In particular, it applies to any persons who report or publicly disclose any information on breaches that had been acquired in a prior work-based relationship that has already ended (Article 4(2) of the Whistleblowing Directive). In addition, the Whistleblowing Directive applies to any reporting persons whose work-based relationship has not started but who have acquired information on breaches during the recruitment process or other pre-contractual negotiations that have occurred (Article 4(3) of the Whistleblowing Directive).

Material scope

The material scope of the Whistleblowing Directive is set out in Article 2. The Whistleblowing Directive applies to the reporting of breaches (Article 2(1)):

  • falling under:
    • public procurement;
    • financial services, products and markets, and prevention of money laundering and terrorist financing;
    • product safety and compliance;
    • transport safety;
    • protection of the environment;
    • radiation protection and nuclear safety;
    • food and feed safety, animal health and welfare;
    • public health;
    • consumer protection; or
    • protection of privacy and personal data, and security of network and information systems;
  • affecting the financial interests of the EU; or
  • relating to the EU's internal market, such as a breach of competition law and state aid rules.

The Whistleblowing Directive does not protect every person falling under Article 4. Article 6 provides certain conditions reporting persons must fulfil to qualify for protection under the Whistleblowing Directive. In particular, reporting persons should qualify for said protection provided that (Article 6(1) of the Whistleblowing Directive):

  • they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Whistleblowing Directive; and
  • they reported either internally in accordance with Article 7 or externally in accordance with Article 10 or made a public disclosure in accordance with Article 15.

Persons reporting to relevant institutions, bodies, offices or EU agencies breaches falling within the scope of the Whistleblowing Directive will qualify for protection under the same conditions as persons who report externally.

Protections of persons making public disclosures

In addition, any persons who have reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protections provided for under Chapter VI of the Whistleblowing Directive, provided that they meet the conditions in Article 6(1) outlined above.

Chapter VI provides the conditions under which a person making a public disclosure may be protected under the Whistleblowing Directive. The conditions for persons making public disclosure to be protected under the directive are (Article 15(1) of the Whistleblowing Directive):

  • the person must have first reported internally and externally or directly externally but no appropriate action had been taken in accordance with the timeframes specified (see internal reporting and external reporting under section 5 below); or
  • the person had reasonable grounds to believe that:
    • the breach may constitute an imminent or manifest danger to the public interest (in an emergency situation or risk of irreversible danger); or
    • in the case of external reporting, there is a danger of retaliation or a low prospect of the breach being effectively addressed.

3. KEY DEFINITIONS | BASIC CONCEPTS

Article 5 of the Whistleblowing Directive sets out the definitions and key terms used in the directive, as listed below.

Breaches: acts or omissions that are unlawful and relate to EU acts falling under the areas specified under or defeating the objectives under 'Material scope' outlined in section 2 above.

Competent authority: any national authority designated to receive reports in accordance with Chapter III of the Whistleblowing Directive and give feedback to the reporting person, and/or designated to carry out the duties provided for in the Whistleblowing Directive, in particular as regards follow-up.

Facilitator: a natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential.

Feedback: the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up.

Follow-up: any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure.

Internal and external reporting: Internal reporting is the oral or written communication of information on breaches within a legal entity in the private or public sector. External reporting is the oral or written communication of information on breaches to the competent authorities.

Person concerned: a natural or legal person who is referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated.

Public disclosure: making information on breaches available in the public domain.

Report: the oral or written communication of information on breaches.

Reporting person: a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities.

Retaliation: any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person.

Whistleblower: In the context of the Whistleblowing Directive, a 'whistleblower' is the person reporting breaches of EU law (recital 1 and Article 1 of the Whistleblowing Directive).

Whistleblowing: there is no definition of 'whistleblowing' in the Whistleblowing Directive. However, by reference to recital 1 and Article 1 of the Whistleblowing Directive, whistleblowing is the action of reporting breaches by whistleblowers.

Work-related context: current or past work activities in the public or private sector during which, irrespective of the nature of those activities, persons acquire information on breaches. Within this context those persons could suffer retaliation if they reported such information.

4. DATA PROCESSING

As mentioned in section 1.4 above, Recital 83 notes that any processing of personal data carried out pursuant to the provisions of the Whistleblowing Directive must take place in accordance with the rules provided for in the GDPR and Directive (EU) 2016/680 on Law Enforcement ('the Law Enforcement Directive'), including the data processing principles outlined in Article 5 of the GDPR. Therefore, any data processing in the context of the Whistleblowing Directive must comply with the principles of lawful, fair and transparent processing, purpose limitation, data minimisation, accuracy, storage limitation and security.

In addition, Article 17 of the Whistleblowing Directive, apart from reiterating the need to comply with the GDPR and Law Enforcement Directive requirements on data processing, also provides that any personal data that is not relevant for the handling of a specific report should not be collected. If collected, such data should be deleted without undue delay (Article 17 of the Whistleblowing Directive).

Confidentiality obligations

The duty of confidentiality is central to whistleblowing systems under the Whistleblowing Directive. In particular, Recital 60 of the Whistleblowing Directive provides that to ensure effective detection and prevention of breaches of EU law it must be ascertained that whistleblowers can easily and in full confidentiality bring the information they possess to the attention of the relevant competent authorities that are able to investigate and to remedy the problem.

However, the reporting person's identity may be disclosed only where said disclosure is a necessary and proportionate obligation imposed by EU or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned (Article 16(2) of the Whistleblowing Directive). Any such disclosures should be subject to appropriate safeguards, namely (Article 16(3) of the Whistleblowing Directive):

  • reporting persons should be informed before their identity is disclosed (unless such information would jeopardise related investigations or judicial proceedings); and
  • reporting persons should be sent an explanation in writing of the reasons for disclosing the confidential data concerned.

Moreover, competent authorities are under the obligation to ensure that the identity of the reporting persons and of the person concerned is protected for the duration of the investigations or the public disclosure (Article 22 of the Whistleblowing Directive).

5. MANAGEMENT SYSTEM

Management of internal and external reporting 

Internal reporting

The rules on the management of internal reporting are outlined in Chapter II of the Whistleblowing Directive. Article 7(2) of the Whistleblowing Directive provides that Member States should encourage internal reporting before external reporting in cases where the breach can be effectively addressed internally and where the reporting person considers that there is no risk of retaliation.

Further to this, Member States are, under the Whistleblowing Directive, obliged to ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up (Article 8(1) of the Whistleblowing Directive). This obligation applies with respect to legal entities in the private sector with 50 or more workers (unless they fall under Parts I.B and II of the Annex). In addition, this obligation to ensure the establishment of channels and procedures for internal reporting and follow-up applies with respect to legal entities in the public sector (Article 8(9) of the Whistleblowing Directive). Regarding the obligation to ensure that legal entities establish reporting channels, Member States may be exempt from this obligation with respect to municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, or other private entities with fewer than 50 workers (Article 8(9) of the Whistleblowing Directive).

Regarding the characteristics of such internal reporting channels, the Whistleblowing Directive provides the following (Article 8 of the Whistleblowing Directive):

  • the channels and procedures must enable an entity's workers and other persons who are in contact with the entity in the context of work-related activities to report information on breaches;
  • legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. However, this should not compromise the fulfilment of obligations on confidentiality (see section 4 above), giving feedback and addressing the reported breach; and
  • after undertaking a risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health, Member States may require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures in accordance with Chapter II.

Internal reporting channels and procedures should include the following safeguards (Article 9(1) of the Whistleblowing Directive):

  • channels for receiving the reports which are designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, as well as preventing access thereto by non-authorised staff members;
  • acknowledgement of receipt of the report to the reporting person within seven days of that receipt;
  • the designation of an impartial person or department competent for following-up on the reports. This may be the same person or department as the one that receives the reports. Said person or department will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;
  • diligent follow-up by the person or department competent for following-up on the reports;
  • diligent follow-up, where provided for in national law, as regards anonymous reporting;
  • a reasonable timeframe to provide feedback. Such timeframe should not exceed three months from the acknowledgement of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made; and
  • provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the EU.

Follow-up and internal reporting

In the context of following-up after a report has been submitted, the choice of the most appropriate persons or departments within a legal entity in the private sector to be designated as competent to receive and follow-up on reports depends on the structure of the entity. In any case, their function should be such as to ensure independence and the absence of conflict of interest. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board (Recital 56 of the Whistleblowing Directive).

Follow-up can include the following (Recital 57 of the Whistleblowing Directive):

  • referral to other channels or procedures in the case of reports exclusively affecting individual rights of the reporting person;
  • closure of the procedure based on lack of sufficient evidence or other grounds;
  • launch of an internal enquiry and, possibly, its findings and any measures taken to address the issue raised; or
  • referral to a competent authority for further investigation, insofar as such information would not prejudice the internal enquiry or the investigation or affect the rights of the person concerned.

There are also information obligations towards the reporting person. After a report has been submitted, the reporting person must be informed as far as it is possible and in the most comprehensive way possible about the follow-up to the report (Recital 57 of the Whistleblowing Directive). A reasonable timeframe for informing the reporting person about the follow-up should not exceed three months and in cases where the appropriate follow-up is yet to be determined, the reporting person should be informed about this and about any further feedback to expect (Recital 58 of the Whistleblowing Directive). In all cases, the reporting person should be informed of the investigation's progress and outcome.

External reporting

Chapter III of the Whistleblowing Directive governs external reporting and follow-up. Member States must ensure that the competent authorities (Article 11(2) of the Whistleblowing Directive):

  • establish independent and autonomous external reporting channels, for receiving and handling information on breaches;
  • promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of the report would jeopardise the protection of the reporting person's identity;
  • diligently follow-up on the reports;
  • provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;
  • communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;
  • transmit in due time the information contained in the report to competent institutions, bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.

Design of external reporting channels

To be considered independent and autonomous, reporting channels must satisfy the criteria below (Article 12 (1) of the Whistleblowing Directive):

  • be designed, established and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access thereto by non-authorised staff members of the competent authority;
  • enable the durable storage of information in accordance with Article 18 to allow further investigations to be carried out.

Staff obligations

Authorities should ensure that staff members receiving reports are prohibited from disclosing any information that might identify the reporting person or the person concerned, and that they promptly forward the report without modification to any staff members responsible (Article 12(3) of the Whistleblowing Directive).

In addition, Member States should ensure the designation by competent authorities of staff members responsible for handling reports for (Article 12(4) of the Whistleblowing Directive):

  • providing any interested persons with information on the procedures for reporting;
  • receiving and following-up on reports; and
  • maintaining contact with the reporting person for the purpose of providing feedback and requesting further information where necessary.

Furthermore, regarding roles and responsibilities, the choice of the most appropriate persons or departments within a legal entity in the private sector to be designated as competent to receive and follow-up on reports depends on the structure of the entity, but, in any case, their function should be such as to ensure independence and absence of conflict of interest. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board (Recital 56 of the Whistleblowing Directive).

Follow-up on external reporting

Regarding follow-up, Member States can provide that competent authorities who have assessed the matter can decide that a reported breach is clearly minor and does not require further follow-up (Article 11(3) of the Whistleblowing Directive). In addition, competent authorities may decide to close procedures regarding repetitive reports which do not contain any meaningful new information on breaches compared to a past report in respect of which the relevant procedures were concluded, unless new legal or factual circumstances justify a different follow-up (Article 11(4) of the Whistleblowing Directive).

In cases where the authority that has received the report cannot address it, they should be able to transfer it to a competent authority within a reasonable time, in a secure manner, and ensure that the reporting person is informed, without delay, of such a transmission (Article 11(6) of the Whistleblowing Directive).

The obligations to give information on receipt of reports and follow-up

The Whistleblowing Directive also obliges Member States to ensure that competent authorities publish on their websites in a way that is clear, easily identifiable and accessible the following information (Article 13 of the Whistleblowing Directive):

  • the conditions for qualifying for protection under the Whistleblowing Directive;
  • the contact details for the external reporting channels, in particular the electronic and postal addresses, and the phone numbers for such channels, as well as any indication whether the phone conversations are recorded;
  • the procedures applicable to the reporting of breaches, including the manner in which the competent authority may request the reporting person to clarify the information reported or to provide additional information, the timeframe for providing feedback and the type and content of such feedback;
  • the confidentiality regime applicable to reports, and in particular the information in relation to the processing of personal data, also in relation to, among others, Articles 5 and 13 of the GDPR;
  • the nature of the follow-up to be given to reports;
  • the remedies and procedures for protection against retaliation and the availability of confidential advice for persons contemplating reporting;
  • a statement clearly explaining the conditions under which persons reporting to the competent authority are protected from incurring liability for a breach of confidentiality; and
  • contact details of the information centre or of the single independent administrative authority.

Prevention of retaliation

Articles 19 to 21 of the Whistleblowing Directive provide for measures to prohibit any form of retaliation, including threats of retaliation and attempts of retaliation. Article 19 outlines the main forms of retaliation that could take place, such as suspension, lay-off, dismissal or equivalent measures, demotion or withholding of promotion, transfer of duties, change of location of place of work, reduction in wages, change in working hours, withholding of training, and a negative performance assessment or employment reference. Article 20 provides for the obligation of Member States to ensure that reporting persons have access to support measures, such as financial assistance and psychological support, comprehensive and independent information and advice on, among others, protection from retaliation, as well as for effective assistance from competent authorities before any relevant authority involved in their protection against retaliation.

Article 21 provides for Member States' obligation to take necessary measures for protection against retaliation. Such measures are, among others, that reporting persons shall not incur liability in respect of the acquisition of or access to the information which is reported or publicly disclosed and that, in legal proceedings, including for breach of secrecy and data protection rules, or related to disclosure of trade secrets, the reporting persons shall not incur liability of any kind as a result of reports or public disclosures under the Whistleblowing Directive.

Awareness and training

The Whistleblowing Directive provides, in Recital 74 and in Article 12(5), that staff members of the competent authorities responsible for handling whistleblowing reports should be professionally trained, also on data protection laws, in order to ensure that they handle reports, ensure communication with the reporting persons, and follow up on the report in a suitable manner.

In addition, Recital 59 of the Whistleblowing Directive notes that some training should also be provided to persons who are potential whistleblowers. In particular, Recital 59 provides that persons who are reporting breaches of EU law should be able to make informed decisions about whether, how and when to report and that entities should make such information easily accessible for instance by including it in courses and training seminars on ethics and integrity.

Moreover, in connection with handling external reports, as outlined above, staff members of competent authorities must receive appropriate training (Article 12(5) of the Whistleblowing Directive).

Reporting channels

Member States should be able to encourage even legal entities with fewer than 50 employees to establish internal channels for reporting and follow-up, including through laying down less prescriptive requirements for those channels than those laid down under the Whistleblowing Directive. However, said requirements guarantee confidentiality and diligent follow-up (Recital 49 of the Whistleblowing Directive).

It is the responsibility of each individual legal entity either in the private or the public sector to define what kind of reporting channels to establish. However, such reporting channels should guarantee the confidentiality of the identity of the reporting person. The reporting channels should allow persons to (Recital 53 of the Whistleblowing Directive):

  • report in writing;
  • submit reports by post;
  • submit reports by physical complaint boxes;
  • submit reports through online platforms (either on an intranet or internet platform);
  • report orally by telephone hotline or other voice messaging system, or both; or
  • report in the context of physical meetings within a reasonable timeframe. 

In addition, Article 16 of the Whistleblowing Directive provides for the duty of confidentiality which is applicable for both internal and external reporting and should be a key principle when setting up reporting channels. In particular, Member States are obliged to take measures to ensure that the identity of the reporting person is not disclosed to anyone beyond authorised staff members that are competent to receive or follow up on reports, without having previously obtained the reporting person's consent (Article 16(1) of the Whistleblowing Directive).

Regular review of whistleblowing procedures

There should be a regular review of the procedures of competent authorities and good practices should be exchanged between them in order to guarantee that procedures governing whistleblowing are adequate and serving their purpose (Recital 78 of the Whistleblowing Directive).

6. DATA SECURITY

The Whistleblowing Directive includes various requirements for the confidentiality of the reporting persons and measures to be implemented in aid of this, such as ensuring secure reporting channels. According to Recital 3, for example, it is necessary to enhance enforcement by introducing effective, confidential and secure reporting channels and by ensuring that whistleblowers are protected effectively against retaliation.

See section 4 above for further information on the confidentiality of the reporting persons.

7. ACCOUNTABILITY AND RECORDKEEPING

Accountability

The protection of whistleblowers and steps taken to this effect fall under accountability obligations. As outlined in Recital 2 of the Whistleblowing Directive, reports and public disclosures by whistleblowers are an upstream component of the enforcement of EU law and policies, as whistleblowers help provide enforcement authorities with information on breaches of EU law, thereby enhancing transparency and accountability. In addition, protecting public disclosures is also linked to accountability and fundamental rights of freedom of expression (Recital 33 of the Whistleblowing Directive).

Recordkeeping

Member States should ensure that there is adequate record-keeping as regards all reports of breaches, that every report is retrievable, as well as that information received through reports can be used as evidence in enforcement actions where appropriate (Recital 86 of the Whistleblowing Directive). Article 18 further explains the said obligation of Member States to ensure that private and public entities, as well as competent authorities, keep records of every report that has been received. For such recordkeeping, Article 18 of the Whistleblowing Directive provides, among other things, that:

  • recordkeeping must comply with confidentiality requirements;
  • where a recorded telephone line or another recorded voice messaging system is used for reporting (subject to the consent of the reporting person), legal entities in the private and public sector and competent authorities shall have the right to document the oral reporting either through making a recording in a durable and retrievable form or through a complete and accurate transcript of the conversation prepared by staff members that were responsible for handling the report;
  • where an unrecorded telephone line or another unrecorded voice messaging system is used for reporting, public and private entities and competent authorities shall be able to document the oral reporting in the form of accurate minutes of the conversation written by the staff member responsible for handling the report;
  • where a person requests a meeting with the staff members of public and private entities or of competent authorities, complete and accurate reports of the meeting are kept in a durable and retrievable form;
  • legal entities in the private and public sector and competent authorities shall have the right to document the meeting either by making a recording of the conversation in a durable and retrievable form, or through keeping accurate minutes of the meeting prepared by the staff members responsible for handling the report; and
  • private and public entities and competent authorities shall offer the reporting person the opportunity to check, rectify and agree on the minutes of the meeting by signing them.

8. DATA SUBJECT RIGHTS

The Whistleblowing Directive does not explicitly refer to data subject rights. However, the obligations of protecting the personal data and confidentiality of both reporting persons and persons concerned are repeated in the provisions of the Whistleblowing Directive (see section 4 above). In addition, as specified in section 5 above, there exist information obligations towards the reporting person; after a report has been submitted, the reporting person must be informed as far as it is possible and in the most comprehensive way possible about the follow-up to the report (Recital 57 of the Whistleblowing Directive).

In addition, the Whistleblowing Directive provides for the protection of reporting persons from retaliation and for their access to legal remedies and compensation in cases of retaliation. Recital 94 of the Whistleblowing Directive notes the importance of reporting persons suffering retaliation having access to legal remedies and compensation, such as actions for reinstatement, compensation for actual and future financial losses and costs linked to a change of occupation, as well as compensation for other economic damage.

See section 5 above for further information on the prevention of retaliation.

9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION

The Whistleblowing Directive does not provide any requirements relating to cross-border data transfers and localisation. However, Recital 83, as mentioned above, does provide that any processing of personal data carried out pursuant to the Whistleblowing Directive should be undertaken in accordance with the GDPR, among other standards, and that the exchange or transmission of personal data by the competent authorities is included.

10. VENDOR MANAGEMENT

Reporting channels can also be provided externally by a third party (apart from being operated internally by a person or department designated for that purpose) (Article 8(5) of the Whistleblowing Directive). Certain safeguards should apply to entrusted third parties operating the reporting channel for a legal entity in the private sector. These safeguards are provided for under Article 9(1) of the Whistleblowing Directive as outlined in section 5 above.

Third parties could also be authorised to receive reports of breaches on behalf of legal entities in the private and public sector. Third parties could be external reporting platform providers, external counsel, auditors, trade union representatives or employees' representatives. However, said third parties must offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy (Recital 54 of the Whistleblowing Directive).

Furthermore, in order to ensure competent authorities have secure and confidential channels in place, such channels could be required to be separated from the general channels through which the competent authorities communicate with the public, such as normal public complaints systems or channels through which the competent authority communicates internally and with third parties in its ordinary course of business (Recital 73 of the Whistleblowing Directive).

11. INCIDENT AND BREACH

The Whistleblowing Directive does not explicitly provide any measures on the management of security incidents or breaches. However, as part of the explanation of its application, Recital 14 details the importance of whistleblowing in the area of privacy and personal data protection. Specifically, Recital 14 of the Whistleblowing Directive provides that whistleblowers can help disclose breaches of the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), which introduces a requirement to provide notification of incidents, including those that do not compromise personal data, and security requirements for entities providing essential services across many sectors, for example, energy, health, transport and banking, for providers of key digital services, for example, cloud computing services, and for suppliers of basic utilities, such as water, electricity and gas. Recital 14 continues to state that whistleblowers' reporting in this area is particularly valuable for the prevention of security incidents that would affect key economic and social activities and widely used digital services, as well as for the prevention of any infringement of Union data protection rules. Such reporting helps ensure the continuity of services that are essential for the functioning of the internal market and the wellbeing of society.

12. PRIVACY BY DESIGN

The Whistleblowing Directive refers to the obligation to have due regard to the principles of Privacy by Design and by Default under Article 25 of the GDPR. However, it does not explicitly provide any further measures for ensuring Privacy by Design.

13. ADDITIONAL REQUIREMENTS

No waiver of rights and remedies

The Whistleblowing Directive provides that Member States should take steps to ensure that remedies provided for under the Whistleblowing Directive will not be waived or limited by any agreement, policy, form or condition of employment, including a pre-dispute arbitration agreement (Article 24 of the Whistleblowing Directive).

EU Whistleblowing Directive Implementation

  • Austria

    Austria has not yet officially commenced the process of implementing the Whistleblowing Directive.

  • Belgium

    On 9 January 2021, the Parliament passed a motion for a resolution on measures to protect whistleblowers and for the implementation of the Whistleblowing Directive (motion, only available in Dutch and French, here).


Global Whistleblowing Laws

Comparison categories:

  • Governing Texts: Specific; Sector-specific; Additional; Official guidelines
  • Notification Registration Approval: DPA / Works Councils / Other
  • Scheme Management: Personnel; Hotlines; External Providers
  • Rights of the Whistleblower: Anonymity; Confidential Report
  • Rights of the Accused: Be informed; Confidential identity
  • Penalties: Penalties

Jurisdictions covered:

  • Argentina
  • Australia
  • Austria
  • Bangladesh
  • Belarus
  • Belgium
  • Bolivia
  • California
  • Canada Federal
  • Dubai International Financial Centre
  • Israel
  • Kazakhstan
  • Mauritius
  • Nigeria
  • USA Federal
