Belgium: Whistleblowing schemes - private sector status update
An update on the transposition of the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive') into Belgian law is imminent. In this Insight, Anneleen Van de Meulebroucke and Liesbet Vandenplas, from Eubelius Attorneys, outline the state of play for companies in the private sector and focus on the internal reporting schemes.
What is the status of the act?
Bill 55K2912 on the protection of persons who report breaches of Union law or national law found within a legal entity in the private sector ('the Act'), which transposes the Whistleblowing Directive, was accepted by the Chamber of Representatives on 24 November 2022 and is awaiting ratification and promulgation by the King.
The Act will then enter into force two months after the day it is published in the Belgian Official Gazette. We expect publication to take place soon.
To which companies do the new obligations apply?
Each legal entity with at least 50 employees must establish an internal channel for reporting breaches in a number of specific areas. Legal entities in the private sector with 50 to 249 employees have until 17 December 2023 to do so. Legal entities with less than 50 employees do not have to introduce an internal reporting procedure, but they can voluntarily choose to do so. Legal entities in the financial sector must always implement an internal reporting channel, regardless of the number of employees.
How do you calculate the threshold? This is done on the basis of the rules for social elections. Note, however, that the calculation must be done at the level of the legal entity, and not at the level of the technical business unit.
What obligations are introduced?
The main features of the Act are as follows:
- The scheme will cover reports on breaches in relation to: (i) public procurement; (ii) financial services, products and markets, and the prevention of money laundering and terrorist financing; (iii) product safety and compliance; (iv) transport safety; (v) the protection of the environment; (vi) radiation protection and nuclear safety; (vii) human and animal food safety and animal health and welfare; (viii) public health; (ix) consumer protection; (x) protection of privacy and personal data, and security of network and information systems; (xi) tax fraud; (xii) social fraud; and (xiii) the rules on the functioning of the European internal market (competition and state aid).
- Some information falls outside of the scope of the Act, such as information protected by medical professional secrecy as well as information protected by legal privilege of attorneys. The latter has caused debate because information received by other advisors, such as legal counsel and accountants, do not receive the same kind of protection.
- Reporting should be possible for a wide range of persons - not only employees and self-employed persons, but also shareholders, persons belonging to the administrative, management or supervisory body, volunteers, trainees, staff of (sub)contractors, and suppliers should be able to report infringements.
- A legal entity must set up channels and procedures for internal reporting and for their follow-up, after consultation with the competent consultation body (the works council, or in the absence thereof, the union delegation; in the absence of a union delegation, the committee for prevention and protection at work or, in the absence thereof, the workers themselves). Companies must provide the necessary information on the existence and use of the internal reporting channels.
- Legal entities must appoint a report receiver and a report handler, which can be the same person or service. The report handler must follow-up on the report, maintain communication with the reporting person (if needed, request additional information), and give feedback. The choice of a person or department within the legal entity that is most appropriate for receiving and handling reports depends on the structure of the legal entity, but their function must guarantee that they act independently and have no conflicts of interests. The reporting channel can be managed internally or externally be put at the disposal by a service provider.
- Legal entities with 250 employees or more must allow anonymous reporting. Legal entities with fewer employees are free to allow anonymous reporting. This difference is explained in the parliamentary works by the cost that anonymous reporting mechanisms entail. This cost was found too heavy to impose on smaller companies. The question on whether to allow anonymous reporting has always caused debate. Beforehand, the stance of the predecessor of the Data Protection Authority ('Belgium DPA') had always been not to allow anonymous reporting given the evident risk of abuse.
- Legal entities must handle and follow up on reports in a timely manner and within certain strict deadlines. An acknowledgement of receipt has to be sent within seven days following the report. The legal entities must follow-up by providing feedback to the reporting person within a reasonable delay not longer than three months after the acknowledgement of receipt.
- Protective measures apply not only to the reporting person, but also to facilitators and third parties associated with the reporting person (e.g. family members, colleagues who are aware of the report, or who assist in the report). One of those protective measures includes an obligation to keep the identity of the reporting person protected. Infringements of the confidentiality obligations can be sanctioned with the heaviest sanctions.
- In terms of data protection, the Act provides that reports should be kept throughout the duration of the contractual relationship with the reporting person.
- The reporting person can report through an internal reporting channel and an external reporting channel. In certain cases, they can even report via public disclosure. In each of these cases, the reporter is protected under certain conditions.
- Competent authorities for external reports and a federal coordinator will be appointed.
- The provisions touch upon public order; hence, no contractual or statutory derogations are possible.
- Violations of the rules on setting up internal reporting channels and keeping a register of the reports will be eligible for level 4 sanctions under the Social Criminal Code (imprisonment up to three years and criminal fines up to €48,000 or administrative fines up to €24,000). Violations regarding inter alia impeding reports, retaliations etc. will be eligible for criminal sanctions including imprisonment up to three years and criminal fines up to €48,000. Persons intentionally filing fake reports (regardless of the reporting channel) can be sanctioned with the criminal sanctions for defamation (imprisonment up to one year and criminal fines up to €8,000).
- A reporting person enjoys immunity against civil, criminal, or disciplinary sanctions provided that they had justified reasons to believe the report information was true and correct. In other words, protection does not depend on the information being actually correct. A reporting person, however, may still be sanctioned if they committed a crime in obtaining the reported information.
- Employees who fell victims to retaliations enjoy a liquidated damage-like presumption for their damage. They are entitled to a compensation equal to 18 to 26 weeks.
What needs to happen now?
Companies should prepare for the introduction of an internal reporting channel, ask about possible service providers for a reporting channel, and prepare a draft policy.