Bulgaria: The Bulgarian Whistleblowing Act - what you need to know
On February 2, 2023, Bulgaria passed its first Whistleblowing Act as part of the process of transposing the EU Whistleblowing Directive into national legislation. Hristina Dzhevlekova and Zhulieta Markova, from Wolf Theiss, discuss the main provisions of the Whistleblowing Act for whistleblowers and what this law requires of companies.
The Whistleblowing Act, which was adopted after more than a year of public discussions and several unsuccessful draft bills, is the first unified framework of whistleblowing mechanisms and protection in Bulgaria. Prior to its adoption, whistleblowing was only partially regulated under different local legislative acts, providing for sector-specific rules (e.g., in the banking sector, anti-corruption legislation, etc.). The available whistleblowing channels were, however, rarely used in practice. The new regime under the Whistleblowing Act is expected to significantly facilitate and encourage whistleblowers in the reporting of wrongdoings and is intended to be applied on top of the existing fragmented sector-specific regulations.
The Whistleblowing Act implements the standards and protections provided by the Whistleblowing Directive, but also establishes some country-specific derogations which are outlined in more detail below. It is an opportunity for the business to effectively counter non-compliance, to prevent litigation and limit any potential financial losses, but also to develop and promote a culture of transparency amongst the personnel.
Who is a whistleblower?
'Whistleblower' within the meaning of the Whistleblowing Act is any individual reporting or publicly disclosing wrongdoing of which they obtained knowledge in a work-related context. This definition is very broad and follows the approach of the Whistleblowing Directive with respect to the individuals who may qualify for protection as whistleblowers. Respectively, it covers not only current and former employees and job applicants, but also commercial partners, suppliers, customers, members of a company's management, shareholders, auditors, contractors, and subcontractors, etc.
What types of alerts are in the scope of the Whistleblowing Act?
The scope of alerts covered under the Whistleblowing Act encompasses:
- public procurement;
- financial services, products, and markets;
- product safety and compliance;
- transport safety;
- environmental protection;
- radiation protection and nuclear safety;
- food and feed safety and animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data;
- security of networks and information systems;
- EU financial interests within the meaning of Article 325 of the Treaty on the Functioning of the European Union, i.e., fraud;
- internal market rules;
- controversial cross-border tax schemes;
- criminal offences;
- payment of outstanding public state and municipal debts;
- employment law; and
- performance of public service.
The Whistleblowing Act extends the material scope of the Whistleblowing Directive in two directions – it allows reporting of breaches of Bulgarian legislation (not only of relevant legal acts of the EU) and also includes additional subject matters as eligible for whistleblowing reporting.
An important derogation from the minimum standards under the Whistleblowing Directive is the inclusion of criminal offenses and labor law in the scope of the Whistleblowing Act. This extension of the scope is a bold move on the part of the Bulgarian legislator, but it is yet to be seen what effect this would have in practice. Ensuring full compliance with the strict and formal requirements of Bulgarian labor law is already difficult for most companies and there are concerns that allowing whistleblowing reports on labor law breaches could open the door for malicious actions vis-à-vis employers. This is one of the biggest challenges that the business would have to face when considering its strategy for implementation of the Whistleblowing Act into its operations.
What makes a valid whistleblowing alert?
The Whistleblowing Act establishes criteria for assessing whether a whistleblowing alert is valid and admissible for substantive review. Namely, in order to be valid, a whistleblowing alert should:
- fall under the material scope of the Whistleblowing Act;
- be submitted via an established whistleblowing channel;
- concern a whistleblower who must have reasonable grounds to consider the information about the violation to be true, i.e., alerts must not be deliberately false;
- not contain information that has been illegally obtained; and
- concern violations from the past two years.
Another important country-specific derogation from the Whistleblowing Directive concerns the matter of anonymous reporting. This matter was approached differently in each new draft bill submitted for public discussions – some versions prohibited, while others allowed anonymous whistleblowing reports.
The final Whistleblowing Act ultimately explicitly prohibits the option for anonymous reporting. This was justified with the argument that anonymous reporting creates risks and preconditions for malicious behavior and submission of false and/or large numbers of non-substantive signals. It is arguable whether the decision of the Bulgarian legislator to take a more conservative approach to anonymous reporting (compared to other EU countries) may in practice discourage potential whistleblowers from submitting an alert due to confidentiality concerns.
What protection shall whistleblowers receive?
The core underlying principle and aim of the Whistleblowing Directive is to ensure the effective minimum standards of whistleblower protection across the EU. The Whistleblowing Act has fully reflected this essential principle and provides for various measures for the protection of whistleblowers. The latter can broadly be categorized into four main groups:
- Prohibition of retaliation. Whistleblowers shall be safe from any acts of retaliation taken as a result of a submitted alert. The Whistleblowing Act provides only a non-exhaustive list of possible retaliation measures (such as temporary removal, dismissal, or employment termination of any kind; payment decrease or delay; negative job evaluation; disciplinary penalty of any kind; and direct or indirect discrimination or blacklisting, etc.) and intentionally leaves the definition of 'retaliation' open. Whistleblowers are also entitled to damages in case the prohibition of retaliation is breached.
- Confidentiality of the whistleblower. The Whistleblowing Act requires that the confidentiality of the whistleblower is ensured throughout the course of the investigation. Disclosure of the whistleblower's identity is possible only in limited exceptional cases (e.g. upon their consent or if required for the purposes of a government investigation/court proceedings).
- Exclusion of liability. Whistleblowers shall be exempt from liability for breach of legal or contractual obligations (such as loyalty clauses or confidentiality agreements) where they have lawfully acquired or gained access to the information subject of the alert.
- Support measures. The Whistleblowing Act provides for free-of-charge legal aid and mediation on cross-border disputes; however, no measures for financial or psychological support are envisaged.
What are companies required to do and by when?
The anti-retaliation principle enshrined under the Whistleblowing Act is generally applicable to all legal entities based in Bulgaria, which must comply with and observe the protection granted to whistleblowers whenever they are dealing with a whistleblowing alert.
Some categories of undertakings are subject to specific additional requirements under the Whistleblowing Act, namely:
- all public enterprises, except for municipalities with fewer than 10,000 citizens;
- private undertakings with 50 employees or more; and
- undertakings in specific sectors (e.g., financial services, products, and markets; anti-laundering and terrorism funding; transportation safety; and the environment).
The above-listed private and public entities are required to implement additional measures to accommodate effective whistleblowing within their organization. Most notably, they are required to establish an internal whistleblowing channel enabling receipt and handling of alerts regardless of how those have been submitted (in written or oral form, over the phone, etc.). Some of the additional requirements under the Whistleblowing Act further include the obligation to introduce an internal policy on whistleblowing (to be updated every three years), appointing an officer to handle alerts (or selecting an outsourcing solution), and maintaining a register of whistleblowing alerts, etc.
The Whistleblowing Act allows companies to outsource some of the above obligations to an external party. The scope of functions that can be outsourced was recently clarified by the national authority responsible for external reporting - the Bulgarian Commission for Personal Data Protection (CPDP). According to the authority's opinion, companies may only outsource the functions of receiving and registering whistleblowing reports to a third party, but not the substantive review and investigation of the alert. The latter shall be handled internally by the company, where external advisors/consultants may also be involved if needed in view of the specifics of the request.
By when should companies ensure compliance with the Whistleblowing Act?
The Whistleblowing Act became effective on May 4, 2023, meaning that the protections provided to whistleblowers thereunder are already enforceable and binding.
As of May 4, 2023, all obligations under the Whistleblowing Act (including the implementation of internal whistleblowing channels) became fully applicable for all public sector employers and private companies with more than 249 employees.
A transition period is envisaged only for private companies with 50 to 249 employees, who have a term until December 17, 2023, to set up their internal reporting channels.
Who is the competent body for external reporting?
The Whistleblowing Act designates the CPDP as the national competent body for external whistleblowing. On April 20, 2023, the CPDP published an officially approved form for the registration of whistleblowing reports, as well as a model register of received reports. The forms are mainly intended to serve the persons at private/public undertakings who are entrusted with receiving, administering, and following up on whistleblowing reports; however, they may also be used by whistleblowers as a standard template for submitting a report. The forms further include some practical guidance on the information to be included under each section.
The CPDP has also initiated public consultation in relation to the amendment of its internal administrative and procedural rules, which aims to regulate its new competencies as an official body for external whistleblowing. The suggested amendments envisage inter alia the establishment of a designated unit within the CPDP for handling whistleblowing reports, the internal procedure for administering and reviewing submitted reports, as well as regulating the CPDP's new powers under the Whistleblowing Act.
Last but not least, the CPDP also organized some events with the purpose of popularizing the Whistleblowing Act, including a roundtable in cooperation with Basel Institute for Governance and the Bulgarian Institute for Legal Initiatives whose aim is to present and discuss key issues related to the technical organization and legal aspects of the new whistleblowing regime. Additional and more in-depth guidance by the CPDP on the Whistleblowing Act may also be expected in the upcoming months.