Croatia: The Act on Whistleblowers' Protection - Key takeaways
The Act on Whistleblowers' Protection (Official Gazette No. 46/2022) ('the WP Act') entered into force in Croatia on 23 April 2022. The WP Act replaced the previous legal framework governing the protection of whistleblowers in Croatia, in force since 2019.
In this Insight article, Andrej Žmikić, Lawyer at DTB, covers the relevant rights and obligations that arise from the WP Act for a whistleblower, organisation, person of confidence, and all other persons involved in the procedure of the whistleblower's report on irregularity, and provides information on how to comply with these obligations in practice.
The objective of the WP Act is to ensure the effective protection of whistleblowers, which also includes ensuring available and reliable manners of reporting irregularities.
As the new WP Act has just recently come into force, there are still no publicly available decisions of the supervisory authorities, i.e. the Ombudsman of the Republic of Croatia ('the Ombudsman'), as well as no case law of the competent courts dealing with the application of the WP Act in practice.
The WP Act is covering the following aspects/matters:
- reporting on irregularities;
- the procedure for the reporting on irregularities;
- rights of the persons involved in the procedure;
- obligations of the public authorities and legal and natural entities regarding the report on irregularities; and
- all other matters important for the reporting on irregularities and the protection of the person reporting the irregularity (i.e. the whistleblower).
Relationship with the Whistleblowing Directive
The new WP Act was adopted primarily due to the need for harmonisation of the national Croatian legislation with the EU acquis communautaire, as well as the need to comply and harmonise the Croatian legislation with the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive'). In particular, the aim of the WP Act is to further improve the reporting system, i.e. the public disclosure of irregularities based on the Whistleblowing Directive and stronger protection of whistleblowers, connected persons, and confidential persons.
The WP Act is fully transposing the principles and system of whistleblowers' protection established in the Whistleblowing Directive into Croatian law.
Main definitions and reporting mechanisms
The WP Act broadly defines a 'whistleblower' as any natural person reporting irregularities that are related to the work environment. 'Work environment' includes the performance of professional activities in the public or private sector where, regardless of the nature of such activities, of the persons gaining information on irregularities, and of where such persons may experience retaliation of the reporting on such irregularities.
Such activities especially include employment, self-employment, work outside employment (e.g. based on a service contract, engagement through an employment agency, etc.), volunteering, student work, participation in the recruitment process as a candidate, holders of stocks or shares in a company, persons who are members of the supervisory, management, or other bodies/boards of the company, persons who work under supervision and in accordance with the contractor's or vendor's instructions, as well as any other persons participating in activities of a natural or legal entity.
'Irregularity' is defined as any action or omission that is illegal and refers to the scope/area of application and regulations covered by the WP Act or is contrary to the goal and/or purpose of such regulations.
Irregularities that are within the scope/area of application of the WP Act are irregularities:
- covered within the scope of application of EU regulations dealing with the following areas: public procurement, financial services, products, markets, and prevention of anti-money laundering and countering terrorism financing ('AML/CFT'), product safety and compliance, traffic safety, environmental protection, protection from radiation and nuclear safety, safety of food and food for animals, animal health and welfare, public health, consumer protection, protection of privacy and personal data, and security of network and information system;
- affecting financial interests of the EU as referred to in Article 325 of the Treaty on Functioning of the European Union and further specified in relevant measures of the EU;
- relating to the internal market, as referred to in Article 26(2) of the Treaty on Functioning of the European Union, including violations of the EU rules on competition and state aid, as well as violations relating to the internal market in relation to acts violating rules on the income tax rules, or arrangements whose purpose is to realise tax advantage that is contrary to the goal or purpose of applicable income tax law; or
- relating to other regulations of the national law, if such irregularities also endanger the public interest.
The WP Act introduces three general reporting mechanisms and manners of reporting:
The internal whistleblowing procedure established by the organisation (employer) is based on the reporting on irregularities submitted to the person of confidence appointed by the organisation (employer).
The external reporting procedure is initiated by submitting a report on irregularities directly to the Ombudsman. External reports can be submitted to the Ombudsman either directly, or after submitting the application through the internal reporting system. The former constitutes a novelty that did not exist in the previous regulation, where the precondition for the external reporting was the previous use of the internal reporting mechanism.
Public disclosure of irregularities
This mechanism is only utilised exceptionally, if one of the following conditions is met:
- a person first submitted an internal or external report on irregularities; however, adequate measures have not been performed as a reaction to the report within the deadlines prescribed by the WP Act; or
- a person has a justified reason to believe that the irregularity can represent an imminent threat for public interest, as in cases of emergency situations or a risk of irreparable damage, or if, in case of an external reporting, there would be a risk of retaliation or the chances that the irregularity will be remedied effectively are low due to the special circumstances of the case.
Scope of the whistleblower protection
Under the WP Act, whistleblowers are afforded with the following types of protection:
- prohibition from prevention of reporting on irregularities and the initiation of malicious proceedings against the whistleblower, person of confidence, and/or connected persons1;
- protection from retaliation - the following forms of retaliation are prohibited on the employer/organisation's part:
- temporary suspension/removal from work, employment dismissal, discharge, revocation, or equivalent measures;
- degradation or denial of opportunities for advancement;
- change of the place of work, salary reduction, or change of the working hours;
- deprivation of the opportunities for training and education;
- negative performance appraisal or job recommendation;
- imposing of disciplinary measures, reprimands, or other sanctions (financial included);
- coercion, intimidation, harassment, or ostracism;
- discrimination, and disadvantageous or unfair treatment;
- denial of an offer to enter into an indefinite term employment agreement for which the legal conditions were met, if the employee had a reasonable expectation that they would be offered with it;
- failure to enter into a successive fixed-term employment agreement or an early termination thereof;
- causing damages, including damages to a person's reputation, especially on social media, or a financial loss, including the loss of business and income;
- negative labelling based on an informal or formal sector agreement or an industry-wide agreement, which may mean that a person will not be able to find a job in that sector or industry in the future;
- early termination or cancellation of an agreement for goods or services;
- cancellation of a licence or permit; and
- reference to psychiatric or medical assessments;
- protection of identity, personal data, and confidentiality;
- court protection;
- compensation of damages;
- primary free legal aid/assistance in accordance with a special law;
- emotional support;
- release from legal liability: in case of disclosing, providing, or enabling access to the information that is considered confidential, if the whistleblower had a justified reason to believe that the report and/or disclosure of such information was necessary for the detection of irregularities in accordance with the WP Act.
The whistleblower shall acquire the protection prescribed by the WP Act if they (cumulatively):
- had a justified reason to believe (reasonable belief) that reported or publicly disclosed information on irregularities is true at the moment of reporting and public disclosure;
- had a justified reason to believe (reasonable belief) that such information is covered by the scope of application of the WP Act; and
- the report has been submitted through an internal or external reporting system in accordance with the WP Act, or the information has been publicly exposed in accordance with the WP Act.
Whistleblowers are entitled to a protection before the court, if there was a harmful action or retaliation undertaken towards them in relation to their report. In such a court procedure, a whistleblower can ask for:
- the prohibition of further harmful actions/retaliation;
- compensation of damages; and
- the publication of a court judgment in the media.
Effects and obligations on organisations and employers
According to the WP Act, every organisation/employer employing 50 or more employees, or engaged in one of the following business/line of activities (financial services, products and markets, or AML/CFT), regardless on the number of employees, is obliged to:
- adopt an internal act or policy regulating the procedure of internal reporting on irregularities; and
- appoint a person of confidence.
The internal whistleblowing act/policy needs to regulate and prescribe the procedure for internal reporting on irregularities at the workplace (from the submission of a report to the person of confidence onwards), as well as the manner and process of appointment of the person of confidence. The internal whistleblowing act/policy of the employer needs to be made available, in an appropriate manner, to all persons involved in the work environment, together with all the information relevant for the submission of reports on irregularities.
Before implementing the internal whistleblowing act/policy, the employer needs to perform a prior consultation procedure with the works council (if established at the employer's workplace) or the labour union representative (if appointed at the employer's workplace, in the absence of the works council), in accordance with general labour regulations.
The employer is also responsible for:
- the appointment of the person of confidence and their deputy;
- protecting whistleblowers from harmful actions/retaliation;
- undertaking measures necessary for the discontinuation of a harmful action/retaliation towards the whistleblower and elimination of consequences thereof;
- protecting the information received in the report from unauthorised disclosure unless otherwise prescribed by national law;
- ensuring conditions for keeping records on the reports prescribed by the WP Act; and
- undertaking measures necessary for the elimination of determined irregularities.
Person of confidence
Reports on irregularities are submitted to the person of confidence, who also conducts the employer's internal whistleblowing procedure.
A person of confidence is an employee of the employer, or a third natural person appointed by the employer, for the purpose of receiving reports on irregularities, the communication with the whistleblower, and conducting the procedure with regard to the reporting on irregularities.
A person of confidence and its deputy are appointed by the employer, on the initiative of either a work council or a labour union representative, or at least 20% of employees, if no work council has been established or labour union representative has been appointed at the workplace.
In case of a lack of such an initiative on the part the work council/labour union representative or employees, the employer shall still appoint the person of confidence and their deputy (i.e. at its own discretion). However, such a position can be revoked, and the new person of confidence can be appointed at any time, on the subsequent initiative of the works council/labour union representative or at least 20% of employees.
Before their appointment, both the person of confidence and their deputy need to provide their prior written consent for the appointment.
A person of confidence can be any employee of the employer, i.e. from the HR department or any other internal department of the employer, save from the management or supervisory board members of the employer and their close family members.
According to the WP Act, a person of confidence can also be a third natural person. Therefore, it would be possible to use the services of external service providers for the submission of a report and/or conducting an internal whistleblowing procedure, provided that the WP Act rules on the protection of identity, personal data ,and confidentiality are always observed. This constitutes a novelty that did not exist in the previous regulation, where only an employee of the employer/organisation could be appointed as a person of confidence.
According to the WP Act, legal entities in the private sector employing between 50 and 249 employees can share resources in terms of receiving reports and conducting the procedure based thereon, under conditions envisaged by the WP Act and national laws regulating labour relations.
Internal whistleblowing procedure
The internal whistleblowing procedure established at the workplace is initiated at the moment of delivery of the report to the person of confidence. A person of confidence is obliged to:
- receive the report and confirm receipt thereof to a whistleblower within seven days;
- immediately perform actions within their competence, necessary for the whistleblower's protection;
- investigate irregularities and provide the whistleblower with the feedback information on the report within 30 days, but not later than 90 days from the date of confirmation of receipt of the report, or if such confirmation was not sent to the whistleblower, after seven days from the date of delivery of the report;
- immediately forward the report to authorities who are authorised to act depending on the nature and the content of the report, if irregularities have not been resolved at the workplace;
- immediately inform the whistleblower (in writing) of the outcome of the examination of the report;
- inform the external reporting authority (i.e. the Ombudsman), in writing, about the received report and the outcome of the procedure within 30 days from the decision on the report;
- protect the identity of the whistleblower and the data/information received in the report from unauthorised disclosure or publication to other persons, unless required by a special law; and
- provide clear and easily accessible information on the procedures for submitting reports to the external reporting authority (i.e. the Ombudsman) and, where appropriate, to the EU institutions, authorities, offices, or agencies responsible for dealing with the report depending on the content of the report.
The person of confidence must keep the records of every report received, in accordance with the confidentiality requirements laid down by the WP Act. Reports must be kept in a durable form in accordance with the national law governing the protection and processing of documentation and dossiers.
Requirements of the report
The main requirements for the report to be processed are:
Form of the report
The report must be submitted in writing (directly, by registered mail, or in electronic form, or by any other means of communication capable of producing a written record), or orally stated to a person of confidence (practical advice: such an oral report should be recorded in the relevant minutes/notes). An oral report is possible by phone or other voice messaging system, or (at the request of a whistleblower) at the face-to-face meeting with a person of confidence.
Mandatory content of the report
The report must include nformation about the person submitting the report (i.e. the whistleblower), name of the employer, organisation, or person to which the report refers, and the information on the reported irregularities.
As a general rule, the WP Act does not recognise anonymous whistleblowing, since one of the mandatory contents of the report must be the information about a person submitting the report. However, as an exception, if an anonymous report has been submitted in a situation where (i) all other conditions laid down by the WP Act for qualifying for the protection of a whistleblower have been fulfilled, (ii) the identity of a whistleblower is subsequently determined, and (iii) they suffer retaliation, despite of anonymous reporting, the whistleblower in question shall also be entitled to the protection laid down by the WP Act.
Penalties for breach of duties and/or retaliation
A general rule stemming from the WP Act is that a whistleblower must not be put in any kind of disadvantage or retaliation as a consequence of reporting irregularities. This especially includes the dismissal of employment, inability to be promoted, reduction of salary or other employment rights, change in working hours, lack of access to education and training, transfer to a different work position, and other unwanted consequences.
If such an unwanted consequence does occur, apart from the compensation of damages to a whistleblower and other potential claims of a whistleblower according to general laws and depending on the nature of a court procedure initiated against the employer, the employer may also be held liable for misdemeanour with a fine ranging between HRK 30,000 (approx. €4,010) and HRK 50,000 (approx. €6,680). On top of this, a responsible natural person of the employer (usually a management board member or director) may be held liable for misdemeanour with a fine ranging between HRK 3,000 (approx. €400) and HRK 30,000 (approx. €4,010).
The employer may also be held liable for any damages suffered by the whistleblower, as their employee, related to the performance of work at the workplace. This includes any damages suffered by the whistleblower due to reporting irregularities, retaliation by co-employees included. A whistleblower is entitled to claim compensation of damages also directly from a co-employee if the latter has caused damages to the whistleblower intentionally.
Pursuant to general labour regulations, if an employer provides compensation for damages caused to an employee at work or in connection with work by another employee, intentionally or due to gross negligence, the employee is obliged to compensate the employer for the amount of compensation paid to the employee who suffered damage at work or in connection with work.
Finally, according to Article 133 of the Criminal Code (Official Gazette No. 125/2011), whoever, at work or in connection with work, insults, humiliates, abuses, or in any other way disturbs and thereby impairs the health of another, may be punished by imprisonment for a term not exceeding two years. This criminal act is prosecuted based on the initiative of the victim.
Protection of identity, personal data, and confidentiality
A person of confidence, and any other person participating in the procedure based on the report on irregularity, is obliged to protect the information in the report and is prohibited from using or disclosing it for other purposes, except for purposes necessary for proper further actions and proceeding.
The identity of a whistleblower (including any information based on which their identity can be discovered) and all other information stated in the report must remain protected and available exclusively to persons authorised for receipt of the report and its further processing, except if:
- the whistleblowers themselves agree to their disclosure; or
- the disclosure of the identity of the whistleblower and all other information is a necessary and proportional obligation set out by EU law or national law within the framework of investigations conducted by national authorities or in the context of the court proceedings, such as for the purpose of protecting the rights of the reported person.
In the foregoing case, the authority disclosing the identity of a whistleblower is obliged to inform the whistleblower before disclosing it, except if such information would jeopardise the related investigations or court proceedings. When notifying, the competent authorities shall send a written notification to whistleblowers stating the reasons for the disclosure of confidential information.
Any processing of personal data conducted in accordance with the WP Act, including the exchange or transfer of personal data to the competent authorities, must be carried out in accordance with relevant EU regulations and national law governing the protection of personal data. Personal data which is manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.
The Personal Data Protection Agency ('AZOP') has not issued any specific guidelines on the topic of whistleblowing yet. However, it is obvious that, while receiving and processing reports on irregularities in accordance with the WP Act, the main principles of personal data processing set out by he General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and national law governing the protection of personal data need to be observed at all times.
This means that, in addition to the above indicated obligation to not collect or, if accidentally collected, to delete without undue delay any personal data which is manifestly not relevant for the handling of a specific report, employers also need to observe the following main data protection rules and principles:
- access to reports on irregularities must be limited exclusively to authorised employees/persons with a strictly defined authorisation concept;
- the identity of a whistleblower must remain protected at all times, subject to exceptions expressly prescribed by the law;
- all potential whistleblowers must be provided with all relevant information on the handling and processing of personal data in accordance with Article 13 of the GDPR, and on the protection of their identity;
- this processing of personal data must be introduced in the mandatory record on data processing activities in accordance with Article 30 of the GDPR;
- data processing agreements referred to in Article 28 of the GDPR must be entered with service providers or systems that allow organisations to conduct the process of reporting irregularities;
- employers must ensure and prove that technical and organisational measures are in place for the protection of personal data of whistleblowers and reported persons; and
- employers must ensure and prescribe exact deadlines for the retention of personal data after the completion of investigations.
Conclusion: Concepts and fundamental purpose of the new law
The previous legal framework governing the protection of whistleblowers, that was in force in Croatia from 2019 until 22 April 2022, was not harmonised with the Whistleblowing Directive and was subject to criticism due to many unclear and vague provisions.
The new WP Act, at first glance, seems more clear, specific, 'to the point', and with less ambiguities than the previous legal framework - and perhaps most importantly, it fully implements the Whistleblowing Directive in Croatian law, making the Croatian legal framework governing the protection of whistleblowers compliant with the EU regulations. For example, the WP Act now clearly defines the scope of law, broadens and clarifies the definitions of a 'whistleblower' and 'irregularity', sets out more specific and concrete rules of the procedure for appointment of a person of confidence, and provides clearer provisions on the protection of the whistleblower's identity and the protection of personal data. In general, the WP Act improved the legal framework for the protection of whistleblowers compared to the earlier regulation.
Therefore, it seems that, with the adoption of the WP Act, Croatia finally has a law on the protection of whistleblowers that truly fulfils the fundamental purpose of the law, i.e. to ensure the effective protection of whistleblowers, including available and reliable manners to report irregularities. Nevertheless, it remains to be seen what obstacles and challenges will arise from the application of the WP Act in practice.
Andrej Žmikić Lawyer
1. Under the WP Act, a connected person of a whistleblower (e.g. an assistant, relative, colleague, and other person connected to a whistleblower that may suffer retaliation in the work environment) shall enjoy the same level of protection from initiation of malicious proceedings and retaliation as a whistleblower, and under the same conditions prescribed by the law. A connected person shall acquire the same level of protection as a whistleblower even in respect of other types of protection of a whistleblower prescribed by the WP Act if they demonstrate that retaliation was committed or attempted against them, or that they were threatened with retaliation due to their connection with a whistleblower.