Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Czechia: Regulation of whistleblowing - an overview

This Insight article delves into the recent adoption of the Act on the Protection of Whistleblowers (the Act) in Czechia, highlighting changes for employers. It covers key rules, the role of designated competent persons, and control mechanisms, offering practical recommendations for companies adjusting to the new whistleblowing regulations.

da-kuk / Signature collection / istockphoto.com

In Czechia, the Act transposing the Whistleblowing Directive was adopted last year, bringing major changes, especially for employers. Until the adoption, the whistleblowing regulation in Czechia was insufficient - a certain degree of protection of whistleblowers could be seen, but comprehensive regulation was missing despite many efforts to implement whistleblowing into the Czech legal system.  

Thanks to the transposition of the Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law1 (the Directive), it has now been possible to regulate this issue more comprehensively.

Adoption of the Czech whistleblowing regulation

As Czechia did not implement the Directive by the specified deadlines, i.e., by December 17, 2021, as required by the Directive, the Directive became directly effective against public authorities after the mentioned date.

Subsequently, the Directive was transposed into Czech legislation by the Act, which came into force on August 1, 2023, and serves as the primary whistleblowing regulation. Furthermore, the adoption of the Act also affected the Czech Anti-Money Laundering Act2 (AML), which marginally regulates whistleblowing.

Main rules of the Act

The Act creates a framework for reporting certain qualified violations, which include criminal offenses, more serious administrative misdemeanors, violations of the Act, and violations of other legislation or EU regulations in specific areas. The Act also provides protection to the whistleblower who may be, for example, an employee, a job applicant, a business partner, or a member of a legal entity's body, from potential retaliation, especially in the form of termination of employment, reduction in pay, dismissal, or withdrawal from a contract by the obliged entities, i.e., employers with 50 or more employees, selected public authorities, and public procurers.

The obligations imposed on obliged entities include the following:

  • introducing an internal notification system - obligated entities, such as those employing 250 or more employees, municipalities with more than 10,000 inhabitants, and public authorities, were required to do so no later than the Act's effective date, i.e., by August 1, 2023. Entities in the private sector with 50 to 249 employees were required to implement this by December 15, 2023;
  • designating a competent person to be in charge of the notification agenda – this includes receiving and assessing the validity of the whistleblowing notification, proposing measures to remedy or prevent the illegal situation, acting impartially, and maintaining confidentiality;
  • ensuring that the whistleblower can submit a notification through an internal system in writing (e.g., via email), orally (e.g., via telephone), or, upon whistleblower's request, in person;
  • publishing specified information in a manner allowing remote access – this includes information on the means of notification and identification of the competent person, along with their telephone number and email or other address for delivery; and
  • training the competent person on their rights and obligations and maintaining a written record confirming the training.

According to the Act, whistleblowers can use the following whistleblowing systems to submit a notification:

  • internal notification system - set up by the obliged entity;
  • external notification system - set up by the Czech Ministry of Justice;
  • publication - only as a last option, especially if corrective measures have not been taken after the notification has been submitted through the internal and external, or only external, notification system.

It is up to the whistleblower to choose whether they want to use the internal or external notification system for their report - there is no hierarchy that would force the whistleblower to submit the report first through the internal notification system and only then to choose the external notification system.

The Act also allows the sharing of the internal notification system across multiple obligated entities in the private sector, but only for such entities that do not employ more than 249 employees and municipalities. Similarly, it is possible to entrust the management of the internal notification system to a third party. Both natural persons and legal entities can be entrusted with the management of the internal notification system.

The Act furthermore allows the obliged entities to exclude the possibility of receiving notifications from third persons, e.g., from members of the legal entity's bodies, cooperating self-employed persons, business partners, and suppliers, who may submit their notifications to the Czech Ministry of Justice. This is at the discretion of the individual obligated entity - the advantage may be the reduction of administrative tasks related to notifications, while the disadvantage is the possible involvement of the Ministry of Justice and the impossibility to deal with notifications primarily internally.

Protection of the whistleblower's identity

Even though the Directive allows for the acceptance of anonymous notifications, the Czech legislators decided not to include this possibility in the Act. Therefore, obligated entities are not bound to accept anonymous notifications, and such notifications do not fall under the protection of the Act. So, the notification should always include information on the whistleblower's name, date of birth, or other details from which it is possible to infer the identity of the whistleblower.  

According to the Act, the obligated entities must ensure that only the designated competent person, who is bound by the obligation of confidentiality under the Act, handles the notifications of the whistleblowers. The reason is the protection of the whistleblower's identity which should not be disclosed; only the designated competent person should have the information on the whistleblower's identity.

This protection can be achieved by implementing a consistent internal notification system that is secured against any data leakage and also by designating a trustworthy competent person who will handle the whistleblowing agenda.   

The internal notification system, and thus the individual internal notification channels (e.g., email address or telephone number), as well as the records of notifications received and the documents kept in this context, must not be accessible to anyone other than the designated competent person. The obliged entity should provide the designated competent person with appropriate conditions for the performance of their function, including the means to ensure the proper performance of their obligation of confidentiality and thus ensure the confidentiality of the identity of the whistleblower and other relevant facts.

Providing adequate information to the designated competent person about their rights and obligations, as well as informing the potential whistleblowers themselves through, for example, written internal rules and regulations or directly by the designated competent person, may also contribute to the protection of the whistleblower's identity and overall his/her protection under the Act.

Designated competent person

In the current practice in Czechia, the obliged entities usually encounter an issue of who to designate as the competent person for the whistleblowing agenda. Since high demands may be placed on the designated competent person, the obliged entities should pay attention to the selection of this person. The designated competent person should not only be generally trustworthy but should also be well educated in the area concerned, as he/she will be responsible for handling the entire whistleblowing agenda, such as assessing the validity of the notifications and proposing possible measures. However, the only legal requirements for the exercise of the designated competent person's function are the age of majority, full legal capacity, and impeccability.

The main obligations of the designated competent person are:

  • ensuring the functioning of the internal notification system by receiving and assessing the reasonableness of notifications submitted through it and informing the whistleblower within the statutory deadlines of certain important milestones in the progress of the case (e.g., receipt of the notification, outcome of the assessment of the reasonableness of the notification, action taken);
  • proposing measures to the obliged entities to remedy and/or prevent unlawful situations;
  • keeping records of notifications received;
  • complying with the instructions of the obliged entity unless these instructions jeopardize or obstruct the performance of its activities under the Act; and
  • complying with the obligation of confidentiality and impartiality.

The designated competent person shall not be penalized for the proper exercise of their function. Obligated entities shall provide to the designated competent person training on their rights and obligations under the Act. However, the obligated entities may also consider professional training for the designated competent persons, for example, from compliance or legal experts.

Control over compliance with obligations under the Act and relevant sanctions

Control over compliance with the obligations of obligated entities under the Act is exercised by the Czech Ministry of Justice and the Labor Inspectorate. In the case of employers, the control is primarily exercised by the Labor Inspectorate. If the Ministry of Justice finds a breach of an obligation during the inspection, it shall impose a corrective measure on the obligated entity and set a reasonable time limit for its fulfillment.

Failure to comply with the obligations under the Act may qualify as an offense punishable by a fine. The amount of the fine varies according to the extent of the offense:

  • if the whistleblower knowingly makes a misleading notification, they are liable to a fine of up to CZK 50,000 (approx. $2,000);
  • the designated competent person may also commit an offense if they refuse to accept the notification or fail to assess its validity, for which they are liable to a fine of up to CZK 50,000 (approx. $2,000); or
  • if the obliged entity fails to fulfill its obligations under the Act, it runs the risk of a fine of up to CZK 1,000,000 (approx. $43,000).

Another major risk for obligated entities, beyond fines, may be the damage to their reputation resulting from the publication of the notification. The whistleblower may, for example, resort to publication in the event that corrective action is not taken after their notification has been made through both the internal and external (or only the external) notification system, or if they have reasonable grounds to believe that the unlawful conduct referred to in the notification may lead to a threat to an important public interest.

Therefore, it is in the interest of obliged entities to establish a credible internal notification system and to respond to notifications in an appropriate and timely manner by taking corrective measures proposed by the designated competent person or other appropriate corrective measures. Depending on the situation, these measures may be of a general organizational nature (e.g., creating new internal rules to prevent illegal activities) or of a specific nature (e.g., opening an internal investigation of the reported issue, filing a criminal complaint, or providing assistance to the Police of Czechia or other competent authority).

Whistleblowing in the AML

Before the adoption of the Act, the AML had already included a provision requiring obligated subjects to establish an internal notification system in which employees and individuals who carry out activities for the obligated subject other than in the employment relationship can anonymously submit notifications of AML breaches. With the adoption of the Act, this provision was amended, and now the obligated subjects under the AML must manage the internal notification system in accordance with the Act.  

The obliged subjects under the AML have some additional obligations compared to obliged entities under the Act. Specifically, the obliged subject:

  • must ensure the receipt of anonymous notifications within the internal notification system;
  • cannot entrust a third party with the management of the internal notification system and cannot share the internal notification system; and
  • cannot narrow the range of persons who may use its internal notification system to submit notifications. In particular, it is compulsory to allow the submission of notifications not only by its employees but also by individuals who carry out activities for the obliged subject outside the employment relationship, such as shareholders, members of elected bodies, and contractual partners.

Practical recommendations

For the purpose of implementing the internal notification system under the Act, the obliged entities should especially consider taking the following steps:

  • setting up the internal notification system appropriately so that it is functional and credible, thus motivating whistleblowers not to use other reporting options;
  • providing professional training for the designated competent person so that they are properly informed of their rights and obligations under the Act and are familiar with situations that may arise;
  • ensuring data security so that the notifications received cannot be accessed by persons other than the designated competent person; and
  • ensuring that the designated competent person complies with the time limits for handling the notifications, especially notifying the whistleblower of the receipt of the notification (time limit of seven days from the date of receiving the notification) and of the results of its assessment (time limit of 30 days from the date of receipt of the notification; in cases of factual or legal complexity, this time limit may be extended by additional 30 days, but at most twice). This can be ensured, for example, by proper training of the designated competent person or by providing technical means.

In conclusion, it is apparent that the legal regulation of whistleblowing in the Czech Republic is still very recent due to the delayed implementation of the Directive and, therefore, it is not yet possible to form any comprehensive conclusions about its effectiveness or shortcomings. However, based on the experience so far, it seems that this regulation has not reached its full potential in the Czech Republic yet - based on the available information, it appears that the notification systems are used very rarely so far, and the whistleblowers submit only minimum notifications that fall under the protection of the Act.

Martina Šumavská Senior Associate
[email protected]
Jessica Vaculíková Junior Associate
[email protected]
GT Legal, Czechia


1 Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law

2 Act No. 253/2008 Coll. on Certain Measures against the Legalization of the Proceeds of Crime and the Financing of Terrorism

Feedback