[author: Jan Stappers LLM]
As we enter the second quarter of 2022, more EU countries are implementing their national transpositions of the EU Whistleblower Directive. Progress is being made, slowly but surely!
And perhaps this gradual implementation will be a relief for companies operating beyond EU borders. For, while the Directive is a step forward in Member States’ move towards a unified legal framework for whistleblowers, each territory has the freedom to extend the scope of the requirements stipulated at EU level – in fact, it has been encouraged by EU regulators. Now that the first handful of countries are complete, that’s exactly what’s happening.
In this article, we recap the basic requirements of the EU directive, summarize the national nuances of the countries whose whistleblower protection laws have come into effect so far, and highlight the implications these may have. for organizations in these countries.
Main requirements of the EU whistleblower directive
First of all, here is a little reminder of the standard requirements of the European directive.
- A secure channel for receiving whistleblower reports should be in place. Reporting must be possible in writing and/or verbally, via telephone lines or other voice communication systems.
- An acknowledgment of receipt of the report must be provided to the whistleblower within seven days.
- Feedback on the follow-up to the report must be given to the whistleblower within three months.
- An impartial person or service should be designated to handle reports, and reports should be followed up.
- Records must be kept for each report received, in accordance with confidentiality requirements.
- Any processing of personal data must be carried out in accordance with the GDPR.
- Clear and easily accessible information must be available on the conditions and procedures for internal and external reporting to the competent authorities.
Implications of the differences in the territorial transpositions of the European directive on whistleblowers
1. What is the definition of a whistleblower?
- According to the Directive: Whistleblowers working in the private or public sector who have obtained information on breaches in a professional context.
- Notable exceptions: Portugal applied a broad definition of a whistleblower as “a natural person who publicly denounces or reveals an infringement on the basis of information obtained in the course of his professional activity…”.
- Challenges for organizations: How can we reach potential non-employee whistleblowers? In which languages should the reporting channel be available? Which channel works best for different stakeholders?
2. What type of reporting channel is required?
- According to the Directive: Organizations must allow reporting in writing or verbally, or both.
- Notable exceptions: In Swedenreporting must be possible both verbally and in writing.
- Challenges for organizations: Do we have competent recipients in all entities? What roles are appropriate for receiving reports? How can we train recipients to be compliant across all channels and entities? Can we bring verbal and written reports together in a single repository to get an overview of potential trouble spots?
3. What counts as an information providing grounds for protection?
- According to the Directive: Breaches of Union law. Attacks on the financial interests of the Union. Internal market offenses and tax evasion.
- Notable exceptions: Denmark counts offenses relating to “serious offenses or other serious facts”. In France “Offences relating to a serious threat or harm to the public interest are included. Sweden says that “a matter of public interest in the disclosed misconduct” may be reported, and Portugal added “violent and/or organized crime” to the EU definition.
- Challenges for organizations: What to do with reports outside the scope? Can we still benefit from it? What about reports that are not made in good faith? How are we informed of divergent national regulations?
4. What are the facilitation and reward requirements for whistleblowers?
- According to the Directive: Legal entities must provide information to make an informed decision on whether, how and when to report. The EU directive is silent on rewards.
- Notable exceptions: Under the Lithuanian whistleblowing law, a competent authority may award compensation for whistleblowing reports.
- Challenges for organizations: To what extent should we communicate whistleblower rights? How much do we need to facilitate them? How to reward whistleblowers?
5. Is anonymous reporting covered by the EU Whistleblower Protection Directive?
- According to the Directive: The power is delegated to the Member States to decide whether legal persons in the private or public sector and the competent authorities are obliged to accept and monitor anonymous reports.
- Notable exceptions: Portugal went from being one of the last countries in the EU to ban anonymous reporting to one of the first to require permission for anonymous reporting.
- Challenges for organizations: Should we accept anonymous reports, even if we don’t have to? In this case, how do we provide feedback to the anonymous registrant in accordance with the directive?
6. What is the approach to reporting Group/subsidiary whistleblowers?
- According to the Directive: When a group is made up of entities with 50 or more employees, each of them must set up and operate its own internal channel.
- Notable exceptions: Organizations in Denmark may set up group-wide whistleblowing systems unless the Minister of Justice reverses this decision.
- Challenges for organizations: Are we compliant if we maintain multiple channels within a single system?
As more and more national differences emerge, monitoring and responding to these can create compliance complexity for large organizations and those operating across borders within the EU.
At NAVEX, we ensure that we have the latest information from all EU Member States regarding the transposition of EU Directive national legislation as it happens. Our legal team and EU Whistleblower specialists are connected to a network of legal partners across Europe to ensure that we are up to date and that our EthicsPoint Incident Management and WhistleB by NAVEX solutions help you prepare for compliance.
To stay informed, subscribe to our newsletter here.
See the original article on Risk & Compliance Matters