The EU Whistleblower Protection Directive: Are You Ready?

New rules come into force across the EU on Friday, 17 December 2021

Whistleblowers are a vital part of society, working to expose wrongdoing at the highest levels and often at great personal risk. That’s why the European Union passed legislation in 2019 to give whistleblowers more protection against retaliation. Every country in the 27-member bloc is expected to implement this directive into its national law by Friday, 17 December 2021.

While some countries do lag behind, there is a minimum set of whistleblowing standards that should be adhered to. Companies doing business anywhere in the EU should ensure that their internal policies and procedures comply with the Whistleblowing Directive, regardless of upcoming changes to national laws. Some countries, such as the UK, France and Luxembourg, have had whistleblower protections in place for some time.

Who is a whistleblower under the EU Whistleblowing Directive?

Any person in the private or public sector who has acquired information on breaches in a work-related context can be a whistleblower. The Directive calls such a person a reporting person. Reporting persons can include:

  • Workers
  • Self-employed persons
  • Shareholders and persons involved in the administrative, management or supervisory body of a company
  • Volunteers
  • Paid or unpaid trainees
  • Any person working under the supervision and direction of contractors, subcontractors and suppliers

These people can make a report prior to their employment, such as during the recruitment process, during their employment, or after it has ended. Other people are also protected by the directive, including those who help someone report, third parties such as colleagues or family members, and any legal entities that the reporting person owns or is connected to.

When is a whistleblower protected under the EU Whistleblowing Directive?

The following conditions must be met in order for a reporting person to be protected by the Directive:

  • There are reasonable grounds to believe the information was true at the time of reporting
  • The information falls within the scope of the Directive
  • Reporting is carried out through the correct reporting method
  • If the report is made anonymously and the reporter’s identity is later exposed, the reporter nevertheless qualifies for protection if they suffer retaliation

What does a business have to do to comply with the EU Whistleblowing Directive?

Legal entities in the private and public sector with 50 or more employees must establish internal channels and procedures for reporting. Some countries may also require smaller organisations to comply. Anyone who wants to make a report should start with their employer and make the report through an internal channel.

These channels should be designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and of any third person mentioned in the report, and that prevents access by non-authorised staff members. Reports can be made in writing, orally over the phone, or in person.

Once a report is received, the following procedures should follow.

  • Acknowledgement of receipt: The acknowledgement receipt must be delivered to the reporting person within seven days
  • Designation of an impartial person or department who is competent to follow up on the reports (this can be the same person as the one receiving the reports): This person will remain in communication with and provide feedback to the reporting person
  • Diligent follow-up by the designated person
  • A reasonable time frame to provide feedback on the claim: Feedback must be provided not more than 3 months from acknowledgement of receipt
  • Provision of clear and easily accessible information on the conditions and procedures for reporting externally to the competent authorities if internal reporting proves to be insufficient

The EU Whistleblowing Directive also requires countries to set up national authorities who can receive reports.

Legal entities should keep a record of every report received while making sure the records are in compliance with the confidentiality requirements. The reports should be stored for a proportionate amount of time, and for no longer than absolutely necessary.

If the report is made by phone and the call is recorded, the conversation can be transcribed, and the transcript should be made available to the reporting person to review and amend as necessary. If the conversation isn’t recorded, minutes of the call can be taken instead.

If the report is made in a personal meeting, the conversation could be recorded, or complete and accurate records of the meeting can be written down as minutes. The reporting person should have the opportunity to rectify and agree to the minutes by signing them.

What about the UK and Brexit?

The UK is not required to implement the Whistleblowing Directive because it has already left the EU. However, the UK already applies a great deal of what the Directive requires under the UK’s Public Interest Disclosure Act 1998 (PIDA).

UK law does not cover everything that the Directive requires, although the European Commission has deemed that the UK already provides adequate protection.

The key differences between the EU and UK rules are:

  • The EU protects self-employed people, shareholders, board members and facilitators of whistleblowing. PIDA doesn’t.
  • The EU covers specified sectors, such as procurement or privacy. PIDA focuses on categories of wrongdoing, such as criminal offences. Essentially, the EU’s view on disclosures is objective, the UK’s subjective.
  • The EU requires organisations with 50 or more employees to establish reporting channels. PIDA does not require a reporting system or a policy.
  • The EU requires confidentiality of reporters. PIDA does not, but case law has set out a similar position.
  • The EU prescribes records of reports. PIDA does not.
  • The EU requires feedback and timelines. PIDA does not set out timeframes or require feedback.
  • The EU requires a national oversight body. PIDA does not.

There is no specific requirement for the UK to update PIDA to cover these differences, although there are private members’ bills in the UK Parliament considering options.

More broadly, UK companies that operate in the EU will have to comply with the Directive, as they would have to comply with any other EU law. EU whistleblowing rules are currently considered the strongest in the world, so a system compliant with EU rules, particularly a reporting system, could be adopted across multiple jurisdictions.

What can companies do to comply with the EU Whistleblowing Directive?

Whistleblowing: Understand Your Rights provides a comprehensive overview of whistleblower rights within the UK and across the EU. The aim of the course is to improve the culture in every organisation so that employees feel comfortable whistleblowing where necessary.

The course includes real-life scenarios where whistleblowing could have helped prevent disaster, examples of where whistleblowing did help prevent disaster, and a practical guide on how to blow the whistle.

Contact us now to book your demo and make sure your business is compliant with the EU Whistleblowing Directive. You can also review our comprehensive guide to the new EU rules.



How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
James, VinciWorks CEO