On October 7, 2019, the European Parliament and the Council of the European Union adopted the European Whistleblower Protection Directive (Directive) which aims to protect whistleblowers who report corruption, fraud, or violations of the law in the countries of the European Union (EU). These measures require covered employers to provide protected channels for reporting and prohibit any retaliation against those who report irregularities.
adopted the European Whistleblower Protection Directive which aims to protect persons who report breaches of EU law.
Companies subject to the Directive must understand every requirement for establishing a compliant, internal reporting channel and procedure for their employees and implement a detailed plan created by a cross-functional team to ensure seamless execution.
In this guide, we will walk you through the Directive and explain how to ensure compliance.
What Does the Directive Say?
The Directive protects whistleblowers who report a breach of EU law, including tax fraud, money laundering, bribery, corruption, or data protection breaches. The following are a few key points to keep in mind:
- The regulation not only affects employees, but also protects apprentices, volunteers, and self-employed workers.
- It requires organizations to take measures to protect whistleblowers, establish confidential reporting channels, and clear reporting processes.
- Whistleblowers are encouraged – not required – to report first through internal channels. Depending on the circumstances of the case, complainants may also contact the national competent authorities or the relevant EU institutions, organizations, offices, and agencies.In addition, whistleblowers may approach the public and the media, if appropriate action has not been taken after the initial report within the organization or by the authorities, or if there are immediate threats.
- Protections may vary across Member States but they must include at a minimum protection against various types of potential liability and compensation for damage suffered by whistleblowers, such as termination of their employment. Member states must provide effective, proportionate and dissuasive penalties for individuals or companies that retaliate against whistleblowers, hinder or attempt to hinder reporting, bring vexatious proceedings against whistleblowers or breach the duty to keep the identity of reporting persons confidential.
To Whom Does the Directive Apply?
The Directive applies to organizations in both the public and private sectors with over 50 employees, or with annual turnover or total assets of more than EUR 10 million. The compliance deadlines different depending on a company’s employee size. Companies with more than 250 employees must comply with the legislation by December 17, 2021, and those with 50-249 employees by December 17, 2023. For companies with less than 50 employees, EU members may demand that these organizations establish internal reporting channels only after evaluating the risk and nature of the organization’s activities. Additionally, the Directive applies to local authorities that provide services to more than 10,000 people. All organizations responsible for adhering to the Directive must create internal reporting channels.
The reporting process will differ depending on whether the report is internal or external. Internal reports are comprised of written or verbal communications that the complainant made within the organization. Workers submitting external reports, on the other hand, must acknowledge the authorities that each member state designates.
Who Does the Directive Protect?
The Directive offers protection to those who, by virtue of a public or private employment relationship, have information or evidence detailing any actions, omissions, or infringements that threaten or damage the public interest, including the following:
- Employees, public servants, managers, and supervisors;
- Self-employed workers, contractors, their employees, and their subcontractors;
- Suppliers;
- Volunteers and trainees;
- Shareholders;
- Ex-employees; and
- Candidates who obtain information during the precontractual selection or negotiation process
It is important to keep in mind that the Directive does not protect every citizen — there are separate categories for facilitators or third parties who assist or collaborate with an informant. The protection of journalists, trade unionists, and non-governmental organizations (NGOs) has yet to be addressed.
Who is Excluded from the Directive?
People reporting incidents outside of work or information regarding external matters are excluded from the Directive.
What Type of Violations can be Reported?
The categories (or types) of violations for which reporting channels should be available are as follows:
- Public procurement, to prevent and detect fraud and corruption
- Financial services, products, and markets
- Money laundering and terrorist financing
- Product safety, manufacturing, and distribution chains
- Transport security
- Environment
- Radiation and nuclear energy
- Food and feed safety
- Public health
- Consumer protection
- Privacy and data protection
- Unions’ financial interests
- Taxes and revenue
What Guarantees do Whistleblowers Receive?
The main guarantee the Directive provides whistleblowers is the protection of their identity. This guarantee ensures:
- Confidentiality
- Prohibition of disclosure of any information regarding the informer
- GDPR (General Data Protection Regulation) compliance
- Anonymity
- Protection against retaliation
- Prohibition of reprisals
Complainants are also entitled to receive free legal and financial assistance and psychological support.
How Can Organizations Prepare to Comply with the Directive?
The Directive proposes that whistleblowers first make contact through internal channels within the organization and then report to the authorities, if necessary.
This is beneficial for companies, as it is in their best interest of the company to obtain the information firsthand, so they can react and deal with the reported issue before it becomes public and triggers potentially irreparable damage the organization’s reputation. Therefore, one essential step to preparing for the Directive is to establish an internal reporting process to minimize or eliminate any negative impact or risk.
In order to prepare for the implementation of the Directive, it is important to keep these considerations in mind.
Internal Reporting Channels
This internal reporting process should be clear and easy to follow, and it must provide secure and anonymous channels of communication. These channels could include telephone hotlines, mailboxes, or digital reporting systems.
Local Regulations in Each EU Country
According to Barbara Mangan, Global Audit & Compliance Manager at Globalization Partners, it is especially important to stay informed about domestic regulations in each EU country because local authorities define how companies will have to establish the reporting channels.
Below are 17 of the 27 EU member states that either have a law underway or completed to align with the Directive.
The ISO 37002 standard
The ISO 37002 is an international standard that provides guidelines for establishing and implementing an efficient whistleblowing management system that is based on the principles of trust, impartiality, and protection — three factors that determine the success or failure of internal reporting channels.
This standard aligns perfectly with the Directive as an extra form of guidance on how to successfully adhere to the new directive.
The contents of the standard are strongly conditioned by the four steps it sets for handling complaints: receipt, evaluation, management, and conclusion. These steps will influence the content of internal policies (complaint management or investigations) in many organizations.
Due diligence obligations
There is a possibility that the Directive will frame due diligence obligations related to standards, such as the UN Guiding Principles on Business and Human rights. Therefore, companies should keep track of any related developments to provide channels for reporting human rights violations.
Final thoughts
The European Whistleblower Protection Directive will change the way organizations deal with compliance, and with so many factors to keep track of, navigating it can be complex.
The Globalization Partners global ethics hotline is a core compliance feature of our global employment platform. Some countries have passed legislation that requires companies to provide employees with a confidential means of reporting unethical behavior as well as protection from retaliation.
By establishing a global ethics hotline for all your team members on our global employment platform, we are staying far ahead of compliance requirements and ensuring everyone, everywhere has access to this important tool.