What is the EU Whistleblower Directive?

The deadline for the implementation of the Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law is approaching. The purpose of the directive is to oblige companies and public sector entities to implement procedures that will ensure that employees can confidentially report breaches of the law.

The personal scope of application

The entities indicated in the Directive as obliged to introduce procedures include:

1. Enterprises employing at least 50 employees, regardless of the nature of their activity,
2. Small and micro-enterprises, which, inter alia, take part in public procurement tenders, use EU funds, are exposed to money laundering, or belong to regulated entities in the financial services sector,
3. Legal entities in the public sector.

Practical consequences of implementing the Directive

The new obligations will include in particular:

1. Developing a safe and confidential internal and external whistleblower reporting procedure (the so-called reporting channels),
2. Ensuring anonymity and protection of whistleblowers against retaliation,
3. Conducting monitoring and records of received notifications,
4. Taking follow-up actions to stop the breaches of the law and prevent future incidents.

The new regulations bring for entrepreneurs the necessity to adjust the already existing procedures to the requirements included in the Directive or to create a comprehensive system within the company for the confidential reception, analysis, and transmission of information concerning infringements of the law. The operation of properly functioning systems may be handled by a trained employee, Data Protection Officer, or an external company.

Deadline for implementing the new requirements

Entities in the private sector with a minimum of 250 employees and entities in the public sector are required to implement reporting mechanisms by 17 December 2021 at the latest. The deadline for private sector legal entities with fewer than 250 employees has been extended to 17 December 2023.

Possible sanctions

Entities that fail to implement the procedures resulting from the Directive, and in particular fail to introduce safe reporting channels, will be subject to effective, proportionate, and dissuasive sanctions. The amount of the sanction will be determined by the national legislator.