The deadline for the implementation of the Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law is approaching. The purpose of the directive is to oblige companies and public sector entities to implement procedures that will ensure that employees can confidentially report breaches of the law.
The entities indicated in the Directive as obliged to introduce procedures include:
The new obligations will include in particular:
The new regulations bring for entrepreneurs the necessity to adjust the already existing procedures to the requirements included in the Directive or to create a comprehensive system within the company for the confidential reception, analysis, and transmission of information concerning infringements of the law. The operation of properly functioning systems may be handled by a trained employee, Data Protection Officer, or an external company.
Entities in the private sector with a minimum of 250 employees and entities in the public sector are required to implement reporting mechanisms by 17 December 2021 at the latest. The deadline for private sector legal entities with fewer than 250 employees has been extended to 17 December 2023.
Entities that fail to implement the procedures resulting from the Directive, and in particular fail to introduce safe reporting channels, will be subject to effective, proportionate, and dissuasive sanctions. The amount of the sanction will be determined by the national legislator.