Czech whistleblower protection law "Zákon č. 171/2023 Sb."

Zákon č. 171/2023 Sb., the Act on the Protection of Whistleblowers, is the Czech Republic's first standalone whistleblower law. It took effect on 1 August 2023. The act puts EU Directive 2019/1937 into Czech law. It spells out how reports are made, who must receive them, and how a person who reports is kept safe from payback. The Ministry of Justice oversees the system. It also runs a national reporting channel of its own. Below we cover who the law binds, what you must set up, and the fines.

What does the Czech whistleblower law cover, and who counts as a whistleblower?

The law sets a wide material scope. A report can flag a criminal offence. It can flag an administrative offence (a přestupek) that carries a fine ceiling of at least 100,000 CZK. It can flag a breach of the act itself. And it can flag a breach of EU law in 14 listed fields. Those fields run from finance and money laundering to product, transport, and food safety. They also take in the environment, consumer rights, data protection, and public procurement. On tax, the law reaches only corporate income tax. It does not reach tax rules in general.

"A report contains information about possible unlawful conduct that bears the marks of an administrative offence for which the law sets a fine with an upper limit of at least CZK 100,000."
Section 2(1)(b) of Act No. 171/2023 Coll.

A whistleblower (an oznamovatel) is anyone who learns of such conduct through work or a similar activity. The act reads that phrase widely. It reaches ordinary employees and civil servants, the self-employed, company officers, and shareholders. Volunteers, trainees, and people on work placements are in scope, and so are contractors and suppliers. The cover even reaches someone who only applied for a job. So protection can start before the first day of work.

Some matters sit outside the law. It does not touch classified information, the core security interests of the state, or the work of the intelligence services. Legal privilege is also out, which shields attorneys, notaries, prosecutors, judges, and court bailiffs. The same goes for medical confidentiality and the secrecy of confession.

Who must set up an internal reporting system?

The duty falls on an obliged entity. In the private sector, that means any employer with an average of 50 or more employees. The count is taken as of 1 January each year. Public contracting authorities are bound too. But small towns under 10,000 residents are left out. Some financial-sector bodies must comply whatever their size. That group includes banks, insurers, investment firms, pension institutions, and crypto-asset providers. These bodies handle money or sensitive markets, so the duty holds however few people they employ.

"An employer that, as of 1 January of the relevant calendar year, employs at least 50 employees [is an obliged entity]."
Section 8(1)(b) of Act No. 171/2023 Coll.

The duty arrived in two waves. Public bodies and larger employers had to be ready by 1 August 2023. Firms with 50 to 249 staff got more time. Their deadline was 15 December 2023. The law also lets smaller bodies team up. An obliged entity with up to 249 workers may share one system. It may also plug into a system another entity already runs. Towns that are obliged entities may share among themselves.

How do you set up the internal reporting channel?

First, name a competent person (a příslušná osoba) to receive and assess reports. The law is strict about who qualifies. The competent person must be an adult. They must be fully legally capable. And they must be of clean record, proven by a recent extract from the Criminal Records register. They alone may read incoming reports. They must keep those reports secret, even after they leave the role. And they cannot be punished for doing the job by the book.

Then publish how to report. An obliged entity must list the ways to reach the channel. It must name the competent person and give their contact details. Staff must be able to report in writing and by voice. They can also ask to report in person. If a report is spoken, the law lets it be recorded only with the reporter's consent. The reporter may then check the written note and add their own comments.

The clock then starts. The competent person must confirm receipt within 7 days. They must give the reporter the outcome within 30 days. Hard cases can stretch that by another 30 days, twice at most. Every report and its papers must be kept for 5 years. They sit in an electronic register that only the competent person can open.

The duty does not stop at logging a report. If the competent person finds a report well-founded, they propose a fix to the employer. The fix should put right the wrong, or stop it from happening again. The employer must then act. If it rejects the proposed fix, it has to take another suitable step instead. Either way, the reporter is told what was done. If a report turns out to be groundless, the competent person says so in writing. They also point the reporter to the option of going to a public authority.

WeMoral gives your competent person one place to receive, read, and assess reports, and only the person you name may open them. That fits the Czech rules closely. The law sets a real bar for who may hold that role, and the report file is theirs alone. WeMoral keeps it that way, and it holds the five-year register the act requires. It keeps you compliant with Zákon č. 171/2023 Sb. It works whether you appoint your own competent person or bring in WeMoral as the outside provider the law permits. As access-controlled whistleblowing software, it sets up without code, so staff trust the internal route instead of going straight to the Ministry of Justice. Our guide covers how to put the internal channel in place.

Can you report anonymously, or go to the Ministry of Justice?

Anonymity is not guaranteed. A report should carry the reporter's name, surname, and date of birth. It can also carry other data that identifies them. The law presumes that data is true. An employer may also decide not to accept reports from people who do not work for it. So whether you can report anonymously depends on the organisation.

Anonymity does not end protection, though. An anonymous reporter may be identified later. From that moment, the law's shield covers them. There is also a second route that never leans on your employer. Anyone can report straight to the Ministry of Justice. They can do so instead of the internal channel, or after it. Designated officials there take and assess reports. They work to the same 7-day and 30-day deadlines. And they pass suspected crimes to the proper authority. The Ministry does more than take reports. It also gives free advice and guidance on whistleblower protection. And it publishes a yearly report on its work. Going public, say to the press, is protected only in narrow cases.

"Protection under this Act belongs to a whistleblower who submitted the report through the internal reporting system, submitted it to the Ministry, or made it public [under the conditions the Act sets]."
Section 7(1) of Act No. 171/2023 Coll.

How are whistleblowers protected from retaliation?

Retaliation is banned outright. The act lists 13 forms of it. They run from dismissal and ending a fixed-term contract early to demotion, a pay cut, and a forced transfer. A worse work reference, blocked training, and harm to a person's good name are on the list too. Threats and attempts count as well.

"A retaliatory measure means an act, or its omission, connected with the whistleblower's work or similar activity, that was prompted by the making of a report and that may cause the whistleblower harm."
Section 4(1) of Act No. 171/2023 Coll.

The shield reaches well beyond the reporter. It also covers colleagues, relatives, and other close persons. It extends to people the reporter controls, companies they hold a stake in, and trusts they set up. The employer must make sure none of them face payback.

Anyone hit by retaliation has a right to adequate satisfaction. That means damages for the non-financial harm done. A worker cannot sign this protection away. Any such waiver is simply ignored. Identity is guarded throughout. It may be shared only with the reporter's written consent, or with a public authority. Even then, the reporter must be told first.

What are the penalties?

Fines run in Czech crowns. They can land on the organisation, on individuals who retaliate or leak who reported, and even on a person who files a knowingly false report. The Ministry of Justice handles most cases. The Labour Inspectorate takes employer breaches in its own field.

The 15 December 2023 deadline has passed. So every Czech employer with 50 or more staff should already run a working channel under a named competent person. Two things set the Czech approach apart. First, a knowingly false report is itself a finable offence, up to 50,000 CZK. The law asks reporters to act in good faith as firmly as it asks employers to listen. Second, the Ministry of Justice keeps its own channel open. That gives a worker who distrusts the internal route a real state backstop. To see how the Czech rules sit beside the rest of the bloc, our list of whistleblowing laws by country lays them side by side. If your channel is not live yet, start with the competent person. Then publish how staff can reach them.