Danish whistleblower protection law "Lov nr. 1436"

Lov om beskyttelse af whistleblowere (the Act on the Protection of Whistleblowers) is Denmark's whistleblower law. Denmark passed it on 24 June 2021 and became the first EU country to turn the EU Whistleblowing Directive into national law. The act took effect on 17 December 2021. It also goes further than the directive. It covers serious breaches of Danish law, not just EU law. Below we explain who must act, what you set up, the deadlines you have to meet, and the fines you risk.

Denmark moved first, and went further than Brussels asked

The EU gave member states until 17 December 2021 to bring in the directive. Denmark beat that deadline by almost six months. Its parliament, the Folketinget, adopted the act on 24 June 2021, ahead of every other country in the union.

The Danish law is broader than the directive. Brussels only required protection for people who report breaches of EU law. Denmark added a second track. Under the act you can also report serious offences and other serious matters under Danish law, such as fraud, bribery, sexual harassment, or grave breaches of workplace duties.

"The Act applies to the following: 1) Reports concerning breaches of EU law that fall within the scope of the directive on the protection of persons who report breaches of EU law. 2) Reports that otherwise concern serious offences or other serious matters."
Section 1(1) of Lov om beskyttelse af whistleblowere

Some matters stay outside the law. It does not cover classified information, the professional secrecy of lawyers and doctors, a court's private deliberations, or cases inside criminal procedure. Sector rules with their own reporting regimes keep running alongside the act.

Who does the law protect?

A whistleblower under the act is anyone who reports a breach they learned about through their work. We go into the full picture in our piece on who is a whistleblower. The act lists the people it covers:

• employees in the private and public sector;
• the self-employed;
• shareholders and members of the management or supervisory board;
• volunteers, and paid or unpaid trainees;
• people who work under contractors, subcontractors, and suppliers;
• former workers, even after the job has ended;
• job applicants who learned the information during the hiring process.

Protection reaches further than the whistleblower alone. It also covers facilitators who help with the report. Third parties tied to the whistleblower are covered too, such as colleagues or relatives who could face payback, along with companies the whistleblower owns or works for. One condition runs through it all. The whistleblower must have had fair reason to believe the information was true and fell within the act when they spoke up. Meet that test, and the act says you have not broken any duty of secrecy and carry no blame for the report.

Which employers must set up an internal whistleblower scheme?

The duty turns on headcount. Every employer with 50 or more employees has to run an internal whistleblower scheme where staff can report the matters the act covers.

"Employers with 50 or more employees shall establish an internal whistleblower scheme through which employees can report information covered by section 1(1)."
Section 9(1) of Lov om beskyttelse af whistleblowere

The start dates came in two waves. The public sector and private firms with 250 or more staff had to be ready by 17 December 2021, the day the act took effect. Smaller private firms, those with 50 to 249 staff, got two more years and had until 17 December 2023. The Minister of Justice can also extend the duty to employers under 50 staff after a risk assessment.

Smaller bodies do not have to act alone. Private firms with 50 to 249 staff may share resources to receive and look into reports. Groups of companies may run a joint scheme. Two or more municipalities may handle the work together or hand it to one of them.

How do you set up the internal reporting channel?

The act asks you to name an impartial person or department to run the scheme. That unit receives reports, follows up, and gives feedback to the whistleblower. You can hand the role to an outside third party, as long as they meet the same rules. The channel has to take reports in writing, by voice, or both, and on request let the whistleblower report at a physical meeting.

Two deadlines sit at the heart of the scheme. You confirm receipt of a report within 7 days. You give the whistleblower feedback as soon as you can, and no later than 3 months from that confirmation. The scheme has to keep the identity of the whistleblower and anyone named in the report confidential, block unauthorised access, tell staff in plain terms how to report, and keep written records of how it is run.

WeMoral is a compliant whistleblowing software built to satisfy Lov nr. 1436. It encrypts each report, keeps the whistleblower's identity away from anyone outside the impartial unit, and logs the 7-day acknowledgement and the 3-month feedback the act demands. You run it from day one with no code to write, and it ships with a guide to set up the reporting channel.

"An employer shall put in place appropriate procedures for the whistleblower scheme which ensure: 1) that the whistleblower receives an acknowledgement of receipt of the report within 7 days; 2) that reports are diligently followed up; 3) that the whistleblower receives feedback as soon as possible and no later than 3 months from the acknowledgement of receipt."
Section 12(2) of Lov om beskyttelse af whistleblowere

Reporting to the Data Protection Agency

Denmark did not build a new watchdog for whistleblowers. It handed the external channel to the Danish Data Protection Agency (Datatilsynet). The agency set up its own independent scheme to receive and handle reports. Two narrow areas have separate channels. The Ministry of Justice runs one for the security service (PET). The Ministry of Defence runs one for the defence intelligence service (FE).

The external channel works to the same shape as the internal one. It confirms a report within 7 days and gives feedback within 3 months, stretched to 6 months in well-founded cases. It can close a case that is clearly minor or that adds nothing to an earlier report. Bodies that run an external scheme publish information about their work at least once a year.

What protection is there against retaliation?

The core of the act is the ban on reprisals. A whistleblower who reports by the book may not face retaliation, nor a threat or an attempt at it, for having spoken up. If a dismissal breaks that ban, the act says it must be set aside and the job restored where the worker wants it. A whistleblower who suffers reprisals has a right to compensation.

The act also shifts the burden of proof onto the employer. The whistleblower does not have to prove that the harm was payback for the report.

"Where a whistleblower proves that they have made a report or disclosure under this Act and have suffered a detriment, it shall be for the other party to prove that the detriment did not constitute retaliation for the report."
Section 29(1) of Lov om beskyttelse af whistleblowere

Penalties for breaking the rules

Denmark backs the act with fines. There is no prison term in the law itself, and no reward or bounty for the whistleblower. Who pays, and for what, breaks down like this:

The confidentiality fine matters most in daily practice. Leaking who the whistleblower is, on purpose or through gross carelessness, is a criminal offence under the act. The law does not reach the Faroe Islands and Greenland, though it can be brought into force there by royal decree.

Denmark wrote its rules early, so its agencies and courts have had longer than most to put them to work. Several EU countries leaned on the Danish text when they drafted their own laws. Still, the words on paper are only the start. What counts is whether each report reaches the right person, stays confidential, and gets an answer before the deadline runs, month after month. To see how Denmark sits next to the rest of Europe, read our list of whistleblowing laws by country.