Finnish whistleblower protection law "ilmoittajansuojelulaki"
Finland's whistleblower law is the Act on the Protection of Persons who Report Breaches of EU and National Law. In Finnish it is the ilmoittajansuojelulaki (1171/2022). It took effect on 1 January 2023. It turns the EU Whistleblowing Directive into Finnish law. Below we cover who must act, the channel you build, the deadlines you meet, and the penalties you risk.
Key Takeaways
- Finland's whistleblower law took effect on 1 January 2023, about a year after the EU deadline.
- It covers employers with 50 or more staff and the whole public sector.
- Private firms with 50 to 249 staff had until 17 December 2023 to comply.
- You confirm each report within 7 days and give feedback within 3 months.
- One central channel at the Office of the Chancellor of Justice serves the whole country.
Why did Finland pass its law so late?
Finland missed the EU deadline by a wide margin. The directive gave member states until 17 December 2021 to act. Finland's parliament passed the law on 20 December 2022. It took effect on 1 January 2023. So Finnish workers and employers waited a full year longer than Brussels meant them to.
The act puts the EU Whistleblowing Directive into national law. It also reaches past EU matters. It covers breaches in named fields. These include public procurement, financial services, money laundering, and product and transport safety. The fields also include the environment, food safety, public health, consumer rights, and data privacy. The law reaches the misuse of EU funds, state aid, competition rules, and corporate tax dodges too.
Which employers must set up an internal reporting channel?
The duty turns on headcount. Any employer with 50 or more staff must run an internal reporting channel. Staff use it to report the breaches the act covers. The rule sweeps in state bodies, wellbeing services counties, towns, parishes, most firms, and foundations.
"Organisations in which the number of persons in an employment or public-service relationship is regularly at least 50 must set up an internal reporting channel for reporting breaches and for the measures taken on the basis of a report."
Section 10(1) of the Act on the Protection of Reporting Persons (1171/2022)
The start dates came in two waves. Public bodies and large firms had three months from the day the law began. So they had to be ready by spring 2023. Smaller private firms, those with 50 to 249 staff, got until 17 December 2023. One group must act whatever its size. A supplementary pension fund needs a channel even with only a few staff.
Smaller bodies do not have to work alone. Private firms with up to 249 staff may share the people and tools that handle reports. Groups of firms may run one joint channel. Towns, parishes, and linked state bodies may team up the same way.
How does the internal channel work?
The employer names an impartial person or unit to handle reports. Only those named people may read them. The channel must take reports in writing or by voice. On request, it must let the whistleblower report at a meeting in person. Two deadlines anchor the work. You confirm receipt within 7 days. You tell the whistleblower what you did within 3 months.
"The organisation that has set up the channel must send the reporting person an acknowledgement of receipt within seven days of receiving the report."
Section 15(2) of the Act on the Protection of Reporting Persons (1171/2022)
Anonymous reports are a choice, not a duty. An employer may decide to take them. The act does not force it to. You may also hand the whole channel to an outside provider. You still stay on the hook for the law's duties.
WeMoral is compliant whistleblowing software aligned with the ilmoittajansuojelulaki. The act lets you outsource the channel to an outside provider. WeMoral fills that role from the first day. It encrypts every report and hides the whistleblower's name from anyone other than the named handler. The tool also logs the 7-day acknowledgement and the 3-month feedback the law sets. You run it with no code to write, using its guide to set up the reporting channel.
Report internally first, then to the Chancellor of Justice
Finland puts internal reporting first. To keep your protection, you normally report inside your own employer before you go outside. You may skip straight to the authorities only in set cases. These are when there is no internal channel, when no action was taken on your report, or when you have a real fear of payback.
"As a condition of protection, a report of a breach observed in the activities of an organisation must be made primarily to that organisation's internal reporting channel, unless reporting directly to a competent authority is separately provided for."
Section 7 of the Act on the Protection of Reporting Persons (1171/2022)
Finland did not scatter the outside route across dozens of regulators. It built one central channel. The Office of the Chancellor of Justice (Oikeuskanslerinvirasto) runs it. That office does not investigate the reports itself. It passes each one to the authority that watches the field. The central channel does not take anonymous reports.
The outside route runs to set deadlines too. The central office confirms a report within 7 days. The right authority then gives feedback within 3 months. That can stretch to 6 months in hard cases. The authority can close a case that is clearly minor, or one that just repeats an earlier report with nothing new.
Who does the law protect?
The act protects anyone who learns of a breach through their work. That reaches far past regular staff. You can read more in our piece on who counts as a whistleblower. The law lists the people it covers:
- employees and civil servants;
- the self-employed;
- shareholders;
- board members and chief executives;
- volunteers and trainees;
- people still in job talks, and those whose job has already ended.
Protection also reaches the people around the whistleblower. It covers facilitators who help with the report. It reaches third parties tied to the whistleblower who could face payback, such as colleagues or relatives. Firms the whistleblower owns or works for are covered too. One test runs through all of it. The whistleblower must have had fair reason to believe the information was true and that it fell within the act.
What protects a whistleblower from retaliation?
The heart of the act is the ban on reprisals. An employer may not punish a worker for a report made by the book. A sacking, a demotion, worse terms, a layoff, or any other harm tied to the report is off limits. The ban also shields the wider circle the law protects.
The act backs the ban with two more tools. A whistleblower who reports by the law breaks no duty of secrecy. They carry no blame for the report. The act also shifts the burden of proof. If the worker shows harm after a report, the employer must prove it was not payback. Any contract that strips these rights away is void.
"Where, in a matter concerning a breach of the prohibition of retaliation, it can be presumed on the basis of the evidence presented that retaliation has taken place, the other party must, to rebut the presumption, show that the prohibition was not broken."
Section 25 of the Act on the Protection of Reporting Persons (1171/2022)
What are the penalties, and the gap Finland left?
Finland's penalties are light. They point more at the whistleblower than at the employer. The act sets no administrative fine for a firm that never opens a channel. The sanctions it does carry break down like this:
| Violation | Who is liable | Sanction |
|---|---|---|
| Knowingly reporting or publishing false information | The whistleblower | Criminal fine, prosecuted only on the injured party's complaint |
| Breach of the duty of confidentiality | The person handling the report | Punished under the Criminal Code |
| Retaliation against a reporter | The employer or organisation | Damages plus compensation to the whistleblower |
| Failing to set up an internal channel | The employer | No administrative fine in the act |
"A reporting person referred to in section 5 who, in a report under section 2, intentionally reports or discloses false information shall, unless the act is minor or a more severe penalty is laid down elsewhere, be sentenced for a violation of the Act on the Protection of Reporting Persons to a fine."
Section 36(1) of the Act on the Protection of Reporting Persons (1171/2022)
A whistleblower who suffers payback is not left empty-handed. The act gives a right to damages for the money lost. It gives a separate right to compensation that fits the harm. But the missing employer fine is a real hole. Many other laws threaten a firm that ignores the channel duty. Finland chose not to.
Data and confidentiality
The law guards the whistleblower's name and caps how long the data lives. Only the named handlers may process the data in a report. The employer must delete the reports five years after they arrive. It may keep them longer only for a legal right or duty. Data with no clear link to a report goes sooner.
Confidentiality is a strict legal duty. Anyone who learns the whistleblower's name while handling a report must keep it secret. Leaking it is a crime under the Criminal Code. The same duty binds the Chancellor of Justice's office and the authorities that get a report.
Finland reached the directive late and built a system with a soft edge. It fines a whistleblower who lies, yet leaves no fine for an employer who never opens a channel. So the law leans on the worker's nerve and the named handler's care, more than on the threat of a penalty. Whether that holds depends on each report reaching the right person and staying secret, month after month. To see how Finland sits next to the rest of Europe, read our list of whistleblowing laws by country.
Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.