Companies should take the new EU rules for the protection of whistleblowers seriously. If they do not create internal reporting channels, whistleblowers may turn to external channels instead, which can heavily damage the company's image while the whistleblowers themselves remain legally protected. Where the reported breach concerns data protection, the supervisory authorities may impose fines on top of that.
What is the Whistleblower Directive?
On December 16, 2019, the EU Whistleblower Protection Directive (2019/1937) entered into force with an implementation period of two years. The Directive is widely welcomed, including by Věra Jourová, the Commissioner for Justice, Consumers and Gender Equality, who said:
“Whistleblowers should not be punished for doing the right thing. Our new, EU-wide rules will make sure they can report in a safe way on breaches of EU law in many areas. Whistleblowers can be crucial sources for investigative journalists. Therefore, protecting them also promotes media freedom. I urge Member States to implement the new rules without delay.”
The Directive not only aims at safeguarding the public interest at the European level but also at ensuring that whistleblowers have adequate protection and that employees can raise concerns confidentially and confidently. Organisations and businesses need to be aware of these protections to ensure full compliance. In particular, the Directive entails obligations and responsibilities concerning data protection that must be fulfilled, with sanctions waiting in case of non-compliance.
What does the EU Whistleblower Protection Directive cover?
The Directive extends the scope of whistleblower protection to a wide range of areas in order to ensure comprehensive and coherent safeguards. It sets EU-wide minimum standards, which matters because the level of protection previously varied widely between Member States. The Directive defines the breaches falling within its scope, specifically breaches affecting the financial interests of the EU and breaches relating to the internal market.
Additionally, several other areas are included: public procurement; financial services, especially in the prevention of money laundering and terrorist financing; product safety; transport safety; environmental protection; radiation protection and nuclear safety; food safety, animal health and welfare; public health; consumer protection; and lastly, privacy and personal data protection and network and information systems security. The Directive covers infringements of data protection rules as indicated, and it allows for a more coherent reporting system, thereby putting pressure on businesses to ensure full compliance.
Businesses must also be particularly careful, as the personal scope covers not only current employees but also job applicants, former employees, trainees, shareholders, self-employed persons working for the organisation and, in some circumstances, third persons connected with the whistleblower, such as colleagues or relatives. The Directive protects these groups from dismissal, demotion and other forms of retaliation, such as unjustified termination of employment or measures undermining the whistleblower's credibility. Importantly, the whistleblower can choose whether to report a concern internally within the company or to go directly to an external channel. The burden is therefore on the business to shape its procedures so that whistleblowers are encouraged to report breaches internally, limiting the legal and reputational risks associated with disclosure to public bodies or the press.
In terms of data protection compliance, the consistent message to businesses is that persons who notice or suspect a violation are protected and have nothing to fear; indeed, individuals are actively encouraged to report company infringements. Together with the rising level of fines imposed by supervisory authorities for GDPR violations, this should serve as a further warning to companies to fulfil the obligations imposed on them by data protection law.
What does the EU Whistleblower Protection Directive oblige businesses to do and why is it relevant from a data protection point of view?
The Directive obliges legal entities in the private sector with 50 or more workers to put suitable internal reporting channels in place. Member States had to transpose the Directive by 17 December 2021; for companies with 50 to 249 workers, they may extend the deadline for setting up internal channels to 17 December 2023. Companies must ensure that the identity of the whistleblower is kept confidential and that all personal data of the whistleblower, and of any other persons mentioned in a report, is processed in accordance with the GDPR. Internally, the business must designate an impartial person or department to receive and follow up on reports; this could be, for instance, the head of human resources, a compliance officer or a board member. The business must acknowledge receipt of a report within seven days, provide feedback to the reporting person within a reasonable time not exceeding three months, and make clear and easily accessible information available on the internal reporting procedure as well as on how to report externally to the competent authority. Lastly, the business is obliged to keep records of every report received, securely and for no longer than necessary, so they can be used as evidence where appropriate.
In addition, the Directive sets out the conduct that must be penalised. A business that hinders or attempts to hinder reporting, breaches the duty to keep a whistleblower's identity confidential, or retaliates against a whistleblower is subject to sanctions; the Directive leaves it to the national legislators to determine the type and severity of those sanctions. Although the Directive's main objective is to protect whistleblowers, it also gives businesses the opportunity to identify and manage risks at an early stage, helping to avoid or limit financial or reputational damage. With regard to the GDPR, early internal detection of infringements may spare a company fines from the supervisory authorities or the publication of a data leak in the press, either of which could significantly damage its reputation. We therefore strongly advise businesses to put an effective internal reporting channel in place.
Businesses should keep the whistleblower's freedom of choice at the forefront. If a whistleblower cannot find a suitable internal reporting channel, he or she may contact the authorities or the press directly, with severe consequences for the business. Internal reporting channels should therefore be available around the clock, guarantee the confidentiality the Directive requires and, ideally, allow anonymous reports (which the Directive leaves to national law to decide), be offered in the relevant languages and come with comprehensible explanations, and the persons responsible should communicate all of this internally.
An effective internal reporting channel allows a company to identify gaps in its data protection compliance. Early rectification of such gaps may help to avoid the fines imposed by supervisory authorities for infringements of the GDPR or other data protection rules.