Companies should take the EU rules on the protection of whistleblowers, the EU Whistleblower Directive, seriously. If a company does not set up internal reporting channels, whistleblowers may choose external channels that can heavily damage the company's reputation, while the whistleblowers themselves remain legally protected. Where the reported breach concerns data protection, the supervisory authorities may also impose fines.
What is the Whistleblower Directive?
On 16 December 2019, the EU Whistleblower Protection Directive (Directive (EU) 2019/1937) entered into force, giving Member States two years to transpose it into national law. The Directive was widely welcomed, including by Věra Jourová, then Commissioner for Justice, Consumers and Gender Equality, who said:
“Whistleblowers should not be punished for doing the right thing. Our new, EU-wide rules will make sure they can report in a safe way on breaches of EU law in many areas. Whistleblowers can be crucial sources for investigative journalists. Therefore, protecting them also promotes media freedom. I urge Member States to implement the new rules without delay.”
The Directive aims not only at safeguarding the public interest at the European level, but also at ensuring that whistleblowers enjoy adequate protection and that employees can raise concerns confidentially and with confidence. Organisations and businesses need to be aware of these protections to ensure full compliance. In particular, the Directive entails obligations and responsibilities concerning data protection that must be fulfilled, with sanctions in case of non-compliance.
What does the EU Whistleblower Directive cover?
The Directive extends the scope of whistleblower protection to a wide range of areas in order to provide comprehensive and coherent safeguards. It sets EU-wide minimum standards, which matters because the level of protection previously varied widely between Member States. The Directive defines the breaches that fall within its scope, specifically breaches affecting the financial interests of the EU and breaches relating to the internal market.
Additionally, several other areas are included:
- public procurement;
- financial services, especially in the prevention of money laundering and terrorist financing;
- product safety;
- transport safety;
- environmental protection;
- radiation protection and nuclear safety;
- food safety, animal health and welfare;
- public health;
- consumer protection;
- privacy and personal data protection, and security of network and information systems.
As indicated, the Directive covers infringements of data protection rules, and it provides for a more coherent reporting system, thereby putting pressure on businesses to ensure full compliance.
Businesses must also be particularly careful because the personal scope covers not only current employees who may report concerns, but also job applicants, former employees, trainees, shareholders, contractors and, in some circumstances, third persons connected to the whistleblower, such as colleagues or relatives. The Directive protects these groups against dismissal, demotion and other forms of retaliation, such as unjustified termination of employment or measures aimed at undermining the whistleblower's credibility.
Furthermore, the whistleblower can choose whether to report a concern internally within the company or go directly to an external channel. The burden is therefore on the business to design its procedures in a way that encourages whistleblowers to report breaches internally, limiting the legal and reputational risks that follow from disclosure to public bodies or the press.
In terms of data protection compliance, the consistent message to businesses is that persons who notice or suspect a violation are protected and have nothing to fear, and are in fact encouraged to report company infringements. Together with the growing number of GDPR fines imposed by supervisory authorities, this should be a further warning signal for companies to fulfil the obligations imposed on them by data protection law.
Implementation of the EU Whistleblower Directive into national law
The Directive obliges legal entities in the private sector with 50 or more workers to set up suitable internal reporting channels; entities in the financial services sector must do so regardless of their size, and Member States may extend the obligation to smaller entities.
Different deadlines follow from the Directive and from its transposition into national law by the Member States. Member States were obliged to pass the relevant national legislation by 17 December 2021, which was also the date from which companies with 250 or more employees had to be compliant.
Companies with 50 to 249 employees benefit from a second grace period built into the Directive: they only need to be compliant by 17 December 2023.
Germany (among other Member States) failed to transpose the Directive in time. Germany's Whistleblower Protection Act (Hinweisgeberschutzgesetz) only came into force on 2 July 2023.
Because of this late transposition, companies in Germany with 250 or more employees have been obliged to comply with both the Directive and the Whistleblower Protection Act since 2 July 2023, with no further grace period.
Why is it relevant from a data protection point of view?
Companies must ensure that the identity of the whistleblower is kept confidential and that all personal data of the whistleblower, and of any other persons mentioned in a report, is processed in accordance with the GDPR. Internally, the business must designate an impartial person or department to receive and follow up on reports, for instance the human resources director, a compliance officer or a board member. The business must also acknowledge receipt of a report within seven days, give feedback to the whistleblower within three months, and provide clear information on the internal reporting procedure as well as on the external reporting channel to the competent authority. Lastly, the business is obliged to store reports securely so that they can be used as evidence where appropriate.
In addition, the Directive sets out possible sanctions. A business that obstructs the reporting of concerns, fails to keep the identity of a whistleblower confidential, or takes retaliatory measures against the whistleblower will be penalised. The Directive leaves it to the national legislators to determine the severity of the sanctions.
Although the Directive's main objective is to protect whistleblowers, it also gives businesses the opportunity to identify and manage risks at an early stage, helping to avoid or limit financial or reputational damage. With regard to the GDPR, early internal identification of infringements may protect a company from fines imposed by supervisory authorities or from data leaks reaching the press, which could significantly damage its reputation. We therefore strongly advise businesses to put an effective internal reporting channel in place.
Businesses should take the national laws implementing the Directive into account when deciding how to proceed. Companies in Germany must therefore either comply immediately or, at the very latest, by 17 December 2023, depending on their number of employees.
Companies must also keep the whistleblower's freedom of choice in mind. If a whistleblower cannot find a suitable internal reporting channel (e.g. a whistleblower system), he or she may choose to contact the authorities or the press directly, with severe consequences for the business. Internal reporting channels should therefore be available around the clock, offer anonymity, be available in the relevant languages and come with comprehensible explanations, and the responsible persons should communicate their existence internally.
An effective internal reporting channel allows a company to identify gaps in compliance early. Early rectification of, for instance, data protection shortcomings may help to avoid fines imposed by supervisory authorities for infringements of the GDPR or other data protection rules.