In recent years, whistleblowers have repeatedly made headlines. Most recently, the Wirecard scandal certainly attracted the most attention and is therefore probably the most prominent example of whistleblowing at the moment. The public discussion in connection with the handling of whistleblowers is getting louder and in 2019 an important legal impulse for the protection of whistleblowers was set with the entry into force of the EU Whistleblower Directive. What is a “whistleblower” and how is it defined more precisely under this new EU Directive?
What is a Whistleblower? [Definition]
Well-known cases of whistleblowers include Julian Assange and Edward Snowden, but what is a whistleblower actually?
First of all, a whistleblower is “only” a natural person who reports information about wrongdoing in companies or public institutions. The person must have obtained this information in connection with his or her work. There is no standard in terms of content – it can be information about grievances of considerable scope, such as criminal offences or general dangers for employees or the entire company. However, it can also be less serious incidents, such as ethics violations or violations of internal policies.
This definition is deliberately based on the EU Whistleblowing Directive, as it stipulates who is to be protected when reporting information via a whistleblowing system. The EU Directive is authoritative for national implementation in all EU member states (in Germany: Whistleblower Protection Act).
Who can be a whistleblower?
The above-mentioned natural persons protected by the EU Whistleblowing Directive include all employees of a company: i.e. not only current full-time or part-time employees, but also trainees, former and future employees.
Accordingly, employees constitute the largest group of potential whistleblowers. Members of the management or other persons in leading positions as well as members of the supervisory board and shareholders are also protected as whistleblowers under the EU Whistleblowing Directive. Outside the company, customers, contractors and suppliers can also be whistleblowers.
In summary, the EU Directive includes all groups of people who are connected to your company and can thus obtain information about wrongdoing.
What is the Whistleblower Directive?
The EU adopted a Whistleblower Directive for the first time in October 2019, which applies to almost all companies in the EU. The Whistleblower Directive had to be transposed into national legislation in the form of a Whistleblower Protection Act by the end of 2021 at the latest. This creates new challenges for companies. Find out in this article whether your company is covered by the directive. Read which requirements an internal reporting system in your company must fulfil and how you can protect yourself from whistleblowers disclosing company secrets to the public with impunity.
In the EU, the protection of whistleblowers has not been uniformly regulated until now. This leads to unequal treatment and legal uncertainty. In order to enable fair competition and a well-functioning internal market within the EU, uniform standards are to be introduced in all EU states with the implementation of the EU Whistleblower Directive.
Which issues are covered by the EU Whistleblower Directive?
For all EU states, any whistleblower who reports violations of EU rules should be protected:
- Public procurement, competition regulations
- Money laundering, corruption, tax evasion, financing of terrorism
- Data protection, security of network and information systems
- Food and feed safety, animal health and welfare
- Product safety, transportation safety
- Environmental protection and nuclear safety
- Public Health and Consumer Protection
The EU states now have to transpose the Whistleblower Directive into national law. However, the EU standard is not to be undermined in the process. States may be stricter and add additional national areas of application. What is the situation in Germany? Compared to other EU states, Germany has so far performed poorly in the legal protection of whistleblowers. In the past, EU directives were always implemented on time, with German thoroughness.
The implementation deadline for the EU Whistleblower Directive is the end of 2021. So far, the German government has not passed a Whistleblower Protection Act. Both draft bills submitted, the last one from April 2022, were rejected. After that, it was clear that the law would not be passed before the federal elections.
How must companies in the EU deal with whistleblowers in the future?
Affected companies should prepare for the implementation of the German Whistleblower Protection Act and meet the standards required by the Directive.
Before you ask yourself how the implementation of the EU Whistleblower Directive looks like in your company, you can find out below whether your company is affected and which requirements are specified by the EU Whistleblower Directive.
Is your company affected?
Affected are:
- all companies with more than 50 employees regardless of whether they work part-time or full-time
- All companies with an annual turnover of more than EUR 10 million, irrespective of the number of employees.
- All companies that fall under the Money Laundering Act, irrespective of the number of employees.
All authorities, state and regional administrations as well as municipalities with more than 10,000 inhabitants are also affected. Companies with up to 249 employees are expected to have an extended implementation period until 2023.
Expectations of companies
The expectations for reporting systems in companies are set out in great detail in the EU Whistleblower Directive. The most important for you in a nutshell:
- Reports must be able to be made in writing and orally.
- Channels must ensure the confidentiality of the identity of the whistleblower.
- Communication with the whistleblower must be possible without the whistleblower revealing his or her identity.
- An external or internal impartial person must be assigned to receive and process reports.
- This person should be independent in his/her function in order to exclude conflicts of interest.
- It must be ensured that unauthorised employees do not have access to the reports.
Companies must process the incoming reports as following:
- The whistleblower must receive an acknowledgement of receipt within one week.
- The whistleblower must be informed within 3 months of any action planned or taken on the report and the reasons for such follow-up.
- If the investigation takes longer, the whistleblower must be informed by when he or she can expect any further feedback.
- All reports must be documented in compliance with the GDPR and must be accessible at all times.
Our tips for installing a whistleblower reporting channel
Appoint at least two contact persons who are perceived by employees as neutral and trustworthy, so that responsibility is regulated transparently in the event of a substitution. In addition, appoint an external contact person. If the internal responsible persons then unexpectedly become unavailable, the functionality of the reporting channel can be preserved.
There are many different reporting channels for whistleblowers. Choose those that automatically monitor compliance with the deadlines for you.
How should a whistleblower be able to proceed?
According to the new EU Whistleblower Directive, a whistleblower should first inform his or her employer of the observed violation of the law through the internal reporting channel. It is important to look closely here. A whistleblower can directly contact the competent authorities and the public if:
- there is no internal reporting channel in the company that reliably protects the identity of the whistleblower and ensures anonymity.
- the whistleblower has not received an adequate response to his or her report within three or six months.
- the whistleblower is not employed by the company as an employee and the internal reporting channels can only be used by employees.
- the observed breach requires urgent action because of imminent danger to health, the environment or safety, or falls within the scope of money laundering and counter-terrorism.
Tips:
- Provide your employees with reporting channels that meet these criteria.
- Communicate to your employees that it is important to you to know when something is going wrong in the company and that you also want to be informed anonymously.
This way you can ensure that the information reaches you first and you can take necessary action.
Which link do the protected whistleblowers have to have with the company?
According to the EU Whistleblower Directive, a whistleblower worthy of protection is anyone who has obtained information about violations of the law in a professional context:
- Employees, even if they have already left
- Members of administrative, management or supervisory bodies
- Contractors and the workers you employ
Protection only exists if a whistleblower could assume that the information was true and fell within the scope of the Directive.
Tip:
With this in mind, you as a business owner should consider opening your reporting channels to suppliers as well. In this way, you ensure holistic protection of persons connected to the company.
- Open your reporting channels, e.g. for suppliers.
- Inform your employees what they should report. The best way is to formulate it clearly and positively.
- Should you also employ non-academic staff, this information should be simply worded for all to understand.
What about groups of people not mentioned in the Whistleblower Directive?
The fear of misuse often reflexively comes into focus. What happens if competitors want to boycott your company? What if other people want to publish information that could harm your company? These groups of people are not covered by the Directive’s protection. And most importantly, there is no statistical evidence that the introduction of a whistleblowing system leads to an increase in false reports or a wave of “whistleblowing” in the company.
What measures may a company take against whistleblowers?
Admittedly, if an employee goes directly to the authorities or to the public, the human disappointment is great. Why didn’t he say anything? Breach of loyalty, abuse of trust, betrayal … If a scandal then threatens, the call for revenge and retribution is great. The EU Whistleblower Directive has prevented this. The catalogue of prohibited reprisals is very comprehensive and reads like a “Who’s Who” of interpersonal instruments of torture. To the point:
Whistleblowers are to be protected from all direct and indirect reprisals! This also includes the protection of third parties who are in close contact with the whistleblower.
Attention:
- Confidentiality agreements or clauses in contracts designed to circumvent this protection are void.
- In doubt, you as a company will be left with the short end of the stick even if you take covert action against the whistleblower and will be sanctioned by additional penalties.
Conclusion - What is a whistleblower?
The EU Whistleblower Directive provides comprehensive protection for whistleblowers. At first glance, this puts companies at a disadvantage and puts them at high risk of disclosing company secrets. At second glance, the EU Whistleblower Directive is a great opportunity for companies. Employees, suppliers and governing bodies are the first to see when something goes wrong in the company. As a rule, it are individuals who harm the company with their actions. As an entrepreneur, you only find out about it if this behaviour can be reported internally without personal risk. As an entrepreneur, you can help to ensure that this happens.
Appoint external or internal persons of trust whom employees can also contact personally if they wish to submit reports confidentially but not anonymously. In addition, set up a whistleblower system that guarantees anonymity to whistleblowers. This should be easily accessible and very simple to use, regardless of education level. Talk positively about whistleblowing and its great importance for the long-term success of your company. Explain internal reporting channels in a way that is understandable and transparent for all employees.
Would you like to learn more about the lean and fast option of a digital whistleblowing system to implement the EU Whistleblowing Directive? Then feel free to contact one of our experts for a personal discussion and an appointment for a software demo.