The new EU Whistleblower Directive: A practical guide for companies
Are you a company owner or managing director who wants to know which requirements deserve special attention when implementing the new EU Directive on Whistleblower Protection, and which reporting channels are actually possible for you? Then this practical guide will provide you with orientation and security – especially if you are running a company with more than 50 employees.
Background to the EU Whistleblower Directive
The EU Whistleblower Directive protects natural persons who report or publish violations of applicable law and are therefore often referred to as whistleblowers. In the future, employees of a company should have the possibility to report such violations to their own company anonymously. Therefore, since the end of 2021 the Directive requires companies to set up reporting channels for whistleblowers and to establish procedures for the processing of reports and the management of follow-up procedures.
Many companies, especially in the SME sector, are now faced with the challenge of introducing appropriate whistleblowing systems and procedures. The EU Whistleblower Directive imposes a number of requirements on a corresponding whistleblowing solution.
Overview: What requirements do you need to consider when implementing the EU Whistleblower Protection Directive?
Legal entities covered by the EU Whistleblower Directive (companies with more than 50 employees) are obliged to set up internal reporting channels.
The reporting channels of your company must fulfil the following requirements:
- It must be possible to report an incident in writing or verbally. At the whistleblower’s request, a personal exchange should be possible.
- All persons who are in contact with your company in the course of their professional activities, i.e. your own employees as well as your external business partners and their employees, can report.
- The potential whistleblowers must be given clear and easily accessible information about the reporting possibilities and further procedures. For example, this can be done on your company website.
- The processing of the reports in the reporting channels set up for this purpose must maintain the confidentiality of the whistleblower and must not allow unauthorised third parties to access the reports.
- All legal conditions of data protection or the GDPR must be respected at all stages. This applies to the personal data of all parties involved, i.e. the whistleblower, the persons affected by the whistleblowing and also any observers.
- If there is a works council, a consultation on the establishment of the whistleblower system must take place.
- The reporting channels can be operated internally. They can also be provided by a third party.
How must the company react after a report has been made?
You as the entrepreneur determine the procedure for processing the reports and taking follow-up action. In the process, you must consider the following aspects:
- First of all, you must select and appoint impartial persons to handle any reports and communicate with the whistleblower. Suitable persons are, for instance, the Head of Compliance, Head of Human Resources, Head of Finance or Head of Audit. The head of the legal department or the data protection officer may also be considered. The tasks can also be handed over to an external expert, e.g. a lawyer.
- This person must receive all incoming reports. No reports may be actively delayed or ignored by the company.
- The whistleblower must receive a confirmation of receipt within seven days.
- Follow-up action must be taken, in particular checking the validity of the report and arranging for investigations to be initiated.
- The whistleblower shall be informed of the follow-up measures taken after three months at the latest.
- All incoming reports and the measures taken shall be documented in such a way that they can be used as evidence at a later date.
Possible reporting channels for whistleblowers: What are the options? What are the respective advantages and disadvantages?
There are different options for setting up reporting channels for your company. The advantages and disadvantages can be summarised as follows:
Option 1: A letterbox or by post
In principle, a letterbox or postbox is very easy to implement for your company. However, it must be ensured that the document actually ends up with the person processing the information. Furthermore, a dialogue through correspondence is not possible, or only possible to a very limited extent. Anonymity is also only possible to a limited extent, as the person reporting the incident must also receive the confirmation of receipt and the information on follow-up measures.
Option 2: An e-mail box
An e-mail box is also easy to implement, but confidentiality and data protection must be closely scrutinised. Special caution must be taken with email providers from the USA or generally with providers who process data outside the EU legal area. It also needs to be ensured that only the impartial person processing the message has access to the email box (e.g. administrators of the email server must not have access to it, even with admin rights).
Option 3: A telephone hotline
The biggest disadvantage of a hotline is the whistleblower's inhibition threshold for direct contact on the phone. This is statistically proven. You can facilitate access to the hotline by having an external ombudsperson receive the telephone reports.
Option 4: Via chat or talk bot
A modern possibility is to introduce a system for written messages (chat bot) or spoken messages (talk bot). The latter in particular makes it possible to submit the report in voice form. The system converts the voice message into text. However, such solutions are not easy to implement technically and very often require the support of external service providers.
Option 5: External ombudsperson
The ombudsperson is available for whistleblowers to make reports by telephone or email or for personal exchanges. Experience has shown that whistleblowers use the ombudsperson more than a defined internal contact person, especially if the ombudsperson is a lawyer who is bound to secrecy.
Option 6: Online platform
The premium class of reporting channels are online platforms provided especially for this purpose. With these, confidentiality, data protection and data security can be excellently guaranteed through state-of-the-art technology. A secure dialogue is possible at any time from any device with internet access via an integrated chat function and the possible upload of documents. You can embed such solutions as a link directly on your company website. For these and many other reasons, companies are increasingly turning to digital whistleblowing solutions.
When choosing a whistleblowing system, there is no “one-size-fits-all”. Find out which whistleblowing solution is right for your company and what to look for when choosing your whistleblowing software.
Operating the whistleblower system: How is confidentiality ensured?
The processing of reports should be carried out by independent persons who themselves are not exposed to any conflict of interest. This is particularly difficult to achieve in medium-sized companies that do not have an independent compliance department. If, for example, the human resources department or the finance department is heavily involved in operational processes and closely linked to the company management, the necessary distance and neutrality are often lacking.
In such situations, outsourcing is an obvious solution: On the one hand, external experts with the appropriate experience ensure confidential communication with the whistleblower. On the other hand, such a model has the advantage that a professional operator of whistleblower solutions, who regularly handles whistleblowers and critical reports, has more routine than an individual company that only receives a few reports per year.
Next steps for the implementation of whistleblower protection
The EU Whistleblower Directive obliges you as an entrepreneur to introduce reporting channels for whistleblowers and to take specific measures to follow up on incoming reports.
Digital solutions have proven to be suitable whistleblowing systems in practice. The professional, confidential and efficient processing of whistleblowing should be transferred to external service providers, especially in the case of medium-sized companies.
Did this article give you insight into and transparency about the next necessary steps? Would you like to learn more about the lean and fast option of a digital whistleblower solution for the implementation of the Whistleblower Directive? Then feel free to contact one of our experts for a personal conversation.