EU Whistleblowing Directive
What companies need to know now
Whistleblowers are vital for maintaining an open and transparent society, as they expose misconduct or hidden threats. To ensure that they are better protected against negative consequences, EU Directive 2019/1937 on the protection of whistleblowers came into force on 16 December 2019. EU member states now have until 2021 to incorporate the directive into their own national laws.
The goals of the EU Whistleblowing Directive are:
• To detect and prevent misconduct and breaches of laws and regulations,
• To improve law enforcement by establishing effective, confidential and secure reporting channels to effectively protect whistleblowers from fear of retaliation,
• To protect and enable whistleblowers by helping them to raise concerns confidently without fear of retaliation, including anonymity where required.
Are you also affected by the EU Whistleblowing Directive?
Companies with 50 or more employees or with annual revenue over 10 million euros, public institutions as well as local authorities of 10,000 inhabitants or more must provide secure internal reporting channels. Reports can be submitted in writing via an online system, by post and/or orally by telephone or voice messaging system. The following aspects must be taken into account:
Provide anonymity and information security
For all reporting channels, the identity of the whistleblower must be protected. All data must be handled in accordance with the GDPR.
Who should handle the report on breaches?
This could be the head of the compliance or human resources department, a compliance officer, a lawyer, a data protection officer, internal audit or a member of the board.
Internal or public reporting channels
If internal reporting channels are not implemented, it should be clear that, according to the EU Whistleblower Directive, whistleblowers will only be able to report to the public authorities or the media, with incalculable risks for the organisations.
What happens after a report?
Since all reports need to be documented and follow-up measures must be taken, each report needs to be easily accessible to compliance officers for the management of the next steps.
Implementation timing for the BKMS® Compliance System
The implementation timing depends on the size and complexity of the organisational structure. In general, this takes between a few weeks and a couple of months.
What is the status quo on the implementation in Europe?
The Directive still has to be implemented into the national law of the member states in December 2021, while national developments in the transposition of the EU Directive are quite different. Some countries have started public consultations; other governments have brought forward first drafts of their whistleblowing laws, which still have to be discussed.