Under the 2019 EU Whistleblower Directive, legal entities are required to establish internal reporting channels and internal procedures for receiving and following up on reports of breaches. Here are some of the main takeaways for practitioners.
The general thresholds to keep in mind are 50 workers and 10,000 inhabitants. In the private sector the requirement applies to legal entities with at least 50 workers. In some sectors this threshold does not apply at all: entities subject to the Union acts listed in the Directive's Annex on financial services, products and markets and on anti-money-laundering and terrorist financing are covered regardless of their size.
In the public sector the requirement applies to all legal entities. However, one needs to refer to national law, as Member States are allowed to make exemptions from this general rule. They may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, as well as other public sector entities with fewer than 50 workers.
The internal reporting channel is required to be made available to the entity's workers. The Directive itself does not require the internal channel to be made available to other persons (e.g. suppliers, subcontractors, shareholders, volunteers) for reporting information on breaches, although Member States may extend it to them in national law. In any case, such persons are not prevented from submitting their reports through external reporting channels, as the use of these is not conditioned upon prior use of internal reporting channels.
There is no requirement to accept and follow up on anonymous reports of breaches.
The Member States are free to decide whether to impose such a requirement or not. However, a decision to accept and follow up only on reports in which the reporting person discloses his or her identity may prove challenging. The means available to the recipient for verifying a reporting person's identity are limited, and such a strategy is not in line with best practice. Rejecting a report, regardless of its contents, only because it was made anonymously makes little sense, especially since remaining anonymous may in fact be the best protection for the reporting person against retaliation.
The identity of the reporting person may be disclosed only with the explicit consent of this person, or when such disclosure is necessary and proportionate under Union or national law.
The reporting channel is required to ensure the confidentiality of the identity of the reporting person and of any third party mentioned in the report, and to prevent access thereto by non-authorised staff members. The identity of the reporting person may not be disclosed to anyone beyond the authorised staff without the explicit consent of that person, or where such disclosure is a necessary and proportionate obligation under Union or national law in the context of investigations or judicial proceedings. In the latter case the reporting person needs to be informed before the disclosure is made, unless doing so would jeopardise the related investigations or judicial proceedings. The same duty of confidentiality applies to any other information from which the identity of the reporting person may be directly or indirectly deduced.
The reporting channel is required to allow reporting in writing or orally or both. Every received report must be recorded.
For the purpose of oral reporting the reporting person may also request a physical meeting with the responsible staff members, to be held within a reasonable timeframe. Subject to the consent of the reporting person, the meeting may be documented either by making a recording of the conversation in a durable and retrievable form or through accurate minutes of the meeting prepared by the staff members responsible for handling the report. The reporting person must be offered the opportunity to check, rectify and agree the minutes (or the transcript of a recording) by signing them. Similar provisions apply to other oral reports made through telephone lines or other voice messaging systems. Records of reports may be kept no longer than is necessary and proportionate to comply with the requirements of the Directive or with other Union or national law.
Legal entities need to establish procedures for internal reporting and their diligent follow-up. The information must be clear and easily accessible.
The procedures hence need to regulate the reporting itself, as well as any action that will be taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure. The information regarding the use of internal reporting channels and regarding the procedures for reporting externally to competent authorities is required to be clear and easily accessible.
The reports can be handled internally or by a third-party provider.
A person or a department is required to be designated for operating internal reporting channels. The latter includes receiving the reports and maintaining communication with the reporting person, as well as asking for further information from and providing feedback to that reporting person.
This task may be outsourced to third-party providers such as external counsel, external reporting-platform providers, law firms, auditors, employees' representatives and the like. Effective guarantees and safeguards in respect of independence, confidentiality, data protection and secrecy should be in place at the third-party service providers as well.
The follow-up on the report must be conducted by a designated impartial person or department competent for that task. This person or department may be the same as the one operating the reporting channel. Who this person or department is depends on the size and structure of each individual organisation. In any case, the function chosen should be one that ensures independence and absence of conflicts of interest. Typical choices, particularly in smaller entities, are a chief compliance or HR officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board. Private legal entities with 50 to 249 workers are allowed to share resources for receiving reports and for conducting any subsequent investigations.
The reporting person needs to be informed of the receipt of the report within 7 days and given feedback within 3 months.
The receipt of the report needs to be acknowledged to the reporting person within seven days of receiving the report. For internal channels there is no exemption from this obligation, whereas a competent authority handling an external report may omit the acknowledgment where the reporting person explicitly requested so or where it reasonably believes that acknowledging receipt would jeopardise the protection of the reporting person's identity.
The internal procedures need to define a reasonable timeframe for providing feedback, which may not exceed three months from the acknowledgment of receipt or the expiry of the above mentioned seven-day period.
The feedback is required to inform the reporting person of the action envisaged or taken as follow-up and of the grounds for such follow-up. If no appropriate action is taken within this period, the reporting person may turn to the competent authority through external reporting and, if no appropriate action follows there either within the authority's own timeframe, publicly disclose the breach while still qualifying for protection against retaliation under the Directive. Of course, the appropriateness of the follow-up is a legal standard and its assessment will depend on the circumstances of each case and on the nature of the rules that have been breached.
There is no defined time limit within which follow-up actions must be completed. However, the longer they take, the more likely it is that the actions, if any, will be considered inappropriate, thereby motivating the reporting person to use external reporting channels or even to make a public disclosure of the breach. In contrast to external reporting, there is no explicit obligation to communicate to the reporting person the final outcome of investigations triggered by the report.