December 20, 2022
The Ultimate Guide to Complying with the EU Whistleblowing Directive
Before European Parliament and the European Council adopted the EU Whistleblower Directive, whistleblower protection legislation in the EU – and beyond – was fragmented and inconsistent. The Directive marks an enormous step forward for whistleblower protection standards, and its impact will be felt globally. That means that your whistleblower hotline, retaliation policies, and compliance program at large may require a revamp – whether your company has employees in the EU or not.
Want to read up on the Directive later? Download our Ultimate Guide to the EU Whistleblower Directive
What is the EU Whistleblower Directive?
On September 25th, 2019, the European Parliament published a new directive on the “protection of persons who report breaches of Union law,” now referred to as the Whistleblower Protection Directive, EU Whistleblowing Directive, or EU Directive 2019/1937.
The Directive’s intention is to provide consistent protection for those who step forward and report breaches of EU law across all 27 Member States. Within the EU, it expands every dimension of whistleblowing and reporting – who can make a report, what can be reported, where issues can be reported and why. Not only that, but the Directive also expands the accountability that companies face when it comes to retaliation against whistleblowers. This presents some crucial, never-before-seen challenges to companies with a presence in the EU.
Adding to the complexity is the fact that this legislation takes the form of a Directive, and not a regulation. Regulations – like GDPR – apply consistently and immediately across all Member States. Directives, on the other hand, lay out a series of requirements and leave it up to each Member State to transpose into local law and thus decide how they will meet Directive requirements. This transposition will introduce nuances in each Member State, and thus complexity when it comes to regulatory compliance for companies operating in multiple countries.
While the Directive included a deadline of December 17, 2021 for Member States to do so, it is not unusual for Member States to miss such deadlines – and many of them did. To stay up-to-date on Member State progress, follow the DataGuidance EU Whistleblower Directive Tracker. While Member States continue to iron out the nuances of the Directive and transpose it into their own law, companies should implement the unequivocal requirements of the Directive as soon as possible.
Please note: this article does not constitute legal advice on the part of OneTrust. Since the Directive was adopted, our team has invested considerable resources into understanding its requirements. We have researched, partnered with European compliance experts, and worked closely with customers to compile this guide.
While our team does not provide legal advice, we can help companies implement a hotline that complies with Directive requirements on short notice. Please reach out to a member of our team for assistance on implementing a hotline.
What does the EU Whistleblower Protection Directive require?
The Directive requires that companies:
- Provide internal mechanisms for whistleblowing
- Educate employees and others about their whistleblowing options
- Protect whistleblowers who report breaches of EU law, and
- Prevent them from being retaliated against
It also includes requirements that Member States must follow – including establishing external reporting channels for whistleblowers who choose to report outside of their company.
Establishing internal reporting channels and external reporting channels
More specifically, Article 8 of the Directive says that Member States must require legal entities in both the public and private sectors to establish reporting channels – a whistleblowing hotline – and mechanisms for follow-up. These mechanisms can be operated by a company employee or department, or by a third-party provider. Regardless, the reporting and follow-up procedures must meet the following Directive requirements:
- Protects the confidentiality of the reporter and the privacy of any third party mentioned in whistleblowing reports, and prevents access to the report by unauthorized team members
- Acknowledges receipt of the report within seven days
- Allows for diligent and impartial follow-up, communication, and feedback – including for anonymously submitted reports – within three months of the report’s submission
- Allows whistleblower to review, approve, and edit initial report and subsequent interview notes
- Allows for reporting in writing, orally (through telephone or voice messaging, or a physical meeting if requested by reporter), or both
- Provides clear information on external reporting options
Support measures for whistleblowers
The Directive requires Member States to provide whistleblowers and potential whistleblowers access to support measures. Information on whistleblowing procedures, protection from retaliation, and whistleblower rights must be available to the public for free. In addition, Member States must provide protected parties with access to legal aid in criminal and cross-border civil proceedings and may also provide financial aid and psychological support.
Penalties for non-compliance
Within the Directive, Member States are required to establish “effective, proportionate and dissuasive penalties” for anyone who attempts to hinder a report, engages in retaliation, brings vexatious legal proceedings against protected parties, or breaches confidentiality. In addition, those who knowingly report false information will also face penalties, and those affected by false reports may be entitled to damages.
Central reporting channels versus local channels for each subsidiary
While the Directive specifies that companies with between 50 and 249 workers may share resources for the purposes of reporting, there is – according to the EU Expert Group and the European Commission’s interpretation of the Directive – no similar exception for subsidiary companies. According to this interpretation, subsidiaries with 250 or more workers may no longer rely solely on their parent company’s central whistleblowing systems, and must have the ability to investigate reports locally rather than at the group, or corporate, level. Central reporting channels and case management may still exist, but whistleblowers must have the option to report at the local or group level.
Who must comply with the EU Whistleblowing Directive?
The Directive applies within EU Member States to all companies, both public and private, with 50 or more employees, or with an annual turnover or total assets of more than €10M. Local authorities that provide services for more than 10,000 people are also subject to the Directive’s requirements. The Directive also applies to some companies that fall outside of these boundaries. Companies of any size that operate in Financial Services, or where there is a risk of money laundering or terrorist financing, must also heed the Directive’s requirements.
- EU-based companies with employees outside the EU
- While the Directive does not specify whether workers need to be physically located within the EU, it is reasonable to assume that any legal entity established in the EU that employs more than 50 workers will need to comply with the Directive, regardless of where the workers are located, be that inside or outside the EU.
- Companies based outside the EU with employees in the EU
- Similarly, it is unclear whether non-EU entities that employ more than 50 workers within the EU will need to comply with the Directive. Given that their employees located in the EU are subject to a raft of EU labor laws, it is highly likely that such entities will be subject to the Directive, regardless of their employer’s location.
- Does the EU Whistleblower Directive apply in the UK?
- In short, no. The UK already had comprehensive legislation in place to protect whistleblowers, namely the Public Interest Disclosure Act 1998 (PIDA). The UK Government has confirmed that it does not intend to adopt the Directive into UK law, given its departure from the EU.
Who is protected by the Directive?
The concept of a “worker” in the EU is broad, and the protective scope of the Directive has been cast particularly wide. It offers protection to anyone in what is termed “a work-based relationship,” regardless of the nature of their activities, whether it is paid, and whether or not they are EU citizens.
Consequently, the Directive protects:
- Current and former (part- or full-time) employees
- Non-executive directors
- Temporary workers
- Fixed-term contract workers
- The self-employed
- Members of professional-type bodies
- Job applicants
- Work applicants
- Interns (paid or unpaid)
- Third parties or facilitators, such as colleagues or relatives, who could be affected by a disclosure report
- Those whose work-based relationship has yet to begin, such as through pre-contractual negotiations, or leavers where it has ended
In order to qualify for protection under the Directive, whistleblowers must have information on violations of EU law. Thus, protected whistleblowing under the Directive aligns with certain categories of law (though Member States may choose to add to this list).
The following areas and topics are covered by the Directive:
- Public procurement
- Financial services, products and markets
- Product safety and compliance
- Transport safety
- Protection of the environment
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy and personal data
The EU is actively encouraging national lawmakers to extend the coverage of reportable wrongdoing to breaches of existing national law as well. In some cases, Member States are considering an extension to simply include “suspicious wrongdoing,” which would be a significant increase in scope.
How whistleblowers can submit reports according to the Directive
One of the fundamental shifts in the EU Whistleblowing Directive is its three-tier reporting structure.
The Three-Tier Reporting Structure
Internal reporting (to the company):
- Must be kept confidential
- Must be acknowledged within seven days and responded to within three months
External reporting (to a regulator or other competent authority):
- Competent authorities established by each Member State
- Cases must be dealt with within three months (or within six months in justified cases)
Public disclosure (such as to the media):
- Reports may involve an imminent danger to the public interest, a risk of retaliation, or a failure to deal with concerns internally
Unlike previous laws in some Member States, which required whistleblowers to report internally before going to regulators or the media, the Directive specifies that there is no hierarchy or order of operations with these three reporting methods. Whistleblowers will be protected by the Directive regardless of the route they choose.
It remains in each company’s best interest to encourage employees to raise concerns first via internal channels, stressing the confidentiality of those reports and the support that your organization can offer.
Retaliation and the EU Whistleblower Directive’s reverse burden of proof
Protecting whistleblowers from retaliation is at the heart of the EU Whistleblower Directive. Retaliation can be incredibly damaging to the person experiencing it – and the culture of a workplace that enables it. While they may require some adjustments to your company’s hotline and case management processes, the anti-retaliation requirements of the EU Whistleblower Protection Directive are a positive step forward for companies in the European Union.
Your company likely has an anti-retaliation policy in place, but it may not be enough to meet the new anti-retaliation requirements within the EU Whistleblower Protection Directive. Specifically, the “reverse burden of proof” means that your company must now be able to prove that no retaliation has taken place.
To learn exactly what your company must do to comply with these new anti-retaliation requirements, read our blog.
Whistleblowing hotline requirements under the EU Whistleblower Directive
In order to empower potential whistleblowers, you must make your hotline as accessible as possible to everyone the Directive protects. While the Directive specifies that reporting channels can be either written (through an online reporting platform, email, letter or complaint boxes) or oral (via telephone hotline, voice messaging system or in person), some Member States require companies to provide both a written reporting option and an oral reporting option.
In order to not deter reporting, companies are expected to provide transparent information and clear, easily accessible reporting channels. Accessibility is a key requirement of the Directive, and should include providing intake in local languages, making your hotline available on a public-facing landing page, and more. The more accessible your whistleblowing channels are, the more likely your employees, third parties, and others will be to rely on them rather than reaching out to external channels or the media.
Want to know more about whistleblowing hotline standards? Check out our blog on ISO 37002, a framework for best-practice hotlines.
Anonymity and confidentiality requirements of the EU Whistleblower Directive
Under the EU Whistleblowing Directive, the decision on anonymous reporting lies with each of the 27 EU Member States. Consequently, approaches to whistleblower anonymity will continue to differ, as they do now, based on local culture and history. However, the Directive is quite clear on confidentiality. We’ll dive into the subtleties of anonymity and confidentiality below.
Anonymity requirements of the EU Whistleblowing Directive
While the Directive leaves anonymity requirements up to the Member States to decide, there are four primary approaches available to Member States:
- No anonymous reporting
- Only anonymous reporting
- Anonymous reporting is allowed, but that ability is not publicized
- Anonymous reporting is allowed, but companies are not obligated to investigate anonymous reports
Currently, OneTrust’s Helpline and Case Management offers a fifth potential option: a partially anonymous capability where reporters provide their details only to OneTrust while remaining anonymous to their employer. This ability is not yet accounted for in whistleblowing legislation anywhere in the world, but is an option available to our customers.
Confidentiality requirements of the EU Whistleblowing Directive
Whistleblower confidentiality is required by the Directive. Ensuring that confidentiality requires scrutiny of the entire whistleblowing process from the point of a potential reporter looking up the hotline, to submitting a report, and on through case management, investigation, conclusion, and follow-up. Confidentiality has been broken in several high-profile cases (see the story of Wendy Addison for an example), and these occasions clearly influenced the thinking behind the Directive.
Confidentiality requires a selected and trained team of report handlers. Some reports must be shared outside this team, but policies, statements, and training all have a role to play in maximizing confidentiality for the reporter and the subjects of the report alike.
It can be difficult to maintain confidentiality in small companies or within small groups of employees, even with anonymous reporting. This issue should be recognized and proactively addressed to minimize the risk and consequences of a leak.
Hotline communications, awareness, and training
The EU Whistleblowing Directive extends the scope of required awareness and training to all protected whistleblowers, and that includes contractors, vendors, and other third parties. It’s worth reexamining your hotline awareness strategy and coming up with something that is effective, practical, and in line with Directive requirements.
Training employees on the EU Whistleblowing Directive
The Directive includes a requirement that employees and third parties are made aware of the Directive and the protections that whistleblowers are entitled to under it. That training must cover the three-tier reporting provision – where reporters are protected whether they report internally to the company, externally to a regulator or other recognized institution, or externally to the media. This training can be folded into regular compliance training or stand on its own; either way, it must happen.
Training case handlers
More detailed training on the Directive may be limited to managers, case handlers, and groups who interact more closely with ethics and compliance initiatives. This training may cover the extended requirements of the Directive, variations across Member States, and anti-retaliation strategies.
EU Directive requirements for hotline awareness extend beyond employees
Standard hotline awareness strategies include workplace posters, emails, and team briefings. Emails and meetings are easily expandable to your third-party work-based relationships. While workplace posters may be less visible to third parties, consider other materials that are passed back and forth through the course of business. Can you include a pamphlet on the hotline alongside your invoicing materials? Consider your ethics and compliance program’s online presence as well. If your Code of Conduct is accessible outside the firewall, add a QR code for it to all your third-party communications, as well as to employee materials like pass cards, pay slips, and more.
Overcoming reporting reluctance
When strategizing your hotline awareness communications, it’s imperative to see things from the perspective of a potential whistleblower. Address the key questions that will arise, like “Who will know about my report?” and “What will happen after I submit a report?” Proactively provide answers that can help address reluctance, and your awareness campaigns will be more effective.
GDPR and the EU Whistleblowing Directive
Invariably, whistleblowing hotlines handle and process personal data. The EU Whistleblowing Directive requires that such processing take place in compliance with EU data protection law, namely the General Data Protection Regulation (GDPR). GDPR does not specifically reference whistleblowing – but that doesn’t mean whistleblowing is any less protected. The potential risks to reporters and subjects of a report can’t be overstated, so data protection is crucial for all parties involved.
To learn more about the intersection of the EU Whistleblower Directive and GDPR, read our blog.
Finding a hotline vendor that will help you comply
Does your current hotline provider – if you have one – stand up to the scrutiny necessary to comply with the EU Whistleblowing Directive? Taking a critical eye to potential vendors and their offerings can be an overwhelming task. Beyond the requirements of this Directive in particular, consider that whistleblower regulations and privacy regulations are evolving at a rate never seen before. Perhaps the most essential element to consider as you evaluate vendors is how well they are positioned to adapt, evolve, and stay ahead of the ever-changing whistleblowing landscape.
Evaluate your whistleblower hotline vendor on the following categories to ensure their solution is compliant:
- Reporter communication: anonymous and named
- Data security and GDPR
- Call center
- Accessible intake methods
- Confidentiality and retaliation prevention
- Record keeping and retention
- Subsidiary-level intake channels and case management
Read our blog on how to find a Directive-compliant hotline provider
Still looking for a hotline vendor to help you comply? OneTrust can help. Please reach out to a member of our team for assistance on implementing a hotline that complies with EU Whistleblower Directive requirements.
Want to keep a copy of this article for future reference, or to share with your team? Download our Ultimate Guide to the EU Whistleblower Directive.