Whistleblowing Directive: All you need to know in 5 Q&A

By Iro Katrachoura 

Whistleblowing is defined as the activity of an employee or officer of a public or private organization who reports waste, fraud, abuse, corruption, or profit seeking to someone who is in the position to rectify the wrongdoing.  The EU Whistleblowing Directive [ (EU) 2019/1937] came into force on December 2019 and as the deadline for its implementation into national law is fast approaching (17 December 2021), companies with EU-based operations will need to establish or change their whistleblowing policy in order to comply with a series of new rules.

1.Who does it apply to?

The Directive refers to companies with more than 50 employees that must provide secure internal reporting channels. More specifically, companies with 250 or more employees will be expected to comply within two years of adoption and companies with between 50 and 250 employees have a further two years after transposition to comply.

2. What is it required?

If a company falls under the above categories, they should at least issue a ‘Whistleblowing Policy and Procedure’, to provide an internal mechanism for reporting, investigating, and providing remedies in the workplace and a Whistleblowing Privacy Notice, since all personal data -of the whistleblower and any accused person- must be handled in accordance with the GDPR.

3.Which are the reporting channels?

Regarding the reporting channels, the whistleblowers should be able to submit their reports in writing, orally (by telephone or through other voice messaging systems), or both. It is also possible, upon request by the reporting person, to report via a physical meeting within a reasonable timeframe. In any case, the companies should ensure the confidentiality of the whistleblower’s identity, regardless of which reporting channel is being used.

4.Which is the processing time?

The companies should acknowledge receipt of the report within seven days, and they should provide feedback of the actions taken within three months.

5.What about penalties?

As far as penalties are concerned, the Directive obliges member states to impose effective and proportionate sanctions on companies and public bodies that do not adhere to the reporting system, including failing to maintain the confidentiality of whistleblowers and submitting false reports.