Secure whistleblower channel. Offer -> implementation of whistleblower protection.

Protection of "whistleblowers" is a new obligation for organizations (private and public), subject to criminal sanctions.

On 7 October, 2019, the Council of the European Union officially adopted a new directive on the protection of persons who report breaches of Union law. The directive was published in the Official Journal of the European Union on 26 November, 2019 and entered into force on 17 December, 2019.

The directive aims to guarantee a high level of protection to those who publicly disclose information about breaches acquired in the work-related context (known as whistleblowers).

In accordance with Article 2, the material scope of the directive covers:

– public procurement;

– financial services, products and markets, and the prevention of money laundering and terrorist financing;

– product safety and compliance with requirements;

– transport safety;

– environmental protection;

– radiological protection and nuclear safety;

– food and feed safety, animal health and welfare;

– public health;

– consumer protection;

– protection of privacy and personal data as well as security of networks and information systems (this is an additional shield of supplementary protection to GDPR).

More information on the material scope is provided in Annex – Part I and Part II to the directive.

The EU will give whistleblowers broad protection in a number of sectors, including in the field of public procurement, financial services, prevention of money laundering, product and transport safety, public and consumer protection, and the protection of privacy and personal data.

The directive requires creation of secure channels for reporting irregularities. These are to be channels both within organizations (private or public) and channels directed to public bodies. The new rules also offer whistleblowers broad protection against retaliation and oblige national authorities to adequately inform citizens, and train public officials and employees of the organization how to deal with whistleblowing.

One of the new responsibilities for the organization is to undergo a “specific training” for those people in the organization who will handle the reporting channels (Article 12, paragraph 5 – “The staff members referred to in paragraph 4 shall receive specific training for the purposes of handling reports.”).

The main assumptions of the directive are:

To establish effective and secure channels for reporting irregularities in organizations (private and public): the obligation would apply to companies with more than 50 employees and municipalities with more than 10,000 inhabitants. The Polish legislator may implement lower thresholds, as the directive does not limit the possibility of extending the above obligations to smaller companies and municipalities.

The headcount threshold does not apply to entities falling within the scope of the directive, listed in Parts I.B and II of the Annex;

(a) financial services, products and markets, and prevention of money laundering and terrorist financing:

Channel hierarchy: Whistleblowers would first use their organisation's internal channels and only then use external channels set up by public authorities. By no means would they lose protection if they decided to use external channels first.

A large number of groups protected by the new rules: People with different statuses who, in a work-related context, may obtain information about violations of law, will be protected, e.g. employees (including national / local civil service), volunteers and interns, non-executive members, shareholders, etc.

Broad scope: The new rules cover areas such as public procurement, financial services, prevention of money laundering, public health, etc. For legal certainty, the Annex to the directive lists all EU legislation covered by it. Member States may go beyond this list when implementing the new legislation.

Whistleblower support and protection: The new rules introduce safeguards to protect whistleblowers from retaliation such as suspension, demotion and intimidation. People helping whistleblowers, e.g. friends or family, will also be protected. The directive also lists the support measures that will be provided to whistleblowers.

Feedback obligation for authorities and companies: The rules provide for an obligation to respond to whistleblower reports and follow-up within 3 months (up to 6 months in duly justified cases for external channels).

Why is whistleblower protection needed?

Whistleblowers are people who react to irregularities encountered in the professional context that may harm the public interest, e.g. harm the environment, public health, consumer safety or public finances.

Whistleblower protection is currently fragmented. Only 10 EU countries have comprehensive law in this matter. At EU level, law exists in only a few sectors (mainly in the field of financial services).

As shown by a 2017 study for the European Commission, the lack of whistleblower protection in public procurement alone exposes the EU to a loss of potential benefits of € 5.8-9.6 billion per year.

Personal scope

The directive applies to “reporting persons” who work in the private or public sector and obtain information about breaches in a work-related context. This includes workers, self-employed persons, managers, shareholders, volunteers, job applicants, persons whose employment is terminated, as well as persons under the supervision or direction of a contractor, subcontractor or supplier (Article 4).

The directive also protects the “facilitator”, i.e. a natural person who assists the reporting person in the reporting process in a work-related context, and whose assistance should be confidential.

“Work-related context” means current or future work-related activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information.

Terms of protection

A whistleblower will be protected if they have reasonable grounds to believe that they have committed a breach:

– that the information was correct at the time of reporting; and

– that they fall within the scope of the directive (Article 5).

Internal reporting channels

Under the directive, Member States must ensure that legal entities having 50 or more workers are subject to the obligation to establish internal reporting channels and procedures. For enterprises having up to 249 employees, it is possible to share the reporting channel with other companies. The reporting channel and procedure must be established to ensure the confidentiality of the reporting person. Acknowledgement of receipt of the report to the reporting person is required within seven days and follow-up within three months (Articles 7-9).

External reporting channels

Member States should encourage the use of internal reporting before using external measures. However, Member States also need to establish external reporting channels with relevant competent authorities, which are subject to the same confidentiality, acknowledgement and follow-up requirements as internal channels (except that follow-up may, in duly justified cases, be provided within six months). These external reporting channels must report information to the relevant EU institutions (Articles 10-14).

Public disclosure

If the person used internal and external channels, but no appropriate action was taken within the required timeframe; or if the reporting person had reason to believe that there is a risk of retaliation or there is a low prospect of the breach being effectively addressed; or if the breach may constitute an imminent or manifest danger to the public interest, the reporting person may be protected in the event of public disclosure (Article 15).

Protection measures

Reporting persons are protected against all forms of retaliation (including threats and attempts of retaliation, whether direct or indirect), in particular, of suspension, dismissal, demotion or withholding of promotion (Art. 19). In court proceedings, if the “reporting person” establishes that they have made a disclosure under the directive, the burden of proof is reversed and the employer will therefore have to show that the damage was not sustained as a result of the report (Article 21).

“Reporting persons” are also protected from liability for breaching the NDA and should not be held liable for obtaining relevant information, provided no crime has been committed (Art. 21).


Member States must provide for “effective, proportionate and dissuasive” penalties to prevent hindering (or attempts to hinder) reporting, retaliation against reporting persons, bringing vexatious proceedings against reporting persons, or breaching confidentiality obligations. Likewise, Member States should provide for “effective, proportionate and dissuasive” penalties to prevent false reports or false public information.

We will implement a whistleblower protection program and a management system

We implement whistleblower protection by examining the organization’s vulnerability to risk:

  • Context of the organization (understanding of the organization)
  • Audit of the entity (private or public)
  • Identification, analysis and assessment of compliance risk
  • External processes
  • Internal communication
  • Establishing controls and developing internal procedures
  • Development of internal policies, codes of conduct and other internal regulations
  • Implementation of whistleblower protection
  • Training, increasing the awareness of employees and management
  • Evaluation of the results
  • Monitoring, measurement, analysis and evaluation
  • Detection of non-conformities and corrective actions
  • Periodic training 
  • Evaluation of introduced procedures 
  • Constant monitoring of changes in regulations and adaptation measures to new regulations

Our interdisciplinary team

The Whistleblower Security Europe team consists of: Data Protection Officers, Compliance officers, lawyers, attorneys-at-law, legal advisers, IT specialists in the field of information security and cybersecurity, experienced practitioners and trainers in the field of Compliance implementation and personal data protection.

We will effectively implement a whistleblower protection system for your organization.

