EU regulation FAQ

The EU 2019/1937 Whistleblower Protection Directive is an EU directive that came into force in 2019 after being drafted by the EU Commission and adopted by the EU Council.
It serves to protect whistleblowers who point out wrongdoing in companies. By December 17, 2021, the directive must be transposed into national law by the Federal Republic of Germany. Following the introduction of the national law, companies with 50 employees or more are required to set up appropriate procedures in their company organization. For companies with 250 or more employees, the expected implementation period is 2 years. For companies between 50 and 249 employees, the implementation period is expected to be extended by another 2 years. Furthermore, public corporations are also required to implement the directive organizationally. Municipalities with fewer than 10,000 inhabitants are exempt from this requirement.
A whistleblower is any person who, as an insider, obtains certain information about a company that demonstrates or indicates that processes within the company violate applicable laws and wishes to disclose these violations for reasons of conscience.
In addition to employees of the company, external employees, applicants or journalists are also conceivable as whistleblowers. The whistleblowers are to be protected against any reprisals within the company, such as dismissal or transfer to an unpopular position, by ensuring that the reporting procedure is anonymous from the outset.
The EU has compiled a list of legal violations that the directive is intended to cover in any case.

In addition, each member state can add further offences to this list:
  • Public procurement (e.g. collusion in public tenders)
  • (Manipulation and abuse of) financial services, financial products and financial markets
  • (Perpetration of) money laundering and terrorist financing
  • (Violations of) product safety and conformity
  • (Infringements of) traffic safety
  • (Violations of) environmental protection, radiation protection and nuclear safety
  • (Violations of) food and feed safety, animal health and welfare, and public health and consumer protection
  • (Disregard for) privacy and personal data protection and security of network and information systems
  • Infringements of the Union's financial interests within the meaning of Article 325 TFEU and as further defined in relevant Union measures.
  • Infringements of internal market rules within the meaning of Article 26(2) TFEU, including infringements of competition and State aid rules, and infringements of corporate tax rules and regulations aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax law.
The EU Whistleblower Directive requires the companies concerned to implement devices and systems in their operations that ensure internal and external reporting channels for whistleblowers.
Reports must be submitted in such a way that the identity of the whistleblower is not revealed and that national data protection legislation is complied with. In Germany, this is the General Data Protection Regulation (GDPR; German: DSGVO).
Suitable systems can be any type of channel that enables the whistleblower to communicate the information to a neutral ombudsman or another suitable person in the company, such as a compliance officer, without the identity of the whistleblower being disclosed. Disclosure would occur if it were openly apparent to anyone that a specific employee had made the whistleblower report, or if this could easily be determined contrary to the provisions of the GDPR. The data of any accused persons must also be treated with the utmost confidentiality in accordance with national data protection legislation. Obligated companies with between 50 and 250 employees are authorized to implement joint whistleblower systems. Companies with a higher number of employees are obliged to set up their own system.
In addition to the internal disclosure of information through whistleblowing to the designated ombudsman or the internal compliance officer, the Directive provides that external disclosure to competent authorities should also be made possible. Here, it is not the companies that are obliged to provide the necessary reporting channels, but the respective state institutions. Institutions of this kind already exist in Germany. For example, BaFin has had an online tool for whistleblowers in place for several years. However, the Directive provides for a so-called tiered solution, under which member states commit to "giving preference to the use of internal channels over external reporting in cases where effective internal action can be taken against the infringement and the whistleblower does not fear reprisals." The use of internal channels is thus generally expected to play the most important role. According to the Directive, information can be submitted via three technical channels: firstly, by telephone via a free hotline; secondly, by physically posting a letter; and, of course, via an electronic online tool. In addition to internal forwarding to compliance officers or ombudsmen and external forwarding to authorities, the Directive provides for direct publication of the grievances. In this case, further confidentiality of the whistleblower is subject to the condition that no other possibilities of passing on the information were open to him, for example because further processing by internal or external means could not be guaranteed, or because the whistleblowing is about to be discovered and the whistleblower is in acute danger as a result. In all cases, the whistleblower should be able to request a confidential personal meeting with a trusted person, if necessary, and this request must be complied with.
In accordance with the EU Whistleblowing Directive, the whistleblower must receive confirmation from the investigating body within seven days that his report has been received. After a further three months at the latest, the person making the report must be informed of the extent to which the information has been processed, what measures have been taken and what the results are.
According to the directive, companies are obliged to inform their employees about the existing legislation and about the possibility of reporting via internal and external reporting channels. This can be done, for example, via circulars, newsletters or regular online training. The directive also stipulates that information must be provided to external parties, such as suppliers, consultants or customers.
Companies and organizations that violate the directive will face sanctions in the form of hefty fines. The amount of the fines is not yet known, as implementation in Germany has not yet been completed. Conceivable violations include disregarding the obligation to implement the whistleblowing system, obstructing reports to a competent body, not respecting the confidentiality of persons concerned or intimidating them, and exceeding deadlines in processing reports received.
The directive poses various questions for the organizations concerned. Some of these questions can only be answered conclusively once the national legislation has been passed or a generally accepted implementation procedure has become established on the market. The technical implementation of all envisaged reporting channels must be ensured, and employees must be educated completely and, because of staff turnover, regularly. Certain minimum standards will be established here on the basis of ongoing practice. Whistleblowing must become a natural part of general compliance, right down to the smallest link in the employee chain, through a proactively managed corporate culture. Whistleblowing must be perceived as an opportunity for corporate optimization and must not be seen as a kind of fouling of one's own nest. It is to be expected that electronic whistleblowing systems will become by far the most important reporting channels, so that appropriate considerations and measures should be initiated at an early stage on the IT side of the companies concerned.