EU regulation FAQ

The EU Whistleblower Protection Directive 2019/1937 is an EU directive that was drafted by the EU Commission, adopted by the EU Council and came into force in 2019. It serves to protect whistleblowers who point out wrongdoing in companies. The Federal Republic of Germany must implement the directive in national law by December 17, 2021. Once the national law has been introduced, companies with 50 or more employees are obliged to set up appropriate procedures in their company organization. For companies with 250 or more employees, the deadline for implementation is expected to be 2 years. For companies with between 50 and 249 employees, the implementation period is expected to be extended by a further 2 years. Public corporations are also required to implement the directive organizationally. Municipalities with fewer than 10,000 inhabitants are exempt from this requirement.
A whistleblower is any person who, as an insider, obtains certain information about a company that shows or indicates that processes within the company violate applicable law, and who wishes to disclose these violations for reasons of conscience. Besides the company's employees, external staff, applicants or journalists are also conceivable as whistleblowers. Whistleblowers are to be protected against any reprisals within the company, such as dismissal or transfer to an unpopular position, by keeping the reporting procedure anonymous from the outset.
The EU has compiled a list of offences that the Directive is meant to cover in any case, as a minimum. In addition, each member state can add further offences to this list:
  • Public procurement (e.g. collusion in public tenders)
  • (Manipulation and abuse of) financial services, financial products and financial markets
  • (Perpetration of) money laundering and terrorist financing
  • (Violations of) product safety and conformity
  • (Infringements of) traffic safety
  • (Violations of) environmental protection, radiation protection and nuclear safety
  • (Violations of) food and feed safety, animal health and welfare, and public health and consumer protection
  • (Disregard for) privacy and personal data protection and security of network and information systems
  • Infringements of the Union's financial interests within the meaning of Article 325 TFEU and as further defined in relevant Union measures
  • Infringements of internal market rules within the meaning of Article 26(2) TFEU, including infringements of competition and State aid rules, and infringements of corporate tax rules and regulations aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax law
The EU Whistleblower Directive requires the companies concerned to set up facilities and systems in their operations that provide internal and external reporting channels for whistleblowers. Reports must be handled in such a way that the identity of the whistleblower is not revealed, and must comply with national data protection legislation. In Germany, this is the General Data Protection Regulation (GDPR; German abbreviation: DSGVO). A suitable system can be any type of channel that enables the whistleblower to communicate the information to a neutral ombudsman or another suitable person in the company, such as a compliance officer, without the identity of the whistleblower being disclosed. Disclosure would occur if it were openly apparent to anyone that a specific employee had made the report, or if this could easily be determined, contrary to the provisions of the GDPR. The data of any accused persons must also be treated with the utmost confidentiality in accordance with national data protection legislation. Obligated companies with between 50 and 250 employees are permitted to implement joint whistleblower systems. Companies with a higher number of employees are obliged to set up their own system.
In addition to internal disclosure to the designated ombudsman office or the internal compliance officer, the directive provides that external disclosure to competent authorities should also be made possible. Here it is not the companies that are obliged to provide the necessary reporting channels, but the respective state institutions. Institutions of this kind already exist in Germany. For example, BaFin has had an online tool for whistleblowers in place for several years. However, the directive provides for a so-called tiered solution, under which member states commit to "giving preference to the use of internal channels over external reporting in cases where effective internal action can be taken against the violation and the whistleblower does not fear reprisals." According to general expectations, the use of internal channels will thus play the most important role. According to the directive, it should be possible to submit information via three technical means: first, by telephone via a free hotline; second, by physically dropping off a letter; and, of course, via an electronic online tool. In addition to internal forwarding to compliance officers or ombudsmen, and external forwarding to authorities, the directive also provides for direct publication of the grievances. In this case, the whistleblower's continued confidentiality is subject to the condition that there were no other options for passing on the information, for example because further processing by internal or external means could not be guaranteed, or because the whistleblowing is about to be discovered and the whistleblower is in acute danger as a result. In all cases, the whistleblower should be able to request a confidential personal meeting with a trusted person if necessary, and this request must be complied with.
In accordance with the EU Whistleblowing Directive, the whistleblower must receive confirmation from the investigating body within seven days that the report has been received. After a further three months at the latest, the person making the report must be informed of the extent to which the information has been processed, what measures have been taken and what the results are.
According to the directive, companies are obliged to inform their employees about the existing legislation and about the possibility of submitting reports via internal and external reporting channels. This can be done, for example, via circulars, newsletters or regular online training. The directive also requires that information be provided to external parties, such as suppliers, consultants or customers.
Companies and organizations that violate the directive will face sanctions in the form of hefty fines. The amount of the fines is not yet known, as implementation in Germany has not yet been completed. Conceivable violations include disregarding the obligation to implement the whistleblowing system, obstructing reports to a competent body, not respecting the confidentiality of persons concerned or intimidating them, and exceeding deadlines in processing reports received.
The directive poses various questions for the organizations concerned. Some of these questions can only be answered conclusively once the national legislation has been passed or a generally accepted approach to implementation has become established in the market. The technical implementation of all envisaged reporting channels must be ensured, and employees must be educated completely and, because of staff turnover, regularly. Certain minimum standards will be established here on the basis of ongoing practice. Whistleblowing must become a natural part of general compliance, right down to the smallest link in the employee chain, through a proactively managed corporate culture. Whistleblowing must be perceived as an opportunity for corporate optimization and must not be seen as a kind of fouling of one's own nest. It is to be expected that electronic whistleblowing systems will become by far the most important reporting channels, so the IT departments of the companies concerned should initiate appropriate considerations and measures at an early stage.