What information is required for the Whistleblower Policy?


What information is required from companies in relation to the Whistleblower Directive?

A storm in a teacup or an urgent need for action? Originally, the EU Whistleblower Directive was supposed to come into force by December 17, 2021. However, the legislative process failed during the last legislative period. Do (medium-sized) companies still have to implement a whistleblower protection system in their company? At the very least, preparations should be made immediately, as Germany must implement the directive as quickly as possible. The following information shows what companies can expect and how they can prepare for this.

Directive (EU) 2019/1937 ("Whistleblower Directive") is to be transposed into German law by the end of December 2021. However, the legislative process initiated in the last legislative period initially failed, meaning that the transposition deadline could not be met. Nevertheless, the public sector must assume that the directive is directly applicable and there is already an acute need for action. Private companies can, in principle, wait for the directive to be transposed into German law - but here too, the directive may already have an indirect impact in individual cases. All companies should therefore address this issue as soon as possible. The transposition of the EU Directive into national law is expected shortly.

In its coalition agreement, the governing coalition has clearly committed to protecting whistleblowers and to a "legally secure and practicable" implementation of the directive. It can even be assumed that Germany will go beyond the minimum requirements of EU Directive 2019/1937. The national whistleblower protection law will not only apply to reports of breaches of EU law, but also to reports of "significant breaches of regulations or other significant misconduct, the disclosure of which is in the particular public interest."

The exact form of the national whistleblower protection law has not yet been finalized. At the very least, however, the requirements of the EU Whistleblower Directive must be transposed into German law. Companies can already use this as a guide and start with the organizational implementation.


Which companies are affected?

In particular, private companies with 250 or more employees or an annual turnover of more than 10 million euros must provide secure internal reporting channels - the aforementioned EU directive already provides for this from December 17, 2021. It can therefore be assumed that the requirements of European law will be implemented quickly. Public institutions, authorities and municipalities with a population of 10,000 or more must also introduce whistleblowing systems - it can already be assumed that the EU directive will apply directly to them.

Private companies with 50 to 249 employees must introduce a whistleblower system by the end of 2023.


What types of whistleblower systems are possible?


There is a certain amount of leeway in the exact design of the whistleblower system. Three types of whistleblower systems are possible:

  • Setting up an internal company mailbox;
  • Appointment of an ombudsperson to receive relevant information;
  • Establishment of an electronic reporting system.


In any case, the reporting channels must be designed in such a way that the information can be given in writing or verbally. In addition, a personal meeting within a reasonable timeframe should also be made possible at the request of the whistleblower.

In any case, the confidentiality of the whistleblower must be maintained; anonymity is not a prerequisite.

The various reporting options can be combined with each other. Which solution is to be preferred in individual cases depends on the specific circumstances, such as the size, structure and scope of the company organization, and whether a suitable person can be identified.

In addition, people outside the company should also have the opportunity to use the whistleblower system. If possible, companies should design the reporting channel in such a way that it is also open to employees of business partners of the company or group of companies. This applies in addition to persons who receive information from the company in the course of their professional activities. This includes temporary workers, members of the company's executive bodies and shareholders, job applicants, self-employed persons and former employees.

In addition to setting up an internal reporting system, companies must also provide their employees as potential whistleblowers with understandable and easily accessible information on the possibilities of external reporting to certain authorities.

Unlike in the past, internal reporting no longer has priority. The whistleblower can decide whether to report breaches internally or externally to an authority. Companies should therefore ensure that internal reporting systems are in place and create incentives to use them.


Which reports enjoy whistleblower protection?


According to the EU Directive, whistleblowers are entitled to report breaches that fall within the scope of the EU legal acts listed in the Annex and in particular concern the following areas:

  • Public procurement,
  • Financial services, financial products and financial markets as well as the prevention of money laundering and terrorist financing,
  • Product safety and conformity,
  • Road safety,
  • Environmental protection,
  • Radiation protection and nuclear safety,
  • Food and feed safety, animal health and animal welfare,
  • Public health,
  • Consumer protection,
  • Protection of privacy and personal data as well as security of networks and information systems.


Whistleblower report - and then?


If the company receives a report from a whistleblower, the confidentiality of the identity of the whistleblower and the third parties named in the report must be protected. Unauthorized employees must not have access to the report. The establishment of anonymous whistleblowing systems or the possibility of anonymous whistleblowing is not required. The whistleblower must receive confirmation of receipt of the report within seven days.

Companies must appoint an impartial person or department to take follow-up measures on the reports, such as internal investigations and inquiries. This may be the same person or department that receives the reports. In addition, whistleblowers must be given feedback on the response to the report within a reasonable period of time, and within a maximum of three months.

The company must document the incoming reports. If necessary, the documentation should be made available to the whistleblower for review.

As whistleblowers have the option of reporting internally or externally, companies should urgently create professional internal structures so that reports are not made to external bodies instead. If whistleblowers trust that companies will take reports seriously, follow them up carefully, and investigate and appropriately sanction crimes and irregularities, they will use internal reporting structures.


Protective effect for the whistleblower


Whistleblowers only enjoy legal protection if, at the time of reporting, there were reasonable grounds to believe that the reported information about violations was true, and if they submitted the information via the specified internal or external reporting channels. Under these conditions, the EU Whistleblower Directive prohibits any form of retaliation, discrimination or disadvantage. Whistleblowers who report properly do not have to fear any consequences under employment law. In the event of a complaint under employment law, the Directive provides for a reversal of the burden of proof in favor of the whistleblower. This means that the employer must prove that there was no connection with the employee's whistleblower report. In addition, the Directive provides for sanctions, which in some cases involve substantial fines.

There is no time to lose - action must be taken now!

The implementation of the Whistleblower Directive will have a significant impact on small and medium-sized companies in particular, as these companies generally do not yet have whistleblower systems in place. It is therefore advisable to start implementing such a system at an early stage and to entrust the relevant people with the tasks. In order to create an incentive for internal reporting and thus prevent possible reputational damage caused by the disclosure of misconduct, companies should set up a transparent internal reporting system from the outset if possible and inform employees about it. It is crucial that a whistleblower policy is included in the code of conduct or accompanied by an internal whistleblower policy.

These measures should be started as early as possible in order to clarify the technical requirements and the legal framework, such as possible co-determination rights of the works council and data protection requirements.
