Alliance: Legally compliant whistleblowing in your company - country update

Whistleblowing in the company

Most countries of the European Union have already transposed Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law within their legal systems. There are some legal differences in how the Whistleblower Directive has been transposed into the various laws.

In the following pages of this newsletter, we provide an update on the current status of the Directive’s transposition in each of the countries of our partner law firms.

Legal compliance through SCHINDHELM WHISTLEBLOWING SOLUTION

Our SCHINDHELM WHISTLEBLOWING SOLUTION offers whistleblowers a completely anonymous, legally compliant way to report enterprise abuses and meets all the requirements of the EU Whistleblowing Directive and the national transpositions thereof. With our SCHINDHELM WHISTLEBLOWING SOLUTION, we are happy to help you implement all important whistleblowing provisions regarding Data Protection and Compliance & Corporate Governance.

When establishing an internal reporting system, other legal areas, such as labour law, criminal law, etc., are also affected and must be considered in addition to the regulations of the national transposition act. Our lawyers bundle the entire range of expertise required in order to execute your internal reporting system and to successfully implement the resulting legal steps.

Country overview

Austria

1. Is there an update regarding the transposition of the directive into national law?

The national transposition already took place on 25 February 2023 with the “Whistleblower Protection Act” (HinweisgeberInnenschutzgesetz, HSchG).

2. What should companies bear in mind in the context of implementation?

Companies with more than 249 employees have until 25 August 2023 and those with 50 to 249 employees have until 17 December 2023, at the latest, to establish an internal office. However, it is possible to transfer the tasks of the internal office to a joint office within the group or to commission third parties (e.g., law firms) with the tasks of the internal office. Specialised lawyers can strengthen the potential whistleblower's confidence in the internal system, especially in small and medium-sized businesses, and ensure that only predefined individuals obtain knowledge about abuses within the enterprise. When implementing a whistleblowing platform, it is important to ensure actual compliance with the reporting (and response) deadlines established by law. Furthermore, the HSchG stipulates that the identity of whistleblowers must be protected and that a corresponding system must be set up for this. The question remains as to whether enabling anonymous reports is also mandatory, although the law does not provide an explicit regulation in this regard. It is particularly important to observe the material scope of the HSchG, in other words the legal categories for which whistleblowers can submit reports, when setting up and designing the content of the whistleblowing platform. The design in terms of content entails consequences under both labour law and data protection law.

Czech Republic

1. Is there an update regarding the transposition of the directive into national law?

In the Czech Republic, the Act on the Protection of Whistleblowers, which was published in the collection of laws under No. 171/2023 Coll., has been in effect since 20 June 2023. This law entered into force on 01/08/2023, and the public sector and large companies must have set up an internal channel for receiving reports and fulfilled the other obligations established by the law by this date.

2. What should companies bear in mind in the context of internal implementation?

Entgegen der Stellungnahme der EU-Kommission aus dem Juni 2021 hat sich der deutsche Gesetzgeber ausdrücklich dafür ausgesprochen, dass auch Konzernobergesellschaften für die Konzern(unter-)gesellschaften ein Hinweisgebersystem als „Dritte“ im Sinne des Hinweisgeberschutzgesetz zur Verfügung stellen dürfen. Die Konzernobergesellschaften dürfen diese Aufgabe wiederum auch an externe Dienstleister delegieren, die dann ebenfalls als Dritte einzustufen sind. Unabhängig davon, ob jede Gesellschaft ein eigenes Hinweisgebersystem betreibt oder es zentral über einen Dritten bereitgestellt wird, ist es zwingend, dass die Vertraulichkeit der Meldungen innerhalb des Konzerns gewahrt bleibt. Auch die Verpflichtung zum Abstellen des Verstoßes liegt bei jeder einzelnen Gesellschaft. Daher ist es für den Fall, dass die Konzernobergesellschaft das Hinweisgebersystem betreibt, von besonderer Bedeutung, dass der Hinweisgeber verpflichtend angibt, für welche Gesellschaft der Hinweis gemeldet wird.

France

1. Is there an update regarding the transposition of the directive into national law?

On 16 February 2022, Law No. 2022-401 to transpose European Directive 2019/1937 was definitively passed in France. It was validated by the constitutional court on 17 March 2022 and officially published on 21 March 2022 and entered into force on 1 September 2022. Implementation Decree No. 2022-1284 was published on 3 October 2022 and entered into force on 5 October. This law, presented as “the best protection for whistleblowers in Europe” by Assemblyman Sylvain Waserman, corrects the inadequacies of the existing French legal arsenal by going beyond the protection afforded by the European Directive. It is thus a successful manoeuvre by French lobbyists, who sought a rapid transposition of the Directive with provisions that go beyond the minimum level of protection provided by the Directive.

2. What should companies bear in mind in the context of internal implementation?

Companies with at least 50 employees are still required to establish an internal procedure for gathering reports. In addition, the law stipulates that this is also a processing procedure and that the Social and Economic Committee must be consulted before this procedure is established. A decree is expected to define the rules for the deadlines for receiving and returning information.

For corporate groups with more than 250 employees, the procedure can be centralised at the group level.

Companies with more than 500 employees and revenue of more than €100,000,000 are obligated to introduce the special mechanism pursuant to Art. 17 of the Sapin II law (measures for preventing and detecting corruption and bribery).

Germany

1. Is there an update regarding the transposition of the directive into national law?

On 2 July 2023, the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) entered into force after an agreement was reached by the Mediation Committee and approval by the Bundesrat. The implementation deadline for enterprises with at least 250 employees was the date of the HinSchG’s entry into force, but fines for failing to establish a reporting channel will not be charged until 1 December 2023 at the earliest. For enterprises with between 50 and 249 employees, the implementation deadline is 17/12/2023. Thus, there is now an urgent need for enterprises with at least 50 employees to act and set up a reporting channel for whistleblowers. The key results of the Mediation Committee are as follows: 1. reduction of the fine in the event of intentional obstruction of a report or failure to maintain confidentiality from €100,000.00 to €50,000.00; 2. abolishment of the claim to compensation for whistleblowers in the event of reprisals; and 3. no obligation to allow for anonymous reports.

2. What should Companies bear in mind in the context of internal implementation?

Contrary to the European Commission’s opinion from June 2021, the German legislature has expressly come out in favour of group parent enterprises also being allowed to provide a whistleblower system for the group (sub-)enterprises as “third parties” within the meaning of the Whistleblower Protection Act. The group parent enterprises may, in turn, delegate this task to external service providers, who are then also to be classified as third parties. Regardless of whether each enterprise operates its own whistleblower system or whether it is provided centrally via a third party, it is mandatory for the confidentiality of the reports to be maintained within the group. Each individual enterprise also has the obligation to remedy the violation. In the event that the group parent enterprise is operating the whistleblower system, therefore, it is particularly important that the whistleblower be obliged to state the enterprise for which the report is being filed.

Italy

1. Is there an update regarding the transposition of the directive into national law?

In principle, the process of transposing the Directive was completed in Italy with the adoption of the legislative decree (Decreto legislativo No. 24/2023 of 10 March 2023); the regulation entered into force on 15 July 2023. All enterprises with 250 or more employees are therefore already obligated to introduce a whistleblowing system, whereas this obligation will not go into effect for enterprises with fewer employees until 17 December 2023. Generally speaking, the rules for the private sector are largely aligned with the Directive’s guidelines, while the national anti-corruption agency has introduced a number of further specific obligations for the public-administration sector.

2. What should companies bear in mind in the context of internal implementation?

From a corporate perspective, perhaps the most significant, or organisationally most burdensome, deviation from the pure content of Directive 2019/1937 is regulated in Art. 13 para. 6 of the transposing Legislative Decree No 24/23, which stipulates that all enterprises have the obligation “to develop technical and organisational measures suitable for guaranteeing an appropriate level of security compared to the specific risks resulting from the data processing and to do so on the basis of a data protection impact assessment” before introducing a whistleblowing system. Every enterprise that intends (or is obligated) to introduce a whistleblowing system is therefore required to perform a [data protection] impact assessment (DPIA) in accordance with Art. 35 of the GDPR before the system’s introduction.

Poland

1. Is there an update regarding the transposition of the directive into national law?

In Poland, the whistleblower law has not yet been adopted. Due to the upcoming general elections in October 2023, it is currently not possible to estimate when it will take place. The draft law is currently being revised in pre-parliamentary proceedings.

Although the law in Poland is still pending, employers are implementing preparatory whistleblowing measures in their businesses. The draft law provides for a two-month period for the law to enter into force; in practice, however, establishing the internal channels for the disclosure of violations takes even longer.

We therefore recommend already taking preparatory measures now: consider which channel to choose and where the reports will be submitted. It is also important to consider whether the reports can only relate to the infringements specified in the law or to other areas as well. Employers in Poland can decide for themselves whether they want to expand the range of reports, to include issues of labour law for example.

2. What should companies bear in mind in the context of internal implementation?

From the perspective of the Polish draft law, it must first be clarified whether the internal channel to be set up by employers can exclude anonymous reports. Reading the applicable legal provisions leads to the conclusion that it is left to the employer to decide whether to permit anonymous reports. The employer’s internal reporting procedure should be sure to indicate whether anonymous reporting is permitted and, if so, how such a whistleblower is to be contacted. However, there is nothing to rule out the exclusion of this option.

The second interesting question concerns the form of the reporting channels. The law stipulates that the report can be submitted in writing or verbally. It therefore seems that employers are not obligated to set up both a written and a verbal reporting channel. However, we must wait for the provisions relating to this question since this interpretation does not seem compatible with the requirements of Directive 2019/1937.

Romania

1. Is there an update regarding the transposition of the directive into national law?

The Romanian government plans to develop detailed application standards and to implement them by means of a government decree. Regulations for large and medium-sized enterprises will differ.

2. What should companies bear in mind in the context of internal implementation?

Since there has been no implementation so far, we cannot provide any information on the law’s application or interpretation at the moment, nor can we identify any other practice-related problems.

Slovakia

1. Is there an update regarding the transposition of the directive into national law?

In Slovakia, an amendment to Act No. 54/2019 Coll. on the protection of whistleblowers from [sic: of] socially harmful activities was adopted with effect as of 1 July 2023. Although, prior to this, the original wording of the law regulated most of the fundamental rules that were defined by Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter “DIRECTIVE”), the DIRECTIVE has now been fully transposed within the scope of the Slovak legal system as a result of the amendment. Most of the amendment’s provisions entered into force on 1 July 2023; the remaining provisions then entered into force on 1 September 2023.

2. What should companies bear in mind in the context of internal implementation?

The group of people who can enjoy protection has been expanded; in addition to employees, for example, this also includes members of the executive bodies of a legal entity, employer, etc. The group of obligated parties (employers) who must have an internal reporting system has also been expanded. It is now possible to report issues in connection with business secrets.

A clear obligation has been established for employers to designate one of their employees as the person responsible for reviewing reports and communicating with the whistleblower; this also applies when the tasks related to receiving and reviewing reports are performed by external parties on the basis of a contract with the employer.

Employer fines were introduced for violations of the law (e.g., for taking retaliatory measures), or the already applicable fines were increased.

Spain

1. Is there an update regarding the transposition of the directive into national law?

In Spain, the Whistleblowing Directive was transposed by introducing Law 2/2023 of 20 February on the protection of persons who report regulatory breaches. The law entered into force on 13 June 2023 and aims to strengthen the compliance culture of public and private enterprises by protecting whistleblowers who report known misconduct in the work or professional environment.

2. What should companies bear in mind in the context of internal implementation?

Companies with more than 250 employees are obligated to set up a confidential internal whistleblower system within a period of 3 months from the law’s entry into force. For enterprises with more than 50 but fewer than 250 employees, the period extends to 1 December 2023. Failure to implement this requirement may result in sanctions depending on the severity of the breach. The respective enterprise’s management is responsible for the implementation. They must consult with the employee representatives for this purpose. With regard to the management of the system and the processing of notifications, the obligated companies should appoint an internal manager for the information system. In addition, Law 2/2023 stipulates that the obligated enterprises must include all internal channels for reporting possible breaches (e.g., channels for preventing bullying, for preventing criminal offences, etc.).

PDF Download