Video: Lexology Webinar on the EU Whistleblower Directive:
You can access the webinar recording on the Lexology webinar page.
On December 16, 2019, EU Directive 2019/1937 on the protection of persons who report breaches of EU law entered into force. The Directive requires all companies with at least 250 employees to set up a compliance whistleblower reporting system by December 17, 2021 at the latest. Smaller companies with 50 to 249 employees have until December 17, 2023. EU Member States now have until 2021 to transpose this Directive into their own national laws. Currently, no transposition is underway in Germany. However, the experts from SKW Schwarz pointed out that it is worth considering the transposition of the Directive now, since companies have a number of tasks ahead of them.
More information can be found in our detailed article "EU Whistleblower Directive entered into force – What needs to be done?"
FAQs: Frequently asked questions from our participants
General information on the Whistleblower Directive
Are registered non-profit clubs and associations to be regarded as undertakings within the meaning of the Directive, and do they fall within its scope?
Yes, the scope of the Directive also applies here.
What effect will Brexit have on the transposition of the Directive for companies based or established in the UK?
In 2018, the United Kingdom already enacted a law governing disclosed internal information (Public Disclosure Bill of 2018). However, it has some gaps compared to the provisions of the Whistleblower Directive. Although the UK is no longer obligated to transpose the Whistleblower Directive into national legislation due to its withdrawal from the EU (Brexit), a bill has been introduced into the legislative process to close these gaps. The Public Interest Disclosure Bill 2019-21 (services.parliament.uk/bills/2019-21/publicinterestdisclosureprotection.html) has not yet been passed or enacted as of early 2021. However, as a result of this initiative, it is expected that comparable regulations will also apply in the UK at least by the start of the transposition period for the EU Member States in December 2021.
The Whistleblower Directive requires organizations to have "secure reporting channels" for whistleblowers. Does this mean that companies must implement an automated reporting system and are not able to use a dedicated email system or telephone hotline?
On the one hand, the Directive is deliberately formulated in a technology-neutral way and does not stipulate any specific technology for the reporting channels. Both written and oral reports are to be made possible, by mail, via a physical or digital complaint box, through an online platform, whether it be on an intranet or internet platform, or by voice messaging systems and telephone hotlines, or by means of physical meetings.
On the other hand, there is no obligation to set up automated systems. Manual processing of received reports may also be sufficient. It is important that all reports are documented in such a way that they can be used for all subsequent judicial and extrajudicial proceedings.
Can we use the existing system in place (a system that encourages employees to report issues anonymously), or does a separate system have to be set up?
This can only be answered in the specific individual case. The existing system must be checked to see whether the requirements specified in the transposition law are met. In any event, the continued use of existing systems is not ruled out.
What are the restrictions on keeping records in the whistleblowing system after the closure of a case?
As a general rule, data may only be stored for as long as there is a reason for doing so. It must be examined whether specific time limits are specified in the national transposition law or whether general provisions on possible claims and statutes of limitations must be used.
What is the scope of application of the Whistleblower Directive? Are the protection and whistleblower systems also to be made available to persons who are not employees, such as suppliers or customers?
A key objective of the Directive is to protect whistleblowers from disadvantages of any kind. Therefore, it protects first and foremost "employees" who perform services for and under the direction of another person, in return for which they receive remuneration. However, other natural persons who are not "employees" but who can play a key role in exposing breaches of Union law, and who may be in a position of economic vulnerability in the context of their work-related activities, are also to be protected. This expressly includes suppliers, interns, former employees and job applicants, shareholders and management, even if the prohibited retaliation is only indirectly directed against the whistleblower and, for example, directly against his or her employer. In the case of customers, it will have to be examined on a case-by-case basis whether they are in such a position of economic vulnerability that they could face economic disadvantages as a result of reporting, e.g., through entry in "black lists," termination of important supplier relationships, or damage to their reputation, against which they must be protected by the national laws transposing the Directive.
What is the situation if I as a processor receive information from a whistleblower: What information (data) may/must I disclose to the data controller? At what point in time? How secure must the indications be?
We assume that the question relates to a whistleblower report regarding breaches at the client level. In principle, in such a case, the processor is not obligated to follow up on whistleblower reports in accordance with the Directive, since only its own breaches must be "investigated" and "followed up." However, it may be possible to derive from the (data) processing agreement a duty, or at least an obligation, to forward the whistleblower information to the client. Depending on the design of the client's whistleblower system, persons working under the supervision or management of contractors may pass the breach directly to the client. However, since a case-by-case examination is recommended, the data protection officer should be contacted in any event.
Information concerning the client's own breaches must be pursued by the client in accordance with the Directive, irrespective of the order processing relationship.
What is the procedure if the whistleblower wishes to remain anonymous?
Reporting via WhistleB is anonymous.
On the subject of the USA: could data transfers not be based on Article 49(1)(d) (important reasons of public interest) and (e) (establishment, exercise or defense of legal claims)? Such situations do not occur regularly, so this should also be permissible in the opinion of the EDPB.
This may well be a possible solution in certain cases to respond to CJEU case law (Schrems II). However, since only the Directive exists to date and there is no transposing law yet, one should also wait with the final justification for lawful data transfer.
What applies to Teams will also apply to the Azure Cloud: access by third parties, and especially from the USA, cannot be ruled out, can it?
Third-level support access can hardly be prevented, so encryption must take effect at that point.
In light of Schrems II, is it sufficient that data is stored in the EU for the Azure Cloud?
The choice of location is definitely helpful, but as described, all cloud systems offer at least support access from the USA. Encryption and anonymization are again important.
Update on international data transfer / Schrems II:
- The European Data Protection Board (EDPB) published recommendations on third-country transfers on November 10, 2020.
What is the recommendation when it comes to dealing with cases where there is no works council? It must also be possible to credibly communicate internally that the issues have really been addressed.
If whistleblowers use tools (such as that of WhistleB), they will inevitably know whether their report has been followed up, as employers will respond via this tool. In addition, the Directive stipulates – and we expect that something similar will be included in the transposition law – that the employer must respond no later than three months after receipt of the report. If no one responds to the whistleblower's report, the whistleblower has justified reason to suspect that the matter is not being investigated – and the whistleblower can then legitimately turn to state whistleblower offices that have yet to be established. In order to test the general functionality, a test phase can be started before the platform goes live, during which non-critical messages can be sent – which should of course be answered by the company to demonstrate the functionality of the platform to the employees.
Provided that there is a works council, should I then promptly start negotiations on a works agreement?
There is still no legal obligation – at least on the occasion of the Whistleblower Directive – to implement a whistleblower system, which is why a certain restrained approach towards the works council is advisable. Nevertheless, the message should already go out to the works council and the workforce that the employer is committed to protecting whistleblowers and will agree appropriate instruments with the works council in the 2021 calendar year to safeguard the integrity of the company.
How is the number of workers calculated (as the basis for the transposition obligation): at the level of the local GmbH or as a global company headcount?
Based on the wording of the Directive, the number is calculated per legal entity; however, the recitals of the Directive indicate that reporting lines can also be implemented on a group level and not on a local level only.
If your whistleblowing system is already in place in Germany prior to a works council being established, would you need to reconsult with the works council before continuing with the system?
No, you are not obligated to do so. A related obligation might arise once the transposition law is in place as the system might then not meet the statutory requirements any longer.
If a company (parent) is established in one of the Member States and has two subsidiaries in the same Member State, and the parent has more than 250 workers but the subsidiaries each have between 50 and 249 workers, do the compliance deadlines apply to the parent and the subsidiaries individually, i.e., December 2021 and December 2023 respectively?
Based on the wording of the Directive, this strict formal perspective is indicated. However, the recitals provide for a practical approach that only one system is established – however, it needs to be accessible for the workers of the subsidiaries as well.
Should we make a clear distinction between a whistleblowing policy and a grievance policy which concerns individual complaints regarding the employment terms or colleagues' behavior?
The Directive only intends to sanction any non-compliance with Union law, so a distinction in this regard is recommended. However, it is likely that some Member States will include non-compliance with local laws into the transposition law, e.g., Germany. It might be possible to merge such policies into one large whistleblowing policy.
Questions for WhistleB
So no personal data is collected directly. What about data for personal identification (IP, GeoLoc, etc.)?
The report can be absolutely anonymous, so that no IP address or the like is processed.
Does WhistleB also provide a phone option? Is that not also a requirement of the Directive?
WhistleB primarily provides a web-based reporting system and a case management tool. Although we still support existing customers with telephone reporting, year after year our customers indicate that web-based reporting is preferred over telephone reporting. This is due to the very small number of telephone reports received compared to web-based reports. Also, the quality of telephone reports is far lower than that of web-based reports, particularly as web-based reports allow documents to be attached.
The EU Whistleblower Directive states that provided the confidentiality of the identity of the reporting person is ensured, it is up to each individual legal entity in the private and public sector to define the kind of reporting channels to establish. Regarding internal reporting, whistleblowing channels "shall enable reporting in writing and orally. Oral reporting shall be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe." In other words: there is no obligation to provide all of those channels simultaneously for internal reporting. Organizations may choose the most suitable channel form. For external reporting, the Directive states that "external reporting channels shall enable reporting in writing and orally."
What is the relationship between WhistleB and Navex, and how are the systems interlinked?
WhistleB is a subsidiary of NAVEX Global. However, apart from customer administration and invoicing elements, WhistleB continues to operate as it used to do in the past, with GDPR compliance as one of its main pillars. The WhistleB and NAVEX Global reporting solutions are not interlinked in any way.
Is there a notification to the whistleblower at the WhistleB System once the company posted an answer or asked a follow-up question?
As the whistleblower remains totally anonymous from a technical point of view during the entire process, it is not possible to address the whistleblower directly. It is at the whistleblower's discretion to log in to the WhistleB communication channel and see whether any messages were received. The whistleblower will never receive any notification through the WhistleB solution, which is proof of its technical anonymity.
How does WhistleB provide a solution to the problem that you open Pandora’s box with the whistleblower hotline, i.e., now everyone will post every hunch he/she has about a wrongdoing?
Some organizations that do not have experience with offering a whistleblowing channel indeed fear being overwhelmed with reports once they do. Although the WhistleB channel is easy to use, organizations are unlikely to see this fear become reality if there is a culture of compliance within their organization. Various elements help to build such an environment and strengthen the value of a professional reporting solution, such as training and active encouragement of proper whistleblowing, while clearly indicating where and how to report other matters. This is supported by the findings of our yearly customer survey: customers typically do not experience a flood of malicious or useless reports.
According to the EU Directive, the company in question has to give feedback within 3 months about what has become of the case. How much does this feedback have to go into detail?
The Directive indicates that the idea behind this provision is that where the appropriate follow-up is still being determined, the reporting person should be informed about this and about any further feedback to expect. While the idea to get back to the whistleblower within three months is to promptly address the reported matter and to avoid unnecessary public disclosures, the Directive does offer a possibility to extend the timeframe to six months where necessary due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation. "Feedback means the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up."
How is it facilitated technically to give feedback to a whistleblower who decides to stay anonymous?
A whistleblower may remain anonymous, while being able to engage in further dialogue, by being provided with a unique login and password at the end of the report. This means that, without any data being tracked, the whistleblower may decide to access the externally hosted environment to which feedback is sent. In this way, a dialogue can develop while the whistleblower remains anonymous.
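As an added illustration (not WhistleB's code and not a description of its implementation), the sketch below shows how an anonymous dialogue of this kind can be built and how the Directive's feedback deadline can be tracked against the receipt date: the reporter is shown a random case id and secret once, the server keeps only a salted hash of that secret and no reporter metadata, and feedback is read back by presenting the pair. All names and the rendering of three/six months as 90/180 days are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

# Assumed values: the Directive's three months / six months rendered as days.
FEEDBACK_DEADLINE = timedelta(days=90)
EXTENDED_DEADLINE = timedelta(days=180)

class AnonymousCaseStore:
    """Hypothetical case store: no IP, e-mail or name is ever recorded."""

    def __init__(self):
        self._cases = {}

    def _hash(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def submit(self, report_text, received_at):
        # The reporter sees case_id and secret once; only the salted hash is kept.
        case_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._cases[case_id] = {
            "salt": salt, "digest": self._hash(secret, salt),
            "report": report_text, "received": received_at,
            "messages": [], "extended": False,
        }
        return case_id, secret

    def _authenticate(self, case_id, secret):
        case = self._cases.get(case_id)
        if case is None:
            return None
        # Constant-time comparison so a wrong secret leaks no timing signal.
        ok = hmac.compare_digest(self._hash(secret, case["salt"]), case["digest"])
        return case if ok else None

    def post_feedback(self, case_id, text, sent_at):
        # Company side: the case itself is the only route to the reporter.
        self._cases[case_id]["messages"].append((sent_at, text))

    def read_feedback(self, case_id, secret):
        case = self._authenticate(case_id, secret)
        return None if case is None else [text for _, text in case["messages"]]

    def feedback_due(self, case_id):
        case = self._cases[case_id]
        limit = EXTENDED_DEADLINE if case["extended"] else FEEDBACK_DEADLINE
        return case["received"] + limit
```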
Our experts will gladly answer any further questions you may have. Please feel free to contact us! We look forward to exchanging ideas with you.
All information about WhistleB can be found on the company's website. If you have any questions, please feel free to contact Jan Tadeusz Stappers, LL.M., PgDip, CIPP/E, firstname.lastname@example.org or Tim-Bendix Tondar, email@example.com.