Issuers in the European Union will have an additional regulation to comply with from December 2021 and now is the time to ensure you are ready for that deadline. Directive (EU) 2019/1937 of the European Parliament is more commonly known as the EU Whistleblowing Directive. It seeks to protect those persons who expose illegal activity by people and organisations that they witness as part of their job. Each issuer with 250 or more employees must have a whistleblowing process in place before 17 December 2021, with those employing between 50 and 249 staff facing a deadline of 17 December 2023.
Table of content
1 The EU Whistleblowing Directive
2 The whistleblowing process
Background to SRD II
This directive is a natural consequence of recent events. There have been a number of scandals uncovered by whistleblowers, including:
- The infamous 2015 case where several officials at FIFA were arrested in Zurich after a whistleblower report. This large-scale corruption that was revealed within the governing body of football is said to have totalled more than €125 million.
- The anonymous whistleblower, given the name John Doe, who informed German journalist Bastian Obermayer from the newspaper Süddeutsche Zeitung about the Panama Papers.These were a series of documents from Panamanian law firm Mossack Fonseca that showed more than 200,000 offshore entities were creating shell companies to avoid tax, carry out fraud and circumvent international sanctions.
Although this new directive is yet another piece of legislation that issuers must factor into their operations, the ability to safely raise a concern and expose wrongdoing or malpractice without fear of retaliation is essential for the pursuit of justice. This is why the EU Whistleblowing Directive exists.
The EU Whistleblowing Directive
Below is a summary of the key elements of the EU Whistleblowing Directive.
- Issuers must provide employees with a confidential internal reporting system by the deadline required for a company of their size
- Organisations should train staff on how to file a report
- All affected organisations must appoint impartial staff or departments to monitor and manage reports
- Each organisation needs to take steps to comply with the General Data Protection Regulation (GDPR) during the whistleblowing reporting process
- Organisations must protect whistleblowers from retaliation following their reports, as well as knowing which other individuals require protection as a result of the report
The directive forms the minimum standards relating to the treatment of whistleblowers and their reports. Many EU member states also have additional whistleblowing policies to which issuers within their jurisdiction must adhere. Here are some examples:
|Country||Additional whistleblowing legislation|
|Belgium||There is no additional whistleblowing law in place in Belgium, but employers have a contractual duty of mutual respect when it comes to rules governing abusive dismissals, which whistleblowers could use in legal challenges. There are also rules against bullying and harassment in the workplace, which would apply if the whistleblower suffered retaliation for reporting.|
|France||The French Sapin II law applies to companies with more than 500 employees and is aimed at preventing corruption. Among a wide range of requirements is the one that businesses must put in place an internal reporting system.|
|Ireland||The Protected Disclosures Act 2014 is also called the Whistleblower Legislation and offers redress to people who have been penalised for disclosing wrongdoing in the workplace.|
|Netherlands||Huis voor Klokkenluiders, or the Dutch Whistleblowers’ Authority, was established in 2016 as an independent body to advise, support and offer guidance to whistleblowers as well as to investigate criminal activity in organisations and retaliation against whistleblowers.
The organisation was established under the Dutch Whistleblowers Authority Act, which requires organisations of 50 or more employees to create an internal reporting procedure.
The authority also produced an Integrity Guide for organisations to help them establish the best possible processes.
|Portugal||The Portuguese Criminal Code features some clauses that apply to whistleblowers.
The whistleblowing process
This is the process for receiving, processing and investigating a whistleblowing report, as designated by the EU Whistleblowing Directive. The directive encourages reporting persons to use internal channels within the organisation for protected disclosure of information.
1. Sending a report
The whistleblower uses one of the internal reporting systems open to them to make their report. When developing your reporting methods, you should bear in mind the right to anonymity of the reporting person as well as anyone else mentioned in the report, including people mentioned in relation to committing criminal behaviour.
It should also comply with GDPR and be secure so that unauthorised persons cannot access the details of the report.
For the purposes of the directive, the whistleblower could be any of the following:
- Board members (including non-executives)
- Freelance workers
- Anyone in a senior manager role
- Former employees
- Prospective employees
2. Processing the report
A designated, impartial person or department must acknowledge receipt of the report within seven days.
They must then follow up on the report, maintain communication with the whistleblower and ask them for more information if needed before they start the formal investigation.
4. Formal investigation
The directive demands a “diligent follow-up” on the whistleblower’s report.
The organisation must provide the whistleblower with a resolution to their report within three months of receipt. The individual or competent department responsible should include details of the grievance procedure if the outcome does not meet the reporting person’s expectations.
This can include details of escalating the matter to competent supervisory bodies. If they still do not receive the resolution they require, they can make their report through the media or press as long as it is a public concern.
Here are some examples of internal whistleblowing reporting systems you could use within your business, as well as the advantages and disadvantages they bring in terms of compliance.
|Digital whistleblowing platform||
Introduce a whistleblowing policy
Compliance with the EU Whistleblowing Directive requires issuers to have a process in place to receive, investigate and resolve reports, whilst also protecting the people who make disclosures. This requires an internal policy that adheres to the legal obligations set forth by the directive and any additional regulations within your country.
You should choose the reporting channels that fit your business the best and make meeting the legal requirements as easy as possible. These channels should be described in your policy.
Promote your policy
Your staff need to know how the policy works, how it can protect them if they make a report and the consequences if they retaliate against a colleague who makes a report. Publishing it on your intranet is a good way of helping employees find and understand the policy easily and assuaging any fear of reprisals.
Reassure your employees
One of the major fears for whistleblowers is that they will suffer retaliation in the form of unfair dismissal, pay cuts, being passed over for promotion, bullying, coercion or any other detriment as a result of making their report in good faith. The protections that you offer should form a key part of your messaging to ensure employees feel comfortable with the idea of blowing the whistle should they need to. You should detail disciplinary proceedings that will take place for anyone attempting to intimidate a reporting person.
It is essential that you provide training to employees on all levels on how to raise awareness of criminal offences. Not only is it a legal requirement, but it could save your organisation money and prevent reputational damage.
If your employees feel confident about the ease of the whistleblowing process, this will increase the likelihood that they will report any potential legal violations and unethical conduct early and before they become more widespread.
If your leadership, from top-level managers to line managers, are aware of the process of dealing with disclosures, they will be able to promote an open culture where whistleblowing is seen as normal.
The culture of the organisation is important for encouraging people to report complaints of unlawful behaviour and to show you take the safety of the individual seriously. If you are shown to prize openness and honesty throughout the workplace, at every level, this helps embolden employees to use the whistleblowing system.
Do whistleblowers have legal protection?
The EU Whistleblowing Directive requires issuers and other organisations to provide free legal advice to whistleblowers. It also makes it illegal for anyone to retaliate against a whistleblower. The directive states that “it is crucial that reporting persons who do suffer retaliation have access to legal remedies and compensation.”
The legal remedies and compensation available depend on the seriousness of the issues and the nature of the retaliation committed on the reporting person who made the allegations.
If you do not have your whistleblowing process in place, there is still time, but you must act quickly. You should choose your procedures carefully and opt for the whistleblowing systems that work best for your organisation and allow you to comply with the timelines, privacy, security and confidentiality requirements of the directive.
If you choose to implement a digital whistleblowing system, IntegrityLog can help. The platform is fully compliant with the EU Whistleblowing Directive and provides easy, safe reporting. The interactive dashboard helps you keep track of all open cases and approaching deadlines. You can try IntegrityLog here.
References and Further Reading
- IntegrityLog: Digital Whistleblowing System
- Implementing the Whistleblowing Directive
- How to Encourage Whistleblowing
- Equality and Human Rights of Whistleblowers
- The European Commission on Whistleblowing