The EU Commission enacted the new EU Whistleblower Directive EU 2019/1937 in October 2019. So it is not all that new. However, it has now come back into focus because the implementation deadline for member states expired in mid-December 2021. Germany, like many other EU countries, has not yet implemented a law to protect whistleblowers and has thus violated EU law.
At the latest since Edward Snowden published details about intelligence surveillance projects, the term whistleblower has become familiar to almost everyone. Although whistleblowers long had the negative image of traitors, many companies have now recognized their value: they can save companies from serious damage to their image.
What is a whistleblower?
In German, whistleblowers are referred to as "Hinweisgeber". They report unethical or illegal behavior that has previously taken place in secret, and thus uncover cases of corruption, human rights violations, fraud, bribery or data protection violations, for example. They usually report their knowledge anonymously to a corresponding reporting office in order to bring this misconduct to light.
Goal of the EU Whistleblower Directive: Protection for whistleblowers
The aim of the EU directive is to protect whistleblowers from reprisals, so that they are encouraged to disclose violations of EU law or unethical behavior in companies without fear of sanctions.
The EU Commission initiated infringement proceedings in January 2022, including against Germany. Since the current coalition agreement also plans to implement the law, the draft bill for the German Whistleblower Protection Act (HinSchG-E), which has already been on the table since 2020, will certainly be taken up again soon. The draft is even intended to include regulations that go further than those of the EU Directive.
To whom does the EU Whistleblower Directive apply?
The following companies and authorities fall under the scope of the EU Directive:
- Companies with 250 or more employees
- Companies operating in the financial sector
- Public sector entities
- Public authorities
- Municipalities with more than 10,000 inhabitants
The German draft law provides for even tighter limits: For example, German companies with more than 50 employees and companies with annual sales of more than 10 million euros must also be prepared for the fact that the obligation could affect them – but the draft has not yet been passed. Currently, companies with 50 to 249 employees also have an extended transition period until December 17, 2023 – so they don’t have to do anything yet.
Obligations under the EU Whistleblower Directive
Companies are required by the EU Whistleblower Directive to provide an internal reporting channel through which whistleblowers can share information securely and confidentially. The goal is to keep the identity of the whistleblower confidential and not make it public. In addition, the directive stipulates that at least one acknowledgement of receipt must be sent within seven days and further processing deadlines must be met. The transmitted data must be processed in compliance with the GDPR.
To ensure that every whistleblower can benefit from the additional protection, not only the company’s own employees must be informed about the reporting channel in a comprehensive and easily understandable manner, but also business partners, suppliers and other service providers.
In addition to these internal reporting channels, member states should establish external channels through which whistleblowers can report if there is no suitable option within the company. However, companies should have a high interest in creating adequate internal contact points. This is the only way they can help to ensure that sensitive data does not leave the company and enter the public domain. This could have a fatal effect on the company’s image.
Implementation of the whistleblower directive for employers
Employers with more than 250 employees are already in a bind – because even though the EU Whistleblower Directive has not yet been transposed into national law, it must already be complied with. The transition period expired on December 17, 2021. And even companies with fewer employees should prepare for the transposition of the directive into national law. This overview will help with step-by-step implementation:
- Contact person: There must be a central contact person for reports, who is preferably independent of the company, such as an externally commissioned data protection officer.
- Reporting channel: How companies implement the internal reporting channel is initially up to them. However, the system must be secure from unauthorised third parties and accessible around the clock. Ideally, the system should offer the possibility to conduct dialogue. E-mail boxes are a simple solution, but this variant neither preserves the anonymity of the whistleblower nor guarantees a secure exchange of information. It makes more sense to use special whistleblower software that meets the requirements.
- Shifting the burden of proof: Whistleblowers are only really protected from reprisals if they do not have to prove the reported information themselves – which is usually difficult in practice. The Directive therefore provides for a reversal of the burden of proof. If the whistleblower claims that the company put pressure on him or her, the company must prove the opposite. If, for example, a dismissal was announced a short time later, the employer must prove that this was not related to the information provided. If the employer cannot provide this evidence, it may even be liable for damages. However, the reversal of the burden of proof does not apply if the whistleblower intentionally or grossly negligently reports false facts.
- Documentation: If employees who are whistleblowers are found to have violated their duties, these violations must be documented in detail. This is the only way to ensure that the necessary evidence can be provided in the event of consequences under labour law.
- Involvement of the works council: When introducing a whistleblowing system, employers must involve the works council (section 87, paragraph 1, nos. 1, 6 BetrVG).
Employers should take action now
To avoid negative consequences, companies should now promptly seek appropriate solutions to implement the EU Whistleblower Directive. It is only a matter of time before German legislation follows suit. Therefore, it makes sense to deal with the requirements of the draft law today and implement them directly if possible.
Even if it initially causes a lot of effort, the reporting system can also have a positive effect internally. It signals to the staff that whistleblowers are taken seriously and that misconduct should be reported. At the same time, companies avoid the risk of misconduct – which can never be completely prevented – becoming public.