Published on: 07.04.2023
Note
This article is for informational purposes only and should not be considered legal advice. Some information in this article may not be up-to-date with the changing legal landscape. Consult legal professionals or relevant authorities in your jurisdiction(s) for precise guidance on compliance and legal matters. Personio provides the technical prerequisites and the tool for Whistleblowing and assumes no liability.
If you are interested in getting access to the Whistleblowing app, you can request further information and get an individual consultation from our Customer Growth & Success Team (page only available in English and German).
This article outlines the 2019 EU Whistleblowing directive and key considerations for compliance.
Overview of Directive (EU) 2019/1937
Background
On 16 December 2019, the European Union passed a directive to protect whistleblowers across member states. It covers a wide range of areas, and encourages individuals to report breaches of EU law, like corruption, fraud, tax evasion, or threats to public safety or the environment. Many countries have already adopted their own interpretation of the law.
Who is a whistleblower?
The European Commission defines a whistleblower as a person who reports or discloses information on a wrongdoing obtained in a work-related context, helping prevent damage and detecting threat or harm to the public interest that may otherwise remain hidden.
Who is affected by the directive?
- Companies with 50 or more employees
- Public sector institutions and authorities
- Municipalities with 10,000 or more inhabitants
Requirements
While each member state of the EU can apply this directive differently, the EU directive requires the following:
- Established internal reporting channels that allow whistleblowers to report wrongdoing in an organization or workplace.
- These channels should be easily accessible, guarantee confidentiality, and protect against retaliation.
- All report-related data must be handled in compliance with data privacy regulations.
- Designation of an impartial person or department to follow up and investigate. This could be a:
  - Compliance officer, Head of HR, Legal counsel, Chief Financial Officer (CFO), Executive board member or management.
- Unauthorized persons (anyone who is not a case manager) must not be allowed to access the system and gain knowledge of the reporter or the content of the report itself.
- Whistleblowers must receive confirmation of receipt of their report within seven days. A substantial response from the organization must follow within three months.
- Companies can outsource report processing, for example, to an external regulator.
- In some scenarios, companies with locations in different countries must have a reporting channel per country.
- Companies with 250 or more employees must comply within two years of adoption.
- Companies with between 50 and 250 employees must comply within four years of adoption.
- In some scenarios, companies with between 50 and 250 employees may use a shared reporting channel to obtain and identify evidence, provided that all obligations outlined are met.
Personio's Whistleblowing solution
We've developed a whistleblowing solution for anonymous tips. Organizations can use this to help follow the EU directive, and manage cases in one place. See Overview of Personio Whistleblowing and Implement Personio Whistleblowing for more information about getting started with Personio Whistleblowing. See this page to express your interest in our feature that offers:
Help with compliance
Our solution follows the 2019 EU Whistleblower Directive and GDPR and helps you follow regulations surrounding:
- Anonymity
- Confidentiality
- Two-way communication
- Statutory update periods as directed by the whistleblowing legislation
Anonymity
With our safe and anonymous reporting solution, whistleblowers are empowered to speak up and be heard, creating a company culture where everyone can feel safe without fear of retaliation.
- Employees and external parties can submit whistleblowing reports and receive updates without having to expose their identity.
- The Personio Whistleblowing feature will have a secure, password-protected anonymous postbox for each report, and each reporter is in full control of what information they share.
Case management
Easily manage cases in one place with our ticketing-like system. This will ensure that you never miss a whistleblowing report and always know the status of open cases.
- Assign new cases to ensure ownership and transparency.
- Track, respond to, and resolve cases from a single place.
- Monitor statutory periods to acknowledge and update each case.
Considerations for compliance
Familiarize yourself with national legislation
- Each EU member state implements the directive through its national laws.
- Study the legislation specific to your country or countries to understand reporting requirements, channels, and protections available to whistleblowers.
- Remember that your organization could be subject to multiple jurisdictions where the Directive might be implemented differently.
- Seek legal advice where necessary.
Establish internal reporting procedures
- Develop clear and accessible reporting procedures within your organization.
- Consider whom to appoint as a dedicated individual or department to handle incoming reports.
- What does your triage for incoming reports look like?
- Establish quality standards and communication guidelines for case managers.
- Ensure your system processes reports from individuals who aren't employees.
Train employees and raise awareness
- Educate your workforce about whistleblowing rights and obligations.
- Empower senior leadership to uphold responsibilities.
- Ensure your staff is aware of the anti-retaliation requirements and implications.
- Find or create resources and materials to help you train employees and raise awareness about the importance of whistleblowing. Provide communication guidelines for case managers.
Ensure confidentiality and data protection
- Safeguard the personal information of whistleblowers and reported incidents in compliance with data protection regulations.
Prevent retaliation
- Consider implementing policies and procedures to protect whistleblowers from retaliation.
- Establish a culture that encourages reporting and ensures non-discriminatory treatment for individuals who come forward.
Review existing policies and contracts
- Update your internal policies, employment contracts, and codes of conduct to align with the EU directive.
Best practices
As mentioned, it's important to set up your Whistleblowing solution according to the legal requirements in your jurisdiction(s). When establishing your solution, consider the following:
- How many employees do you have in an office and/or entity? More than 49 or more than 249?
- Do you need a separate reporting channel per country?
- If you have a multi-entity set-up in one country, do you need a separate reporting channel per entity?
Note
This is not legal advice, and it is the responsibility of the customer to review if they are compliant with local legislation.
More information
Personio Whistleblowing resources
- Personio Whistleblowing
- Overview of Personio Whistleblowing
- Implement Personio Whistleblowing
- Personio Whistleblowing for reporters
General Whistleblowing resources
- 2019 EU Whistleblowing Directive
- Protection for whistleblowers
- EU Whistleblowing Monitor
- Whistleblowing International Network EU Whistleblowing Monitor
- Whistleblowing International Network Resources List
These links were last updated on 27 July 2023. Consult legal professionals or relevant authorities in your jurisdiction(s) for the most up-to-date information.