Of interest.

Protection of whistleblowers – new obligations for employers

The bill on reporting person protection introducing institutional reporting person protection in the Czech Republic, published as Chamber of Deputies document No. 352 (the “Act”), was approved by the Chamber of Deputies on 21 April 2023 and referred to the Senate for consideration.

The Act transposes into Czech law the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breach of Union law (the “Directive”), the transposition deadline for which expired on 17 December 2021.

Completion of the legislative process
The Senate is to consider the Act by 1 June 2023 at the latest. The Senate has scheduled consideration of the Act for its 12th session on 31 May 2023 and therefore has little time left. The amendments submitted by the Senators so far are of a rather technical and formal nature and it can be expected, also in view of the late transposition, that the Senate will either approve the Act as submitted to it or will not comment on it and it will thus be considered approved as of 1 June 2023.

Subsequently, the Act, including the accompanying amending law, will be submitted to the President for signature and published in the Collection of Laws and the legislative process can be expected to be completed by the end of June 2023.

The protection of reporting persons has, in principle, taken on final dimensions, the basic outlines of which we would like to introduce you to in this, our first article in a forthcoming series on reporting person protection in the Czech Republic.

Effectiveness of the Act
The Act should enter into force as early as 1 August 2023; this is assuming that it is published in the Collection of Laws by the end of June 2023. If publication does not take place until July, the Act will enter into force on 1 September 2023.

However, the selected obliged entities will have longer to comply with the Law. Legal entities obligated under the Act (hereinafter the “Obliged entity”) apart from public procuring entities and entities employing at least 50 and less than 250 employees on the date of the Act’s entry into force, will be obliged to implement an internal reporting system (up to) 15 December 2023 – but of course, they may implement it earlier.

Reporting person protection in general
Reporting breach, also known as whistleblowing, is a key element in the modern corporate environment that aims to promote compliance with legal and ethical standards in the operation of the company. Companies are supposed to enable employees and others to safely report illegal conduct that could harm the company or third parties and is occurring within the company.

Companies that are committed to social responsibility, transparency, and sustainability already support relevant processes and create an environment that protects reporting persons from retaliation and ensures that reports are properly investigated. Thus, it is an integral part of organizations’ implementation of ESG standards and non-financial reporting to help create a corporate environment based on ethical principles and compliance with laws and social norms.

Report, breach and reporting person
The report shall be made by a natural person (the reporting person) and shall contain information about a possible unlawful act that has occurred or is about to occur in the case of a person for whom the reporting person, even indirectly, has performed or is performing work or other similar activity, or in the case of a person with whom reporting person has been or is in contact in connection with the performance of work or other similar activity.

According to the Act, the unlawful conduct to which the whistleblowing may relate may be conduct that:
(a) has the elements of a criminal offence; or
(b) has the characteristics of an offence for which a fine of at least CZK 100,000 may be imposed; or
(c) breaches the Act; or
(d) breaches any other legislation or regulation of the European Union (as determined by the Directive and the Act).

The Ministry of Justice will publish a list of relevant EU regulations in the relevant areas, mainly in the areas of financial services, corporate income tax, prevention of money laundering and terrorist financing, consumer and environmental protection, and others.

The law expressly provides that the report must also include the name, surname, and date of birth or other data from which the identity of the reporting person can be inferred. Thus, the Act does not bring so-called anonymous reports under its regulation. The Obliged entity may voluntarily decide to accept anonymous reports and handle them under the regime of the Act or under its regime.

The reporting person is then an identifiable natural person who has made or is making the report. In the case of an accepted anonymous report, the protection of the reporting person would become relevant at the point at which it would become apparent which person made the report – it would then no longer be an anonymous report.

Obliged entities may choose not to accept reports under the Act from selected groups of reporting persons – but this right cannot be denied to employees, interns, volunteers, or trainees.

 Who is the Obliged entity?
Among the Obliged entities, the Act includes, among others, the following entities:
(a) any employer who employed an average of at least 50 employees in the previous calendar quarter;
(b) a public contracting authority under the law governing public procurement, except for a municipality with less than 10,000 inhabitants;
(c) a public authority exercising competence in the field of administration of corporate income tax or administration of the levy for breach of budgetary discipline and other selected public authorities;
(d) a person authorised to grant or arrange consumer credit; and
(e) other specified employers (irrespective of the number of employees) engaged in capital market business, insurance business, as well as investment companies, investment funds, banking, and others.

Overview of the obligations of the Obliged entity
The basic obligations under the Act include in particular:
(a)  establish an internal reporting system;
(b) appoint a designated person who will be responsible for the compliance of the Obliged entities; and
(c) allow reporting persons to submit reports through the implemented internal reporting system.

Internal reporting system
Obliged entities must set up an internal reporting system, regardless of whether it will be the Obliged entity’s technical solution and/or outsourced to a third party – usually a provider of a comprehensive software solution. Obliged entities that employed on average 249 or fewer employees in the last calendar quarter may also share an internal reporting system.

An Obliged entity may delegate the management of the internal reporting system to another person, without prejudice to its responsibility for the fulfilment of its obligations.

Within the framework of the internal reporting system, the Obliged entity shall ensure:
(a) the possibility for the reporting person to submit a report through the internal reporting system, both in writing and orally, or in person at the request of the reporting person;
(b) posting information on its website about: the methods of report through the internal reporting system and to the Department, the identification of the appropriate person, his or her telephone number and electronic mail or other address for service, and whether the Obligated entity excludes the receipt of reports from certain persons permitted by the Act,
(c) advising the relevant person of his or her rights and obligations under the Act;
(d) that only the relevant person may inspect the notices given and that the prohibition on disclosure is complied with,
(e) an assessment by the relevant person of the validity of the report,
(f) notifying the reporting person of the receipt of the report and of the results of the assessment of the reasonableness of the report; and
(g) taking appropriate action to remedy or prevent unlawful conditions following the report.

Designated person
The designated person designated by the Obliged entity must be of legal age, legal capacity, and good character. The designated person may generally be an employee of the Obliged entity but may also be an external (outsourced) person who provides services to the Obliged entity in this area.

Designated person:
(a) receive and assess the reasonableness of the report submitted through the internal reporting system,
(b) propose to the Obliged entity measures to remedy or prevent the unlawful situation following the report,
(c) comply with the instructions of the Obliged entity, unless they jeopardise or obstruct the performance of its activities,
(d) act impartially in the performance of its activities,
(e) maintains confidentiality of the facts of which it has become aware in the course of its activities, even after the termination of those activities.

The designated person shall not disclose the data of the reporting person to a third party, except in compliance with the obligation to disclose data to public authorities, and shall keep an electronic record of reports and retain the reports received for a period of 5 years from their receipt.

Obliged entities should be advised, to maintain compliance with their obligations under the Act, impartiality, and fungibility, to designate multiple designated persons, both an internal designated person or persons and an external designated person.

Hierarchy of report systems?
As an alternative to the internal reporting system, the Act establishes an external reporting system operated by the Ministry of Justice (here).

The Act has abandoned the originally proposed hierarchy of internal and external reporting systems, and it is thus entirely up to the reporting person to decide whether to use the internal and/or external reporting system operated by the Ministry of Justice to submit a report.

Not only in view of this fact, but it should also be an incentive for the Obliged entity to implement a truly functioning and trustworthy internal report channel, which will motivate the reporting person to use it and allow the Obliged entity to handle any reports internally.

Under the conditions set out in the Act, if the internal reporting system is not functioning or if there is a reasonable fear of failure to deal with a report in a timely manner, or of retaliation, the reporting person may then make a public report under the protection of the Act – i.e., make it public.

Retaliatory measures
The basic principle of reporting person protection is, on the one hand, the possibility for the reporting person to submit a report and, on the other hand, the protection of the reporting person from possible retaliation by the Obliged entity against the reporting person.

Retaliation is defined as an act or omission in connection with the work or other similar activity of the reporting person which is triggered by the making of a report and which is likely to cause harm to the reporting person. Examples of retaliation include termination of employment, removal from a managerial position, reduction in pay or failure to grant a bonus, transfer to another job, rescheduling of shifts, introduction of night work, etc.

Not only does the law protect the reporting person, but the reporting person must not be subjected to retaliation, for example:
(a) the person who provided assistance in identifying the information that is the subject of the report, filing the report, or assessing the validity of the report;
(b) a person who is close to the reporting person;
(c) a person who is an employee or colleague of the reporting person;
(d) a person in which the reporting person has an interest or is a member of its body, a person controlling it, a person controlled by it or a person who is controlled by the same controlling person as the legal person; or
(e) a person for whom the reporting person performs work or other similar activity.

Penalties for offences
Failure to comply with obligations under the Act will be classified as an offence for which a fine may be imposed. Penalties may be imposed not only on the Obliged entity but also on the person directly concerned or on anyone who obstructs the reporting person in any way from making a report.

In principle, they may then commit an offence:
(a) the Obliged entity – a fine of up to CZK 400,000 (failure to disclose obligatory information or failure to take corrective action within the specified time), or up to CZK 1,000,000 for other offences (e.g., the reporting person was subjected to retaliatory measures);
(b) the designated person – a fine of up to CZK 20,000 (failure to inform of the outcome of the assessment within the time limit or failure to notify the loss of integrity), or up to CZK 50,000 (refusal to accept the report, failure to assess the reasonableness, frustrating/undermining the purpose of the report, providing information about the identity of the reporting person without consent) and up to CZK 100,000 (in case of intent);
(c) reporting person – a fine of up to CZK 50,000 for making a knowingly false report; or
(d) any person – a fine of up to 50.000 CZK for preventing another from making a report and up to 100.000 CZK (in case of intent).

Recommendation and conclusion
The adoption of the legal framework for the protection of reporting persons in the Czech Republic is at the very end of the legislative process and the Act will come into force for all Obliged entities already this year.

In view of the above, it is high time for Obliged entities, especially those in the private sector with more than 249 employees, to start implementing a credible comprehensive internal reporting persons protection instrument, which will include the introduction of an internal reporting system and the assignment of a designated person directly responsible for the proper functioning of the system.

Along with this, it is necessary to prepare the related internal legal documentation that will set the rules for the use of the internal reporting system and define the patterns of conduct of the relevant person and the process for the assessment of the reports in question in accordance with the Act. To make the implemented system truly credible, training of employees and the relevant person on their rights (and obligations) specifically in relation to reporting person protection may also be recommended.

We are at your disposal if you need legal support on the topic of reporting person protection.


Mgr. Jakub Málek, managing partner– malek@plegal.cz

Mgr. Tomáš Maux, junior lawyer – maux@plegal.cz




31.05. 2023