In the spring of this year, the European Parliament approved a proposal of the Directive of the Protection of Persons Reporting on Breaches of Union law (hereinafter the „Directive”), which, as the name implies, sets common minimum standards for the protection of persons reporting breaches of European Union (EU) law in selected areas of legal regulation. The Council is expected to approve the Directive and publish it in the Official Journal shortly.
The Directive shall introduce mechanisms to facilitate reporting of breaches of EU law and sanctions for retaliatory measures against whistleblowers who report on breaches of EU law and aim to provide protection and means of reporting illegal acts for those whistleblowers.
Protected areas of interest
Protected areas of interest under the Directive include in particular procurement, financial services, products and markets and the prevention of money laundering and terrorist financing, product safety, transport safety, environmental protection, radiation protection and nuclear safety, food and feed safety, health and good animal welfare; public health; consumer protection, privacy and personal data protection and network and information system security, infringements against the financial interests of the European Union, infringements on the internal market, including breaches of competition and state aid rules. Member States may then extend this list and thus the scope of legal regulation of whistle-blower’s protection.
Personal scope, or who can be a whistleblower?
The Directive should provide protection to whistleblowers working in the private or public sector who have been informed on breaches of EU law in the working context, at least including:
a) persons having worker (employee) status;
b) persons having the status of self-employed persons;
c) shareholders and persons belonging to the governing body of the company, including non-executive members as well as volunteers and unpaid trainees;
d) all persons who work under the supervision and instructions of contractors, subcontractors and suppliers.
The Directive also applies to reporting persons whose employment relationship has not started yet, in cases where information on the breaches has been obtained during recruitment or other pre-contractual negotiations.
The definition of the reporting person (whistleblower) as set out in the text of the Directive is broad, but in our opinion meets the basic premise of the legislation, namely that the regulation in question is intended to protect persons who are in subordinate (organizational, legal, economic, etc.) relationship with a person who violates the law.
Obligatory entities under the Directive
In addition to the general prohibition of retaliatory measures against whistleblowers, the Directive also imposes certain obligations on more specific entities, which are primarily obliged to establish secure internal channels and internal reporting procedures and follow–up notification.
Obliged entity in the private sector will be following ones:
a) entities with 50 or more employees;
b) entities with an annual sales or balance sheet of annual balance of EUR 10 million or more;
c) entities of any size operating in the field of financial services or prone to money laundering or terrorist financing.
Obliged entity in the public sector will be following ones:
a) state administration bodies;
b) regional and district authorities;
c) municipalities with more than 10 000 inhabitants; and
d) other bodies governed by public entity.
Internal reporting procedures
The Directive provides that the following basic principles should be reflected in the internal procedures of obliged entities in relation to whistleblowers:
a) channels (even externally operated) for receiving, in writing and personally, notifications, which shall be designed, established and operated in a manner that ensures the confidentiality of the reporting person’s identity and prevents unauthorized personnel from gaining access;
b) the designation of the person or department responsible for taking follow-up action to the report;
c) taking follow-up action to the report by the designated person or department;
d) reasonable time limits not exceeding three months from the submission of the report to provide the notifying party with feedback on the follow-up to the report;
e) comprehensible and easily accessible information on procedures and information on how and under what conditions report may also be made externally to the competent authorities or institutions.
As regards external reporting, the Directive provides that public authorities must establish independent and autonomous channels for the external reception of information from whistleblowers. These channels shall be designed, established and operated in such a way as to ensure the completeness, integrity and confidentiality of the information and to prevent unauthorized access.
Protection of whistleblowers
Under the conditions laid down by the Directive, the reporting person is entitled to protection under the Directive if, at the same time, has legitimate reasons to believe that the information communicated was true at the time of the report and that this information falls within the scope of the Directive.
Member States are then required to introduce measures to protect such reporting persons in their national legislation, including sanctions to discourage obstruction of report retaliatory measures against whistleblowers.
In particular, any retaliatory measures relating to the report made are expressly prohibited against the reporting person if they comply with the requirements of the Directive. These include, for example, temporary suspension, dismissal from employment, downgrading or unreasonable refusal of promotion, reduction of salary or change of work time or work place, changes in working hours, negative performance or work benchmarking, discrimination, disadvantage or unfair treatment or premature termination or cancellation of a contract for the supply of goods or services.
How can we prepare for the new legislation?
Although the transposition deadline of the Directive will expire in more than a year, in particular larger companies should start addressing preparations for new legislation now. Below is an overview of the general recommendations that can be put in place to facilitate preparation for the introduction of mandatory whistleblower protection in the Czech legal order.
- Evaluation and identification of the current state of reporting procedures in the company
- Study the options for setting up internal reporting procedures
- Considering and assessing relationships with external partners in relation to reporting of breaches
- Reviewing existing internal processes regarding the future regulation of reporting of breaches – personal data protection, criminal liability of legal persons, anti-corruption policy, etc.
- Initiation of the process of implementation of compliance with the Directive – preparation of guidelines, procedures, related documentation, human resources and training
- Adequate and appropriate awareness raising in relation to reporting of breaches within the company
- Practical implementation and pursuance of established procedures for reporting of breaches in accordance with the Directive, respectively national legislation
- Use established practices to enhance the company’s reputation
Transposition and further development
The deadline for transposition into the national legislation of the Member States expires on 15 May 2021 and by that time the Directive should also be reflected in the Czech legal order. Member States are expressly permitted by the Directive to introduce or maintain provisions which are more favorable to the rights of reporting persons than those contained in the Directive.
In our opinion, it seems appropriate that the Directive should already be taken into account in the proposal of a new law – an Act on Protection of Whistleblowers in the Czech Republic, of which we informed you in our article The protection of whistleblowers in the Czech Republic?.
The EU itself will play a crucial role in the future of whistleblower protection, respectively the competent authority within the European Commission, and hence the national authorities, to disseminate proper and fair awareness of whistleblowing and new legislation, so that whistleblower protection becomes an integral and natural part of the company’s internal compliance systems, which will be spread employees.
This could create a natural symbiosis where the law is not violated and, in the case of excesses, these excesses are properly reported and resolved. It should not be a bullying tool. Accurate and high-quality transposition, as well as sophisticated and transparent internal systems in companies and institutions will also be important.
We will keep you informed about further developments of the legislative process at EU level in relation to the Directive as well as in relation to the proposal of a new law – an Act on Protection of Whistleblowers in the Czech Republic.
In addition, we would like to point out, that within the good governance of business companies and other institutions, it should already be borne in mind that the internal processes governing reporting undesirable and illegal acts at the workplace and procedures for the protection of whistleblowers as well as the protection of business companies and other institutions shall be established.
In case of any questions we are at your disposal, please do not hesitate to contact us.
Mgr. Jakub Málek, partner – email@example.com
19. 09. 2019
The Directive available here: https://eur-lex.europa.eu/legal-content/CS/TXT/?uri=CELEX%3A52018PC0218