Implementing Laws At-a-Glance
EU Member States are in various stages of drafting and finalizing national laws which will implement the EU’s Directive on the protection of persons who report breaches of European Union law (the “Directive”), which needed to be adopted by EU Member States by December 17, 2021. As EU Member States finalize their implementing laws, we will add below a brief Q&A-style summary of the main issues in each implementing act to keep you informed about the overall progress.
Last Updated: 27 July 2023
1. Has the implementing law been adopted?
Yes, the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz) (the “Act”) was adopted on February 16, 2023. It will enter into force one day after it has been published in the Official Gazette (not yet published).
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with at least 50 employees or civil servants must establish internal reporting channels. Private organizations in the following sectors must establish internal reporting channels, irrespective of the number of employees or civil servants: (i) financial services, products, and markets, (ii) prevention of money laundering and terrorist financing, (iii) transport safety, and (iv) protection of the environment.
Private organizations with 50 to 249 employees have until December 17, 2023 to establish their channels. All other eligible organizations are expected to establish internal reporting channels within a period of six months after the Act enters into force.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the response to Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Act also includes criminal corruption offenses, such as bribery.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Federal Office for Preventing and Combating Corruption (Bundesamt zur Korruptionsprävention und Korruptionsbekämpfung) is the Competent Authority, although other authorities have also been appointed for specific sectors under the Act:
If a Competent Authority receives reports under the remit of another Competent Authority, the former is required to direct such reports to the appropriate Competent Authority after informing the whistleblower.
8. Does the Competent Authority have specific investigative and enforcement powers?
Under the Act, the Competent Authority is required to conduct any necessary further investigations within its competence itself or request the appropriate Competent Authority, the public prosecutor’s office, or the competent court to investigate the matter. Further, the Competent Authority may take any follow-up measures it deems appropriate.
If the whistleblower’s report creates a suspicion that a crime has been committed, the Competent Authority has specific investigative and enforcement powers under the Austrian Code of Criminal Procedure and the Act on the Federal Office for Preventing and Combating Corruption.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The following non-compliance with the Act is subject to a fine of up to EUR 20,000, or EUR 40,000 in case of a repeated offense:
1. Has the implementing law been adopted?
Yes, the Law on the protection of persons who report violations of Union or national law found within a legal entity of the private sector (Loi sur la protection des personnes qui signalent des violations au droit de l’Union ou au droit national constatées au sein d’une entité juridique du secteur privé – available in French and Dutch) (the “Law”) was published in the Official Gazette on December 15, 2022 and entered into force on February 15, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations in the private sector with at least 50 workers must establish internal reporting channels.
Private organizations with 50 to 249 workers have until December 17, 2023 to establish their internal reporting channels.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Law is addressed to organizations in the private sector only.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report tax and other matters as specified in the Law.
5. Does the implementing law permit anonymous reporting?
Yes; however, organizations with fewer than 250 workers are not required to accept anonymous reports.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Reports must be kept for the duration of the work-related relationship between the whistleblower and the organization. It is not currently clear how organizations should comply with this obligation for reports received from any individual with whom the organization has no contractual relationship.
Organizations must consult with applicable “social partners” before establishing internal reporting channels, which ‒ depending on the specific circumstances ‒ may include works councils or workers’ representatives.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Competent Authority will vary depending on the field in which the violation is committed. The Belgian government will designate the Competent Authority for each sector. Where the government has not done so, the Federal Ombudsmen will be the Competent Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, the Competent Authority has the power to impose administrative measures (or criminal sanctions if the Competent Authority is a judicial body). Administrative measures involve fines, suspensions, injunctions to engage in certain activities, or withdrawal of permits/authorizations. The specific measures will depend on the remit of the Competent Authority appointed in that specific field.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be subject to criminal fines from EUR 24,000 to 576,000 or administrative fines from EUR 2,400 to 24,000 under Article 101 of the Social Criminal Code for failing to meet the requirements of the Law that relate to their internal reporting channels. Note that both sets of fines can be further increased depending on the number of employees involved with the infringement, in accordance with specific formulae set out under Belgian law.
Criminal sanctions are also applicable if organizations (or their personnel) (i) obstruct or attempt to obstruct reporting, (ii) retaliate against reporting individuals, (iii) initiate unnecessary/vexatious proceedings against reporting individuals, or (iv) breach the confidentiality of a reporting individual. In such cases:
1. Has the implementing law been adopted?
Yes, Bulgaria has implemented the Directive by adopting the Law on the Protection of Whistleblowers or Public Disclosures of Infringements (Закон за защита на лицата, подаващи сигнали или публично оповестяващи информация за нарушения) (the “Law”).
The Law shall enter into force on May 2, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public organizations and private organizations with 50 or more workers must establish internal reporting channels. Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply starting on the date when the Law enters into effect (i.e., May 2, 2023).
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law allows reports to cover violations about areas of the law such as general criminal law and employment law.
5. Does the implementing law permit anonymous reporting?
While an organization may choose to accept, and initiate an investigation based on, anonymous reports, the Law does not provide protections for anonymous reporting, and organizations are not required to investigate anonymous reports. However, persons who have submitted anonymous reports not under this Law (but under another legal act) will be afforded protection against retaliation.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Proceedings cannot be initiated on reports relating to violations committed more than two years prior to the time of the report.
Whistleblowers may choose to report using one or a combination of the three possible reporting methods simultaneously. This is a deviation from the Directive that limits the circumstances in which a whistleblower will qualify for protection if they do not use internal or external channels before reporting publicly.
Organizations must review their internal reporting rules and follow-up at least once every three years, carry out an analysis of the practice on the application of the Law, and, if necessary, update their rules.
Organizations must use specific forms (approved by the Competent Authority (as defined below)) to register reports, which shall include, among other things: (i) full name; (ii) address; (iii) telephone number; (iv) email address; (v) the names of the person against whom the report is filed; (vi) his/her place of work (if the report concerns known persons); and (vii) details regarding the specific violation. Before a whistleblower can be deemed to have “reasonable grounds” to make a whistleblowing report and therefore benefit from protection under the Law, they must provide the information in (i) – (vii).
Organizations must appoint one or more responsible persons for handling reports. The Law states that, if the organization has a data protection officer (“DPO”), the DPO would be the appropriate responsible person, but organizations without DPOs may appoint other individuals to manage reports.
Organizations must establish and maintain a non-public register of submitted reports, containing information about: (i) the person who received the report; (ii) the date of submission of the report; (iii) the person concerned (if available); (iv) a summary of the alleged violation; (v) any connection between the report and other reports made; (vi) information provided as feedback to the whistleblower; (vii) follow-up actions taken; (viii) the results of report checks; and (ix) the period of storage of the report. The Competent Authority is required to specify the procedure for keeping this register and may prescribe specific retention periods for the register (which are currently undetermined). Organizations must also regularly submit statistical information from this register to the Competent Authority (although the process for this has not yet been established by the Competent Authority).
Organizations must provide implicated individuals with: (i) the opportunity to provide their own explanations and evidence; and (ii) the opportunity to object to collected evidence within seven days (subject to the protection of the whistleblower). Organizations must balance protecting the identity of the whistleblower and complying with this obligation on a case-by-case basis.
The Law permits entities of all sizes within corporate groups to share a common internal reporting channel.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Commission for Personal Data Protection has been designated as the Competent Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Sanctions vary depending on the type and nature of the non-compliance in question.
Administrative fines may be imposed where organizations:
Either (i) take action for the purpose of retaliation against the whistleblower or against a person related to them or (ii) initiate legal proceedings if they are carried out only with the intention of harming the whistleblower (ranging from BGN 2,000 – 8,000 (approx. EUR 1,000 – 4,000)); and
Fail to establish internal channels for reporting (ranging from BGN 5,000 – 20,000 (approx. EUR 2,500 – 10,000) (or BGN 10,000 – 30,000 (approx. EUR 5,000 – 15,000) for repeated violations)); and
Administrative fines ranging from BGN 400 – 4,000 (approx. EUR 200 to 2,000) may also be imposed for:
Obstructing or attempting to impede the submission of a report;
Failing to take or deliberately delaying the necessary follow-up actions on the report;
Failing to provide to the whistleblower (within three months of acknowledging receipt) information on the follow-up actions taken; and/or
Violating confidentiality obligations.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
All organizations with 50 or more employees must set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.
4. Is the scope of reportable concerns the same as in the Directive?
Yes.
5. Does the implementing law permit anonymous reporting?
The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, which would indicate that anonymous reporting is permitted. There is no specific regulatory guidance about anonymous reporting at this time.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.
The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Ombudswoman.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be fined by the Misdemeanor Court between HRK 10,000 and 30,000 (approx. EUR 1,300 and 4,000) for failing to:
a) Implement the Law within two months of the Law going into force (i.e., by June 23, 2022);
b) Establish an internal reporting system;
c) Protect the personal data received via a whistleblowing report;
d) Appoint a confidential person within three months of the Law going into force (i.e., by July 23, 2022);
e) Keep adequate records; or
f) Take measures to remedy acts or omissions that are unlawful.
In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000 and 10,000 (approx. EUR 130 and 1,300) for failing to implement the Law within two months of the Law going into force.
Organizations may also be fined between HRK 30,000 and 50,000 (approx. EUR 1,300 and 6,600) if they:
a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;
b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);
c) Disclose or attempt to disclose the identity of a person making a report;
d) Retaliate against a person making a report;
e) Fail to protect a person making a report from retaliation; or
f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).
In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000 and 30,000 (approx. EUR 400 and 4,000) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Persons Reporting Violations of Union and National Law 2022 (ο περί της Προστασίας Προσώπων που Αναφέρουν Παραβάσεις του Ενωσιακού και Εθνικού Δικαίου Νόμος του 2022) (the “Law”) entered into force on February 4, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Private companies with 50 or more employees, and all public sector entities (excluding local authorities with fewer than 5,000 inhabitants or 25 employees), must establish internal reporting channels.
Private organizations with 50 to 249 employees have until December 17, 2023 to establish their internal reporting channels. All other eligible organizations are expected to comply starting on the date when the Law went into effect.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover acts or omissions related to criminal offenses, non-compliance with any legal obligation, and other matters as specified in the Law.
5. Does the implementing law permit anonymous reporting?
The Law does not explicitly permit anonymous reporting; however, it refers indirectly to individuals anonymously making reports, which would indicate that anonymous reporting is contemplated. There is no specific regulatory guidance about anonymous reporting at this time.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must delete personal information contained within records of the reports (i) three months after the investigation is closed, or (ii) in the event of legal or disciplinary proceedings, one year after the completion of legal proceedings.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
A Competent Authority has not been appointed at this time.
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if, through lack of supervision or control, it fails to prevent an individual from committing the following offenses:
There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”
Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.
Prepared with assistance from Michal Nulicek of Rowan Legal in Prague, Czech Republic.
1. Has the implementing law been adopted?
The law on the protection of whistleblowers (the “Law”) was published in the Collection of Laws on June 20, 2023, and will enter into force on August 1, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations in the private or public sector with at least 50 workers on 1 January of the relevant calendar year must establish internal reporting channels. In addition, organizations subject to specific anti-money laundering requirements under the Act on Certain Measures against the Legalization of Proceeds of Crime and Terrorist Financing must establish such channels regardless of the number of their workers. Municipalities with at least 10,000 inhabitants are also required to establish internal reporting channels.
Organizations with at least 50 but no more than 249 workers must establish an internal reporting system by December 15, 2023.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the response to Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, under the Law, whistleblowers can also report any criminal offence, certain misdemeanours, and other violations of the Law.
5. Does the implementing law permit anonymous reporting?
Yes, although organizations are not required to investigate anonymous reports and anonymous whistleblowers are not entitled to protection from retaliation under the Law, unless their identity is subsequently revealed after they issue an anonymous report.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
The list of retaliatory measures that whistleblowers should be protected from states that it includes, but is not limited to, the measures included in the Directive (e.g., withholding training, blacklisting a supplier, demotion, or withholding a promotion). This suggests that the Law’s scope of what amounts to retaliation is wider than the scope of the Directive and that the list in the Law is not exhaustive.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Ministry of Justice (the “Ministry”) is the designated Competent Authority in most cases, except for the imposition of fines on employers for breaches of the Law, in which case the Competent Authority is the Work Inspectorate.
The Ministry will (i) act as an external reporting channel for whistleblowers; (ii) provide assistance in whistleblower protection matters; and (iii) perform other tasks that are included under the Law (e.g., imposing fines on Competent Persons).
8. Does the Competent Authority have specific investigative and enforcement powers?
Both the Ministry and the Work Inspectorate have the ability to issue fines. However, only the Ministry has the ability to fine a Competent Person or a municipality directly. The Ministry is not responsible for conducting investigations; rather, it shall refer cases to other applicable public authorities (e.g., to the data protection authority in the event of a data breach).
The Work Inspectorate has the ability to fine employers as well as to conduct investigations relating to breaches of employment law (reports about such offenses fall within the scope of the Law; see the response to Q4 above).
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be fined:
Competent Persons may be fined by the Ministry:
1. Has the implementing law been adopted?
Yes, the Whistleblowers Protection Act (Lov om beskyttelse af whistleblowere) (the “Act”).
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with 50 or more employees.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include, among other topics, concerns about serious breaches of Danish law (such as theft) or other serious matters (such as “MeToo”-type complaints).
5. Does the implementing law permit anonymous reporting?
Not addressed in the Act.
6. Does the implementing law impose any other significant deviations from the Directive relating to:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Datatilsynet, the Danish data protection authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Not addressed in the Act.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
1. Has the implementing law been adopted?
Yes, the Act on the protection of persons reporting violations of European Union and national law (Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta) (the “Act”) entered into force on January 1, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations that regularly have 50 or more employees must establish channels.
Private organizations with at least 250 employees and public sector organizations with at least 50 employees must establish internal reporting channels within three months of the Act entering into force (by April 1, 2023). Private organizations which regularly have 50 to 249 employees have until December 17, 2023, to establish their internal reporting channels.
The Act does not specify what “regularly” means in this context and it would have to be determined on a case-by-case basis under Finnish law.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. The Act also allows whistleblowers to report certain violations of national legislation based on the issues set out in Article 2 of the Directive (e.g., product safety and compliance) and any matters that can seriously endanger the goals and broader aims of such legislation.
5. Does the implementing law permit anonymous reporting?
Yes, although organizations are not required to accept anonymous reports. In addition, the external reporting channel operated by the Office of the Chancellor of Justice does not accept anonymous reports.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
The Act requires that any relevant personal information (received through notification channels) must be deleted five years after receipt of the report, unless (i) otherwise required under law or (ii) in circumstances where the information is used to prepare or defend a legal claim. If the reports are appropriately anonymized, they can be retained indefinitely.
The Act permits entities of all sizes within corporate groups to share a common internal reporting channel, provided there is a close operational and administrative link between the entities.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Act does not specifically name any Competent Authority, although the Office of the Chancellor of Justice is responsible for managing the external reporting channel. The Office of the Chancellor of Justice must forward reports that it receives to the relevant authority responsible for the issues described in the whistleblower’s report that fall within the scope of the Act.
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Act imposes undefined civil sanctions (also known as “community fines”) for breaches of the Act. These sanctions will be determined on a case-by-case basis by the Competent Authority.
1. Has the implementing law been adopted?
Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II” law):
as well as an implementing decree concerning the procedures for collecting and processing whistleblower reports and establishing the list of external authorities (decree n° 2022-1284 relatif aux procédures de recueil et de traitement des signalements émis par les lanceurs d’alerte et fixant la liste des autorités externes instituées par la loi n° 2022-401 visant à améliorer la protection des lanceurs d’alerte) (the “Decree”).
The Law entered into force on September 1, 2022, and the Decree on October 5, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with 50 or more employees. The Decree clarifies that the threshold of whether an organization has 50 or more employees is to be assessed by calculating the monthly average number of employees across the organization’s previous two financial years. The procedures for calculating these thresholds are set out in Article L. 130-1 of the Social Security Code.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
The Law encourages organizations with fewer than 50 employees to establish internal reporting channels, by stating that individuals may report to their direct or indirect supervisor, employer, or other point of contact designated by the organization, even if the organization is not required to establish internal reporting channels.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report concerns relating to crimes and offenses under national law and other specified matters.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Whistleblowers can choose to report directly to an external authority (including a Competent Authority as defined below), without first using internal reporting channels.
The Decree clarifies that organizations (including private organizations) must consult with the relevant “social dialogue bodies” before establishing their internal reporting procedures. In practice, for private organizations, this will involve consulting with employees’ representatives or works councils.
If the whistleblower requests a videoconference or an in-person meeting, the meeting should take place no later than 20 working days following the request.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Défenseur des droits (“Defender of Rights”) is the key Competent Authority, although others have also been appointed for specific sectors (see a full list in the Annex to the Decree) under law n° 2017-55 “LOI portant statut général des autorités administratives indépendantes et des autorités publiques indépendantes”.
If the Defender of Rights receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Under the Law, the Defender of Rights is expressly tasked with supporting whistleblowers. The Defender of Rights has the power to issue an official opinion to “certify” whistleblowers (this would involve verifying that the whistleblower’s report was valid and that the individual should be protected as a whistleblower). This certification may be used if a whistleblower suffered retaliation for making a report and then later commences legal proceedings against the individual or organization who retaliated against them.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide penalties against organizations that fail to set up an internal reporting channel.
The Law increases the fine that may be levied against an individual who retaliates against a whistleblower to EUR 60,000 and against an organization to EUR 300,000, in addition to any supplemental measures to publicize the decision condemning any retaliation. In addition, any person who obstructs a whistleblower’s report may be sanctioned with up to one year’s imprisonment.
The Law also permits imposing: (i) a fine of up to EUR 30,000 against an individual or EUR 150,000 against an organization; or (ii) a sanction of two years’ imprisonment against any person who discloses the confidential aspects of a whistleblower’s report (including the identity of the whistleblower and any implicated individuals).
1. Has the implementing law been adopted?
Yes, the Whistleblower Protection Act (Gesetz für einen besseren Schutz hinweisgebender Personen sowie zur Umsetzung der Richtlinie zum Schutz von Personen, die Verstöße gegen das Unionsrecht melden - Hinweisgeberschutzgesetz) was adopted by the German parliament (Bundestag) on May 11, 2023 and by the German Council (Bundesrat) on May 12, 2023. The Whistleblower Protection Act (the “Act”) will enter into force on July 2, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with 50 or more workers, as well as “highly regulated companies,” regardless of their number of workers. These highly regulated companies are listed in the Act and are comprised of:
Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply when the Act enters into force on July 2, 2023.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the answer to Question 2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Act also allows whistleblowers to report all violations that are punishable by law, as well as certain violations that are subject to fines, insofar as the violated regulation serves to protect (i) life, limb, or health of individuals; or (ii) the rights of employees or their representatives.
5. Does the implementing law permit anonymous reporting?
Yes. Although there is no obligation to set up anonymous reporting channels, companies are required to accept any anonymous reports that they receive.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
According to Section 16 of the Act, internal reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports and the persons assisting them in fulfilling these tasks have access to the incoming reports. The identity of the whistleblower may only be known to the persons responsible for processing a report. Information about the identity of a whistleblower or a person who is the subject of a report may only be disclosed in exceptional cases, such as in criminal proceedings at the request of the prosecuting authorities.
Oral reports must be possible by telephone or by means of another type of voice transmission.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
A central external reporting office will be established at the Federal Office of Justice (Bundesamt für Justiz). In addition, the authorities which are competent to oversee the regulated financial sector, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt), are designated as further external reporting offices with special responsibilities for the financial sector.
The Act does not specify which authorities are responsible for enforcement; therefore, general principles under German law will apply, which means that authorities will vary from state to state. For example, in Bavaria, the Competent Authorities listed will enforce violations of the Act.
8. Does the Competent Authority have specific investigative and enforcement powers?
The external reporting offices are required to establish and operate reporting channels, check the validity of reports, and carry out procedures described in Section 28 of the Act. They can also impose follow-up measures such as requesting information from involved persons, the employer, third parties, or other authorities, and they may also refer a case to another authority.
Penalties for non-compliance with the Act are enforced by the applicable administrative authority which has jurisdiction in accordance with the German Act on Misdemeanours (OWiG).
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The references in the Act to Sections 30 and 130 of the German Act on Misdemeanours mean that the maximum limit for fines can be increased tenfold in the case of serious violations.
1. Has the implementing law been adopted?
Yes, the Law on the protection of persons reporting violations of Union law (Προστασία προσώπων που αναφέρουν παραβιάσεις ενωσιακού δικαίου) (the “Law”) entered into force on November 11, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
All private organizations in the following sectors must establish internal reporting channels regardless of the number of workers:
All other organizations (both public and private) with 50 or more workers must also establish internal reporting channels.
Private organizations with 250 or more workers and public sector organizations with at least 50 workers must establish internal reporting channels within six months of the Law entering into force (i.e., by May 11, 2023). Private organizations with 50 to 249 workers have until December 17, 2023, to establish their internal reporting channels.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
Yes.
5. Does the implementing law permit anonymous reporting?
Yes, this is implied as the Law offers protection for individuals who report anonymously and are identified at a later stage (provided that they have met the necessary criteria).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Private organizations with 250 or more workers and public sector organizations with at least 50 workers must appoint a responsible person for receiving and monitoring reports (“Responsible Person”) within six months of the Law entering into force (i.e., by May 11, 2023). Private organizations with 50 to 249 workers have until December 17, 2023, to appoint a Responsible Person. The Responsible Person may be a worker or a third party and is responsible for maintaining the internal reporting channel and its procedures (including receipt, confirmation of, and response to such reports). All private organizations must notify the Labour Inspectorate or the Competent Authority within two months of appointing their Responsible Person.
The requirement to designate a Responsible Person is triggered when an organization reaches 50 workers. Organizations must maintain a Responsible Person for two years after the year in which they trigger this requirement. For example, organizations with 50 or more workers in 2023 must maintain their Responsible Person until at least the end of 2025. After this two-year period, organizations can decide whether or not to continue having a Responsible Person if they no longer have 50 workers. For private organizations, the term of a Responsible Person should last at least one year, unless there are just and proper grounds to terminate their position earlier.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The National Transparency Authority has been designated as the Competent Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, the Competent Authority can determine the criteria for calculating the relevant fine amount when imposing fines on organizations that have failed to implement internal reporting channels.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law sets out criminal sanctions (including imprisonment) and monetary fines against infringing individuals and organizations for the following acts:
Failure to implement the necessary internal reporting channels can result in a fine being imposed on an organization by the Labour Inspectorate or the Competent Authority.
For any breaches committed for the benefit of or on behalf of an organization, the minimum fine is EUR 10,000 and the maximum fine is EUR 500,000. The final amount will take into account the seriousness of the infringement and the level of culpability involved.
Prepared with assistance from Ádám Liber and Tamás Bereczki, Provaris Varga & Partners in Budapest, Hungary
1. Has the implementing law been adopted?
Yes, the Act XXV of 2023 on complaints, public interest disclosures, and the rules on reporting abuse regulating the protection of persons who report breaches of the law and on combating corruption (the “Law”) (available in Hungarian) was published in the Official Gazette on May 25, 2023. The Law enters into force on July 24, 2023, 60 days after its publication in the Official Gazette.
2. Under the implementing law, which organizations must establish internal reporting channels?
The following organizations must establish internal reporting channels when the Law enters into force:
The following organizations must establish internal reporting channels by December 17, 2023:
The following organizations must establish internal reporting channels by January 1, 2025:
However, local municipal entities and budgetary authorities employing fewer than 50 persons or local municipalities with fewer than 10,000 inhabitants are exempt.
Local municipalities and the budgetary bodies under their control may also set up joint internal reporting channels.
For the purposes of the Law, a person is employed if they are performing an activity for and under the direction of an organization for consideration or for their own account.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see Q2.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also be made about any illegal acts, omissions, or other misconduct. However, whistleblowers will only be protected under the Law if their concern is included in the Directive.
5. Does the implementing law permit anonymous reporting?
Reports may be made anonymously; however, an investigation is not legally required if a report is submitted anonymously.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
If a person who is the subject of a report submits a data subject access request, the person who submitted the report must not be disclosed to the requester.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Labour and Occupational Health and Safety Department of County and Government Offices is the Competent Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, the Competent Authority has specific powers that are included in the provisions of Act CXXXV of 2020 on services and subsidies to promote employment and on the supervision of employment.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Competent Authority may issue public reprimands to organizations that do not comply with the law but it does not currently have the power to issue monetary fines or prohibitions from engaging in activities.
1. Has the implementing law been adopted?
Yes, Ireland has implemented the Directive in its national legislation by adopting the Protected Disclosures (Amendment) Act 2022 on July 21, 2022, to amend its existing whistleblowing law, the Protected Disclosures Act 2014 (together, the “Act”); the Act went into effect on January 1, 2023 (by virtue of a commencement order, dated October 12, 2022).
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations with 50 or more employees and public bodies must establish internal reporting channels. Private organizations with 250 or more employees are expected to comply with the Act as of the date that it goes into effect (i.e., January 1, 2023). Private organizations with 50 to 249 employees have until December 17, 2023 to establish their internal reporting channels.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Minister for Public Expenditure and Reform has the power to order organizations with fewer than 50 employees to establish internal reporting channels, taking into consideration the activities of the employers concerned and the potential levels of risk for areas of public interest such as the environment and public health.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include concerns about a person failing to comply with a legal obligation under an employment contract and certain other specified matters under the Law.
5. Does the implementing law permit anonymous reporting?
Yes. Under the Act, organizations are given the discretion (but not the obligation) to decide if it is appropriate to accept and follow up on anonymous reports.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
The Act allows the whistleblower to request further feedback at intervals of three months until the report is closed. This is in addition to the requirement under the Directive for organizations to provide feedback to the whistleblower within three months from when the report was received.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Office of the Protected Disclosures Commissioner (OPDC).
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, only in relation to where the Competent Authority receives a report via its own reporting channel. In that case, the Competent Authority may request and examine any record, book, or document, and order on-site inspections. The Competent Authority can also request a warrant if an authorised officer is prevented from entering any premises as part of investigations into a report.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Act provides the following penalties against individuals and organizations:
1. Has the implementing law been adopted?
Yes, the Italian Legislative Decree 24/2023 (the “Decree”) was published in the Official Gazette on March 15, 2023. The Decree will enter into effect on July 15, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
The following organizations must establish internal reporting channels by July 15, 2023:
Private organizations that do not fall within any of the other criteria above with an average of 50 to 249 employees on permanent or fixed-term contracts (based on the employee headcount from the previous year) have until December 17, 2023 to establish internal reporting channels.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see Q2.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover administrative, accounting, civil and criminal offences, as well as certain other types of unlawful conduct set out under the Decree.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations can (but are not required to) retain personal information processed in relation to the operation of their internal reporting channels for five years.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The National Anti-Corruption Authority.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Competent Authority can receive communications relating to retaliation suffered by whistleblowers and/or other persons protected under the Decree and exercise investigative powers in this regard.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Non-compliance with the Decree is subject to a fine of between EUR 10,000 and EUR 50,000 (depending on the gravity of the infringement) if the organization is found to have:
1. Has the implementing law been adopted?
Latvia adopted its implementing law (Trauksmes celšanas likumu) (the “Law”) on January 20, 2022, and it entered into force on February 4, 2022 after the Law was published in the Official Gazette on February 3, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the response to Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, a whistleblower may also report issues in respect of violations that are prejudicial to the public interest.
5. Does the implementing law permit anonymous reporting?
No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Latvia has designated:
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:
Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) (the “Law”) has been adopted. It amends Lithuania’s existing whistleblowing law (Law 2018-18760) and entered into effect on February 15, 2022. All eligible organizations must comply by this date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations with 50 or more workers.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include concerns related to violations of law, as well as certain other specified matters under the Law.
5. Does the implementing law permit anonymous reporting?
No. Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and is used for legal processes (including the submission of whistleblowing reports).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance for the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.
Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Public Prosecutor’s Office.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with the Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).
1. Has the implementing law been adopted?
Yes, the Law of May 16, 2023, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report violations of Union law (Loi du 16 mai 2023 portant transposition de la directive (UE) 2019/1937 du Parlement européen et du Conseil du 23 octobre 2019 sur la protection des personnes qui signalent des violations du droit de l’Union) (the “Law”) was published in the Official Gazette on May 17, 2023, and entered into force on May 21, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Private organizations with more than 50 workers for a period of 12 consecutive months and all public entities, except for municipalities with fewer than 10,000 inhabitants, must establish channels. Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations were expected to be in compliance starting on the date when the Law entered into effect on May 21, 2023.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law includes any unlawful act or omission which is contrary to national or EU law.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Private organizations with between 50 and 249 workers may share resources with respect to receiving and following up on reports. This does not preclude the obligations of such entities under the Law to maintain confidentiality, provide feedback, and remedy the reported violation.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Office des Signalements (the “Reporting Office”) is the key Competent Authority, although others have also been appointed for specific sectors, such as the supervisory authorities for the banking sector (Commission de Surveillance du secteur financier) and for the insurance sector (Commissariat aux assurances), the labour and mines inspection authority (Inspection du travail et des mines), and tax administrations, as well as professional associations (the full list of Competent Authorities is listed in Article 18 of the Law).
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, the Reporting Office has the power to investigate violations and issue administrative fines.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Anyone who retaliates or brings vexatious proceedings against a whistleblower may incur a fine between EUR 1,250 and EUR 25,000.
Organizations may face a fine between EUR 1,500 and EUR 250,000, which may be doubled in cases of repeat offenders, for the following activities:
A whistleblower who reports false information will be liable to a prison sentence between eight days and three months and/or a fine between EUR 1,500 and EUR 50,000.
1. Has the implementing law been adopted?
Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.
2. Under the implementing law, which organizations must establish internal reporting channels?
The following organizations are required to establish internal reporting channels:
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Act also applies to certain voluntary organizations (see above).
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover damage to the environment and corrupt practices as well as certain other specified matters in the Law.
5. Does the implementing law permit anonymous reporting?
Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.
However, if after reporting to the public, the identity of the whistleblower is made public and they subsequently suffer retaliation, their disclosure will still be protected provided that:
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act).
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment, and further regulatory guidance is needed on this matter.
The Act does, however, provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.
Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against an individual. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation, but it does not explain if or when organizations (rather than specific individuals) will be liable to pay such compensation.
1. Has the implementing law been adopted?
Yes, the General regime for the protection of persons who report violations (Regime geral de proteção de denunciantes de infrações) (the “Act”) has been adopted and is now in force.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations located in Portugal employing 50 or more workers.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover violent crimes such as trafficking of narcotics and weapons.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Portugal has nominated various Competent Authorities, depending on the subject-matter/context of the report (for a full list, see Article 12 of the Act, in Portuguese only).
Where no Competent Authority has been assigned to deal with the report or where a report implicates a Competent Authority, such report must be addressed to the National Anti-Corruption Mechanism (Mecanismo Nacional Anticorrupção), an independent administrative entity.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes. The National Anti-Corruption Mechanism is responsible for prosecuting violations of the Act and imposing the relevant administrative fines, except where sector-specific legislation designates another enforcement authority (e.g., the Securities Market Commission under national financial services regulations).
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Varying administrative fines, depending on the seriousness of the violation.
1. Has the implementing law been adopted?
Yes, Romania has implemented the Directive by adopting the Law regarding the protection of whistleblowers in the public interest (Lege privind protecția avertizorilor în interes public) (the “Law”).
The Law entered into force on December 16, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with 50 or more employees must establish internal reporting channels. Private organizations with 50 to 249 employees have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply starting on the date when the Law went into effect.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover actions or omissions that constitute violations of legal provisions.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Reporting individuals have the discretion on whether to report internally or externally to the Competent Authority (as defined in Question 7 below). This is a departure from the Directive which requires reporting individuals to exhaust internal options first before reporting externally.
Reports, unless made anonymously, must contain the following information: (i) the name and contact details of the reporting individual, (ii) the work-related context in which the information was obtained, (iii) the implicated individuals (if known), (iv) a description of the facts, (v) any evidence in support of the report, and (vi) a date and signature. Any reports that do not contain the name, contact details, or signature of the whistleblower should still be examined if they contain substantial indications of violations of law. However, if the reports do not contain a name, contact details, or the whistleblower’s signature, or if the information set out in clauses (ii)–(v) above has not been included, the report may be closed without carrying out an investigation, provided the whistleblower is informed of the reason for closing the report.
Records of reports must be kept for five years and then destroyed at the end of the five-year period.
In addition to providing an update to reporting individuals three months after the date that the report was acknowledged or should have been acknowledged, organizations must also provide subsequent updates on the investigation of a whistleblowing report.
If an organization ultimately decides to hold a disciplinary meeting to impose a sanction against the whistleblower (as a result of the whistleblower’s report), the whistleblower may request that the organization invite the press, a representative of a trade union or professional association, or an employee representative to the meeting. Upon a whistleblower’s request, the organization must announce the meeting on its website at least three working days before the meeting takes place. If disciplinary action is taken by an organization without complying with these requirements, the action against the whistleblower will be void.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The National Integrity Agency is the Competent Authority and it may allocate reports to other public authorities for investigation.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law contains civil and criminal penalties:
Courts can also (i) award damages if a whistleblower has suffered retaliation and/or (ii) where a court order has been issued in relation to the same whistleblowing report more than two times, issue supplementary orders to stop or remediate the retaliatory conduct and/or issue a fine of up to 40,000 lei (approx. EUR 8,000).
If an individual claims that they have been retaliated against, the burden of proof will rest with the organization that allegedly committed the retaliatory conduct. In such a case, a court can also order the organization to publish an extract of the judgment which found that the organization retaliated against the whistleblower in a local or national newspaper at its own expense.
Prepared with assistance from Peter Oravec and Elena Cervenova at PRK Partners in Slovakia.
1. Has the implementing law been adopted?
Yes, on May 10, 2023, the National Council of the Slovak Republic approved Act No. 189/2023 Coll. (the “Act”) which amends Act No. 54/2019 on the Protection of Whistleblowers (the “WPA”). It was published in the Official Law Journal on June 1, 2023, and will enter into force on July 1, 2023, with certain provisions entering into effect on September 1, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations that employ at least 50 employees;
Organizations that provide financial, transport safety, or environmental services (regardless of the number of employees); and
Public authorities with at least five employees.
While the obligation to establish internal reporting channels already applies to employers with at least 50 employees and public authorities under the WPA, the obligation to set up internal reporting channels for employers that provide financial, transport safety, or environmental services only becomes effective on September 1, 2023.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the answer to Question 2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, whistleblowers can report any anti-social activities.
The Act distinguishes between “anti-social activities” and “serious anti-social activities.” While there is no definition of “anti-social activities,” the term is broad and will likely include unethical practices in the workplace and any issues that have a negative impact on society.
When whistleblowers are reporting “serious anti-social activities,” the Act provides additional protections. Serious anti-social activities are defined to include various administrative and criminal offenses.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations must appoint a person or department to be responsible for internal reporting channels.
If an organization suspects that a crime has been committed, it must refer the case to the law enforcement authorities. Failure to do so is a criminal offense under Slovakian law. The organization is also required to inform the whistleblower in advance of such referral, unless this could impact the investigation. To the extent permitted by law, the organization is required to request the results of the investigation from the law enforcement authority and to inform the whistleblower of the results within 10 days of receipt.
Organizations are required to take action (e.g., disciplinary action) against employees who hinder a whistleblower from making a report or keeping records of whistleblower reports.
When investigating a report, the Competent Authority (as defined in Question 7 below) can require the relevant organization to share its own investigation findings.
Whistleblowers who are employees receive additional protections from retaliation if they file a report about serious anti-social activities. Specifically, organizations are required to seek approval from the Competent Authority prior to taking any employment measure that could be perceived as retaliation (such as dismissal or a demotion) against an employee whistleblower who issued a report about serious anti-social activities. The request for approval must include information prescribed by the Act.
Whistleblowers also have the right to ask the Competent Authority to suspend any measure that could amount to retaliation within 15 days from the day that they learned of the measure.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Competent Authority is the Whistleblower Protection Office.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes. The Competent Authority may request documents and records as well as warn and advise organizations about how to proceed. The Competent Authority can also issue fines, as set out below in Question 9.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Fines of up to EUR 30,000 can be imposed on organizations that:
Fail to take measures to remedy violations of law identified in a whistleblower’s report, or
Fail to submit to the Competent Authority a written report on the measures taken to remedy the identified violations of law.
Fines of up to EUR 50,000 may be imposed on organizations that employ fewer than 250 employees and that violate the requirements to establish internal reporting channels.
Fines of up to EUR 100,000 may be imposed on organizations that:
Employ 250 or more employees and that violate the requirements to establish internal reporting channels;
Take disciplinary action against an employee whistleblower without the permission of the Competent Authority (where permission is required); or
Threaten to retaliate against, or attempt to retaliate against, a whistleblower.
Fines of up to EUR 6,000 can be imposed for an offense committed by any person who:
Threatens to, attempts to, or sanctions a whistleblower for making a report;
Breaches the duty of confidentiality regarding the identity of the whistleblower or the identity of the implicated individuals; or
Attempts to prevent or obstruct whistleblowers from making reports.
Prepared with assistance from Alenka Antloga, State Supervisor for Personal Data Protection at the Information Commissioner of the Republic of Slovenia.
1. Has the implementing law been adopted?
Yes, the law on the protection of persons who report violations of EU law listed in the Directive (Zakon o zaščiti prijaviteljev – available in Slovenian) (the “Law”) was published in the Official Gazette on February 7, 2023, and entered into force on February 22, 2023.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations in the private or public sector with at least 50 workers must establish internal reporting channels.
Organizations in the private or public sector with between 10 and 50 workers must also establish internal reporting channels if they perform their main registered activity in the field of healthcare or in the areas of water collection, purification and distribution, handling of sewage, assembly, and removal of waste and handling it and obtaining secondary raw materials and in the fields of environmental remediation and other waste management.
Irrespective of the number of workers, internal reporting channels must also be established by certain ministries and administrative department units, governmental services, public agencies, and self-governing local communities (municipalities).
Organizations with more than 250 workers must establish internal reporting channels within 90 days after the Law enters into force. Organizations in the private sector with up to 249 workers have until December 17, 2023, to establish internal reporting channels.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the Law allows individuals to report on all violations of the national legislation in Slovenia, in addition to the scope of reportable concerns included within the Directive.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations required to establish internal reporting channels must appoint one or more “trustworthy persons or an organizational unit” among workers to receive and process reports.
In judicial proceedings that concern the termination of a whistleblower’s employment, the whistleblower will be able to receive injunctions faster, such proceedings will also be considered urgent, and the whistleblower will be exempt from paying court fees. The Law also establishes the presumption that the damage that the whistleblower suffers in such proceedings is a consequence of any retaliation measures from their employer.
A whistleblower is not entitled to protection under the Law if the report is submitted two or more years after the violation ceased.
Organizations will be required to report statistics on the reports that they receive each year to the Commission for the Prevention of Corruption (the “Commission”) (Komisija za preprečevanje korupcije: https://www.kpk-rs.si/en/), who will publish statistics about the number of reports received from all organizations responsible for internal and external reporting channels. The annual report from the Commission will be published by April 1 of each year.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Several Competent Authorities have been established, as set out in Chapter 5 and Article 14 of the Law. The Commission has specific powers to advise whistleblowers under the Law.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, and they have the power to issue fines.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Legal entities may be fined by Competent Authorities:
Between EUR 2,000 and EUR 6,000 for failing to:
Provide information to whistleblowers about internal reporting channels;
Appoint an organizational unit to receive a report;
Attempting to identify the whistleblower, related persons, or an intermediary or attempting to retaliate against such persons; or
Report data about the reports that it has received to the Commission;
Between EUR 20,000 and EUR 60,000 for:
Disclosing the identity of a whistleblower, related persons, or an intermediary; or
Retaliating against a whistleblower, related persons, or an intermediary.
Prepared with assistance from Claudia Gálvez Correa, Gómez-Acebo & Pombo Abogados, S.L.P., in Madrid, Spain.
1. Has the implementing law been adopted?
Yes, Law 2/2023 of 20 February, on the protection of persons who report breaches of the law and on combating corruption (the “Law” (available here in Spanish)) was published in the Official State Gazette on February 21, 2023. The Law entered into force 20 days after its publication (i.e., March 13, 2023).
2. Under the implementing law, which organizations must establish internal reporting channels?
Private organizations with 50 to 249 workers and municipalities with less than 10,000 inhabitants must establish their channels by December 1, 2023. Private organizations with 250 or more workers and all other public entities must establish their channels within three months of the Law entering into force.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the Law also allows whistleblowers to report acts or omissions that may constitute a criminal offense or a serious or very serious administrative offense under Spanish law. The Law does not include a specific list of these offenses but gives as an example offenses involving financial loss to the Public Treasury and to the Social Security system and violations in the area of health and safety at work.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
La Autoridad Independiente de Protección del Informante, A.A.I. (the “Independent Authority for the Protection of Informants” or AAI) will be the Competent Authority. However, the Competent Authority has not yet been officially established by the Spanish government.
8. Does the Competent Authority have specific investigative and enforcement powers?
Yes, the Competent Authority has the power to penalize organizations for non-compliance with the Law. The Law provides that decisions of the Competent Authority may only be appealed before courts.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law prescribes sanctions for “very serious infractions,” “serious infractions,” and “minor infractions”:
If individuals are responsible for the infraction, they can be fined EUR 1,001‒10,000 for minor infractions, EUR 10,001‒30,000 for serious infractions and EUR 30,001‒300,000 for very serious infractions.
If organizations are responsible for the infraction, they can be fined up to EUR 100,001 for minor infractions, EUR 100,001‒600,000 for serious infractions and EUR 600,001‒1,000,000 for very serious infractions.
For very serious infractions, the Competent Authority may also impose a penalty, including: (i) releasing a public reprimand or publishing the infraction in the Official State Gazette; (ii) prohibiting new subsidies or other tax benefits for a maximum term of four years; and (iii) prohibiting contracts with the public sector for a maximum of three years.
1. Has the implementing law been adopted?
Yes, the Law on the protection of persons who report misconduct (Lag om skydd för personer som rapporterar om missförhållanden) (the “Act”).
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations that at the beginning of the calendar year had 50 or more workers.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope appears to be broader. Individuals may, for example, also report violations of laws or other regulations covered in Chapter 8 of the Instrument of Government.
5. Does the implementing law permit anonymous reporting?
The Act’s legislative history/preparatory works allows for anonymous reporting.
6. Does the implementing law impose any other significant deviations from the Directive relating to:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Sweden has nominated a total of 30 competent authorities to handle whistleblowing reports (see the regulation in Swedish only). However, the Swedish Work Environment Authority has been appointed as the authority with overall oversight.
8. Does the Competent Authority have specific investigative and enforcement powers?
9. What are the sanctions for non-compliance with the Directive and the implementing law?
1. Has the implementing law been adopted?
Yes, the law updating the Whistleblowers Protection Act to implement the Directive (Wet van 25 januari 2022 tot wijziging van de Wet Huis voor klokkenluiders en enige andere wetten ter implementatie van Richtlijn (EU) 2019/1937 van het Europees Parlement en de Raad van 23 oktober 2019 – available in Dutch) was published in the Official Gazette on February 3, 2023. The law entered into force on February 18, 2023. A consolidated version of the Whistleblowers Protection Act (the “Law”) is available in Dutch.
2. Under the implementing law, which organizations must establish internal reporting channels?
Public and private organizations with 50 or more workers must establish internal reporting channels. Private organizations with 50 to 249 workers have until December 17, 2023, to comply with the Law and establish their channels. All other eligible organizations are expected to comply when the Law enters into force.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report acts or omissions having an impact on the public interest, as well as certain other matters as specified in the Law.
5. Does the implementing law permit anonymous reporting?
Yes.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
An organization that is required to establish internal reporting channels, but which has not set up a works council or staff representational association (and is not obliged to do so), must obtain the consent of more than half of its workers when setting up its internal reporting channels. This consent is not required if internal reporting channels are already regulated by a collective labor agreement.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Huis voor klokkenluiders (“Whistleblowers’ House”) is the key Competent Authority, although other authorities have also been appointed for specific sectors under the Law:
Financial Markets Authority (Autoriteit Financiële Markten)
Data Protection Authority (Autoriteit persoonsgegevens)
Netherlands Central Bank (Nederlandsche Bank)
Health Care and Youth Inspectorate (Inspectie Gezondheidszorg en Jeugd)
Dutch Health Care Authority (Nederlandse Zorgautoriteit)
Nuclear Safety and Radiation Protection Authority (Autoriteit Nucleaire Veiligheid en Stralingsbescherming)
If a Competent Authority receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority, provided that it first obtains the prior consent of the whistleblower to do so.
8. Does the Competent Authority have specific investigative and enforcement powers?
Under the Law, the Whistleblowers’ House is expressly tasked with informing and supporting whistleblowers. In addition, the Whistleblowers’ House also has the power to launch ex officio investigations.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be fined by the Whistleblowers’ House if they (a) fail to implement an internal reporting channel, (b) fail to provide information regarding the reporting procedures, (c) fail to act on the recommendations of the Whistleblowers’ House, or (d) retaliate against a whistleblower. The Law does not currently determine the amount of the fines; this shall be determined by a decree, which will be incorporated in the Law as an annex.