Four years after its adoption, several EU member nations have yet to implement the EU’s Whistleblower Directive. Regardless, organizations have worked on revising or developing whistleblower policies in accordance with the EU’s guidance. This article provides a summary of what companies operating within the EU should know about the Whistleblower Directive.
Who Must Comply?
Organizations with over 50 employees operating within the EU must have a whistleblower function. It is important to note that requirements may vary from country to country, and this summary is based on the most common practices among EU countries implementing their legislation.
If your organization has over 250 employees, you must meet these requirements as soon as possible. For companies with between 50 and 250 employees, the deadline for compliance is Dec. 17, 2023.
Internal Reporting Channels
Compliance with the directive requires organizations with over 50 employees to have internal reporting channels that ensure confidentiality and security for whistleblowers, including adherence to GDPR regulations. Anonymous whistleblowing can be refused, but it is highly recommended to allow people to make anonymous reports.
Protection Against Retaliation
Whistleblowers must be protected against any retaliation that may result from their decision to blow the whistle. The protective measures extend beyond termination to other forms of retaliation, such as non-promotion, demotion, alterations in working conditions, disciplinary sanctions, non-renewal of employment contracts, and threats or harassment.
The EU GDPR applies to whistleblowing activities. Failure to comply with those requirements may result in violations of the GDPR, which can lead to severe financial consequences. Enabling anonymous reporting simplifies compliance with the GDPR and emphasizes the importance of secure and rigorous whistleblower systems.
Whistleblowers should be allowed to report cases verbally and in writing, and they should also have the option to schedule a physical meeting. Specific requirements for documenting interactions must be strictly adhered to.
Feedback and Follow-Up
Compliance professionals must send a confirmation that the case has been received to the whistleblower within one week. A follow-up must be conducted within three months, and the investigation’s results or measures that have been taken, or will be taken, should be shared during the follow-up. Information in a case must be deleted from the whistleblower system after a few years.
A whistleblower policy should set out everything employees within the organization need to know, including which channels they can use to blow the whistle.
Appointing Recipients of Whistleblower Cases
Appointing independent and relevant recipients of whistleblower cases, or case managers, is crucial to complying with the EU whistleblowing directive. Independent case managers can assess the facts presented without any undue influence or bias, ensuring that the whistleblower’s report is taken seriously and investigated appropriately. Case managers could be internal or external, such as lawyers or other experts.
Your Next Steps
Companies operating within the EU with 50 or more employees must comply with the Whistleblower Directive. This includes having internal reporting channels, protecting whistleblowers from retaliation, adhering to GDPR regulations, providing multiple reporting channels, conducting feedback and follow-ups, and having a whistleblower policy. Independent and relevant case managers should be appointed to handle the cases. Adhering to these guidelines will ensure the proper handling of whistleblowing cases and provide protection for whistleblowers.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com