Directive (EU) 2019/1937, also known as the Whistleblower Directive, came into effect on December 16, 2019. This directive marked the beginning of heightened protections for those who report breaches of EU law within their professional environment. It required Member States to align their national laws, guaranteeing a consistent protection level for whistleblowers throughout the EU.
Objective: Its primary intent is to set a baseline and align national legislations across the EU regarding the protection of individuals who disclose violations of Union law.
Implementation Timeline
General Adoption: EU Member States had a deadline until December 17, 2021, to enact laws and regulations in line with the Directive’s requirements.
Specific Provisions for Medium-Sized Entities: The Directive stipulates that private sector and legal entities employing between 50 and 249 individuals have until December 17, 2023,to implement an Internal Reporting Channel (IRC).
The establishment of this IRC must emphasize the following pillars:
Confidentiality: Ensuring the privacy of the whistleblower.
Prompt Acknowledgment: Recognizing received reports within a 7-day window.
Impartial Management: Appointing an impartial person designated specifically for handling reports.
Timely Feedback: Committing to provide feedback on reports within a span of three months.
Transparent Reporting Avenues: Ensuring protection for whistleblowers who report truthfully within the Directive’s scope. Safeguards include strict confidentiality, assistance from authorities, legal aid and protection against retaliation, including the exclusion of liability in certain cases and a reversed burden of proof.
Additionally, entities are obligated to preserve all records pertaining to reports and their accompanying documentation, in order to comply with the requirements imposed.
Key aspects and objectives of the EU Whistleblower Directive
Broad Scope of Application: The directive covers a wide range of areas, including public procurement, financial services, money laundering, product and transport safety, nuclear safety, public health, consumer protection, environmental protection, and more.
Multiple Reporting Channels: Whistleblowers are encouraged to use internal reporting channels within their organizations first, but if these are not effective or could lead to retaliation, they can also report directly to competent national authorities or even make a public disclosure in certain circumstances.
Protection Measures: The directive sets out that member states should prohibit any form of retaliation against whistleblowers, including dismissal, demotion, harassment, and other forms of unfair treatment.
Confidentiality: The identity of whistleblowers must remain confidential unless they give their express consent to disclose their identity.
Public and Private Sector: The directive applies to both the public and private sectors. In the private sector, it applies to entities with more than 50 employees, unless a special provision is made for entities with fewer employees.
Burden of Proof: If any adverse actions are taken against the whistleblower, presumably in retaliation to a report, then the burden of proof shifts to the person who has carried out the detrimental action to demonstrate that they acted for reasons other than retaliation.
Support and Assistance: Member states are required to provide information, advice, and even free legal aid to whistleblowers to ensure they know their rights and are supported throughout the process.
IMPORTANT: iubenda has built a dedicated tool to help you manage written whistleblower reports, but the Directive also requires businesses to set up in-person and oral reporting methods within their internal channel (and to provide all the same protections to whistleblowers who use it).
iubenda’s Whistleblowing Management Tool helps EU businesses ensure compliance. We’ve designed our product to streamline management within organizations, protect whistleblowers, and ensure businesses consistently adhere to the law.
Our tool offers an easy-to-use reporting form for employees and other stakeholders and allows businesses to manage the entire process from an intuitive all-in-one dashboard.
IMPORTANT: Even if your company is based outside the EU,if you have an EU branch with at least 50 employees, it also needs to comply with the directive.
⚠️ iubenda’s Whistleblowing Management Tool is included in the Ultimate Plan, it can be activated with one click. No configuration needed.
1. Activate the Whistleblowing Management Tool
From your iubenda Dashboard, simply click on “Activate“
⚠️ Once you’ve activated the Whistleblowing Management Tool, be sure to click on the “Embed” button within the Whistleblowing tile to proceed with the form embedding. If you don’t do so, you won’t be able to receive any whistleblower reports. See below how to embed your Whistleblowing Management Tool ⬇️
2. Embedding
💡 Remember, a clearly visible form ensures that anyone who wishes to report can easily do so.
After activation, click on “Embed” to integrate the reporting form for easy access by employees or other potential reporting persons.
Next, in this section, you’ll find all the options to embed the form:
Direct link: Use a direct link if you wish to send your users to your form directly, rather than using a modal window. Copy it, and then paste it strategically on your website, intranet, whistleblower policy, or wherever else you need it.
Add a widget to the footer: Use the provided code to embed the form directly on your site. You can choose to have the button in white, black, or remove the styling altogether. Just copy and paste it in the body of your website, wherever you wish to display the button. When users click this button, the form will open in a modal.
Embed the form in the body: Embedding the form directly into the body of your webpage integrates it as if it were part of your website. For this, copy the JavaScript snippet and paste it into the HTML of the specific page you’ve designated for this purpose.
Printable PDF with QR code: It serves as an offline extension of the online form. Designed for physical distribution. Simply print the PDF and display or distribute it as needed. The PDF includes a QR code that, when scanned, directs users to the associated online whistleblower reporting form.
⚠️ Tips:
Using a direct link guarantees that the form displays consistently across different platforms.
Ensure the form is easily noticeable, regardless of the chosen embedding method.
While the site’s footer is recommended for universal access, consider other strategic locations based on your organization’s structure.
Where do I put the iubenda Whistleblowing link?
That depends entirely on you. But the rule of thumb is your site’s footer. It’s a good way for it to be seen from every page.
3. User Reporting
Once activated, reporting persons can choose to report either anonymously or by providing their identity using the form embedded on your website. They can specify details such as the type of wrongdoing or misconduct, provide an exact date, and describe the facts. Once completed, they simply click on “Submit report” to send it.
After submitting the form, reporting persons will automatically receive an acknowledgment of receipt.
3.1 Appointing a Whistleblowing Manager
❗️ Direct Appointment Through Our Tool
Appoint a Whistleblowing Manager efficiently and seamlessly within our tool, making the process smoother and more integrated. This eliminates the need for a separate appointing form.
Dashboard Access Message
When someone without the necessary permissions tries to access the Whistleblowing Dashboard, they’ll see this message:
You don’t have the necessary permissions to access this tool.
Whistleblowing Dashboard access is limited to Whistleblowing Managers only. If you require access to this dashboard, please contact the account admin to request a Whistleblowing Manager role. For admins, role management can be handled via the ‘Teams’ section located in the ‘Account & Billing Info’ page. Please note: Admins cannot assume the role of Whistleblower Managers due to role-specific restrictions & cannot use certain embedding features like pdf downloads, preview, etc.
Steps for Admins
Go to ‘Teams’: This is found in the ‘Account & Billing Info‘ page in the top right drop-down menu.
Assign the Role: Click on “+ Add user” and then choose the appropriate team member to be the Whistleblowing Manager by entering their email address.
Send Invitation: The chosen member will receive an email to accept this role.
Role Acceptance: Once accepted, they can access the Whistleblowing Dashboard.
Note for Admins
Admins can’t be Whistleblowing Managers due to specific role restrictions. This ensures a clear separation of duties within the organization for better compliance and management.
4. Whistleblower dashboard
When a reporting person submits a report, the Whistleblowing Manager immediately receives an email notification. The Whistleblowing Manager can then access all reports from the Dashboard, and quickly identify the status of each.
In your Whistleblowing Management Dashboard you have full access to all the requests, with all the necessary details — the Creation Date, Type, Reporting Person, Status and a Detail Icon.
When you click on a report, all report details become visible. This allows you to promptly address any reported issues while ensuring a secure and confidential channel for whistleblowers.
From this “Report details” panel, you have the capability to assign different statuses, add notes, and see the full history for each report, helping you track the different phases of report processing.
The status of each report is now clearly marked, making it easier to track where each report stands in the process.
Step-by-Step Status Confirmation
Review Before Proceeding: A Whistleblowing Manager must review and confirm the current status before moving to the next. This ensures that each phase of the report is properly handled.
Confirmation Required: It’s no longer possible to skip ahead without confirming the current status. This adds an extra layer of diligence to the process.
Option to Leave Notes
Add Context: Whistleblowing Managers can now leave notes for each status. This is great for adding details or context, making the report handling more transparent and informative.
Easy Tracking: These notes help keep a clear record of thoughts, actions, and decisions made at each stage.
Detailed Log for Every Report
Chronological Order: At the bottom of the details modal of each report, you’ll find a detailed log. This log lists all the status changes in chronological order.
Full History: This feature provides a complete history of each report’s journey through the process, making it easier to review and understand the actions taken.
These updates to status management and the addition of a detailed log improve the overall process of managing whistleblowing reports. They provide clarity, ensure accountability, and make it easier to maintain a thorough record of each report’s handling.
Consider that each status in the whistleblowing report process represents a specific stage. Here’s what they mean and how to manage them:
Received: Once a report is received, review it and advance to the next step. Remember that upon submission, by default, the online form displays an acknowledgment receipt to the whistleblower. For non-anonymous reports, consider reaching out to the whistleblower in writing within 7 days.
Admissibility → Admissible/Not admissible: Your initial task is to assess the report’s admissibility. If the report meets the set criteria and is deemed admissible, continue with its processing. However, if it’s found inadmissible, consider the processing complete. For non-anonymous reports, inform the reporting person.
Processing (relevant only if admissible): After marking a report as admissible, ensure diligent follow-up. As per the Whistleblower Directive, advance to the subsequent step and provide feedback to the reporting individual within 3 months from the acknowledgment date.
Feedback Provided (relevant for non-anonymous reports only): Upon completion of the follow-up activities, share your assessment and subsequent steps taken with the reporting person, if their identity is known. As stipulated by the Whistleblower Directive, offer this feedback within 3 months of acknowledgment.
Processed: At this point, you’ve executed all requisite actions, deeming the report processed. Assess if additional steps are necessary for further follow-up or internal purposes before contemplating deletion.
Information Deleted: In accordance with the Whistleblower Directive, reports must be retained only for the duration necessary and proportionate to comply with the requirements of the directive or other mandates from Union or national law. In instances where national legislation specifies deletion requirements, ensure compliance. Exercise caution when deleting, as this action is irreversible.
Additional Resources
To help our users and enhance the efficiency of managing whistleblowing, we’ve prepared a set of downloadable resources:
📜 Customizable Whistleblowing Policy Template — The whistleblower policy serves as a foundational blueprint for organizations to personalize, featuring a section that allows for the addition of a link to the form for online submissions, while offering flexibility for customization to meet the organization’s unique needs and operational style. It establishes clear guidelines, ensuring that the team knows exactly how to proceed when encountering unethical or illegal behavior.
👥 Appointment Template: Assigning Responsibility — We prepared an appointment template for the designation of a person or department to handle whistleblowing reports. It helps streamline the reporting and investigation process, ensuring accountability and that concerns are addressed by those best equipped to handle them.