Whistleblowing, a vital mechanism for maintaining organizational ethics and accountability, involves employees reporting suspected wrongdoing or misconduct within their organization. For whistleblowing to be effective, it is imperative to have a well-defined and transparent reporting process.
In the European Union, whistleblowing is regulated by Directive (EU) 2019/1937, also known as the Whistleblower Directive, which came into effect on December 16, 2019. The Directive enhances protection for people reporting breaches of EU law in their work environment and it requires Member States to align their national laws to provide an adequate level of protection throughout the EU.
The Whistleblower Directive applies to:
In order to comply, companies must:
The whistleblowing reporting process consists of several phases.
The first phase, which starts the reporting process, is the recognition of wrongdoing within a company. Whistleblowers can report a wide range of issues in several areas, including but not limited to:
Once the wrongdoing has been documented, the whistleblower can report it by choosing either an internal or external reporting channel.
Internal reporting channels are usually preferred, but if these are not effective or could lead to retaliation, whistleblowers can also report directly to competent national authorities or even make a public disclosure in certain circumstances.
Once the report has been received, the organization needs to address it. Each organization should have a clear whistleblowing policy that defines how the reporting process will be handled, and should designate an impartial person or department to receive and follow up on reports.
The designated team will then start the investigation, determining the soundness of the complaint and whether additional information is necessary. In certain cases, the company may also need to inform the people concerned of the allegations made against them.
The whistleblower should expect a first follow-up within 7 days. This is a formal acknowledgment that the report has been received and investigations will start.
Once the investigation is completed and the company has taken any necessary action, the report can be considered complete. The whistleblower should receive further feedback on the report within a maximum of 3 months.
Directive (EU) 2019/1937, also known as the Whistleblower Directive, particularly stresses the importance of protecting whistleblowers from any kind of retaliation. Employees should feel safe in reporting any wrongdoing within their working environment, without fear of being fired, demoted, or harassed.
That’s why it is essential that a company establishes both a clear policy on whistleblowing and a safe and confidential reporting channel.
Moreover, whistleblowers can also choose whether to remain anonymous or to disclose their names. The identity of the whistleblower can be disclosed only if they grant their consent. In either case, the organization has to safeguard their identity and avoid any type of retaliation.
Lastly, reporting persons should be offered strong legal protection. This includes, but is not limited to:
According to the EU Whistleblower Directive, people can report wrongdoing in the workplace in three ways:
Let’s go through each one of them.
Internal reporting channels are the preferred method for whistleblower complaints. According to the EU Directive, all private companies with 50 or more employees and all public entities must set up effective and confidential reporting channels. Remember: the deadline for complying with this requirement is December 17th, 2023.
Whistleblowers should be able to submit their complaints in writing, orally, or in person.
To submit a report orally or in person, the whistleblower should contact the designated team or person who is in charge of whistleblowing within the organization. In these cases, anonymity can’t always be guaranteed, but the company still needs to ensure confidentiality.
To submit a report in writing, an organization can either create an internal procedure (for example, setting up a specific email address to which complaints are sent) or rely on a third-party platform. Usually, these platforms streamline the whistleblowing process while ensuring anonymity and confidentiality.
If the internal reporting channel isn’t considered safe or confidential, or if the report could lead to retaliation, the whistleblower can also report directly to competent national authorities.
The EU Whistleblowing Directive requires Member States to designate a competent authority, which should receive the complaints, investigate them, and then give appropriate follow-up to the reports.
Here is a list of the competent authorities in Europe:
Country | Competent Authority |
---|---|
Austria | Austrian Federal Competition Authority (AFCA) |
Belgium | Federal Ombudsman |
Bulgaria | Commission for Personal Data Protection (CPDP) |
Croatia | Ombudswoman of Croatia |
Czech Republic | Ministry of Justice |
Denmark | National Whistleblower Scheme |
Finland | Chancellor of Justice |
France | Several competent authorities depending on the subject matter. The French Defender of Rights is the centralized contact point for whistleblowers. |
Germany | Federal Office of Justice |
Greece | Office of Complaints of the General Secretariat against Corruption (GSAC) |
Ireland | Protected Disclosures Commissioner |
Italy | Anti-Corruption Authority (ANAC) |
Latvia | Several competent authorities depending on the subject matter. The State Chancellery is the centralized contact point for whistleblowers. |
Lithuania | Prosecutor’s Office of the Republic of Lithuania |
Luxembourg | Several competent authorities depending on the subject matter. |
Malta | Office of the Ombudsman |
Netherlands | Authority for the Financial Markets for the Netherlands |
Norway | Several competent authorities, such as the Norwegian Labour Authority, the police and the Data Protection Authority. |
Portugal | National Anti-Corruption Mechanism |
Romania | National Integrity Agency |
Slovakia | Whistleblower Protection Office |
Slovenia | 22 different state institutions are responsible for receiving and handling the external reports. |
Spain | Independent Authority for the Protection of Informants |
Sweden | Several competent authorities depending on the subject matter. The Swedish Work Environment Authority is the centralized contact point for whistleblowers. |
The last-resort reporting channel is public disclosure, which should only be used under certain conditions. A few examples are:
Public disclosure can happen via web platforms, social media, the press, elected officials, civil society organizations, etc. Even in this case, the whistleblower should be granted the same level of protection.
To sum up, there are three important steps that each organization should follow to implement a solid whistleblowing reporting process:
iubenda’s Whistleblowing Management Tool helps EU businesses ensure compliance. We’ve designed our product to streamline management within organizations, protect whistleblowers, and ensure businesses consistently adhere to the law.