Whistleblower Protection Law FAQ
Which companies are obliged to implement the Whistleblower Protection Act?
All private and public companies with more than 50 employees are obliged to implement the Whistleblower Protection Act, the national implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. You can download the complete FAQs and the White Paper on the EU Directive on this page. The national laws have different deadlines; you can find the respective deadlines in the downloadable PDF for the respective country. The country-specific industries that are exempt from the minimum number of employees are also listed there (please download the full FAQ).
What are the obligations of the company?
All obligated companies must set up an internal reporting office that enables employees to report (possible) breaches. In addition, the company is obliged to process the reports, conduct internal investigations and take corrective measures to eliminate the causes of the breaches.
The internal reporting office can be partially or fully outsourced. Furthermore, the reports must be processed in a timely manner: within 7 days, the whistleblower must receive confirmation that the report was received, and within three months, the whistleblower must be sent a status report on the internal investigation.
What sanctions can be expected for breaches of the Whistleblower Protection Act?
If someone tries to prevent a report or impose unjustified sanctions, or if someone intentionally or recklessly disregards the duty of confidentiality, this can be sanctioned with fines. The amount of the country-specific fines can be found in the respective downloadable PDF.
What are the requirements for the internal reporting office?
The internal reporting office should be staffed by a limited number of persons who have the appropriate background to clarify reports of breaches of the law.
Companies with up to 249 employees can set up and operate a joint reporting office. However, compliance with the law, the duty to clarify and the taking of corrective measures remain the duty of the management of the respective company.
In practice, a joint reporting office among sister companies is conceivable. The responsibilities are to be contractually agreed accordingly and controlled by the management.
What is the Smart Integrity Platform?
The Smart Integrity Platform is a modular compliance and risk management platform for legal compliance. The Whistleblowing module fulfils the legal requirements of Directive (EU) 2019/1937 on the technical level and helps the company to comply with the deadlines and documentation requirements.
Who will process the reports?
The company appoints analysts, who are employees or independent externals who have completed the Smart Integrity Platform Analyst training, to receive and process the report.
How is the anonymity protected?
The platform enables anonymous reporting. However, this option is not compulsory and can be switched on at a later date. Furthermore, the metadata of file attachments is removed. The user creates an account for further anonymous communication with the caseworker. Redaction of file attachments must be done in advance.
What are the minimum requirements for a digital whistleblowing system software?
An externally hosted anonymous reporting system should meet the following criteria:
- Easy-to-use, accessible site for users
- Access restriction for different user roles
- Submission of written and oral reports (recording of audio files)
- Removal of file attachment metadata for the anonymous reporting option
- MFA for users with administrative rights
- Hosting in the EU at an ISO 27001 certified data centre
- Encryption of case-related communication, TLS 1.2 or 1.3
- (A)symmetric encryption of messages (databases) and file attachments (containers)
- ISO 27001 certified software provider
- Deletion routines for obsolete data
- Four-eyes principle and documentation for deletion of sensitive data
- Administration of notifications and deadline management
- Optional: risk and task management for documentation of investigation measures and corrective actions
- Audit-proof logging of accesses and changes in the system
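The metadata removal named above (and under "How is the anonymity protected?") is what keeps a camera serial number, GPS position or author name embedded in an attachment from identifying the whistleblower. As an added illustration of one such routine, not code from the Smart Integrity Platform, the following walks the marker segments of a JPEG and drops the APPn and COM segments that carry Exif, XMP, IPTC and comment data before the file is stored; the sample JPEG bytes are constructed inline for the demonstration.

```python
import struct

SOS, COM, APP0, APP15 = 0xDA, 0xFE, 0xE0, 0xEF
# Markers that carry no length field: SOI, EOI, TEM and RST0-7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with metadata segments removed.

    All APPn/COM segments sit before the Start Of Scan marker, so the image
    data from SOS onward is copied unchanged. The JFIF APP0 header is kept
    because some decoders expect it; it holds no identifying fields.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]  # entropy-coded scan through EOI, untouched
            return bytes(out)
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        is_app = APP0 <= marker <= APP15
        keep_jfif = marker == APP0 and segment[4:9] == b"JFIF\x00"
        if not ((is_app and not keep_jfif) or marker == COM):
            out += segment  # tables, frame header etc. are needed to decode
        pos += 2 + length
    return bytes(out)  # truncated file: no SOS seen, return what we have


def segment_markers(data: bytes) -> list:
    """List the marker byte of each segment up to and including SOS."""
    markers, pos = [], 0
    while pos < len(data):
        marker = data[pos + 1]
        markers.append(marker)
        if marker == SOS:
            break
        pos += 2 if marker in STANDALONE else 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return markers


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, an Exif block, a comment, a quantisation
# table stub, a minimal SOS header, a few scan bytes (with FF00 stuffing), EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08<camera serial, GPS>")
    + _seg(0xFE, b"Author: Jane Doe (constructed)")
    + _seg(0xDB, b"\x00" + bytes(64))
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
)
```

Other container formats (PDF, Office documents, PNG text chunks) carry their own metadata blocks and need their own stripper; the segment walk shown here covers JPEG only.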
Get the know-how of experts
Learn more about the national implementation of the Whistleblower Protection Directive. Get the knowledge to implement it in your company today. Get an overview of the obligations and practical recommendations.