The law of 16 May 2023 (the “Law”) transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the “Directive”) into Luxembourg law.
1. Scope of application
The Law has a wider scope than the Directive: it covers reports of breaches of both Union law and Luxembourg law (each a “Breach”). It is also intended to complement sector-specific frameworks that already exist, among others in the financial and insurance sectors.
In a business context, any person, whatever his or her status, may report Information about Breaches: public or private sector employees (including those whose employment contract has not yet started or has already ended), volunteers and trainees, subcontractors, suppliers, self-employed persons, shareholders, and members of the administrative, management or supervisory body (together, the “Whistleblower”). “Information” means information about actual or potential Breaches that have occurred or are very likely to occur in the Whistleblower's business context, including reasonable suspicions of such Breaches.
To benefit from the protective regime provided for by the Law, the Whistleblower must (i) have reasonable grounds to believe that the Information is true at the time of reporting and that the Information falls within the scope of application of the Law and (ii) have complied with the reporting procedures, as described in the Law.
2. Reporting channels
The Law provides for three reporting channels: internal reporting, external reporting and public disclosure. Whistleblowers are encouraged to use internal reporting channels before external ones where the Breach can be effectively remedied internally and they believe there is no risk of retaliation. Public disclosure should only be considered as a last resort, where it is clearly impossible to proceed otherwise.
Both private and public entities are obliged to establish channels and procedures for internal reporting. This obligation does not apply to (but remains an option for) private and public entities with fewer than 50 employees over a period of 12 consecutive months, nor to municipalities with fewer than 10,000 inhabitants. Legal entities in the private sector with between 50 and 249 employees may share resources for receiving and following up on reports. The internal reporting channel may be managed internally by a designated person or department, or provided by a third party. The channel must ensure the confidentiality of the Whistleblower's identity. Reports may be made in writing and/or orally, in one of the three administrative languages (French, German or Luxembourgish) or in any other language accepted by the legal entity, by telephone, voice mail or face-to-face meeting. For entities with between 50 and 249 employees, the obligation to implement internal reporting channels applies from 17 December 2023.
Independent and autonomous external reporting channels for receiving and processing Information are set up by the competent authorities, such as the supervisory authorities for the banking sector (Commission de Surveillance du secteur financier, CSSF) and the insurance sector (Commissariat aux assurances, CAA), the labour and mines inspectorate (Inspection du travail et des mines, ITM), the tax administrations and the professional associations.
Public disclosure is strictly regulated: a person who makes a public disclosure is entitled to protection under the Law only if one of the following conditions is met:
- the person has first made an internal and then an external report, or has made an external report directly, and no appropriate action has been taken in response to the report within the time limit provided by the Law; or
- the person has reasonable grounds to believe that:
  - the Breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible harm; or
  - in the case of an external report, there is a risk of retaliation or there is little likelihood that the Breach will actually be remedied, due to the particular circumstances of the case, such as where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the Breach or involved in the Breach.
3. Protection against retaliation
All forms of retaliation, including threats and attempts at retaliation, are prohibited against persons who have made a report pursuant to the Law. The following, in particular, are prohibited: suspension of an employment contract, layoff, dismissal, non-renewal or early termination of a fixed-term employment contract, or equivalent measures; demotion or refusal of promotion; transfer of duties, change of workplace, reduction of salary or change of working hours; suspension of training; disciplinary measures, reprimands or other sanctions, including financial penalties; (…).
Furthermore, reporting channels must comply with Regulation (EU) 2016/679 (the “GDPR”), since they process personal data of the Whistleblower and of the persons concerned by the report. To ensure that a reporting channel complies with the GDPR, it is strongly advised to carry out a data protection impact assessment (“DPIA”) on it.
Finally, a reporting authority (“Office des signalements”) is set up and organised under the Law.