Protection of whistleblowers: What are the employer’s obligations?

As the new directive on whistleblowers must be transposed at the latest by 17 December 2021, employers should start thinking about how to implement their future obligations.

Following the major scandals revealed by whistleblowers, a European directive 2019/1937 on the protection of persons who report breaches of Union law was adopted on 23 October 2019 and will enter into force on 16 December 2019 (the Directive); the Member States will have to transpose it into national law at the latest by 17 December 2021 and the Luxembourg government has already announced that it intends to do so quickly and to broaden the scope. It is therefore useful to start an internal reflection on the issue in order to prepare for the new obligations that will be imposed on employers.

An extended and strengthened protection regime

The Directive aims at protecting the freedom of expression of whistleblowers. To this end, it establishes a protection for persons who, in the course of their professional activities, report or disclose certain/specific infringements. These infringements may cover various areas such as: financial services, the prevention of money laundering and terrorist financing, the protection of privacy and personal data, the security of networks and information systems, etc. The list of reported infringements that lead to protection is thus much broader than under the current regime.

Protection provided by reporting channels and legal remedies for whistleblowers

In order to ensure the protection of whistleblowers, the Directive presents two main courses of action:

  • The establishment of internal and external reporting channels, as well as in some cases, the possibility of public disclosure, and
  • The introduction of legal protection for whistleblowers and their relatives, which includes the establishment of legal remedies in the event of reprisals (such as dismissal, non-renewal of a fixed-term contract, refusal to promote, change of place or working hours, intimidation, etc.), the latter being prohibited and punished in all their forms.

Protection not limited to the employees of the company

The protection provided by this directive will not only apply to employees, but also to trainees, volunteers, self-employed workers, job applicants, former employees, etc. Its scope is very broad.

How should employers prepare?

In undertakings, notably those with more than 50 employees, it will be necessary to set up internal reporting channels, to inform of the implementation and use of this system (e.g. who will process the information? how will internal investigations be conducted?) and to ensure that infringements reported by whistleblowers are taken seriously and followed up.

In order to prioritise internal reporting and thus minimise the financial and reputational risk of public disclosures, it is recommended to ensure an easy and efficient use of internal reporting channels. In this respect, the implementation of an electronic/online whistleblowing system, compliant with the GDPR, has the advantage of guaranteeing the security and anonymity of whistleblowers.