Organization security

Whistleblower Protection

The new obligation related to the establishment of communication channels and the protection of whistleblowers requires the organization to develop and implement a whistleblower protection procedure, ensure openness to communication with whistleblowers and provide an appropriate, secure communication channel.

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of EU law, i.e. the Directive on the protection of the rights of whistleblowers, comes into force on 17 December 2021. It obliges entities employing over 250 employees to implement appropriate mechanisms for reporting irregularities and protecting whistleblowers from 17 December 2021. Entities employing 50 to 249 employees have this obligation from 17 December 2023. We also pay attention to the requirements for entities using EU funds.

Who is a Whistleblower?

A whistleblower is a person who reports breaches of EU law in an organization.
Anyone can be a whistleblower: an employee, associate, contractor, member of the management board, supplier, subcontractor, client, apprentice.
A whistleblower is a person reporting an action or practice that constitutes a breach of the law. Whistleblowers can submit reports in a wide variety of areas, such as public procurement, financial fraud, legal inconsistencies, product safety, transport safety, environmental protection, consumer protection and GDPR, including but not limited to:

  • bribery,
  • paid protection,
  • abuse of powers by an officer in order to gain financial or personal benefits,
  • money laundering,
  • participation in organized crime,
  • disruption of the public tender,
  • forgery of invoices with a significant amount of receivables,
  • credit fraud.

What requirements do we have to meet?

According to the EU Directive on the protection of persons who report breaches of EU law, in order for a whistleblower to be protected he must have a reasonable belief that he is reporting truthful information and make the report lawfully. The whistleblower protection procedure is to take into account:

  • reporting method, communication and accountability channels,
  • a detailed method of whistleblower protection,
  • how to protect whistleblowers’ personal data,
  • course of activities after receiving the notification and deadlines for the implementation of activities

It is our responsibility to protect whistleblowers against repression, discrimination and unfair treatment.

What should the procedure contain?

The procedures are to ensure full confidentiality and prevent (directly or indirectly) identification of the whistleblower.
Whistleblowers must be able to report violations anonymously, in writing or orally. In the case of written submissions, regardless of the choice of the form of communication (i.e. mailbox, dedicated e-mail address, IT system), it must meet the criteria of anonymity and confidentiality.

Employers are obliged to take actions following from whistleblowers’ reports. The follow-up is intended to assess the allegations and to develop remedial actions. These activities include internal investigations, investigations and improvement actions.
The procedure is to include:

  1. Description of reporting channels designed, established and handled in a manner ensuring confidentiality and protection of the whistleblower’s identity.
  2. Description of the appointment of impartial people / roles to act on reports and to communicate with the whistleblower.
  3. Indication of the deadlines for providing feedback (not longer, however, than three months from the confirmation of receipt of the notification),
  4. Information on procedures for external reporting to competent authorities.

Protection of the Whistleblower

The directive emphasizes the prevention of retaliation against the whistleblower.

The whistleblower shall not be liable in connection with obtaining the information that is the subject of the notification, if such obtaining does not constitute a separate prohibited act.

We must ensure adequate protection of the personal data of the Whistleblower and the persons concerned by the report.

We are obliged to ensure the confidentiality of the Whistleblower’s data if he so wishes or has provided a confidential report.

Reversed burden of proof will apply before the court or other body examining the case of the damage suffered by the whistleblower in connection with the follow-up activities conducted against him.

The protection of personal data is to be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, taking into account the rules regarding the processing of personal data specified in art. 5 of Regulation (EU) 2016/679, art. 4 of Directive (EU) 2016/680 and Art. 4 of Regulation (EU) 2018/1725.

How to ensure a safe channel of communication with Whistleblowers?

A secure communication channel that ensures the confidentiality of communications while ensuring the authenticity and effectiveness of follow-up feedback is not at all obvious.

We may indicate an e-mail address as the appropriate communication channel. We may ask you to encrypt the message and send the message in a file. The only question is whether the first solution is safe and the second is convenient and understandable for an average user.

We propose the use of a dedicated platform managed independently of our IT services and providing an appropriate level of communication security. We invite you to the website: to see how it works.


BPM cyber
Whistleblower protection implementation process

  • Analysis of existing roles and reporting channels in the area of compliance and incident management
  • Development and implementation of a governance and compliance policy
  • Development and implementation of a whistleblower protection procedure
  • Providing a secure communication channel
  • Building awareness