Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of EU law (the Whistleblower Protection Directive) comes into force on 17 December 2021. From that date it obliges entities employing more than 250 employees to implement appropriate mechanisms for reporting irregularities and protecting whistleblowers. Entities employing 50 to 249 employees have this obligation from 17 December 2023. We also draw attention to the requirements for entities using EU funds.
A whistleblower is a person who reports breaches of EU law in an organization.
Anyone can be a whistleblower: an employee, associate, contractor, member of the management board, supplier, subcontractor, client, apprentice.
A whistleblower is a person reporting an action or practice that constitutes a breach of the law. Whistleblower reports can concern a wide variety of areas, such as public procurement, financial fraud, legal inconsistencies, product safety, transport safety, environmental protection, consumer protection and the GDPR, including but not limited to:
- paid protection,
- abuse of powers by an officer in order to gain financial or personal benefits,
- money laundering,
- participation in organized crime,
- disruption of a public tender,
- forgery of invoices with a significant amount of receivables,
- credit fraud.
According to the EU Directive on the protection of persons who report breaches of EU law, a whistleblower is protected only if they have a reasonable belief that the information reported is true and they make the report lawfully. The whistleblower protection procedure must take into account:
- the reporting method, communication channels and accountability,
- a detailed method of whistleblower protection,
- how whistleblowers’ personal data are protected,
- the course of action after a report is received and the deadlines for carrying it out.
It is our responsibility to protect whistleblowers against repression, discrimination and unfair treatment.
The procedures are to ensure full confidentiality and prevent (directly or indirectly) identification of the whistleblower.
Whistleblowers must be able to report violations anonymously, in writing or orally. In the case of written submissions, regardless of the choice of the form of communication (i.e. mailbox, dedicated e-mail address, IT system), it must meet the criteria of anonymity and confidentiality.
Employers are obliged to act on whistleblowers’ reports. The follow-up is intended to assess the allegations and to develop remedial actions. These activities include internal inquiries, investigations and improvement actions.
The procedure is to include:
- a description of reporting channels designed, established and operated in a manner ensuring confidentiality and protection of the whistleblower’s identity,
- a description of how impartial persons or roles are appointed to act on reports and to communicate with the whistleblower,
- the deadlines for providing feedback (no longer than three months from the confirmation of receipt of the report),
- information on procedures for external reporting to the competent authorities.
The directive emphasizes the prevention of retaliation against the whistleblower.
The whistleblower shall not be liable in connection with obtaining the information that is the subject of the notification, if such obtaining does not constitute a separate prohibited act.
We must ensure adequate protection of the personal data of the Whistleblower and the persons concerned by the report.
We are obliged to ensure the confidentiality of the whistleblower’s data if the whistleblower so wishes or has submitted a confidential report.
A reversed burden of proof applies before a court or other body examining a claim for damage suffered by the whistleblower in connection with retaliatory actions taken against them as a result of the report.
The protection of personal data is to be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, taking into account the rules on the processing of personal data set out in Art. 5 of Regulation (EU) 2016/679, Art. 4 of Directive (EU) 2016/680 and Art. 4 of Regulation (EU) 2018/1725.
Providing a secure communication channel that ensures the confidentiality of communications while also ensuring the authenticity and effectiveness of follow-up feedback is not at all trivial.
We may designate an e-mail address as the communication channel. We may ask the whistleblower to encrypt the message and send it as a file. The question is whether the first solution is secure and whether the second is convenient and understandable for an average user.
We propose the use of a dedicated platform managed independently of our IT services and providing an appropriate level of communication security. We invite you to the website: signals.com to see how it works.
Related blog articles
How long does identifying and fulfilling a data subject’s rights actually take? Does our register of processing activities support the fulfilment of those rights? Are we able to automate the processes for fulfilling data subject rights?
The National Cybersecurity System sets requirements for operators of essential services and digital service providers. What are these requirements, described rather sparingly in the Act? What does the Act itself say about how to ensure the security and continuity of essential services?
A common problem for organizations is providing an effective internal communication channel that guarantees proper accountability, e.g. for fulfilling data subject rights or for reporting and handling personal data breaches.