Compliance with the EU Directive on whistleblowing and other legal considerations related to misconduct reporting

03/02/2021 Vault Platform

Publication of a joint whitepaper produced by Bird & Bird and Vault Platform 

Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. 

By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. 

However, potential whistleblowers, whether reporting internally to stakeholders within their organisation or to an external body such as a regulator or the Ombudsman, are often discouraged from reporting their concerns or suspicions for fear of retaliation. 

In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.

On 7 October 2019, the Council of Ministers of the EU adopted the European Union’s Directive for the protection of persons reporting on breaches of Union law (the “EU Whistleblower Directive”), which must be implemented in the EU member states no later than 17 December 2021.

According to article 1, the purpose of the Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.

December 2021 is now months away and international businesses (particularly those with operations in a large number of EU jurisdictions, where the time needed to agree changes to policies and then translate these can be significant) can avoid a last-minute rush to compliance by preparing now to:

  • Review their standards of business conduct and reporting arrangements, including internal whistleblower solutions or reporting systems, to ensure compliance with the Whistleblowing Directive and continued compliance with GDPR; and
  • Implement internal whistleblowing policies (or adapt their existing policies to ensure they take account of the new legislation).

The WB Directive obliges both companies (with more than 250 employees from 2021 and more than 50 employees from 2023) and authorities in general to introduce whistleblower schemes, which must be available to all employees in the company/authority. Under the new WB Directive, the scheme may also affect external partners, e.g. clients or consultants.

Establishing a whistleblower scheme

The scheme can be established in various ways: reports can be submitted in writing (by post, by physical complaint box(es), or through an online platform, whether on an intranet or internet platform), orally (by telephone hotline or other voice messaging system), or both.

The online platform is expected to be the most common and effective way of implementing the requirement for a whistleblower scheme. According to the WB Directive premise (33):

“Reporting persons normally feel more at ease reporting internally, unless they have reasons to report externally. Empirical studies show that the majority of whistle-blowers tend to report internally, within the organisation in which they work. Internal reporting is also the best way to get information to the persons who can contribute to the early and effective resolution of risks to the public interest (…)”

To embrace this opportunity inside Europe, an online platform (as well as any other scheme established) must follow the rules and requirements laid down in the WB Directive and in relation to the processing of data in accordance with the General Data Protection Regulation (GDPR).

The WB Directive sets out requirements for the whistleblower scheme to be put in place. Some of these are mandatory and must, as a minimum, be implemented in the specific jurisdiction and thus in the system used. Others are considered guidelines, but are nevertheless recommended to be implemented in the system.

This whitepaper has been prepared by Vault Platform, a digital platform for misconduct reporting and resolution in the workplace, and the law firm Bird & Bird.

The aim is to inform HR, Compliance and Legal professionals about the requirements under the upcoming WB Directive, and to outline how Vault Platform enables public and private companies to meet these key regulatory requirements in relation to the establishment of an internal reporting platform.

Topics covered in this whitepaper include:

  • An overall description of the WB Directive
  • A description of the process through which the reporting takes place and actions being taken etc.
  • How Vault Platform enables compliance with the various requirements under the WB Directive
  • How Vault Platform deals with the rights of individuals who report via the Platform

At the conclusion of this whitepaper, the reader will have a good overview of all important aspects of the Whistleblower Directive, and of the considerations when using a digital platform, such as Vault Platform, for compliance purposes.

The paper can be downloaded here.