The European Union Regulation protects whistleblowers who report a violation of EU law. Some examples include legal violations such as tax fraud, money laundering, or data protection violations. This new regulation doesn’t only apply to employees, but it also protects trainees, volunteers, and self-employed workers. The Directive requires companies with more than 50 employees to take measures to protect.

The procedure of whistleblowing

Whistleblowers are encouraged to report observations first through internal channels. Depending on the circumstances of the case, whistleblowers may also contact the competent national authorities or the competent EU institutions, bodies, offices and agencies. In addition, whistleblowers can also approach the public and the media with impunity if, for example, no appropriate action has been taken after the initial report to the company or the authorities, or if there is an immediate or obvious threat to the public interest. Whistleblowers (and their supporters) benefit from special legal protection against all forms of retaliation (such as dismissal, degradation or intimidation). In addition, they are given access to legal, financial, and psychological support.

Requirements on the nature of the whistleblowing channel to be provided

  1. Confidentiality of the identity of the whistleblower:
    The procedures for reporting and following-up of reports shall include channels for receiving the reports which are designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report, and prevents access to non-authorized staff members.
  2. Response times:
    The procedures for reporting and following-up of reports shall include an acknowledgment of receipt to the reporting person within no more than seven days. The law also sets a time limit of three months from the receipt is set up to provide feedback to the reporting person about the follow-up.
  3. Contact persons:
    The procedures for reporting and following-up of reports shall include the designation of an impartial person or department competent for following up on the reports (…) and which will maintain communication with and, where necessary, ask for further information from and provide feedback to the reporting person.





  4. Follow-up:
    The procedures for reporting and following-up of reports shall include diligent follow-up to the report by the designated person or department, diligent follow–up where provided for in national law as regards anonymous reporting, and a reasonable timeframe to provide feedback to the reporting person about the follow-up to the report.
  5. Communication & information:
    The procedures for reporting and following-up of reports shall include clear and easily accessible information regarding the conditions and procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.
  6. GDPR Compliance:
    Any processing of personal data carried out pursuant to the Directive must comply with the GDPR.
  7. Record keeping of the reports:
    Authorities, private and public legal entities must keep records of every report received, in compliance with the confidentiality requirements provided for. Reports shall be stored for no longer than it is necessary and proportionate.

Internal Whistleblowing channels

The EU whistleblowing rules give whistleblowers the flexibility to contact internal hotlines within the company first or go directly to external bodies (authorities, journalists, the public). From the company’s point of view, however, it is desirable to obtain information internally first as much as possible. In this way, it is possible to react at an early stage and potentially deal with misconduct before the public becomes aware of it.

Internal reporting channels that provide security and anonymity to whistleblowers(ideally) must be established. Only then will whistleblowers be motivated to turn to internal departments first. There are several options when deciding on an internal reporting channel, like email, phone hotlines and digital systems. Digital whistleblowing systems offer a lot of security and anonymity and are easy for whistleblowers to access.