EU Whistleblowing Directive: Key challenges and expert insights

Facts in a nutshell

  • According to the directive, all companies, both public and private, with 50 or more employees in any European Union country must design and implement secure and effective internal reporting channels. They must also keep whistleblowers' identities confidential.  
  • The purpose of the EU Whistleblowing Directive is to enable whistleblowers to raise their concerns without fear and to give them greater protection across EU countries.  

We had the pleasure of sitting down with Dr Frank Schemmel, Practice Lead International Privacy & Compliance at DataGuard, to talk about what whistleblowing means for companies operating in the EU and why it is important.  

He shared with us what he sees in the whistleblowing and privacy space, what companies can do when a report is filed, and how DataGuard can help them to become more secure and compliant. 

First things first: Why should companies care about whistleblowing? 

Whistleblowing is essential for any company that wants to promote a culture of accountability and integrity. There are multiple reasons why whistleblowing is important.  

1. Prevents wrongdoing 

It allows employees to file complaints internally about things such as corruption, abuse of power, and discrimination without fear. That actually helps organisations to address these issues immediately. Whistleblowers generally have an insider perspective on the issues they report, so they know the company inside out. Therefore, they can provide insightful details of the issues. 

2. Creates a safe environment for employees 

A major concern for whistleblowers is confidentiality. Encouraging employees to communicate openly and protecting their identities helps to build commitment and trust, and can even increase productivity. 

3. Encourages transparency 

A transparent workplace builds trust between management and employees. It provides a sense of fairness in how they are managed and rewarded. In today's world, transparency is necessary for a sense of justice in the workplace and for effectively handling any issues. 

Who must comply with the EU Whistleblowing Directive? What are the deadlines? 

The EU Whistleblowing Directive applies to all companies, both public and private, with an operation in the EU. Since its introduction in 2019, EU Member States had until December 2021 to enforce whistleblowing laws. However, only half the Member States have implemented these laws to date. Because it is an EU directive, it is not directly applicable without such a national transposition law. 

Important dates  

There are two important dates organisations must keep in mind, and they depend on the workforce size. 

  • Businesses and government bodies with 250 or more workers must be compliant as of 17 December 2021. 
  • Businesses and government bodies with between 50 and 249 workers must be compliant by 17 December 2023. 

Note that if you have 250 or more workers, you should already be compliant – provided you are operating in a Member State that has already introduced a national whistleblowing law. 

Watch our recent webinar: Whistleblowing 101: An introduction to the new EU directive for more information.  


Can whistleblowing be done without data protection compliance? 

Put simply, the answer is no.

Data protection and data privacy rights play a key role in whistleblowing procedures. The respective case management and internal investigation depend on data protection compliance. This means that data protection compliance is a necessity. Keep in mind that privacy is of utmost interest to data subjects in whistleblowing cases because they seek identity protection. 

Take privacy seriously  

Investigation experts say that one of the biggest challenges they face during internal investigations is privacy-related matters. So, if you want to gather evidence through measures such as email screening, take privacy seriously from the start. This is also useful later, when evidence has to be provided lawfully in court. 

What are typical privacy challenges and the legal bases for processing when a report is filed by a whistleblower? 

There are four main areas that are usually relevant in terms of privacy. These include: 

  • Legal bases of processing 
  • Transparency/information obligations 
  • Retention/deletion periods 
  • Responsibilities for the processing  

First, you need to know which legal basis is applicable and outline it. When you implement whistleblowing systems, there are two legal bases for processing personal data: processing for compliance with a legal obligation, or processing based on legitimate interest. 

When the EU Whistleblowing Directive or national law is applicable, then you can base the processing on Article 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject) in conjunction with the respective national whistleblowing law. 

When the EU Whistleblowing Directive is not applicable, then you have to base your processing on legitimate interest.  

In Germany, there are specific legal bases for employment matters (German Federal Data Protection Act, Section 26), but the scope is narrow. There could also be collective agreements between the employer and works councils in place, but these do not bind outside parties.  

What is the biggest challenge for whistleblowing and privacy? 

Transparency and information obligations. 

Legal or compliance departments are responsible for the incoming reports, and they have a vital interest in gathering evidence. These departments must be careful not to tip off the involved parties about the ongoing investigation. They need to gather enough evidence during the internal investigation to stop infringements and prevent current and future harm to the company. They should also be careful about withholding information from the accused parties. 

In Germany, there are specific regulations in the data protection act for this. The main issue is that a lot of commentators, and in particular data protection authorities, consider these German-specific national regulations not compliant with EU law.   

So, what can companies do about it? 

The new Whistleblowing Directive clearly states that national regulations can provide exceptions for transparency and information obligations. You can defer the information as long as one of three reasons is applicable: 

  1. There is a risk that the facts cannot, or can no longer, be clarified.
  2. The assertion, exercise or defence of civil claims would be impaired.
  3. The preparation of criminal charges would be considerably impeded. 

What are the key information obligations used in whistleblowing cases? 

Whenever you need to decide whether or not to withhold information, you need to carry out a balancing-of-interests test. This test must be carried out on a case-by-case basis, where you make an assessment to balance the interests involved. 

There is also case law establishing that, in general, you do not have to disclose the identity of the whistleblower to the accused or involved parties.  

Let’s talk a little bit about data retention and deletion. How do these apply to whistleblowing? 

Currently, there is some controversy about the time period for which data can be retained.  

German laws state that documentation must be deleted two years after the conclusion of the procedure. However, data protection authorities mention a time frame of two months. 

A big issue in practice is what the triggering event may be. Which event concludes the procedure has yet to be more specifically discussed and implemented. 

Looking forward:  

It is clear that the Whistleblowing Directive presents never-before-seen challenges to companies with a presence in the EU. It expands the accountability that they face when it comes to retaliation against whistleblowers. 

The good thing is that a digital whistleblowing system can help you tremendously in dealing with the new challenges. It provides an essential building block for an effective compliance management system. It also helps protect your employees, reduce corruption risk and keep you updated and compliant with mandatory EU laws. Finally, it empowers you while meeting the highest data security and data protection requirements under the GDPR. 

How can DataGuard help companies with Whistleblowing? 

At DataGuard, we focus on helping our clients to protect their businesses and to digitise compliance. Our Whistleblowing solution provides you with the specialist legal advice and software you need to comply with the EU Whistleblowing Directive. 

If you enjoyed reading this, you might also be interested in our free whitepaper: Digitising Compliance: How Compliance Managers Benefit From Cloud-Based Solutions 

Schedule a free demo with our compliance experts today to see DataGuard’s Whistleblowing-as-a-Service solution in action. 

About the author

Dr. Frank Schemmel

Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, has supported DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as the optimisation of the DataGuard service lines "Privacy" and "Compliance", a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lecturer at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.
