Whistleblower Protection Act: New Whistleblowing Duties Affect Medium-Sized Companies
- New Act stipulates new duties for all companies with more than 50 employees, including freelancers.
- From December 2021 at the latest, affected companies are to set up their own whistleblowing system for employees, customers, suppliers and other third parties so that they may anonymously report (alleged) irregularities in the company.
- Whistleblowers are allowed to inform the authorities or the public directly if the company does not offer its own anonymous whistleblowing system.
- Affected companies must therefore offer their own whistleblowing system in order to comply with their new legal duties and to prevent whistleblowers from contacting authorities or the public.
- New liability risks for management in case of passivity.
- The national Act implementing EU law has been published and does not provide for any relief for companies.
What is the EU Whistleblowing Directive?
The Directive determines new compliance duties. Specifically, companies must create opportunities for employees and third parties to anonymously report alleged and actual irregularities (= internal whistleblower system). The idea is that the company's management will thereby become aware of (alleged) irregularities and be able to react. National legislation must transpose the Directive. The corresponding draft bill is now available for download (in German).
Who is affected?
The EU Whistleblowing Directive applies to all companies with 50 employees or more and to companies with a turnover of EUR 10m per year or more. Companies in the financial services sector must establish internal whistleblowing systems regardless of the number of employees.
Furthermore, the EU Whistleblowing Directive now provides extensive protection for employees. They can report irregularities both to their own company as well as to external bodies (authorities) without having to fear labour law sanctions. This is especially true if there is no internal whistleblowing system.
Which violations may employees report?
Employees, customers, suppliers and other third parties may, as of today, report violations of EU law (e.g. data protection law), violations of national law (e.g. working time violations) as well as violations of internal policies to the internal or external whistleblowing system.
What do affected companies have to be prepared for?
The legislator has the explicit goal that especially medium-sized companies deal more actively with the topic of compliance and take first measures. In order to enforce these goals and increase the pressure, authorities must now provide their own, so-called external whistleblowing systems.
In this way, authorities are to become aware of wrongdoings within companies. Employees are also allowed to report grievances directly to the public if companies or authorities do not follow up on their tips. All in all, companies must prepare themselves for a stronger headwind from the legislator, which will focus in particular on grievances and breaches of rules within the private sector.
Are there new liability risks?
Yes, there are. Compliance violations often lead to personal liability of those involved. Compliance violations may also lead to personal liability of (uninvolved) directors, unless they have taken precautionary measures, such as establishing an internal whistleblowing system. The breach of the new obligation to establish such an internal whistleblowing system further increases the liability risks.
How must reports be handled under data protection law?
The Whistleblowing Directive stipulates that data processing may not violate the General Data Protection Regulation. This does not make it any easier to establish whistleblowing systems in practice. After all, the Whistleblowing Directive protects the individual whistleblower, while the GDPR protects the accused in addition to the whistleblower. This may lead to conflicts.
Do affected companies have to act now and prepare the whistleblowing system?
Companies should apply the necessary judgment. Specifically, it is good advice to talk to an expert about the initial situation in one's own company and to establish one's own internal whistleblowing system with extra time before the new regulations come into force on 17 December 2021, i.e. in the 2nd or 3rd quarter of 2021. One option here is to commission an external compliance trust agency, which can provide such a whistleblowing system as an external service provider (at low cost). Then the management would be exempt from liability while the company fulfils the new obligations.
Dr Maximilian Degenhart
Lawyer, Compliance Officer (TÜV)