The EU Whistleblowing Directive – An Overview
The EU Whistleblower Directive was published in December 2019 and introduces minimum standards for the protection of individuals who report breaches of EU law in the areas of public interest listed in the annex to the Directive. These include, inter alia, privacy and personal data protection as well as the security of network and information systems. The Directive aims to protect individuals who have become aware of such breaches in a work-related context, irrespective of their status from an employment law perspective. Employees, civil servants, self-employed service providers, freelance workers, volunteers, trainees and even shareholders will now be protected under the Whistleblower Directive.
Status of implementation in the EU Member states
EU Member States are obliged to transpose the Whistleblower Directive into national law by 17 December 2021. So far, implementation is in progress in at least 21 Member States.
Legislative proposals have been drafted in the following Member States and are up for discussion in their respective parliaments:
- Belgium,
- the Czech Republic,
- Denmark,
- France,
- Romania,
- the Netherlands.
First legislative steps have been taken in the following Member States, where drafts are currently being planned or prepared:
- Bulgaria,
- Croatia,
- Estonia,
- Finland,
- Greece,
- Ireland,
- Latvia,
- Lithuania,
- Poland,
- Portugal.
Slovakia and Slovenia have enacted laws as a first reaction to the Directive, but new laws for full implementation are underway. In Germany, there is currently no comprehensive law implementing the Whistleblower Directive. At the time of writing, a number of proposals are in development, and the concrete implementation of the Directive in Germany remains controversial between the governing parties. A draft bill for the Whistleblower Protection Act (Hinweisgeberschutzgesetz) submitted by the Federal Ministry of Justice was rejected within the government at the end of April 2021 because it provided for stricter regulations than the EU Directive. A new draft has yet to be passed on to the next stage.
Operating channels and procedures for the internal reporting of breaches of EU law will inevitably involve the processing of personal data. The EU legislators were clearly aware of this: the Whistleblower Directive states that any processing of personal data pursuant to the Directive must be carried out in accordance with EU data protection law, and the General Data Protection Regulation (GDPR) in particular.
What this means for companies in the EU
To comply with the EU Whistleblower Directive, businesses should keep the following data protection elements in mind:
- Handle reports and the personal data of the reporter/whistleblower according to the principles of Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability;
- Have a legal basis for the processing of personal data and whistleblower reports (in this case Art. 6 para. 1 lit. c GDPR plus if applicable national data protection law in conjunction with the EU Whistleblower Directive);
- Apply purpose limitation and data minimisation to reports through Privacy by Design and by Default (configure the reporting tool so that only data relevant to the report is collected, and delete irrelevant data without undue delay);
- Limit access to the reports to responsible employees only, based on a strict and detailed authorisation concept (need-to-know basis);
- Ensure that the identity of the reporter/whistleblower remains confidential;
- Inform all (potential) reporters/whistleblowers, in accordance with Art. 13 GDPR, about the processing of their data in relation to the report and the subsequent investigation, and about the protection of their identity (preferably implemented directly in the reporting tool, so that the reporter/whistleblower is properly informed);
- Document the processing activity in a Record of Processing Activities in accordance with Art. 30 GDPR;
- Enter into GDPR compliant Data Processing Agreements with relevant service providers, if applicable;
- Have applicable and GDPR compliant Technical and Organizational Measures in place;
- Have a Retention Schedule in place (deletion of personal data within two months after completion of the investigation is recommended, unless legal proceedings follow);
- Keep reports local unless disclosure to other group entities is necessary because the report affects other locations.
To date, there is very little official guidance available from EU data protection regulators. Sooner or later, they will have to either issue updated guidance before the transposition laws at Member State level take effect, or encourage industry stakeholders to draw up a code of conduct for whistleblower reporting.
On the business side, successful implementation can protect your business and promote a better workplace culture. The Directive establishes three options for the reporting of information by whistleblowers:
- Internal reporting channels within the business, which are mandatory under the Directive for businesses with 50 or more employees,
- External reporting channels operated by the relevant authorities at national or EU level,
- Under certain circumstances, public disclosure by the whistleblower, e.g. via social media.
These channels can either be:
- Written: online reporting platform, email or post,
- Verbal: telephone hotline with a messaging system, or in person.
We recommend staying up to date on developments regarding the EU Whistleblower Directive and the status of its implementation in the EU Member States. In the meantime, if you have questions about how the EU Whistleblower Directive might affect your business in Germany and the EU, do not hesitate to contact us.