Central vs. Local Intake and Case Management under the EU Whistleblower Protection Directive 

Breaking down the hot topic for questions and conversation

Since the publication of the EU Whistleblower Protection Directive in 2019, one requirement has been interpreted, debated, questioned, and resisted more than any other. Throughout Convercent by OneTrust’s recent series of in-person and virtual EU Whistleblower Protection Directive events, the question of central versus local intake and case management generated the most discussion.

Today, we’re mapping out the EU Commission and Expert Group’s record of comment on this requirement and breaking it down so we can better understand it.

The Takeaway:

Throughout a series of letters to officials and public comments, the EU Commission has been quite clear, with no room for interpretation, on the following:

  1. Only having a centralized, corporate-level reporting channel does not meet the Directive’s requirements for legal entities with 50 or more employees
  2. Local reporting channels must be made available for medium-sized (50-249) and large (250+) legal entities, even if they are a part of the same group
  3. The whistleblower can make an informed decision to either report locally or at the group level, but a local reporting channel must be available alongside other options
  4. The centralized function is allowed to maintain governance oversight over local reporting channels
  5. Only medium-sized companies (with 50-249 employees) can benefit from shared investigatory resources

If you want more clarity on these issues, keep reading for a deep dive into this hot-button topic concerning compliance with the EU Whistleblower Protection Directive and the local versus centralized intake and case management requirement.


The EU Directive’s Timeline on Local Reporting Channel Requirements

The EU Whistleblower Protection Directive Timeline

Let’s start by orienting ourselves to what the EU Commission and Expert Group have said about the requirement to implement a local reporting channel at any legal entity with 50+ employees (effective December 2023) or any legal entity with 250+ employees (effective December 2021). The EU Whistleblower Protection Directive, as we know it, was published in October of 2019, and since then two different bodies have opined on it: the Commission itself and its Expert Working Group, established by the Commission to interpret the questions about the Directive coming from Member States, interest groups, and other parties. The graphic below shows a timeline of six instances where either the Commission or Expert Group talked about the local intake requirement.

October 23, 2019 (Directive)

Over the course of our 27 EU Whistleblower Protection Directive roadshow events, many attendees voiced their frustration with understanding the Directive’s requirements around local and central reporting. Their frustrations are understandable, considering the text of the Directive itself does not actually contain language spelling out the requirements for a local reporting channel. Going back to the basics, the EU Commission issued a Directive to the 27 Member States. A Directive differs from a Regulation (such as GDPR) in that a Regulation is binding, as-is, across Member States and is not flexible; a Directive, however, is flexible and can be adjusted by each Member State in its local implementation as it sees fit. The EU Whistleblower Protection Directive establishes the floor rather than the ceiling, and each Member State is required to implement it into its own law, so by default, the law is local. Because each Member State must implement the Directive, the Commission never stated the requirement for local intake; that omission, however, has opened the floodgates for confusion and conjecture! There are two specific sections of the EU Whistleblower Protection Directive we can zoom in on for a better understanding of local reporting.

Recital 55

“(55) Internal reporting procedures should enable legal entities in the private sector to receive and investigate in full confidentiality reports by the workers of the entity and of its subsidiaries or affiliates (‘the group’), but also, to any extent possible, by any of the group’s agents and suppliers and by any persons who acquire information through their work-related activities with the entity and the group.”

Article 8

  • Paragraph 1: “Member States shall ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law.”
  • Paragraph 3: “Paragraph 1 shall apply to legal entities in the private sector with 50 or more workers.”
  • Paragraph 6: “Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by this Directive to maintain confidentiality, to give feedback, and to address the reported breach.”

Recital 55 and Article 8 have been subject to debate and scrutiny, because some interpret them as being contradictory. One tells you that you need to have a separate local reporting channel (Recital 55) and the other says that you need to have oversight of internal reporting channels (Article 8). Since the original publication date of the EU Whistleblower Protection Directive, we’ve seen a lot of discussion, from both the Commission and the Expert Group, interpreting and understanding how these two provisions in the Directive interact with each other.

September 29, 2020 (Expert Group) – Medium-Sized Companies

Many interest groups wrote letters asking how best to interpret Recital 55 and Article 8. The Expert Group came out with updated guidance in September of 2020, stating that “medium sized companies (50-249 employees)” can pool their resources and benefit from shared receipt and investigation of reports, whether with their parent company or otherwise.

“The possibility to pool resources as regards the receipt of reports and possibly also the conduct of investigations, thus reducing costs and achieving economies of scale, is meant to help medium-sized companies meet their obligations under the Directive as regards setting up internal channels…

Only private entities with 50-249 employees (medium-sized companies) can benefit from this possibility… this applies both to distinct companies with no link to each other and to companies that belong to the same group (while being distinct legal entities).”

June 2, 2021 (Commission Letter) – Group Level is Insufficient

Over the past several years, the Commission has written letters in response to questions from certain interest groups; these letters might not be accessible to the broader population. During the course of our event series, attendees shared a letter the Commission sent to about seven interest groups, breaking down why only having a group-level reporting channel would be insufficient under the EU Whistleblower Protection Directive. They’re not saying that you can’t have a central function; rather, they say it is necessary but not sufficient. The Commission is making clear here that it requires a local intake function and that you can also choose centralized functionality. From their letter:

“Article 8(3), which provides that ‘Paragraph 1 [the obligation to establish channels and procedures for internal reporting] shall apply to legal entities in the private sector with 50 or more workers’, does not make any exemption for distinct legal entities belonging to the same corporate group.

“This entails that reporting channels cannot be established in a centralized manner only at group level; all medium-sized and large companies belonging to a group remain obliged to have each their own channels.

“Second, mindful of the more limited resources of medium-sized companies (companies with 50 to 249 workers) and with a view to helping them meet their obligations under the Directive, the Directive (Article 8(6)) allows them to share resources as regards the receipt of reports and any investigation to be carried out. Only medium-sized companies can benefit from this possibility, but this applies both to distinct companies with no link to each other and to companies that belong to the same group (while being distinct legal entities).”

June 2, 2021 (Commission Letter) – Shared Investigative Capacity

In the same letter, the Commission states that medium-sized companies can benefit from the investigative function at the parent level; however, it still says that reporting channels must exist and remain available at the subsidiary level. In practice, this looks like identifying a trusted and competent individual at the local level, who can operate under the local law. This means that checks exist throughout an investigation, to ensure that you’re doing the right thing to protect a whistleblower’s interests. It isn’t about data; rather, the core of this law is about protecting and respecting a whistleblower’s choice to come forward and where they choose to make a report.

“Third, based on Article 8(6), where in a given corporate group compliance programs are organized at headquarters level, it could be compatible with the Directive that a subsidiary company benefits from the investigative capacity of its parent company provided that:

  1. The subsidiary company is medium-sized (has 50 to 249 workers);
  2. Reporting channels exist and remain available at the subsidiary’s level;
  3. Clear information is provided to the reporting persons as to the fact that a designated person/department at headquarters level would be authorized to access the report (for the purpose of carrying out the necessary investigation), and the reporting person has the right to object to that and to request that the reported conduct is only investigated at the level of the subsidiary;
  4. Any other follow-up measure is taken and feedback to the reporting person is given at subsidiary level.

The rationale behind the third condition is that it must remain the whistleblower’s choice whether to have his/her report handled only at subsidiary level (because, for example, s/he suspects the headquarters to be involved in the breach) or not. In fact, if this choice were not left in the hands of the whistleblower, s/he would directly turn to external reporting channels, thereby depriving the company of the chance to swiftly address the matter without incurring reputational and/or financial damage.”

June 2, 2021 (Commission Letter) – Central Oversight is Allowed

This area of the EU Whistleblower Protection Directive, allowing for central oversight, has raised more questions than any other area. Other legislation such as Sarbanes-Oxley (SOX) requires centralized oversight, seemingly contradicting the Directive. This Commission letter is clear on how to address that requirement. At the group level, according to our interpretation, you can have knowledge that a case exists along with the information (with the appropriate redactions) available through your reporting dashboard. This gives the whistleblower the choice to protect the information in their case details. The sensitive information (who, what, when, where, why etc.) contained in a report could spell disaster for a reporter if it were made public, triggering retaliation or worse.

Fifth, it should be recalled that – as indicated in Recital 55 – “internal reporting procedures should enable legal entities in the private sector to receive and investigate in full confidentiality reports by the workers of the entity and of its subsidiaries or affiliates (‘the group’)”. This relates to cases where persons working in a subsidiary would decide to report to the parent company of the group (for instance because they feel safer or because they consider that the breach might be most effectively resolved by the parent company – e.g. it is not clear where the decision for the breach was taken/where the breach occurred, etc.). In such cases, the parent company should accept and follow up on the report.

Finally, turning to the need to see through possible breaches across the group, to which you refer in your letter, it should be stressed that, even where the whistleblower objects to sharing the report with the headquarters, the Directive does not prohibit sharing the outcome of a given case at group-level for instance for ex-post auditing, compliance or corporate governance or other duly justified purposes, provided the confidentiality requirements laid down in the Directive are respected.

June 14, 2021 (Expert Group) – No Exceptions

The minutes from the EU Expert Group meetings are public, unlike the letters excerpted above and in following sections. The Expert Group, clarifying its firm stance on the matter, stated that there is no exception for corporate groups in establishing local reporting channels. Corporate groups can benefit from investigations at the parent company level, but local reporting channels must be made available. Remembering the spirit of the EU Whistleblower Protection Directive, the notes below are all about making the right reporting channels available and accessible for whistleblowers. While the Commission doesn’t go as far as to provide a definition of what satisfies a local reporting channel, our best judgement says the objective is to provide accessibility to local employees.

“COM reported that large corporate group associations are reaching out to argue in favor of an interpretation of the Directive according to which it is sufficient if a corporate group has one central reporting channel.”

  • “As a main point, COM stressed that Article 8(3) lays out the basic rule: each legal entity in the private sector with 50 or more workers is required to establish channels and procedures for internal reporting. There is no exception from this rule exempting from this obligation legal entities belonging to the same corporate group.”
  • “Therefore, national transposition laws that would allow corporate groups to only establish reporting channels in a centralized manner at group level would constitute an incorrect transposition of the Directive.”

“Based on Article 8(6): it can be compatible with the Directive that medium-sized subsidiary companies in a corporate group benefit from the investigative capacity of the parent company. This applies only provided that:

  1. Reporting channels remain available at subsidiary’s level,
  2. Clear information is provided to the reporting persons as to the fact that a designated person/department at headquarters level would be authorized to access the report (for the purpose of carrying out the necessary investigation), and the reporting person has the right to object and to request investigations at the level of the subsidiary;
  3. Any other follow up measure is taken and feedback to the reporting person is given at subsidiary level.”

October 28, 2021 (Commission Letter) – No Room for Interpretation

The tone of the letters changes here, with no room for interpretation in Article 8(3). We have never seen the Commission be this direct and clear before, so requiring and operationalizing internal reporting is obviously a priority for them.

“Article 8(3) of the Directive leaves no room for interpretation: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting.

“This provision does not make any exemption for distinct legal entities belonging to the same corporate group. This entails that reporting channels cannot be established only in a centralized manner at group level; rather, all medium-sized and large companies belonging to a group are obliged to each have their own channels. Any different interpretation would be contra legem.”

Local Intake Channel Requirements: The Key Points

  1. Only having a centralized, corporate-level reporting channel does not meet the Directive’s requirements for legal entities with 50 or more employees
  2. Local reporting channels must be made available for medium-sized (50-249) and large (250+) legal entities, even if they are a part of the same group
  3. The whistleblower can have the choice between reporting locally or at the central/corporate level, but a local option must be made available
  4. The centralized function can still maintain governance oversight over local reporting channels
  5. Only medium-sized companies can benefit from shared investigatory resources

The Advantages of Local Reporting Channels

Across our industry, we see the challenges of implementing local reporting channels. Change is always a challenge, and we hear concerns about shifting operations to comply with the scope of the EU Whistleblower Protection Directive. But just because these changes and processes are hard to enact and manage, that does not mean that there aren’t some exciting benefits to a compliant program. The lift doesn’t need to be a heavy one and, with the help of an agile technology partner, it can create some great opportunities to connect with whistleblowers and the critical issues they raise. Failure to implement local reporting channels is associated with fines and jail time, so it is in your company’s best interest to comply. Because whistleblowers have the option to make a report externally, making the local reporting channels as accessible as possible is also in your best interest. You are required to educate your workforce on the three-tier reporting process, but that doesn’t mean that it won’t sting (or worse, cause reputational harm in the marketplace) to see your organization’s name dragged through the press if a whistleblower decides to go public.

  • Avoid fines and legal consequences
  • Establish trust amongst whistleblowers and increase speak-up culture
  • Provide comfort and local language support
  • Empower local handlers
  • Gain visibility on what is happening locally and ability to remediate/address issues in a timely manner
  • Let a locally trusted person act as a booster who disseminates your code of ethics/conduct, bringing you closer to your employees and making them comfortable about speaking up
  • Enable better handling of local cultural issues (e.g., what seems trivial for an American could be a serious offense in France)

A Few Practical Tips for Local Reporting Channels

  • The Directive allows for the forwarding of a critical case to a centralized unit, if the local reporting channel doesn’t have the required skills to investigate. Remember to redact all personal data before forwarding, in order to comply with local privacy laws and GDPR.
  • Consider the structure, expertise, and resources of your local reporting channel and integrate that channel into a structured “triage” workflow. This way, a local reporting channel can deal with small cases and the more critical/serious cases will be forwarded to the designated central investigation unit for timely handling and resolution.
  • Identify a local internal employee, known as the go-to person, whom people feel comfortable talking with. Often, small reports can be avoided by having someone to listen and address a doubt/worry/feeling. Talking to that trusted person would facilitate a legitimate report or simply render the report unnecessary.
  • Sometimes we overthink a matter, building a mountain out of a molehill, and simply expressing our thoughts out loud and being heard is sufficient to realize a formal report isn’t worth it. Remember how you’d like to be treated when coming forward with a potentially sensitive concern and replicate those essential factors in the structure of your internal reporting channel.

Overcoming the Challenges of Local Reporting Channel Requirements – Steps for Success

In order to establish a culture of comfort and security at your organization, whether you’re a small company operating in a single EU Member State or a giant multinational corporation, follow the steps listed below:

  • Use technology:
    • that offers local reporting channels and handling for each Member State where required under the Directive
    • that allows the whistleblower to make an informed decision to report either locally or globally
  • Identify a local trusted and impartial person in each entity
    • Train instead of hire
  • Apply the highest standard across all entities
  • Update internal policies, code of conduct and workflow procedures
