EU Whistleblowing Protection Directive: Hotline Reporting Requirements

The Who, What, Where, When, Why, and How Behind the Directive

We need to remember to emphasize the “protection” element in the EU Whistleblower Protection Directive. The Directive will greatly expand every dimension of whistleblowing and reporting – who can make a report, what can be reported, where issues can be reported, and why. It is all too easy to get bogged down with the nitty-gritty details that will shape your compliance endeavors, rather than connect your efforts to the real world, lived experiences of whistleblowers. Remember that empowering whistleblowers is the mission of the Directive, and your hotline is crucial for arming whistleblowers with the tools they need to come forward and speak up. Today, we will examine the who, what, where, when, why, and how of the new EU Whistleblower Protection Directive. Discover the reporting challenges—and opportunities—for companies under the Directive, and the actions needed to prepare for compliance.

Need help finding a hotline vendor that will help you comply? Visit our previous blog on the subject here, here or schedule a demo of Convercent’s Helpline & Case Manager by clicking this link.

The full 131-page text of the Whistleblower Protection Directive can be found in English here.

Who is subject to the EU Whistleblower Protection Directive’s requirements? 

  1. All companies and organizations, both public and private, with 50+ employees or with an annual turnover of assets of more than 10 million Euros.
  2. Local authorities that provide services for 10,000 people.
  3. All companies and organizations of any size that operate in Financial Services or where there is a risk of money laundering or terrorist financing.
  4. All EU companies and public bodies:
    • with 250+ employees from December 2021
    • with 50+ employees from 2023

The Directive sets out to define requirement thresholds that companies are subject to, looking at employee count, assets, and beyond. These thresholds establish the floor, and your compliance program should overachieve wherever possible and create a new gold standard. There will be 27 local variations, with each Member State empowered to define their own vision of the Directive, around scope of reporting, employee thresholds, and anonymity. Clearly, the challenge is to monitor those variations and then implement your compliance program. Remember that complying with the Directive, or even exceeding its recommendations, will only protect your organization from future scrutiny or liability.

Warm up to the idea of compliance as soon as you can, before you absolutely must, so that whistleblowers who have no hotline to submit their report to do not instead come forward to public entities or the media. Don’t risk the potential reputational harm; the default should be to implement a hotline as soon as possible, regardless of your company size.

Who is protected under the EU Whistleblower Protection Directive? 

Current and former employees are protected, plus those engaged in a “work-based relationship,” which includes the following:

  • Directors
  • Non-executive directors
  • Temporary workers
  • Fixed-term contract workers
  • Subcontractors
  • The self-employed
  • Freelancers
  • Suppliers
  • Vendors
  • Shareholders
  • Members of professional bodies
  • Leavers
  • Work applicants
  • Trainees
  • Interns (paid or unpaid)
  • Volunteers

A “worker” in the EU is a broadly defined term. The protective scope of the Directive is a widely cast net, ensuring broad protection to whistleblowers who have acquired information on violations of EU law in their “work-based relationships.” By including more categories of workers, regardless of the nature of their activities, whether it is paid, or whether they are EU citizens or not, there is a much higher likelihood that someone will be empowered to come forward to report violations of EU law. Notably, the Directive extends protection to third parties or facilitators, such as colleagues or relatives, who could be affected by a disclosure report. Protection even extends to “joiners,” or individuals whose work-based relationship has yet to begin, but because of pre-contractual negotiations, they are also engaged in a “work-based relationship.”

Because so many different types of workers can come forward as whistleblowers, protected by the scope of the Directive, your reporting channel communication plans and processes are vital. Think about every category of worker above and imagine how they might realistically access information. Putting up a few posters in company break rooms is simply insufficient when so many different groups need to access your reporting resources. Prioritize external access to your helpline, ensuring the ability to access it outside your firewall, supplier/vendor portals, and specific phone numbers and email addresses.

Remember that external reporting will undoubtedly collect issues such as customer complaints, and you will also need to establish processes to address that type of issue. Remember that wide net we cast? Think of the collection of these types of complaints like a giant net that also happens to pick up neighboring fish. Simply toss them back in the ocean (or direct them to your customer support team!).

What types of whistleblower reports are protected under the EU Whistleblower Protection Directive? 

The following areas and topics are covered by the Directive:

  • Public Procurement
  • Financial services, products and markets
  • Product safety and compliance
  • Transport safety
  • Protection of the environment
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data

Now that we’ve unpacked who can come forward, we can drill down into what they can report under the Directive. The main goal of the EU Whistleblower Protection Directive is to prevent breaches of EU law, which is what we strive for as ethics and compliance professionals. The good news is that you probably won’t need to start from scratch here, as the policies and procedures currently in place at your organization are already tangentially related to these ten topics. Consider your company’s approach to the General Data Protection Regulation (GDPR). If you have already adapted your policies concerning data protection, privacy, and personal data to comply with GDPR, it is more than likely that you’ve already set yourself up for compliance under the EU Whistleblower Protection Directive. The EU is actively encouraging national lawmakers to extend coverage of wrongdoing to cover current national laws. In some cases, undoubtedly, this extension to simply include “suspicious wrongdoing” will be significant.

Where will the EU Whistleblowing Directive and its various provisions apply? 

As we have previously discussed, the Directive will cover all 27 Member States. But it is worth mentioning that, although not expressly stated in the Directive, any legal entity established in the EU, employing 50+ workers, will need to comply with the Directive regardless of where the workers are located. It is also unclear whether non-EU entities employing 50+ workers located in the EU will need to comply with the Directive; but given that their employees in the EU are subject to other EU labour laws, it is highly likely that such entities will be subject to the Directive, regardless of their employer’s location.

Regarding the United Kingdom, a previous EU Member State, the EU recognizes that the UK already has solid whistleblower protection legislation in place, namely the Public Interest Disclosure Act 1998 or “PIDA.” The UK will therefore not adopt the Directive into law, but since a consequential number of companies are including the UK in their Directive implementation, they will be covered by the scope of the Directive anyway.

When will the EU Member States transpose the Directive? 

 Hopefully, if you’re an organization with 250+ employees, you’ve already circled December 17, 2021 on your calendar! If you’re late to planning your compliance, don’t be afraid; although the days are quickly ticking by, compliance is still possible before the deadline. By starting the hotline implementation process now and executing a compliance strategy, you will be joining the club of overachievers such as Denmark (who became the first to enshrine the Directive in local law on June 24, 2021) and Sweden (who transposed the EU Whistleblowing Directive into local law on September 29, 2021). For smaller companies, employing 50+ people, the deadline for implementation is December 17, 2023. Still want to ace the Directive’s requirements, but are an even smaller company? Take the lead from Czechia (or the Czech Republic), who has lowered that 50+ employee threshold to 25 employees!

Though the deadline for transposing the directive into local law is December 17, 2021, Member States frequently fail to implement Directives on schedule. Clearly, the Whistleblower Directive has suffered because of the COVID-19 pandemic, and because the legislation is very sensitive in some Member States. Our current estimate is that about 45% of Member States will implement the Directive on time, although that figure is likely to rise as the deadline approaches and some Member States implement, but perhaps omit or delay elements of the legislation.

A Directive requires transposition into national law in order to become effective. However, a Directive may still have limited direct effect (known as the vertical effect under EU law) when its provisions are what’s termed “unconditional”—where the Directive’s requirements are clear and precise and have not been transposed into national law by the required date. When these conditions are met, individuals may rely on the Directive against an EU Member State in court. So—if a Member State fails to transpose a Directive on schedule, then it becomes effective, but with provisos and subject to interpretation by judges in court.

All that said, companies should implement the unequivocal requirements of the Directive now, and then evolve and edit as appropriate, recognizing the individual Member State implementations as/when they are published. This will certainly save last-minute work and provide the benefits that a helpline/hotline can bring; for example, 19% of fraud is found by auditors, but 43% is found via whistleblowing.

Why was the EU Whistleblower Protection Directive created? 

The purpose of the Directive is to provide greater protection for those seeking to expose breaches of EU law, across Member States. Whistleblower protection legislation has been very fragmented, and the EU Whistleblower Protection Directive will give greater consistency across the 27 Member States. Under the Directive, whistleblowers will be protected from dismissal, suspension, demotion and other forms of retaliation. A crucial challenge of the Directive is extending protection to all workers in a “work-based relationship” (see above) and to related third parties.

How can whistleblowers submit their reports under the EU Directive?

The Three-Tier Reporting Process

  • Internal Channels
    • Should be kept confidential and responded to within three months
  • External Channels
    • Such as competent authorities at EU Member State level
    • Cases must be dealt with within three months (or within six months in justified cases)
  • Public
    • Such as the media
    • May involve an imminent danger to the public interest, a risk of retaliation or a failure to deal with concerns internally

Employees should be encouraged to raise concerns first via internal channels, stressing the confidentiality of those reports and the support that your organization can offer. The second tier enables employees to report concerns to external “competent authorities” at EU or Member State level. The third tier enables whistleblowers to voice their concerns through the media or other high visibility means. Such reports may involve an imminent danger to the public interest, a risk of retaliation, or a failure to deal with concerns internally in the required timeframe. There is no hierarchy or order of operations with these three reporting methods, and their use will vary.

Meeting the spirit of the Directive is paramount here. You must, in order to empower potential whistleblowers, make your internal hotline as accessible as possible. Accessibility looks like sharing a variety of reporting channels, either in writing (through an online reporting platform, email, letter or complaint boxes) or orally (via telephone hotline, voice messaging system or in person). In order to not deter reporting, companies are expected to provide transparent information and clear, easily accessible reporting channels. Don’t force whistleblowers to reach out to external channels or the media; prioritize your internal reporting channels by securing and adopting a hotline.

This is the third edition of our eight-part EU Whistleblower Protection Directive Masterclass series! If you missed our first two entries, check out the first one here and the second one here. Join us next week for a fourth round of discussion around hotline reporting under the EU Whistleblower Protection Directive. Stay tuned-in here over the weeks leading up to December 17, 2021 for more resources on how to comply with the Directive.
