Zum Hauptmenü Zum Inhalt

Mandatory whistleblower reporting mechanisms

According to the EU directive, companies with more than 249 employees, legal entities under public law (such as cities and municipalities) and companies owned or controlled by the latter have to set up an internal whistleblower reporting channel by December 17th. Two years later, companies with more than 50 employees will also be required to do so. The basis is a still-to-be-enacted law that will implement the EU’s Whistleblower Directive (2019/1937). But what does that mean in detail?

The stated aim of the directive is to introduce minimum standards for effective whistleblower protection. However, the idea of a whistleblowing system is not entirely new. Back in 2014, the Council of Europe developed principles for the protection of whistleblowers, which aimed to encourage member states to create a set of rules. So far, however, only selective solutions exist in specific areas of law, such as criminal law and financial market law.

Implementation of the Whistleblower Directive is long in coming

In principle, EU directives are not directly applicable; they first have to be incorporated into national law. Such a law to implement the Whistleblower Directive has not yet been passed in Austria. The Federal Ministry of Labor, which is entrusted with the implementation, intends to submit a draft to Parliament this fall. However, the most important key points can already be identified:

Companies with more than 50 employees as well as all public companies and legal entities under public law are generally obliged to set up a whistleblowing system. However, the legislator is free to extend the scope of application to smaller companies or to exempt municipalities with fewer than 10,000 inhabitants or 50 employees from this obligation. The system is intended to apply to various kinds of breaches of EU law, such as public procurement, transport and environmental protection, consumer and data protection, the prevention of money laundering and terrorist financing, and many others.

Multi-level reporting system

The directive provides for a multi-level reporting system. Initially, violations are to be reported via an internal channel. The directive stipulates that the reporting channels have to be designed, set up and operated in such a way that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is preserved and that unauthorized employees are denied access to them. It has to be possible to report in writing or orally. There are no technical requirements. If no measures are taken, external reporting channels (e.g. with authorities) will provide a remedy. If no measures have been taken after an internal or external report or if there is a threat to the public interest, the final escalation stage is to go public. Companies should not allow themselves to be taken to the latter two stages: If a report is sent to the authorities, companies no longer have a chance of being exempt from punishment, for example by filing a leniency application with the Federal Competition Authority or by filing a voluntary report with the tax office.

Duty to respond

The guideline also establishes organizational rules on how to respond to reports. Confirmation of receipt has to be given to the whistleblower within seven days. He or she is then to be given the name of an impartial person or department who will remain in contact with him or her, request further information if necessary, and take proper follow-up action. After a maximum of three months from the confirmation of receipt of the report or after the expiry of the 7-day period following receipt of the report, the whistleblower has to receive feedback on the measures taken, the status of the internal investigation and its outcome.

However, it remains to be seen how to proceed if the whistleblower submits a report anonymously. In this case, it is up to the legislator to decide whether there should be an obligation to accept anonymous reports of violations and to take follow-up measures. However, anonymous whistleblowers are covered by the scope of protection if they are subsequently identified.

But it remains to be seen how to proceed if the whistleblower reports anonymously. In this case, it is up to the legislature to decide whether there should be an obligation to accept anonymous reports of violations and to take follow-up measures. Nevertheless, anonymous whistleblowers are covered by the scope of protection if they are subsequently identified.

Whistleblower protection vs. data protection?

However, the protection of the whistleblower is offset by the rights of the data subject to information and disclosure under the GDPR. This inevitably creates tension between the Whistleblower Directive and the GDPR. The legislator will have to restrict certain rights of the data subject in order to prevent them from attempting to influence the whistleblower’s reports. However, these measures must always be proportionate. It remains exciting to see what the Austrian regulation will look like here.

Protection of whistleblowers against reprisals

In addition, the directive provides that any form of reprisal against whistleblowers and certain related persons, including threats and attempts, are to be prohibited by necessary measures. Companies that obstruct or attempt to obstruct whistleblowing, take reprisal measures or wanton legal action against whistleblowers, or violate the duty to maintain the confidentiality of whistleblowers’ identities will be subject to sanctions. In addition, whistleblowers cannot be held liable under civil, criminal or administrative law for a report if they had reasonable grounds to believe that the reported violation was true at the time of the report, the report was necessary to uncover a violation, and the information was not obtained through a criminal offense. It is sufficient if the whistleblower has reasonable concern or suspicion; clear evidence is not necessary. Conversely, there are to be appropriate sanctions against whistleblowers for knowingly making false reports. The minimum standards set out in the directive cannot be waived or restricted by civil law agreements.

The most important facts about the Whistleblower Directive

  • The directive has to be implemented into national law by December 17th, 2021. Provisions regarding legal entities with 50 to 249 employees do not have to be implemented by December 17th, 2023.
  • The directive has not yet been implemented in Austria.
  • Legal entities in the private sector with 50 or more employees, legal entities in the public sector (such as federal, state and local authorities) as well as companies owned or controlled by the latter have to set up a whistleblowing system.
  • Existing, former and future employees, (unpaid) interns and external natural and legal persons who are connected to the organization in question and who have obtained information in a professional context can report violations via this whistleblowing system. In particular, illegal violations of Union law and (non-illegal) abusive practices that run counter to the aim or purpose of Union law should be reported.
  • The report can be made (primarily) within the organization or externally to the authorities.
  • The whistleblower and certain persons who have a relationship with the whistleblower are protected from reprisals and sanctions.

The Whistleblower Directive presents challenges in a wide variety of legal areas. In order to be able to optimally handle this topic, interdisciplinary work is required. Our experts Fabian Blumberger (employment law), Birgit Meisinger (public procurement law), Edeltraud Muckenhuber (compliance and public authority management), Thomas Riesz (data protection), Laura Viechtbauer (criminal law) and Bernd Wiesinger (criminal law) are happy to answer any further questions you may have on this topic.


This article is for general information only and does not replace legal advice. Haslinger / Nagele assumes no liability for the content and correctness of this article.

Note: This article appeared in the daily newspaper Die Presse on September 29, 2021.


29. September 2021

Go back to News
  • Referenz | Haslinger / Nagele, Logo: JUVE Awards
  • Logo JUVE
  • Promoting the best. Women in Law Award