Whistleblowing reporting systems
We help with implementation and processing!
According to the EU directive, companies with more than 249 employees, legal entities under public law (such as cities and municipalities) and companies owned or controlled by the latter should have set up an internal whistleblower reporting channel by December 17th, 2021. Two years later, companies with more than 50 employees will also be required to do so. The basis is a still-to-be-enacted law that will implement the EU’s Whistleblower Directive (2019/1937). Although this directive should have already been implemented by no later than December 17th, 2021, the legislative process is still pending in Austria.
The stated aim of the directive is to introduce minimum standards for effective whistleblower protection. However, the idea of a whistleblowing system is not entirely new. Back in 2014, the Council of Europe developed principles for the protection of whistleblowers, which aimed to encourage member states to create a set of rules. So far, however, only selective solutions exist in specific areas of law, such as criminal law and financial market law. But what does that mean in detail?
In principle, EU directives are not directly applicable; they first have to be incorporated into national law. Such a law to implement the Whistleblower Directive still has not been passed in Austria. The Federal Ministry of Labor, which is entrusted with the implementation, intended to submit a draft to Parliament last fall. We already know the content of the Ministry’s first draft bill, which is, however, still incomplete and has not yet been subjected to the parliamentary procedures.
However, the most important key points can already be identified:
Companies with more than 50 employees as well as all public companies and legal entities under public law are generally obliged to set up a whistleblowing system. However, the legislator is free to extend the scope of application to smaller companies or to exempt municipalities with fewer than 10,000 inhabitants or 50 employees from this obligation. The system is intended to apply to various kinds of breaches of EU law, such as public procurement, transport and environmental protection, consumer and data protection, the prevention of money laundering and terrorist financing, and many others.
The directive provides for a multi-level reporting system. Initially, violations are to be reported via an internal channel. The directive stipulates that the reporting channels have to be designed, set up and operated in such a way that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is preserved and that unauthorized employees are denied access to them. It has to be possible to report in writing or orally. There are no technical requirements. If no measures are taken, external reporting channels (e.g. with authorities) will provide a remedy. If no measures have been taken after an internal or external report or if there is a threat to the public interest, the final escalation stage is to go public. Companies should not allow themselves to be taken to the latter two stages: If a report is sent to the authorities, companies no longer have a chance of being exempt from punishment, for example by filing a leniency application with the Federal Competition Authority or by filing a voluntary report with the tax office.
The directive also establishes organizational rules on how to respond to reports. Confirmation of receipt has to be given to the whistleblower within seven days. He or she is then to be given the name of an impartial person or department who will remain in contact with him or her, request further information if necessary, and take proper follow-up action. No later than three months after the confirmation of receipt of the report, or after the expiry of the 7-day period following receipt of the report, the whistleblower has to receive feedback on the measures taken, the status of the internal investigation and its outcome.
However, it remains to be seen how to proceed if the whistleblower submits a report anonymously. In this case, it is up to the legislator to decide whether there should be an obligation to accept anonymous reports of violations and to take follow-up measures. However, anonymous whistleblowers are covered by the scope of protection if they are subsequently identified.
However, the protection of the whistleblower is offset by the rights of the data subject to information and disclosure under the GDPR. This inevitably creates tension between the Whistleblower Directive and the GDPR. The legislator will have to restrict certain rights of the data subject in order to prevent them from attempting to influence the whistleblower’s reports. However, these measures must always be proportionate. It remains to be seen what the Austrian regulation will look like here.
In addition, the directive provides that any form of reprisal against whistleblowers and certain related persons, including threats and attempts, is to be prohibited by necessary measures. Companies that obstruct or attempt to obstruct whistleblowing, take reprisal measures or vexatious legal action against whistleblowers, or violate the duty to maintain the confidentiality of whistleblowers’ identities will be subject to sanctions. In addition, whistleblowers cannot be held liable under civil, criminal or administrative law for a report if they had reasonable grounds to believe that the reported violation was true at the time of the report, the report was necessary to uncover a violation, and the information was not obtained through a criminal offense. It is sufficient if the whistleblower has reasonable concern or suspicion; clear evidence is not necessary. Conversely, there are to be appropriate sanctions against whistleblowers for knowingly making false reports. The minimum standards set out in the directive cannot be waived or restricted by civil law agreements.
The Whistleblower Directive presents challenges in a wide variety of legal areas. In order to be able to optimally handle this topic, interdisciplinary work is required. Our experts Fabian Blumberger (employment law), Birgit Meisinger (public procurement law), Edeltraud Muckenhuber (compliance and public authority management), Thomas Riesz (data protection), Laura Viechtbauer (criminal law) and Bernd Wiesinger (criminal law) are happy to answer any further questions you may have on this topic.
This article is for general information only and does not replace legal advice. Haslinger / Nagele assumes no liability for the content and correctness of this article.
Note: This article appeared in the daily newspaper Die Presse on September 29, 2021.
September 29, 2021