Skip to main content

What should be considered in a whistleblowing system?

What should be considered in a whistleblowing system? The Whistleblowing Directive (EU DIRECTIVE (EU) 2019/1937 of 23 October 2019) sets out minimum requirements for the protection of persons reporting breaches of Union law. The EU Whistleblowing Directive requires transposition into national law by 17.12.2021 or 17.12.2023 at the latest.

Which companies are subject to the obligation to set up a whistleblowing system?

Article 8 regulates that legal persons in the private and public sectors must establish channels and procedures for internal reporting and follow-up.

The channels and procedures must allow workers of the legal person to report information on violations.

This obligation applies to legal persons in the private sector with 50 or more employees and takes effect from 17.12.2021. For companies with 50 to 249 employees, it is still open whether this obligation will only take effect from 17.12.2023 (Art. 26 para. 1,2 of the Whistleblowing Directive).

Legal entities in the private sector with 50 to 249 employees may share resources for receiving reports and for investigations that may be carried out. This is without prejudice to the obligation imposed on these legal persons by this Directive to maintain confidentiality, provide feedback and take action against the reported breach.

whistleblowing system

What breaches must be reported under the new Whistleblowing Directive?

Article 2 of the Whistleblowing Directive regulates a reporting obligation for the following violations

  • 1.

    public procurement

  • 2.

    financial services, financial products and financial markets, and the prevention of money laundering and terrorist financing,

  • 3.

    Product safety and conformity

  • 4.

    Transport safety

  • 5.

    Environmental protection

  • 6.

    Radiation protection and nuclear safety

  • 7.

    Food and feed safety, animal health and welfare

  • 8.

    public health

  • 9.

    Consumer protection

  • 10.

    Protection of privacy and personal data and security of network and information systems

  • 11.

    Infringements of the Union’s financial interests within the meaning of Article 325 TFEU and as more precisely defined in relevant Union measures

  • 12.

    Infringements of internal market rules within the meaning of Article 26(2) TFEU, including infringements of Union rules on competition and State aid, as well as infringements of internal market rules in relation to acts which breach corporate tax rules or in relation to agreements aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax law


Whistleblowing system: Whistleblowing Directive sets high standards of confidentiality

Article 16 sets out the following minimum requirements to ensure the confidentiality of a whistleblower when implementing a whistleblowing system:

It shall be ensured that the identity of the whistleblower is not disclosed to any person other than to the authorised staff responsible for receiving reports or taking follow-up action on reports, without the whistleblower’s express consent. This also applies to any other information from which the identity of the whistleblower can be directly or indirectly inferred.

Competent authorities receiving information on infringements and containing business secrets shall not use or disclose such business secrets for purposes beyond what is necessary for proper follow-up.

It is still open whether the German legislator will implement the possibility contained in the EU Whistleblower Directive to delay the obligation to introduce an internal reporting channel for legal entities with a number of employees between 50 and 249 by two years. It should therefore be noted that the obligation for companies with more than 250 employees will in any case come into force from December 2021.


Whistleblowing system: protection of the whistleblower from reprisals

Article 19 explicitly regulates the prohibition of reprisals. A whistleblowing system must also include measures prohibiting any form of reprisals against the persons referred to in Article 4, including threats of reprisals and attempts at reprisals. This includes in particular the following reprisals:

  1. Suspension, dismissal or similar action;
  2. demotion or denial of promotion;
  3. Transfer of duties, change of place of work, reduction of salary, change of working hours;
  4. refusal to participate in further training;
  5. negative performance appraisal or issuance of a bad reference;
  6. Disciplinary action, reprimand or other sanction including financial sanctions;
  7. coercion, intimidation, bullying or exclusion;
  8. Discrimination, disadvantageous or unequal treatment;
  9. Failure to convert a fixed-term employment contract into a permanent employment contract in cases where the employee had a legitimate expectation of being offered a permanent employment contract;
  10. Non-renewal or early termination of a fixed-term employment contract;
  11. Damage (including reputational damage), particularly on social media, or causing financial loss (including loss of contracts or revenue);
  12. blacklisting of the whistleblower on the basis of an informal or formal sectoral or industry-specific agreement, with the consequence that the whistleblower will no longer be able to find employment across the sector or industry;
  13. Early termination or cancellation of a contract for goods or services;
  14. withdrawal of a licence or permit;
  15. psychiatric or medical referrals


 Stricter rules for internal investigations?

With the future VerSanG, stricter rules apply to internal investigations. The combination of internal association investigations and corporate defence, according to the explanatory memorandum, weakens the credibility of the results of internal association investigations and can lead to conflicts with the criminal defence mandate.

Internal association investigations serve to objectively clarify the facts of the case, including all incriminating and exculpating circumstances. Due to the potential conflicts arising from a combination of internal association investigations and criminal defence, the separation of internal association investigations and representation in administrative offence proceedings is already widespread today (cf. Leitner/Rosenau-Wimmer, Wirtschafts- und Steuerstrafrecht, § 152 StPO marginal no. 16).


New rules of the WpIG on the whistleblower system

Update: With the Securities Institutions Act, the provisions of § 13 Whistleblower system and record-keeping obligation are now also

(1) Securities institutions shall be obliged to establish a procedure that enables employees, while maintaining the confidentiality of their identity, to report possible breaches of supervisory law and potentially criminal acts within the company to appropriate bodies. The procedure may be provided by social partners, provided that the same level of protection is granted to the reporters as under § 4d of the Financial Services Supervision Act.

(2) Securities institutions shall record all transactions and document the systems and procedures subject to this Act and Regulation (EU) 2019/2033 in such a way that the Bundesanstalt or a person authorised by it can verify at any time whether the securities institution complies with this Act and Regulation (EU) 2019/2033. The internal control procedures and the administrative and accounting procedures of the investment institution shall enable the supervisory authority to verify compliance with these provisions at any time.