New EU Directive on Notified Bodies
The new EU Whistleblower Directive will apply from December 17, 2021. This will initially require companies with at least 250 employees and, from December 17, 2022, companies with at least 50 employees to set up a clear structure for whistleblowers to report facts or incidents. The additional German law that has been passed will probably also cover violations in the area of working time overruns, non-payment of the minimum or collectively agreed wage, or false information on tender requirements, and will offer even greater protection for whistleblowers in Germany.
But what do companies need to know and observe with regard to the new EU directive on whistleblowers? Here is a brief overview.
Initial situation
Even before the creation of international standards, reliable whistleblowers have been important for a well-functioning company. About 43 % of all white-collar crime incidents ("fraud cases") in companies are detected with the help of internal whistleblowers.
Nevertheless, the protection of whistleblowers is still inadequate in most companies. Potential whistleblowers often feel pressured not to submit their reports, and in many places there is a lack of structured and organized processes for submitting and processing such reports. However, with a reliable whistleblower system, fraud cases can be identified more quickly and processed more effectively.
Change due to the EU Directive on Notified Bodies
The EU Whistleblower Directive is intended to make the reporting of possible misconduct and threats easier and more legally secure, especially for the whistleblower.
The directive requires a minimum level of protection for the respective whistleblower. In addition, however, each member state can also make regulations that go beyond this minimum level, but it must not fall below it. Thus, the current debate in German legislation also indicates that the German law wants to extend the protection even further. For example, the German draft law provides for protection of whistleblowers even in the case of tips about other criminal offenses. The ulterior motive is that otherwise there would be unequal treatment of whistleblowers, which is precisely the consequence that the directive was intended to eliminate: That whistleblowers do not submit their report for fear of consequences.
Who is protected
The EU Whistleblower Directive protects all persons who have obtained information about violations in their professional environment. These individuals are protected regardless of whether they work in the public or private sector.
Also covered are whistleblowers who have obtained a tip in the context of an already terminated employment relationship.
A tip is any information that the whistleblower had reasonable grounds to believe to be true at the time of the report and then reported.
What is protected
The Directive protects the confidentiality of the identity of the whistleblower and third parties named in the report. The company must also protect these persons from disadvantages such as discrimination and dismissal.
The primary aim is to protect reporting via internal reporting channels. However, the whistleblower is in principle free to make an external report (e.g. to an appropriate authority) instead of using internal channels. This will then also be protected under the directive.
Sanctions
If companies take negative action against the whistleblower, violate the confidentiality of the report, or obstruct or attempt to obstruct the report, this will be sanctioned under the Directive.
Requirements for whistleblower systems
The most practical relevance for companies is probably that the directive sets requirements for whistleblowing systems.
The company must establish appropriate internal procedures for receiving reports and processes for proper follow-up. Reports should be able to be made in writing or verbally and, at the whistleblower's request, in person. In all cases, the confidentiality of the whistleblower's identity shall be maintained. Acknowledgement of receipt should be sent to the whistleblower within seven days of the report, and the whistleblower should be informed of the actions taken or that have been taken within three months at the latest.
The draft German law also stipulates that MROS should maintain contact with the whistleblower in order to obtain any further information that may be necessary. In this way, it should be possible to check the validity of the information more effectively and take appropriate measures (initiation of internal investigations, referral of the whistleblower to the responsible office, submission of the investigation to the responsible authority, etc.).
In addition, according to the draft, the report is to be documented for permanent retrieval while maintaining confidentiality. In this way, the whistleblower should also have the opportunity to correct his report at a later date.
The internal reporting office should also provide clear and easily accessible information on the options for reporting to external bodies.
It is left up to the company itself to decide how these reporting channels are specifically designed and which department is appointed as the reporting office. It should be noted, however, that the reporting office must be independent and unbiased. The reporting office can also be operated externally by independent third parties. In this case, it is advisable for companies to seek expert advice.
Particularly when implementing technical systems in the reporting system, areas of data protection, labor law and simply practicality are quickly affected, where the questions that arise can quickly get on top of the company. Professional advice is essential here.