On 23 October 2019, the European legislator adopted the new EU Whistleblower Directive (2019/1937). This created a legal framework on how to protect, for example, employees, customers or suppliers who anonymously or in a personalised manner report information on violations of applicable law or company policies. The EU member states now have until 17 December 2021 to transpose the directive into national law.
Establishment of reporting channels mandatory
The main component of the new EU Whistleblower Directive is the obligation to implement a whistleblower system. Stakeholders of companies should be able to submit anonymous or personalised reports on violations. The reports will then be processed internally and, if necessary, further follow-up measures, such as investigations or criminal charges, will be initiated. Companies are free to receive reports by telephone or digitally, among other options. In doing so, the data must be processed in accordance with the General Data Protection Regulation (“GDPR”): data protection and data security must be maintained.
Large number of companies in Europe affected
A large number of companies in Germany and Europe are affected by the new Whistleblower Directive and must take appropriate measures. Legal entities in the private sector with 50 or more employees as well as all legal entities in the public sector, including entities owned or controlled by such a legal entity, must in principle provide reporting channels.
Implementation of whistleblower systems already makes sense today
But even before the obligation to implement a whistleblower system takes effect, it is advisable for companies to take initial preventive measures today. Whistleblower systems can help to reduce material damage and reputational harm or avert imminent violations. Whistleblower systems are an essential part of a company's functioning compliance management system.
Besides the economic protection of the company, whistleblower systems offer a further advantage: they can drastically improve the working climate. Interpersonal offences, such as sexual harassment or bullying, are not always reported. Implementing whistleblower systems for anonymous reporting increases the willingness to report such abuses.
Requirements for whistleblowing systems must be met
In addition to the functionality for submitting cases, whistleblower systems must fulfil further requirements. Since whistleblowing systems are mainly used to transmit and store sensitive and business-damaging information, they must comply with all data protection laws, which have been further tightened by the GDPR. State-of-the-art encryption should also be mandatory for whistleblower systems.
In addition, when hosting the whistleblower system, it is advisable to pay attention to the certification of the hosting provider. ISO 27001 certification is one of today’s minimum standards for offering a cloud infrastructure.
HINTBOX offers conformity to the EU Whistleblower Directive
Our software maps the requirements of the Whistleblower Directive in a legally compliant manner and also reliably supports you in processing incoming cases. You can find information and descriptions of the features of the HINTBOX on our homepage or in the FAQ.
If you have any further questions on the implementation of a whistleblower system or on the EU Whistleblower Directive and its implementation, please feel free to contact us without obligation and free of charge. Also follow us on LinkedIn to never miss any news.
We will also inform you about the current status of the transposition of the EU Directive into German law on all our channels. Thus, we will prepare you in the best possible way for the start of the new directive in Germany.