EU Whistleblower Directive and its implementation

On October 23, 2019, the European legislator adopted the new EU Whistleblower Directive (2019/1937). It creates a legal framework for protecting employees and citizens who report, anonymously or under their own name, information about violations of applicable law or company policies. Implementation of the EU Whistleblower Directive is mandatory for all companies with 50 or more employees and for all legal entities in the public sector. As an ISO 27001 certified company, we support you with our HINTBOX in implementing this Whistleblower Directive simply and in a legally compliant way.

Despite failed draft law: Implementation of EU whistleblower directive clearly recommended

The main component of the new whistleblower directive is the obligation to implement a whistleblower system. Company stakeholders should be able to submit anonymous or named reports of violations via this system. The reports are then processed internally within the company and, if necessary, further follow-up measures, such as investigations or criminal charges, are initiated. European Union member states had until Dec. 17, 2021, to transpose the EU Whistleblower Directive into national law. Although a national bill for the implementation of the EU Whistleblower Directive in Germany failed in 2021, implementation is nevertheless mandatory and will take place soon. Companies are therefore advised to implement now a whistleblower system that is not only compliant with the law and the GDPR (DSGVO), but also easy to use.

Despite the effort: The advantages of a whistleblower system outweigh the disadvantages

Regardless of the uncertain legal situation, it makes sense for companies to take initial measures to prevent legal violations even before a national whistleblower protection law is enacted in Germany. The implementation of reporting channels in accordance with the EU Whistleblower Directive may meet with resentment among companies, because setting up a whistleblower system causes additional work. However, a whistleblower system that complies with the EU Whistleblower Directive provides companies with several advantages that can have a positive impact on company growth, the working atmosphere and other areas in a variety of ways.

For example, by identifying legal violations at an early stage in accordance with the EU Whistleblower Directive, entrepreneurs can initiate countermeasures in good time and thus avoid penalties that could jeopardize growth or even their very existence. Whistleblower systems can also help to reduce or avert image damage. In addition, systems for compliance with the EU Whistleblower Directive are an essential component of a functioning compliance management system.

Furthermore, whistleblower systems can improve employee satisfaction and the general working atmosphere. In addition to protecting the company economically, they offer the advantage that interpersonal offenses such as sexual harassment or bullying can be punished or prevented through early reporting.

Establishment of reporting channels in accordance with the EU Whistleblower Directive mandatory for a large number of companies in Europe

However, even before the obligation to implement a whistleblower system takes effect, it is advisable for companies to take initial preventive measures today.

Companies in Germany and Europe that fall into one of the following two categories are affected by the new EU Whistleblower Directive and should or must take appropriate measures:

  • Companies and legal entities in the private sector with 50 or more employees
  • All companies and legal entities in the public sector, including entities owned or controlled by such legal entities

The measures required by the EU Whistleblower Directive include the establishment of reporting channels. Ideally, these reporting channels take the form of a whistleblower system.

Employees and company stakeholders can use this digital whistleblowing system to submit anonymous reports of violations. The reports are then processed internally, and further follow-up measures, such as investigations or criminal charges, are initiated.

Freedom of choice for internal reporting channels to comply with the EU Whistleblower Directive

In addition to the functionality for submitting cases, whistleblower systems must fulfill other requirements. Since whistleblowing systems are mainly used to transmit and store sensitive and potentially business-damaging information, they must comply with all the data protection principles laid down by the German Data Protection Act.

Under the EU Whistleblower Directive, companies are free to accept reports by phone or digitally, as long as they comply with data protection and data security laws. Our whistleblower system provides you, your employees, and others with up to three internal reporting channels to report breaches or issues.

In principle, a digital reporting channel in the form of software is already sufficient. Because our SaaS solution ("SaaS" stands for "Software-as-a-Service") connects easily to existing systems, you can integrate the HINTBOX smoothly into your company's existing digital systems.

Other reporting channels have their own specific advantages: a telephone channel offers permanent availability, and an e-mail channel offers familiarity for those who use it. Depending on your company, these channels may therefore also be recommended for implementing the EU Whistleblower Directive. We would be happy to advise you on how best to implement the EU Whistleblower Directive in your individual situation.

GDPR and security: These requirements for whistleblower systems must or should be met!

The EU Whistleblower Directive requires the use of systems that comply with the standards and requirements of the GDPR. The consequences of using a whistleblower system without the encrypted data transmission required by the EU Whistleblower Directive were demonstrated by the case of Bologna Airport in Italy, which was fined €40,000: the airport's operators used a whistleblower system from a provider that did not comply with a legal requirement.

In addition to the functionality for submitting cases, whistleblower systems must fulfill numerous other requirements. Since whistleblower systems are mainly used to transmit and store sensitive and potentially business-damaging information, they must comply with all basic data protection principles, which the GDPR has tightened further. State-of-the-art encryption is also mandatory for whistleblower systems.

In addition, it is advisable to check the certification of the hosting provider when hosting the whistleblower system. ISO 27001 certification is one of today's minimum standards for secure cloud infrastructures. We at HINTBOX meet these and other requirements, and our whistleblower systems also go beyond the specifications of the EU Whistleblower Directive.

HINTBOX offers conformity to the EU Whistleblower Directive

Our software implements the requirements of the EU Whistleblower Directive in a legally compliant manner and also reliably supports you in processing incoming cases. Information and descriptions of the HINTBOX features can also be found in the FAQ.

If you have any further questions about implementing a whistleblower system or about the EU Whistleblower Directive and its implementation, please contact us; our advice is free of charge and without obligation. You are also welcome to follow us on LinkedIn so that you don't miss any news. On all our channels, we keep you informed about the current status of the transposition of the EU Whistleblower Directive into German law, so that you are always up to date on changes in the requirements for companies and your company remains legally compliant.