Ready to try Vispato in your organization?
Schedule a demo and get set up today – without any consulting upsells or lengthy roll-out process
The EU Whistleblowing Directive is the biggest shake-up
to company compliance in years.
Not since the EU introduced the now-infamous GDPR law back in 2016 has there been a more important change for companies to be aware of, and implement.
As you’ll see from our infographic, and this article, the EU Whistleblowing Directive is:
Most companies are now starting to make changes ahead of compliance becoming mandatory from late 2021. So how will it impact your business? And what do you need to do?
To help you understand your company’s responsibilities, we’ve decoded the full 40 page EU Whistleblowing Directive into a simple infographic and FAQ.
The short answer, as can be found in Paragraph 48 of the Directive, is that any enterprise in an EU member state that has 50 or more workers should be subject to the obligation to establish internal reporting channels, irrespective of the nature of their activities, based on their obligation to collect VAT.
However, there are a few important points that need to be taken into account:
In fact, the Directive states that “protection should, thus, also be granted to workers in non-standard employment relationships, including part-time workers, fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency…”. In other words, if someone is being remunerated for their contribution towards the company, regardless of their formal employment status, they’re likely to be classified as a ‘worker’.
As the EU published this as a directive and not as a regulation, it’s up to EU Member States to transpose it into their national laws. The EU Whistleblowing Directive specifically lays out that EU Member States may choose to go further, for instance, requiring companies with under 50 workers to comply, if there are “significant risks that may result from their activities”.
Article 26 of the Directive says that each Member State must bring it into force by 17 December 2021 at the latest. However, it also says that Member States don’t have to make it mandatory for private sector companies with between 50-249 workers until 17 December 2023. Given this leeway is optional, you’ll need to check the specific national law to find out if it applies.
In addition, some Member States already have whistleblowing laws in force that cover similar requirements as set out in the EU Whistleblowing Directive. For example, in France the Soi Sapin II has applied to companies of at least 50 workers since January 2018 and has wide-ranging protections for whistleblowers.
If your business is based in the EU and has over 50 ‘workers’, then you will almost certainly be covered by these new whistleblowing rules.
Even if this isn’t the case, you may still be covered as there is ambiguity within the EU Whistleblowing Directive on how it applies to non-EU companies.
For example, if you are a non-EU company, but still have 50+ workers and a presence in the EU, or have 50+ EU-based workers, it’s likely the Directive could still apply.
The EU Whistleblowing Directive empowers whistleblowers to report any breach of EU law. Article 2 of the Directive specifically lists the following categories as examples:
Very importantly, the Directive also says that this is the minimum required and that Member States may extend protection further under national law. This means more common company concerns, such as those connected with HR and recruitment could also be included.
The EU Whistleblowing Directive does not just protect workers.
Instead, as set out in Article 4, it encompasses a very broad range of public and private sector stakeholders – from job applicants, all the way to the relatives or colleagues of a ‘reporting person’.
The Directive specifically lists the following people as protected:
The Directive places a large emphasis on protecting whistleblowers from any forms of workplace retaliation. In Chapter 6, Article 19 of the Directive, there is an extensive list of specific retaliation measures that are included such as; demotions, reputational harm, negative performance assessments, etc.
It’s also stated that the identity of whistleblowers should be protected for as long as investigations are ongoing – i.e. the right of anonymity.
In terms of support, Article 20 of the Directive instructs Member States (not necessarily companies) to provide help to whistleblowers in the form of:
According to Article 6 of the EU Whistleblowing Directive, these protections apply to anyone reporting a potential breach, providing that they:
(a) had reasonable grounds to believe that the information they reported was true at the time and that it fell within the scope of the Directive.
And, (b) reported it internally, externally, or via a public disclosure (including to any relevant institutions, bodies, offices, or agencies)
Protections still apply to whistleblowers whose identities are leaked and who suffer retaliation.
According to Article 9 of the EU Whistleblowing Directive, there are a few principles that organizations should be aware of when handling internal reports:
No. The EU Whistleblowing Directive is clear that whistleblowers can report concerns internally, externally, or via public disclosure.
The following definitions for each of them are given within the Directive:
At first glance, the requirements of the new EU Whistleblowing Directive are incredibly complex and overwhelming – particularly for businesses without dedicated compliance departments.
Furthermore, for millions of companies with more than 50 workers, compliance will be mandatory. So whether you like it or not, this is something that can’t be ignored. The risks of fines, legal issues, unreported wrongdoing, and reputational issues will weigh heavily on non-compliant companies.
So the question most companies are now asking themselves is:
We believe the answer is Vispato.
Vispato is a modern, secure, and anonymous whistleblowing system. It works by creating a dedicated online portal for employees and stakeholders to make anonymous reports. All you do as a company is share the URL (e.g. via a company intranet, internal emails, on your website, etc), and respond to reports if they come in.
As you will have seen in our infographic and this article, there are numerous requirements of the EU Whistleblowing Directive to comply with. Here are some of the ways Vispato is designed to help your company do just that:
Have any questions or need more information? We’re always happy to talk.
Please be aware that nothing in this article should be construed as legal advice. Full access to the EU Whistleblowing Directive is available here.