What is the EU Whistleblowing Directive?

In 2021, all EU Member States will have to comply with the latest whistleblower legislation, ensuring protection for those who report misconduct.

In 2021, the new EU Whistleblowing Directive will start working alongside the GDPR to protect whistleblowers who report violations of EU law. The Directive outlines minimum standards for responding to and addressing reports, leaving certain details up to each Member State (including whether or not they want to permit anonymous reports).

Over this next year, many companies should be getting to work on understanding the Directive and becoming compliant. Start here to learn more about the Directive and an employer's role in protecting EU whistleblowers.

Main Elements in the Directive

Member States have to draft whistleblowing legislation that applies to private organizations with more than 50 workers and local authorities that serve more than 10,000 people. The EU Whistleblowing Directive doesn’t explicitly say whether all 50 workers need to be physically located in the EU or whether that number includes remote workers located in other countries.

The Directive uses a broad definition of the term “worker”. It includes people who, for a certain period of time, perform services for and under the direction of another person, and receive remuneration in return. The term “worker”, therefore, would include regular full-time employees, part-time workers, trainees, interns and contractors.

Specific Violations Whistleblowers Can Report

Whistleblowers can report violations of law in a long list of areas, including public procurement, financial services, product safety, environmental protection, food safety, animal welfare, public health, consumer protection, personal data protection and more.

Member States have the authority to broaden the scope further to include violations of other laws.

Intake Mechanisms

Under the EU’s Whistleblowing Directive, organizations are responsible for creating an intake method that individuals can use to report a violation.

Organizations may want to offer intake mechanisms in a variety of formats, including an online web form, a telephone hotline and a physical complaint box. Organizations can also choose to hire a third party to receive reports on their behalf, but must find a vendor that meets the standards for confidentiality, data protection and secrecy.

i-Sight (now Case IQ) offers a powerful end-to-end solution from intake to analysis. Every report is captured and funneled into the case management system in a way that complies with your country's laws.

Protection from Retaliation

Whistleblowers will be protected from retaliation even if they're not an EU citizen or a paid worker. As long as the whistleblower obtained the information in a “work-based relationship” and has reasonable grounds to believe their concerns are true, they will be protected. This means even job applicants and volunteers will be protected.

Common examples of retaliation include negative performance ratings, discrimination and transfer of duties.

Obligations & Action Steps for Companies

In addition to providing internal reporting channels, organizations must also raise awareness of the reporting process, maintain high levels of data security, designate an impartial person who will be responsible for responding to reports and meet deadlines set by the Directive.


Raise Awareness of the Reporting Process

The Directive mandates that organizations provide workers with sufficient information about the internal and external reporting process. Consider updating employee handbooks or other company documents with this information.

Improve Security and Privacy

Organizations are also obligated to make sure that their intake mechanisms and investigation process are secure. All private data about the whistleblower and any third party mentioned in the report must be kept confidential and in accordance with the EU GDPR.

As mentioned earlier, if the organization uses a third party to manage the intake process, it is the organization's responsibility to ensure the vendor can meet these confidentiality requirements.


Designate an Impartial Person or Team

Every applicable organization must designate an impartial person (or team) who will take on the responsibility of receiving, responding to and investigating reports.

The Directive explicitly states this must be an impartial individual, free of conflict of interest and capable of carrying out these duties without influence.

Be Timely and Meet the Deadlines

The Whistleblowing Directive gives organizations up to three months (or, when justified, six) to provide feedback to the whistleblower. This means that organizations have an obligation to maintain communication with the whistleblower and keep them updated. An organization should modify any processes that may hinder its ability to meet this deadline.

Use this time now to prepare your business properly. Whistleblower protection is an important part of reducing serious misconduct, and a great deal of the responsibility belongs to the organizations that employ whistleblowers.