EU Whistleblowing Directive: crucial aspects for companies
“Ethical behavior is doing the right thing, even when no one else is watching.” (Aldo Leopold)
This quote from Aldo Leopold reflects how companies have been facing new challenges over the years, and how complying with regulations, establishing ethical values and understanding the importance of developing a “Compliance culture” is decisive to success nowadays.
Scandals like the “Enron Scandal” have changed how everyone understands business, and companies need to understand how important it is to prevent, detect and react to possible risks, so they can reduce not only economic, but also reputational and financial costs. In this sense, complying with legal obligations is essential, and a big part of success in this matter depends on employees (as well as management and directors) reporting illegal actions.
With all of this being said, companies need to establish a system which allows employees and others to report any possible misconduct, in a safe and confidential manner.
This is where whistleblowing channels and the EU Whistleblowing Directive come into play.
In the words of the European Commission, unlawful activities may happen in any organization, private or public, with many forms like corruption or fraud.
Employees may also be in contact with those responsible, which puts them in a privileged position to report.
Whistleblowers are essential to building a transparent and legally compliant company, and to ensuring that employees and every part of a company are able to report misconduct and illegal actions.
However, the protection of whistleblowers at European and national level was uneven and fragmented, making it difficult for them to report their concerns for fear of retaliation.
The EU Whistleblowing Directive addresses this: its primary goal is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.
Protecting whistleblowers and helping them to report their concerns in a confidential way is essential, and proper measures must be taken in order to protect them from retaliation. If situations like fraud, harassment or even corruption are taking place in a company, employees must have a safe space where they can communicate these situations, feeling safe and protected at all times.
Regarding the confidential and safe aspects of the Whistleblowing channels, the Directive says that “potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation”. So, what are the implications of the Directive for your company and what are the key concepts you need to know about it?
Implications of EU Whistleblowing Directive: is my company affected?
As we said before, the main focus of the Directive is to establish a legal framework for protecting whistleblowers, safeguarding at the same time the public interest at European level.
To understand the scope of the Directive, your company must keep in mind that the EU Whistleblowing Directive establishes the following:
- Personal scope. The Directive applies to persons working in the private or public sector (they should have reasonable grounds to believe, in light of the circumstances and the information available to them at the time of reporting, that the matters reported by them are true). It also applies to ex-employees, part-time workers, trainees, etc.
- Material scope. The material scope of the Directive is very wide (public procurement, protection of privacy and personal data, prevention of money laundering, tax fraud…).
- Obligations to establish internal reporting channels. This is crucial, because the Directive says that Member States shall ensure that legal entities in the private and public sector establish channels and procedures for internal reporting, and this obligation applies to:
  - Legal entities in the private sector with 50 or more workers (a key aspect to keep in mind).
  - All legal entities in the public sector, including any entity owned or controlled by such entities.
If your company meets this definition, it is crucial to implement an adequate Whistleblowing system that complies with the EU Whistleblowing Directive. In this case your company must set up a reporting channel, and the Directive establishes that reports can be received through different means, such as online forms or personal meetings.
Your company must understand what the Directive means, educate not only workers but also stakeholders, and set up Whistleblowing channels, ensuring that workers feel safe reporting law breaches.
How GDPR affects the EU Whistleblowing Directive
Data protection is fundamental when we talk about Whistleblowing, and in the context of European companies, the GDPR is always going to be a concern. Companies need to understand the key factors relating to this Directive under data protection regulations.
Once we have described how the new EU directive affects companies, we must point out the effects of GDPR.
The information handled in Whistleblowing channels is very sensitive. Processing this information is inevitable, as it’s necessary for the proper functioning of the Whistleblowing channels.
The importance of this matter is such that the EU Whistleblowing Directive specifically refers to it in Article 17, saying that “Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be carried out in accordance with Regulation (EU) 2016/67”.
Whether it relates to witnesses or to people suspected of wrongdoing, this information must be processed in line with the GDPR.
This means that all data processing carried out by Whistleblowing channels is subject to the GDPR principles and provisions, such as confidentiality and data quality, as well as the rights of data subjects, such as the right of access.
Data controllers also need to ensure the lawfulness of the data processing, and in this sense, two main legal bases apply to processing personal data in this context: legitimate interest and legal obligations.
As the European Data Protection Supervisor (EDPS) says, relating to confidentiality, information about the whistleblower and the accused person “should be processed with utmost confidentiality”. This is crucial, because one of the main purposes of the EU Whistleblowing Directive is to protect Whistleblowers from the fear of retaliation.
One of the most important parts of this concerns security measures. If companies need to comply with the GDPR in the context of Whistleblowing, protecting this kind of sensitive information is of utmost importance. They need to implement security measures which prevent data breaches or unintentional disclosures, adopting technical and organizational measures in order to prevent and mitigate risks.
As we can see, there are many implications concerning GDPR and the Whistleblowing directive. Companies need to be very cautious about how this information is processed, and they have to comply with their obligations in this matter. By doing so, they are investing in identifying risks and avoiding them.