On 16 April 2019, the European Parliament approved new rules on the protection of whistle-blowers (the "Directive"). The European Commission proposed such EU-wide rules last year, in the aftermath of scandals such as "Luxleaks" and "Panama Papers" (See Van Bael & Bellis on Belgian Business Law, Volume 2018, No. 4, p. 6, available at www.vbb.com). These scandals showed the importance of revelations made by whistle-blowers in order to detect and prevent breaches of EU law that are harmful to the public interest. 

The Directive aims to better protect those disclosing information on illegal conduct or abuses of law in the workplace. The protection for reporting breaches of EU law covers a wide range of areas, including competition, public procurement, financial services, money laundering, product and transport safety and public health as well as consumer and data protection.

The new rules establish safe reporting channels for reporting both within an organisation and to public authorities. For example, the Directive provides that companies with more than 50 employees are obliged to set up channels and procedures to report safely. The new rules explicitly prohibit reprisals and introduce safeguards to prevent the whistle-blower from retaliation, such as suspension, dismissal or demotion. In addition, persons assisting whistle-blowers, such as facilitators, colleagues or relatives, are protected.

During the whistleblowing procedure, sensitive personal information will be processed. This applies, for example, to personal information of the whistle-blowers, alleged wrongdoers, witnesses and other persons appearing in the report. Therefore, the Directive explicitly refers to the General Data Protection Regulation ("GDPR") and stipulates that "any processing of personal data carried out pursuant to this Directive, including the exchange of personal data by the competent authorities, shall be made in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680". Furthermore, in line with the principle of data minimisation, personal data which are "manifestly not relevant for the handling of a specific case" should not be collected or, if accidentally collected, deleted without undue delay.

Explicit reference is also made to a duty of confidentiality requiring Member States to ensure that the identity of the reporting person is not disclosed without the explicit consent of this person to anyone beyond the authorised staff members competent to receive and/or follow up on reports. Only if a necessary and proportionate obligation is imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, the identity of the reporting person may be disclosed (including with a view to safeguarding the rights of defence of the person concerned).

The new rules still have to be approved by the Council of Ministers. The Member States will then have two years to implement the rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.