On 23rd of October 2019, the European Parliament and the European Council adopted the Directive (EU) 2019/1937 (hereinafter ''the Directive'') on the protection of persons who report breaches of Union law1. The deadline for the implementation of the Directive by the EU Member States into their national law is the 17th of December 2021.

The important feature of this Directive is to provide protection for the whistleblowers who report breach of the Union that are harmful to the public interest. The protective measures for the whistleblowers are acknowledged on a national as well as an International Level.

A breach means any unlawful act or a breach affecting the financial interest of a Union, or a breach relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

The protection exists for employees, job applicants, former employees, supporters of the whistleblower and journalists. These persons are protected from dismissal, degradation, and any type of discrimination. Protection applies only to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offences, product and road safety, environmental protection, public health and consumer and data protection

The whistleblower can choose whether to report a concern internally within the company or directly to the competent supervisory authority.

With these safeguards the EU is signaling to whistleblowers their safety and encourage them to report on company infringements.

The obligations of a Member State under the Directive apply to legal entities in the private sector with 50 or more employees who will have an obligation depending on the activities of the entities and the ensuing level of risk, in particular, the environment and public health, Member States may require legal entities in the private sector with fewer than 50 employees to establish internal reporting channels and procedures.

At present, there are approximately 10 Member States that have set out their legal framework. In Cyprus, the Directive has not been enacted yet into the national legislation, but the Ministry of Justice and Public Order is in the process of for the creation and establishment of the proposed legal requirements under the Directive

The current national legislation does provide certain protection and safeguards regarding civil service, corruption and bribery offences, competition law and termination of employment but it seems that additional amendments and channel portals of this piece of Directive must be developed in order to ensure the smooth enactment with the Directive. The Members States must also ensure that there is a competent authority in charge for the 'whistleblowing', who will be responsible of undertaking the external reports of a 'whistleblower'.

It is contradictory that there is no definition in the Directive of the action of 'whistleblowing' but there is a reference for the protection of individuals of reporting a breach of the EU Law.

A. SCOPE

The Directive aims to provide to any employee in the private and public sector, having received information related to a breach of the EU Law in the workplace to proceed with a report in good faith and have reasonable grounds of believing that the content of the report is true at the time of making the report. Any person holding and reporting such information is allowed to be protected under the Directive.

The Directive, itself provides a core protection in relation to a 'whistle blower'. It is upon the discretion of each Member State to adopt the Directive by enacting it into its national legislation. The Member State must evaluate the potential EU breach it may hold for each sector i.e. money laundering, environment, public health, financial services, corporate tax etc.

B. WHO IS PROTECTED?

  • workers and self-employed individuals, freelance workers, contractors, and subcontractors
  • shareholders
  • members of an administrative, management or supervisory body
  • volunteers or trainees
  • new employees who have not yet begun working
  • facilitators
  • third persons connected with the reporting person
  • legal entities that the reporting person is connected to

C. TO WHOM IT APPLIES?

The Directive affects all businesses and government bodies with 50 or more employees. Companies with 250 or more employees must comply with the Directive beginning 17 December 2021.

Businesses with between 50 and 249 workers will have to begin complying with the Directive by 17 December 2023.

There currently are no plans at the EU level to apply the Directive to companies with fewer than 50 employees.

D. WHO CAN BE REPORTED?

  • financial services, products and markets, and prevention of money laundering and terrorist financing
  • public procurement
  • product safety and compliance
  • transport safety
  • protection of the environment
  • radiation protection and nuclear safety
  • food and feed safety, animal health and welfare
  • public health
  • consumer protection
  • breaches affecting the financial interests of the EU
  • breaches relating to the EU internal market
  • protection of privacy and personal data, and security of network and information systems

E. WHAT SHOULD WE DO?

If you are a company that falls under point C above should issue a 'Whistleblowing Policy and Procedures', to provide an internal mechanism for reporting, investigating and providing remedies in the workplace.

A company must outline the type of issues that can be raised, how to raise them, how they will be protected and what the actions of the company will be. The company must ensure that the Whistleblowing Policy and Procedures is in line with the GDPR laws of the company. Without receiving explicit consent, the reporting person's identity cannot be disclosed to anyone beyond the person handling the report.

Secure and direct the confidential and reporting channels must be provided within the company and designating appropriate personnel to investigate reports.

The company is liable to circulate and publish the Whistleblowing Policy and Procedures to every company personnel AND provide protection to any third party related to the whistleblower. Moreover, the company must have the relevant means to carry out investigation procedures and policies and have an effective record retention.

F. PENALTIES

In accordance with the Directive, penalties are imposed to organisations and individuals who get revenge against 'whistleblowers'; individuals who submit false reports and companies that failed through their internal policies and safeguard lines to keep confidential the identity of a whistleblower. The Directive gives authority to the national legislation of a Union for imposing sanctions.

G. REPORTING CHANNELS OF WHISTLEBLOWERS

It is mandatory for the companies to ensure that reporting channels are established, and every employee is familiar with this procedure. Through the reporting channels the whistleblower may have the right to submit a report either in writing or orally, however the identity of the whistleblower must always be kept confidential. Disclosure of the identity of the whistleblower and violation of the above may lead to serious imposition of penalties.

The company/organisation must designate an individual or a department for receiving the investigation reports. It is well expected that this role shall be undertaken either by a Compliance Officer, Head of Human Resource Department, an in-house entrusted lawyer, the CFO or a company's executive director. A designated person undertaking such a role may also be outsourced.

Acknowledgment of receipt by the designated person of the company must be given within 7 days and provide feedback within 3 months of the acknowledgment, however this could be extended to six months where necessary due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation.

There is a permission in the Directive for cases where internal reporting channels either do not exist, are not compulsory or used but are not applied. For example, a whistleblowers' complaint was made relating to the managing director of a company and that same person is the designated person appointed by the company to receive such reports. In certain cases, the protection will be extended to public disclosures in situations where the internal or external channels are difunctional.

There are three stages regarding an alert: 1) The Internal Alert, 2) Where the company failed to take measures to permit such an Alert, and 3) the Alert must be addressed to the competent authorities. Failure to proceed with an Alert within 3 months, may lead to public disclosure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.