作者

Dr. Oliver Bertram

合伙人

Read More

Isabel Bäumer

律师

Read More

Mareike Christine Gehrmann

授薪合伙人

Read More

Dr. Martin Knaup, LL.B.

合伙人

Read More

Dr. Rebekka Krause

授薪合伙人

Read More

Jan-Patrick Vogel, LL.M. (Stellenbosch University)

授薪合伙人

Read More
作者

Dr. Oliver Bertram

合伙人

Read More

Isabel Bäumer

律师

Read More

Mareike Christine Gehrmann

授薪合伙人

Read More

Dr. Martin Knaup, LL.B.

合伙人

Read More

Dr. Rebekka Krause

授薪合伙人

Read More

Jan-Patrick Vogel, LL.M. (Stellenbosch University)

授薪合伙人

Read More

2022年1月27日

FAQ – Non-implementation of the Whistleblower Directive

  • In-depth analysis

EU Member States should have transposed the EU Whistleblower Directive (“EUWD”) into national law by Friday, 17 December 2021. Like many other EU Member States, the German legislator has let this implementation deadline pass. Many companies, especially those that have not yet implemented a whistleblower system at all, are therefore faced with an uncertain legal situation as from 18 December 2021.

We have compiled alphabetically the most important questions from the perspective of our compliance, legal and human resources departments. However, caution is advised when dealing with compliance issues, since it always depends on the specific circumstances in question. Legal advice is just as important when dealing with whistleblowers as ensuring confidentiality in the whistleblowing process. The FAQs do not replace an examination of the legal situation in individual cases and do not constitute legal advice.

Our whistleblowing experts Dr Oliver Bertram, Isabel Bäumer, Mareike Gehrmann, Dr Martin Knaup, Dr Rebekka Krause and Jan-Patrick Vogel, LL.M. can be contacted through the following channels:

 
Whistleblowing Hotline: +49 69 97130-283 
Whistleblowing Task Forcewhistleblowing@taylorwessing.com

Download our whistleblower FAQ

Webinars & information

FAQ – Non-implementation of the Whistleblower Directive

Anonymity: Does the whistleblower system have to allow anonymous reports or do they have to be processed by the company?

The EUWD does not establish an obligation for companies to accept anonymous reports. However, the fact that employees prefer to report violations anonymously speaks in favour of accepting anonymous reports. If this is not made possible, employees are more likely to turn directly to external reporting bodies. In order to maximise the knowledge gained by the company, it therefore makes sense from a compliance perspective to also allow anonymous reports. Since anonymous whistleblowers also enjoy whistleblower protection under the EUWD if their identity is disclosed, there are good arguments for taking this into account within the framework of a whistleblower system.

Scope of application: What is the scope of application of the EUWD?

The EUWD applies to all private and public employers (e.g.  municipalities). However, the obligation to establish internal reporting channels only applies to employers with at least 50 employees. For private employers with 50 to 249 employees, the EUWD also provides for an extended deadline for the establishment of internal reporting channels until 17 December 2023.

Employees: Who can submit reports via the company’s internal whistleblowing system?

The EUWD stipulates that the reporting channels must be open to all employees of the company. The term “employee” is interpreted in a broad sense, i.e. in accordance with EU law (e.g. trainees are also included). Civil servants are also included. In addition, the reporting channels can also be opened to other persons (see details on “external persons”).

Protection of the accused: Do the persons accused by the whistleblower also have to be protected by the company?

The EUWD requires reporting channels to be designed, set up and operated in a secure manner that not only protects the confidentiality of the identity of the whistleblower but also that of third parties mentioned in the report and prevents unauthorised employees from accessing such identity. In particular, striking a balance between the protection of the accused on the one hand and the protection of whistleblowers on the other often causes problems in internal company investigations.

Works Council: What role does the works council play in the implementation of a whistleblower system and the clarification of reports?

As a rule, the works council has a right of co-determination within the implementation of a whistleblower system, i.e. the whistleblower system may not be introduced without the prior consent of the works council. In group structures, the competence of the group works council, the central works councils and/or the local works councils must be carefully examined and, in case of doubt, delegation resolutions must be sought.

Reversal of the burden of proof: Who bears the burden of proof that a company has taken inadmissible measures under employment law against a whistleblower?

If a whistleblower demonstrates that he/she has reported or disclosed violations in accordance with the EUWD and has been discriminated against, the burden of proof shifts to the person who did the discriminating. This means that in such cases the company must prove that its actions were in no way connected to the report or disclosure made.

Compliance Management System: Does a whistleblower system need to be integrated into a company’s compliance management system (CMS)?

A functioning whistleblower system is a central component of an effective CMS and must therefore be linked to the other elements of a CMS. In addition to identifying compliance violations, the whistleblower system also serves to determine whether the preventive compliance measures taken are effective and whether any misconduct is avoided. To the same extent, a whistleblower system helps to identify necessary adjustments and improvements to the CMS and, at the same time, preserves the authority to interpret the facts underlying the respective report in favour of the company concerned.

Data protection: What must be observed in terms of data protection law, especially when using web-based whistleblower systems?

First of all, it must be examined on which legal basis the data processing can be legitimised. It must be taken into account that due to the lack of group privilege, every company within a group is considered a “third party”, which is why every data transfer within a group of companies requires a legal basis. If the data processing can be justified, the legal basis should be sufficiently documented. Furthermore, a data protection impact assessment must be carried out as part of the implementation. In addition, complete information about the data processing pursuant to Arts. 13 and 14 of the GDPR is required, usually in relation to all persons whose personal data are processed. If the whistleblower system is provided by a service provider, an agreement on commissioned processing must usually be concluded with the service provider. If processing also takes place outside the EU or the EEA (even if it is only access to data in the EU for support purposes), further safeguards are required to ensure an adequate level of data protection. If the whistleblower system violates these or other data protection requirements, serious sanctions may be imposed under the GDPR.

External reporting office: What is an external reporting office? Are whistleblowers also allowed to contact external bodies directly?

An external reporting office is an authority to which information about misconduct can be reported verbally or in writing.
The whistleblower may choose whether he/she first contacts the company internally and/or the competent authority externally. Accordingly he/she can also contact the external reporting office directly.
However, in the absence of an implementation law, the external reporting office has not yet been designated in Germany. Should this happen in the short term, companies should support an internal whistleblowing system even more intensively in order to set the strongest possible incentives that this is used as a matter of priority and that external whistleblowing is therefore avoided as far as possible.

External Whistleblowing Team: Is it permissible to use an external whistleblowing team for an internal whistleblowing system?

Reports via the internal whistleblowing system do not necessarily have to be received by a company’s internal whistleblowing team. The first contact can also be external, e.g. lawyers (see “Ombudsman's office”). However, it is still advisable to appoint responsible persons internally when implementing the whistleblowing system, who can then act as contact persons for the external persons after a report has been made.

Whistleblower: Who can be a whistleblower in the company?

Whistleblowers can be any natural person to whom the reporting channel is open, i.e. every employee of the company and, if applicable, company outsiders, and who report or disclose information on violations obtained in connection with their work activities.

Whistleblower protection: What measures must the company take to protect the whistleblower?

It is a core obligation for companies to:

  • protect whistleblowers from reprisals of any kind - directly or indirectly, including threats and attempts and
  • protect the confidentiality of the identity of whistleblowers.
International whistleblowing system: Can the whistleblower system of the parent company abroad be used for subsidiaries and sub-subsidiaries abroad?

If the data protection requirements for a cross-border data transfer have been met, the whistleblower system of the parent company can only be used as an additional tool. The subsidiaries and sub-subsidiaries must also maintain a local reporting channel (see comments on the “central whistleblower system”).

Internal Reporting Office: What is an internal reporting office and who in the company can perform this function?

A position within a legal entity in the private or public sector to which information about misconduct can be communicated verbally or in writing, especially a manager, compliance officer, HR manager, ombudsman (e.g. lawyers), company employee representative. For a better handling of a whistleblowing system, the department/person who performs the function of an internal reporting office in the company should be explicitly entrusted with this responsibility.

IT Department: Can my company's IT department have access to the whistleblower system for IT support and to ensure IT security?

According to the EUWD, only authorised staff members who are responsible for receiving or following up on reports may have access to information that reveals the identity of the whistleblower. As a rule, however, the IT department is not responsible for receiving and resolving reports, so the IT department must be shielded from the content of any reports.

Know-How Protection: Can trade secrets and/or confidential information of the company also be reported via the whistleblower system?

If the information reported is necessary to uncover a violation in accordance with the EUWD, trade secrets or confidential information may also be reported through the whistleblowing system. In other words, if the company does not have appropriate reporting channels, the company’s proprietary know-how may also be disclosed in other cases without the whistleblower having to fear any consequences (see “Disclosure”).
However, the competent authorities must ensure that these trade secrets are not used or disclosed for purposes that go beyond what is necessary for proper follow-up measures.
Classified information, on the other hand, remains unaffected by the protection of the EUWD, i.e. this information may not be disclosed.

 
Coalition Agreement: What has the new Coalition Government agreed in the Coalition Agreement on whistleblowing protection?

The Coalition Agreement specifically states: “We will implement the EU Whistleblower Directive in a legally secure and practicable manner. Whistleblowers must be protected from legal disadvantages not only when reporting breaches of EU law, but also material breaches of regulations or other material misconduct, the disclosure of which is in the particular public interest. We want to improve the enforceability of claims for reprisals against the damaging party and are looking into counselling and financial support schemes for this purpose.”
It should be highlighted here that

  • the material scope of application of a transposition law is likely to extend not only to infringements of EU law but also to infringements of national law, in particular those which are subject to criminal penalties or fines, and
  • offers of financial support should be examined, i.e. financial incentives for potential whistleblowers (compensation?) should also be considered, similar to what is the case in the USA.
 
Reporting channels: Which reporting channels may be used for the whistleblower system?

It is up to the company to decide which form of whistleblowing system to set up. Different types of reporting channels are conceivable in principle. For example, in addition to the technical and web-based whistleblowing systems, a designated e-mail address, telephone number or mailbox can also be considered as a reporting channel, whereby the design is quite challenging due to the requirements for confidentiality and feedback, among other things. At the whistleblower’s request, however, a face-to-face meeting with the unit acting as an internal reporting office must also be made possible.

Disclosure: Can trade secrets and/or confidential information of the company also be disclosed?

A whistleblower who discloses information to the public can only invoke the whistleblower protection provided for if no appropriate measures have been taken by the company (internally) and/or the authority (externally) within the prescribed time frame, or, in exceptional cases, if there is sufficient cause for the presumption of endangering the public interest, fear of reprisals or lack of perspective of clarification.

If the company does not maintain a suitable whistleblowing system, the whistleblower may therefore also disclose the alleged infringement directly under certain circumstances (e.g. by reporting to the law enforcement authorities or the media). This risk also exists after the transposition period has expired, as the courts must already interpret the national laws in conformity with the Directive. 

Public sector: Does the public sector also need to introduce whistleblowing systems?

Yes, the obligation to set up internal reporting channels and procedures for internal reporting and follow-up applies to legal entities in the private and public sectors as well as to municipalities with 10,000 or more inhabitants. In addition, the EUWD has already been directly applicable to the public sector since 18 December 2021 (see comments on “Direct effect”).

Ombudsman system: What is an ombudsman system? Can an external ombudsman still be used as a “reporting point”?

An ombudsman system usually involves external lawyers who are available as a contact point for whistleblowers. These lawyers pass on the information to the company, if necessary after carrying out a legal “first level check”.
Yes, the establishment of an ombudsman system continues to be a permissible reporting channel.

Reprisals: What measures constitute reprisals within the meaning of the EUWD?

All direct or indirect actions or omissions in a professional context that are triggered by an internal or external report or disclosure and that may cause unjustified disadvantage to the whistleblower (e.g. dismissal or suspension, warning, transfer or reassignment, failure to receive promotion, failure to receive training, social exclusion, mobbing, etc.).

Directive-compliant interpretation: Can courts apply parts of the EUWD even before the adoption of a transposition law?

After the transposition period has expired, the German courts should interpret the national laws in accordance with the EUWD. If, for example, the courts have to decide on the validity of an employee’s disciplinary action, they would have to take into account the provisions of the EUWD regarding the protection of whistleblowers.

Risks: What are the risks for companies that have not implemented a whistleblowing system?

Although the EUWD does not apply directly to private companies, there is a risk of an interpretation in conformity with the EUWD, a (legitimate) outflow of know-how due to public reports (in particular trade secrets) as well as a risk of reputational damage (see comments on “Sanctions”).
Furthermore, it cannot be ruled out that courts will deem the company’s compliance management system ineffective if it does not comply with the requirements of the EUWD.

Acknowledgement requirement: Does the company have to give an acknowledgement to the whistleblower?

The whistleblower should be informed as comprehensively as possible about the handling of his/her report. This includes both an acknowledgement of receipt and an explanation of the follow-up measures planned and taken as well as the results of any investigation.
Within a period of 7 days after receipt of a report, the whistleblower must be given acknowledgement of receipt of the report.
Within a reasonable time frame – max. within three months - the whistleblower will be given information on follow-up measures.

Sanctions: What sanctions will be imposed on the company if an EU-compliant reporting system is not in place by 18 December 2021?

The EUWD does not provide for any economic sanctions for the non-establishment of a whistleblower system that complies with the requirements of the EUWD, in particular no corresponding fines (see comments on “Risks”).

Transparency: How can company employees know whether they should report actions that has been observed or experienced in the whistleblowing system?

Often it is not easy for employees to judge whether actions they have experienced constitutes a“violation of the law” or “unethical behaviour”. It is therefore advisable to use clearly formulated policies and guidelines to give employees an unambiguous picture of what conduct is considered worthy of reporting. Complex legal terms should be avoided as far as possible. The same applies to the communication of a transparent understanding of the responsibilities and processes for handling incoming reports in order to gain and maintain the trust of employees in the functioning and effectiveness of a whistleblowing system. To this end, potential whistleblowers should be provided with relevant information in an easily accessible manner. It is therefore recommended that the whistleblowing process is laid down in a guideline/policy (unless a works council agreement is to be concluded anyway) and handed out to all employees.

Direct effect: Do the obligations of the EUWD already apply to my company from 18 December 2021?

In principle, EU Directives only oblige Member States to transpose the content of the EUWD into national law.
Directly applicable, however, are those provisions of a directive that are to be classified as “self-executing”. These are characterised by the fact that they are formulated in such a clear and independent manner free of conditions that no further transposition acts are required in order to determine which claims exist under the directive, because the content of the regulations can already be completely derived from the directive. However, this only applies to the extent that private legal entities are not affected. In this respect, the standards of the EUWD apply directly “only” to public undertakings as of 18 December 2021.

External parties: Does the whistleblower system also have to be opened up to external parties?

The EUWD does not impose an obligation on companies to accept information from persons who do not fall within its subjective scope of application, i.e. from outside the company. However, it is recommended to consider this as an option, especially with regard to the obligation to set up a complaints procedure provided for in the Supply Chain Due Diligence Act.

Violations: What violations can be reported in accordance with the EUWD?

According to the scope of application of the EUWD, only the reporting of breaches of certain EU law falls under the protection of the EUWD. This means that whistleblowers who report violations of national law do not fall under the scope of protection. It can therefore be assumed that the German transposition law will go beyond the EUWD, as otherwise effective whistleblower protection is hardly conceivable. In addition, it would be left to the assessment of the employees whether it is a violation of national or EU law or just unethical behaviour. This could lead to a great reluctance to use the whistleblowing system.

Confidentiality: Are the whistleblowers and the persons named in the report to be treated confidentially in the company?

Yes, the EUWD requires reporting channels to be designed, established and operated in such a secure manner that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorised employees are denied access to it. The draft bill for the Whistleblower Protection Act, which has since failed, contained a fine of up to EUR 20,000.00 for violations of the confidentiality obligation. It is recommended that all employees who are authorised to receive and/or process whistleblowing reports sign a separate confidentiality declaration.

Central whistleblowing system: Are central whistleblower systems still permissible in groups of companies and corporations?

In the opinion of the EU Commission, which commented on this issue in the summer of 2021, a group-wide central whistleblower system at the parent company does not constitute a permissible division of resources, so that subsidiaries that fall within the scope of application due to their number of employees must (additionally) set up their own decentralised whistleblower system.

Call To Action Arrow Image

Latest insights in your inbox

Subscribe to newsletters on topics relevant to you.

Subscribe
Subscribe

Related Insights

法人犯罪与合规性

OLG Nürnberg: Management obligated to establish a compliance management system - what does this mean for M&A transactions?

2022年7月28日
Briefing

作者

点击此处了解更多
竞争、欧盟与贸易事务

EU authorized new sanctions against Russia

General overview of the sanctions regime and explaination what companies need to do now

2022年6月2日
Briefing

作者

点击此处了解更多
纠纷和调查

Compliance management systems and the perpetual question of “what is appropriate”?

2022年3月8日
In-depth analysis

作者

点击此处了解更多