To ensure an EU-wide standard for the protection of whistleblowers, the European Union adopted a whistleblower protection regulation in October 2019. In a two-year implementation period, EU member states are required to transpose EU Directive 2019/1937 into their own national laws by December 17, 2021.
What exactly does this policy entail? What does it mean for me as a company? This is what we want to explain in this article and show how we can help you with our solution – Polario.
The basis of the Whistleblower Protection Act
The Whistleblower Protection Act is based on EU Directive 2019/1937. This directive was issued to improve the protection of whistleblowers. Whistleblowers have made waves in the recent past, both politically and economically, by disclosing unlawful acts.
Probably the best-known whistleblower in the political field is Edward Snowden. But in the economic context too, e.g. in the VW Dieselgate affair, there are numerous people who have pointed out grievances and would be considered whistleblowers under the new legal situation. Whistleblowers are perceived positively by the public because they disclose illegal actions that cause damage to society as a whole. In companies, however, as past cases have shown, whistleblowers are often perceived negatively, as these tips can have negative consequences for employees and the company. At the same time, this negative perception within the company leads to whistleblowers fearing sanctions, up to and including losing their jobs. This is exactly where the EU directive comes in: it creates framework conditions so that grievances can be uncovered in the future without whistleblowers having to fear reprisals.
The aim of the EU Directive 2019/1937
The primary purpose of the Directive and the resulting law is to protect whistleblowers who report violations. Whistleblowers are persons who obtain information about violations in a professional context and report them. Infringements are defined as illegal acts. The directive explicitly refers to EU law, which includes, for example, tax fraud, data protection, consumer protection, environmental protection, money laundering and other offenses sanctioned by EU law. With the transposition of the Directive into German law, the reporting of violations of German law will also be covered by the Whistleblower Protection Act.
Who is to be protected by the law?
Employees of the company
Former employees of the company
Supporters of the whistleblowers
Suppliers & service providers
Individuals who report violations outside of work activities or external violations are not protected.
Mandatory introduction of an internal reporting channel
The directive specifies two possible reporting channels to which whistleblowers can turn: external reporting channels and internal company reporting channels.
External channels are special authorities that have been established for these purposes.
Internal channels are ways that an employee can report the breach internally within the company. And this is where it becomes relevant for your company, because there is an obligation for companies to set up such reporting channels. The EU Directive explicitly states that internal reporting channels are to be given preferential treatment.
Not only companies under obligation
For companies with more than 50 employees or annual sales higher than 10 million euros, for municipalities with more than 10,000 inhabitants and state and federal authorities, this new law means that you must set up internal reporting channels for your employees for such violations. These reporting channels must meet the following requirements.
- Ensure confidentiality
- Prevent disclosure of information to the reporter
- Comply with the GDPR
- Enable anonymity for whistleblowers
- Protect against reprisals
In addition, the company must appoint an ombudsperson who accepts reports and follows up on the information provided. The directive states that the ombudsperson must have the following skills:
- Expertise to follow up on leads from the report
By when do you need to have the internal reporting channel up and running?
Legal entities over 250 employees
Legal entities with more than 50 employees or € 10 million turnover
Municipalities over 10,000 inhabitants
Federal & state authorities
The possibilities of the reporting channels
What can such reporting channels look like according to the law? Basically, the directive provides three options for setting up reporting channels.
As a company, you can set up a 24/7 telephone hotline where employees can report violations. When recording the violations, a detailed log of the report must be made. However, it is difficult to maintain the anonymity of the whistleblower.
The establishment of an office or the appointment of a compliance officer is another way to comply with the requirement to establish an internal reporting channel. In this case, too, a protocol must be prepared. This type of reporting channel hardly enables the preservation of anonymity and creates the risk of disclosure of the informant.
Setting up a digital reporting channel via a web application or integration into an employee app is preferable. In this case, employees are provided with an online form that they can use to report violations. The whistleblowers can be given the option of anonymous or public reporting.
The advantages of the digital reporting channel
- Pre-structuring of notifications through standardized form
- Automatic time stamp for compliance with deadlines
- Possibility of anonymous or public reporting
- Transparent overview and documentation of reported information
Further obligations of the companies
In addition to setting up a whistleblower system, i.e. a reporting channel for whistleblowers, companies have further obligations. An “impartial person” is to be designated for responsibility within the company for following up on the whistleblower’s reports. According to the EU, this could be compliance officers, human resources managers, in-house counsel, CFO, management or even entire departments. Even the same person/department that receives tips or reports can be designated.
Within seven days of receipt of a report, the company must confirm to the whistleblower that the report has been received. Information from the company regarding the measures taken, the status of the internal investigation and its outcome must be provided within three months.
Furthermore, the company has an obligation to provide information. Companies must provide their employees with easily understandable and accessible information about internal reporting processes and external/alternative reporting channels to the competent authorities.
All reports received must be stored securely so that they can be used as evidence if necessary.
Polario of plazz AG as a whistleblower system
plazz AG is a leading provider of content and communication platforms. An individual Polario solution can be activated and implemented for companies and municipalities within a few weeks, since the requirements from the Whistleblower Protection Act are already implemented as functions in the employee app Polario Campus.
Our SaaS solution Polario Campus has a survey and query tool. In the CMS, it is easy to configure these forms so that answers are submitted anonymously. The corresponding notes are also displayed anonymously in the CMS. Reports can be forwarded by email to the ombudsperson/department.
Pre-filtering by plazz AG
The whistleblower system Advanced enables you to extend the service of plazz AG. In order to relieve your ombudsperson/department, we offer expert and trained employees who filter and analyze reports from your whistleblower system and forward only valid reports to you. Furthermore, you ensure that the legal deadlines are met.
As a German company, we place great importance on integrity and confidentiality. Especially with regard to the confidentiality of whistleblowers, plazz AG sets the highest standards for data protection and IT security. As a long-standing provider of SaaS solutions, we can rely on a mature security architecture.
- ISO 27001 certified company
- ISO 27001 certified data center
- Regular penetration tests
- TISAX certification
- Detailed technical and organizational measures
- Development and support completely in house at the development center in Erfurt, Germany
- Hard encryption (TLS 1.2+)
- Anonymous data collection
- Precise access control
Check whether your company needs a whistleblower system!
Tips from plazz AG
- If you have a works council in the company, involve it in the planning and processes of a whistleblower system at an early stage. A works agreement can be useful here.
- Model an open culture and see such a system as an opportunity to uncover unknown wrongdoings in the company. A compliance culture helps optimize the overall corporate culture.
- Get your management on board and inform them about the introduction of the whistleblower system and processes at an early stage.
- Inform your employees transparently about the possibilities of the whistleblower system and create a climate of openness in which tips are followed up and whistleblowers' concerns about suffering disadvantages are reduced. Make it clear that both the law and the whistleblower system counteract these concerns.
- Involve all necessary departments in your company in the process, such as data protection, compliance, internal communications, legal, IT, etc.