Practical Implications of the Whistleblowing Directive: Compliance, Data Protection and Employment

There are certain unlawful activities committed by (or within) companies, public administrations or other entities, which are very difficult to identify if the closest persons to them (employees, suppliers, etc.) do not report them. However, potential whistleblowers may feel uneasy about possible retaliation, and there are not always adequate channels to generate confidence in a person willing to report. The EU Whistleblowing Directive aims to provide broad protection to those who report wrongdoing and to create channels for these reports to be made, with adequate protection of the rights and freedoms of whistleblowers, but also the rights of companies, public administrations, entities and the public interest.

Brief introduction: what is the purpose of the Whistleblowing Directive?

The deadline for the transposition of Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the "Directive") is December 17, 2021 at the latest, so any company in the EU should be aware of the potential changes that the Directive will mean for whistleblowing schemes.

The Directive aims to bring unlawful conduct to light by protecting the persons who are in a privileged position to report it. The goal is to find a solution to the culture of fear of reprisals experienced by those who are aware of certain infringements committed by (or within) companies, public administrations or other entities, but who do not report them for fear of suffering consequences. The reality is that these types of breaches are very difficult to identify if the people closest to them (workers, suppliers, etc.) do not report them.

Therefore, this Directive aims to provide broad protection to those persons who report wrongdoings and to create the channels for these reports to be made, with adequate protection of the rights and freedoms of the whistleblowers, but also the rights of companies, public administrations, entities and the public interest.

The adoption of this Directive in Europe will undoubtedly have important repercussions in many areas. In particular, we highlight in this article the possible consequences that the transposition may have on criminal compliance, data protection and employment law.

What you need to know about the Directive

The Directive aims to ensure that unlawful conduct in matters under European Union law is prosecuted, through the protection of persons who are in a privileged position to report. The material scope is as follows:

  • Public procurement,

  • Financial services, products and markets, and prevention of money laundering and terrorist financing,

  • Product safety and compliance,

  • Transport safety,

  • Environmental protection,

  • Radiation protection and nuclear safety,

  • Food and Feed Safety, Animal Health and Animal Welfare,

  • Public health,

  • Consumer protection,

  • Privacy and personal data protection, and network and information systems security,

  • Infringements affecting the financial interests of the Union,

  • Infringements relating to the internal market.

The Directive will not apply to matters with specific whistleblower protection rules, nor does it affect matters over which the EU has no competence, such as:

  • The protection of classified information;

  • The protection of the professional secrecy of doctors and lawyers;

  • The secrecy of judicial deliberations;

  • The rules of criminal prosecution.

Interestingly, the Directive makes express reference to the fact that the protection of whistleblowers has a direct connection to the respect for freedom of expression, and includes measures for whistleblowers (provided certain requirements are met) to have protection for contacting the media. The fact that freedom of expression is involved may have both procedural effects (possible need for special procedures to pass laws in EU member states) and material effects (possibility of proceedings for the protection of fundamental rights, access to certain courts, etc.).

Who is protected?

The Directive protects all persons in a situation of vulnerability with respect to the entity reported (or in the context of which a conduct has been reported). This category is interpreted very broadly. For example:

  • Employees (regardless of whether they are temporary, indefinite-term, etc.);

  • “Vulnerable” self-employed;

  • Contractors (including consultants, suppliers...);

  • Shareholders or managers who may suffer retaliation;

  • Former employees or candidates;

  • Persons who, although not economically/employee dependent, may suffer retaliation (volunteers, interns, etc.).

  • Relatives, clients, colleagues of any of the above who have an employment relationship (or similar) with the employer / entity or who are clients or recipients of services. Consider, for example, that an energy company is reported and, as retaliation, relatives of the whistleblower are deprived of the electric services of said company.

Which companies / entities are affected by the Directive?

The prohibition of retaliation against whistleblowers affects all public or private sector entities.

The obligation to have internal whistleblowing channels affects all public sector entities and those private entities with 50 employees or more. However, each member state has some room in transposing the Directive. For example, the number of employees may be reduced in companies in certain sectors, or the obligation may be excluded in public administrations in municipalities with few inhabitants or with fewer than 50 employees.

How is the whistleblower protected?

First of all, the confidentiality of the whistleblower is guaranteed (except with his or her express consent or for necessary and proportional reasons provided for by law, such as the right to defence). Only the personnel authorized to manage the whistleblowing channel may know the identity of the whistleblower.

Whistleblowers (and related persons, as explained above) are protected against any type of retaliation. The concept of retaliation is extremely broad. It includes any type of discrimination, suspension, denial of training, dismissal, non-renewal, financial loss. It constitutes a real guarantee of indemnity. In addition, the burden of proof is on the company/entity that has taken the harmful measure.

Whistleblowers will not incur any liability for any contractual breach of confidentiality or non-disclosure of information (e.g. in the employment agreement or provision of services) by resorting to the Directive's whistleblowing systems. In addition, if the whistleblower has committed any wrongdoing (including offenses of breach of confidentiality, data protection rules, etc.) to obtain the information being reported, the whistleblower will not incur any liability whatsoever, provided that he/she had reasonable grounds to believe that the report was necessary to expose an unlawful activity.

In addition, EU member states should ensure that the whistleblower has access to judicial means, and to free training and counselling regarding protection against retaliation. The whistleblower, where appropriate, should be provided with free legal assistance, and states may even provide financial assistance or support measures, including psychological support, in the context of legal proceedings.

What about false reports?

The widespread use of whistleblowing channels can lead to their malicious use, especially taking into account that sometimes the reported person may not be informed until later in the investigation. To avoid misuse of channels, member states should establish proportionate penalties for knowingly false public complaints or disclosures. There are no more specific measures, but each state can decide how to avoid false reports in the transposition of the Directive.

Are anonymous reports allowed?

Each state can decide whether to require companies/entities to accept and follow up on anonymous reports or not. In Spain, for the time being, their existence is allowed in the Data Protection Act. However, to confirm whether Spain will finally impose the obligation to accept anonymous reports, we will have to wait to see the final text once implemented. In any case, if an anonymous whistleblower is identified afterwards, the protection regime of the Directive will apply.

What is the protection for the reported individual(s)?

Reported individuals have the right to be heard and to access the file in order to be able to defend themselves. They shall be informed as soon as possible about their data protection rights, including the alleged unlawful facts of the complaint. In addition, they shall have the same confidentiality protection as the whistleblower.

However, if informing the reported individual could be problematic for the investigation (e.g. he/she may destroy evidence, could interfere in the investigation, etc.), the Directive allows member states to include exceptions to delay the duty to inform him/her. This delay shall be documented for accountability purposes, and shall not exceed what is absolutely necessary to protect the investigation.

In any event, before taking any decision, the concerned person shall be provided with the file of the report and shall be heard.

Internal whistleblowing channels: confidentiality

In those entities that are required to have an internal whistleblowing channel, there must be adequate means for submitting complaints. The priority is the confidentiality of the whistleblower, whatever the channel chosen, and to this end, the entity must guarantee that the channels comply with this requirement. The channels should be:

  • Written (e.g. email or physical mailbox); and/or
  • Verbal (e.g. telephone);
  • In addition, the applicant shall have the right in any case, upon request, to have a face-to-face meeting.

It is essential that the reception and follow-up of the complaint be carried out by persons or departments that guarantee confidentiality, absence of conflicts of interest and independence. In this regard, the possibility of the company or entity appointing third parties to manage the whistleblowing channel is very interesting. Depending on the third party chosen, it may be easier to demonstrate independence and absence of conflicts of interest, so that the whistleblower can have more peace of mind in this regard. In any case, it is necessary that the corresponding data protection contract has been signed with the third party, so that this access to personal data is covered by the General Data Protection Regulation.

It is necessary to take into account the formal obligations associated with the whistle-blowing channel. Among others:

  • Inform in a clear, transparent, accessible and visible manner about the existence and characteristics of the complaints channel (taking into account the obligations of the General Data Protection Regulation).
  • Existence of a complaints register.
  • Obligation to transcribe or document the content of calls and meetings.
  • Obligation to acknowledge receipt of the complaint.

External / internal complaint channels

The internal whistleblowing channel may not function as well as desired, because complaints are not followed up diligently, or within a reasonable time frame, or because the whistleblower has valid reasons to fear a breach of confidentiality, or because there is a risk of destruction of evidence. Therefore, although the general rule should be to use the internal whistleblowing channel, there should also be national authorities that manage a whistleblowing channel external to the organizations.

The conditions are analogous to the internal channels: among others, protection of confidentiality and the absence of reprisals and diligent follow-up of complaints. Until the Directive is transposed, we will not know exactly which authorities will be in charge, nor what their specific competences will be.

Public disclosure of the complaint

If none of the above mechanisms (internal and/or external whistleblowing channels) work, or if the whistleblower has reason to believe that there is an imminent or manifest danger to the public interest, or if in the case of external whistleblowing there is a risk of retaliation or a risk that the whistleblowing channels will not be effective, the whistleblower may publicly disclose the subject matter of the complaint. In these circumstances, he/she will also have the protection of the Directive (e.g. absence of retaliation). This means that he/she will be able to go to the media / press and make the complaint public under the protection regime of the Directive, which is a remarkable novelty.

Each member state may also have its own mechanisms for the protection of freedom of expression and information, as is the case in Spain with the protection of journalistic sources.

Practical implications for companies, administrations and other entities

The obligations of the Directive imply that the companies, administrations and entities concerned must develop internal mechanisms to ensure compliance. Below we indicate, from a practical point of view, what the main implications are in relation to criminal, data protection and labor regulations.

Regarding criminal compliance

The implementation of a whistle-blowing channel under the terms of the Directive will strengthen the culture of crime prevention and detection within companies. However, it will require companies to update and review their internal compliance regulations. Specifically:

  • Although it will largely depend on the characteristics of the company, it may be advisable for the whistleblowing channel to be managed by the entity's compliance body. If there is no compliance body within the company, it is advisable to set it up, including establishing operating regulations. This function may also be delegated to third parties.
  • The body or person in charge of managing the whistle-blowing channel must be capable of detecting criminal offenses, for which it is necessary to have a good knowledge of the company's compliance program and regulations. To this end, the company must provide, if it is someone internal, the relevant training to ensure the effectiveness of the whistleblowing channel. If outsourced, the company must ensure the suitability of the supplier selected.
  • When drafting the policy or regulation governing the operation of the whistleblowing channel, the company's criminal compliance needs and existing measures should be taken into account.
  • From the point of view of criminal compliance, it is necessary to draw up a protocol for internal investigations in order to react correctly to irregularities detected through the whistleblowing channel. In this regard, respect for the chain of custody when collecting evidence and the fundamental rights of the persons involved becomes particularly relevant, in order to be able to assert the findings of the investigation in potential legal proceedings.

In terms of data protection

The processing of data derived from the existence of the complaints channel is subject to strict requirements, due to the implications that any non-compliance may have for the whistleblowers, the reported individuals, or for the rest of the persons involved:

  • A privacy policy must be in place for all those involved in the whistleblowing channel, as well as for those under investigation. It is necessary to provide information about the processing both at the time the whistleblower channel is created, as well as when accessing it. In the event that an investigated individual is not informed for a necessary and compelling reason (e.g. possible destruction of evidence), the proportionality of the measure and its duration must be adequately documented.

  • The whistleblowers / reported persons must be made aware in advance of the functioning of the whistleblowing channel, of the possible consequences and their rights under data protection regulations, so that they have an adequate expectation of their privacy.

  • There must be protocols to ensure that the whistleblowing channel complies with the principles of data minimization (no more data is processed than necessary), the principle of retention (maximum 3 months, which can be extended to 6 months), etc.

  • Adequate security measures must be in place to ensure the confidentiality of the whistleblowers (and also of those being reported) and to prevent any processing of data other than that provided for in the complaints channel.

  • The data protection officer (if applicable) should give his or her point of view on the implications for the processing of personal data of the design of the whistleblowing channel. It is recommended that he/she also be consulted (even without disclosing identities) in the event that the investigations have a particular impact on the data protection rights of the whistleblowers / reported individuals.

  • Where the whistleblower channel is managed by a third party, there should be protocols in place to choose providers with high standards of personal data protection (including specific training), and with a data protection contract that complies with the General Data Protection Regulation (including high security measures).

  • Due to the nature of the processing, an impact assessment (art. 35 of the General Data Protection Regulation) may be mandatory to ensure that the impact on the rights and freedoms of data subjects is not disproportionate.

In the area of employment law

The labor consequences that will presumably result from the transposition of the Directive to the Spanish legal system are many, in view of the literal wording of the regulation, such that public and private entities will have to focus on:

  • Establish or, as the case may be, review internal complaint channels and procedures to adapt them to the guarantees required by the Directive.

  • Involve social agents from a multidisciplinary perspective (criminal, data protection and labor).

  • Manage the complaints channel either internally under the principle of non-interference or by contracting a third party in order to guarantee impartiality in the complaints procedure.

  • Whenever a disciplinary or non-disciplinary measure restricting the rights of employees is to be imposed, a detailed analysis of the content of this Directive should be carried out in order to assess whether the employee in question is covered by the protection provided by the Directive.

  • Identify the liabilities that the company may incur, in order to apply the appropriate corrective measures in the event that the reported person commits any of the offenses listed in the Directive.

  • Provide training to all staff and especially to those persons who will internally manage the channel or internal complaint procedure.

 

Authored by Ignacio Sánchez, Gonzalo F. Gállego, Luis Enrique de la Villa, Juan Ramón Robles, Carolina Llorente and Virginia Canales.

 
