On 12 April 2022, a new draft law on the protection of persons who report breaches of law (known as “the draft on the protection of whistleblowers”), dated 6 April 2022, was published. The legislative work is connected with the obligation to implement Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law.
- SUBJECT MATTER OF THE DRAFT
The draft regulates matters related to the reporting of breaches of law both internally (i.e. within an organisation) and externally (i.e. to central authorities), and sets out the conditions and measures to protect whistleblowers, i.e. the reporting persons.
- NEW OBLIGATIONS FOR UNDERTAKINGS
The draft provides for the obligation to establish a procedure to report breaches of law and for follow-up activities (Art. 24 of the Draft).
The obligation is imposed on (Art. 23 of the Draft):
- legal entities in the private sector with 50 or more workers; and
- legal entities which conduct business in the following sectors: financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety, and environmental protection – irrespective of the number of persons employed.
Note: failing to comply with the obligation to establish an internal procedure, or establishing a procedure that breaches the requirements, will constitute an offence (Art. 55 of the Draft).
- REQUIREMENTS APPLICABLE TO THE INTERNAL PROCEDURE
- The Draft also specifies what the internal reporting procedure (Art. 25 Sec. 1) should define:
  - the entity designated by the legal entity:
    - to receive the reports; and
    - to take follow-up actions.

    Both these roles may be performed by one entity, including an external entity. This is significant for ensuring impartiality;
  - the methods to submit the reports at a contact address. The draft departs from the idea of anonymous reporting;
  - the obligation to confirm to the reporting person that the report has been received within 7 days of receipt unless the reporting person did not provide their contact address;
  - the obligation to diligently follow up on the reports; and
  - the maximum deadline to provide feedback to the reporting person, which must not exceed 3 months from the date on which receipt of the report was confirmed.
- The draft (Art. 27) also imposes the obligation to maintain the confidentiality of:
  - the reporting person;
  - the person concerned referred to in the report; and
  - the third party whose name was given in the report.
Note: breaching the obligation to maintain the confidentiality of: (i) the person who reported the breach; (ii) the facilitators assisting in the reporting process; or (iii) the persons related to the reporting person, is an offence subject to the penalty of a fine, restriction of liberty, or deprivation of liberty for up to one year (Art. 53 of the Draft).
- Prior to implementing the rules and regulations for internal reporting, consultations should be held (Art. 24 Sec. 3 of the Draft):
  - with trade union organisations at the company; or, if such organisations do not exist at the entity,
  - with representatives of the persons who work for a given entity, appointed in line with the procedure accepted at this entity.
- MEANS OF PROTECTING A WHISTLEBLOWER
The reporting person who is a whistleblower is the individual who submits a report or makes a public disclosure. The Draft contains detailed regulations covering the protection of the whistleblower including the following:
- it is not permitted to take or attempt to take retaliatory measures against the reporting person, or threaten to take such measures. The Draft contains a sample catalogue of conduct that will be treated as retaliatory measures;
- the whistleblower cannot receive adverse treatment because of the report or public disclosure (adverse treatment is considered to be, inter alia, the refusal to enter into an employment relationship, a notice of termination or termination without notice of the employment relationship, or a decrease in salary). The prohibition on adverse treatment also covers the facilitators who helped the reporting person or persons related to the whistleblower;
- the whistleblower will be entitled to compensation if retaliatory measures are taken against them;
- the reporting person’s disciplinary liability will be excluded as well as their liability for damage incurred due to breaching other persons’ rights or breaching obligations described under law and specifically regarding libel, the infringement of personal interests, copyrights, breaching regulations on personal data protection and confidentiality obligations, including business secrets; and
- notice of termination or terminating a contract without notice because of the reporting or public disclosure will be considered ineffective.
Note: a condition for the whistleblower to be protected is that they report a breach in good faith, i.e. in a situation in which the whistleblower had justified reasons to believe that the information regarding the breach of law that was reported or was subject to public disclosure was true at the moment of reporting and that such information concerned a breach of law.
Protection is afforded to the reporting person who:
- may be an employee (former or current);
- may seek employment;
- may be a temporary worker providing work on a basis other than an employment relationship (including based on a civil law agreement);
- is a self-employed person, or is a shareholder or stakeholder;
- is a member of the bodies of a legal entity;
- is a person who works under the supervision and direction of the contractor;
- is a subcontractor or supplier, including based on a civil law agreement; or
- is a trainee, volunteer, or apprentice.
Protection is also afforded to facilitators or to persons related to the reporting person.
- CRIMINAL SANCTIONS
The draft introduces new types of criminal offences:
- the obstruction of or attempt to obstruct reporting;
- using violence, threats, or deceit to obstruct or attempt to obstruct reporting;
- retaliation contrary to law against the person who reported a breach or made a public disclosure;
- a breach of the obligation of confidentiality of the reporting person, the facilitator, or a person related to the reporting person;
- intentional reporting of a breach or making a public disclosure containing false information or assisting in reporting false information; and
- failing to establish internal procedures or establishing an internal procedure that does not comply with regulatory obligations.
- ENTRY INTO FORCE
The law enters into force 2 months after its publication. However, legal entities in the private sector with 50 or more workers but fewer than 250 workers must establish internal procedures by 17 December 2023.
Legal entities in the private sector with at least 250 workers and legal entities which conduct business in the following sectors: financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety, and environmental protection, must establish internal procedures within 1 month of the law entering into force.
- SHOULD WE WAIT UNTIL THE DRAFT LAW COMES INTO FORCE?
ADVANTAGES FOR AN ORGANISATION OF REACTING NOW
Establishing internal reporting channels to report breaches will become a legal obligation. It follows from our experience that these channels may be a valuable tool of communication with workers and may also significantly enhance the process of identifying and preventing internal abuses. This then makes it possible to limit financial losses or harm to public relations as well as legal risks incurred by companies as a result of abuses.
Effective implementation not only requires that the obligations under law are complied with but also that the internal reporting procedure and an individual organisation’s model for handling the reports are adequately prepared.
WHAT CAN WE DO TO HELP YOU?
We can help you to:
- develop internal procedures;
- select and implement an adequate channel to receive reports of breaches;
- evaluate the risk of breaches of law in the context of the business profile of an entity;
- prepare communication in connection with establishing channels to receive internal reports of breaches;
- handle the reports and follow-ups, including investigations; and
- conduct training for persons responsible for the handling of reports and follow-ups.