Stepping forward: The EU Whistleblower Protection Directive  

What is the Whistleblower Protection Directive about?

In 2019 the European Parliament adopted Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“The Whistleblower Protection Directive”/ “The Directive”) and EU Member States are obliged to transpose it into their respective national legislation by 17 December 2021.

The Directive aims to encourage employees to step forward and report breaches of EU legislation within their organisations. From the perspective of Bulgarian law, encouraging individuals to report unlawful activity is not a new approach. For example, the Bulgarian Criminal Code already contains such provisions; however, practice shows little proactiveness in terms of reporting breaches in the private business sector.

The Whistleblower Protection Directive defines a significantly broad material scope by including areas, some of which relate to business processes that are present in almost every company: public procurement, financial services, products and markets, and prevention of money laundering and terrorist financing, product safety and compliance, transport safety, protection of the environment, radiation protection and nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data, and security of network and information systems.

The Directive is primarily focused on the protection of whistleblowers but it also contains provisions aiming to prevent individuals from disrupting businesses by constantly submitting ungrounded signals. Employees are subject to protection under the Directive only if they have sufficient reason to believe that a breach is conducted and they report this breach in accordance with the Directive.

What are the different types of whistleblowing?

The Directive foresees three main types of whistleblowing:

► Internal: reporting of breaches within an entity (in the private or the public sectors);

► External: reporting that is done directly to the respective competent authorities; and   

► Public: making the respective breach information available in the public domain. In this scenario, the individual is also protected by the Directive if they have tried internal or external reporting prior to the public disclosure.

What will follow for businesses?

Businesses must create and maintain properly protected whistleblowing channels for employees to submit alerts about breaches of EU legislation. This means that employers are responsible for the implementation of both technical means and record keeping methods in this regard. However, the Directive foresees that such obligations only apply to businesses with 50 or more employees, thus releasing small companies from this administrative burden. Certain exceptions are foreseen for entities in socially important sectors such as environmental protection and healthcare.

The Directive accurately considers that internal confidentiality can hardly be achieved when it comes to whistleblowing channels, so it foresees that these processes can also be handled by third parties.

After an alert has been submitted, the department/persons responsible must proceed with a suitable investigation and provide proper feedback.

Will the individual be protected?

The main aim of the Whistleblower Protection Directive is not only to encourage people to stand against legislative breaches but also to provide sufficient protection for the ones who actually do it. Any whistleblower must be protected from suspension, lay-off, dismissal or equivalent measures due to their actions. Whistleblowers also receive a wider range of protection on an industry level (by imposing a prohibition for them to be included in industry-specific blacklists), as well as protection from being stripped of any other rights whatsoever.

How is personal data managed?

Considering that the Directive foresees that personal data is handled within the whistleblowing channels, the Directive outlines that the rules of Regulation (EU) 2016/679 and Directive (EU) 2016/680 apply with regard to personal data processing. Due to the fact that a potential unlawful access to or disclosure of the personal data of whistleblowers may cause a significant interference in their personal sphere, data controllers must implement very strict policies and measures in this regard. Additionally, special attention should be paid to the contractual relationship in case an external entity is retained for handling whistleblowing channels.

In conclusion

The Whistleblower Protection Directive lays a firm foundation for reducing unlawful practices in both public and private sectors. However, the practical efficiency and implementation will depend on the businesses and public authorities.