There are new rules on setting up reporting channels and protecting whistleblowers. This was determined by Europe in the European Whistleblower Directive[1] (Directive 2019/1937) and contains rules and procedures to protect “whistleblowers”. These are persons who report information obtained in a work-related context about breaches in some key policy areas.
With the introduction of the whistleblower system, the European legislator wants to offer these people the necessary protection. After all, there is a need for transparency, guaranteeing integrity, so that the implementation must be in line with the social responsibility of the organization. The directive was transposed into the Belgian law of 28 November 2022[2] for the private sector, which entered into force on 15 February 2023. Public authorities are also subject to similar rules.
What exactly is the Whistleblower Directive about?
For most organizations, this will entail new obligations, such as setting up internal reporting channels. Companies with 50 to 249 employees have until 17 December 2023 to do so, while the employer with 250 employees or more is obliged to introduce an internal reporting channel from the entry into force of the law (15 February 2023).
The new legislation will provide a secure and accessible reporting system that will provide whistleblowers with a platform to make reports possible and provide better protection against retaliation. In this way, it is hoped to lower the threshold for raising any abuses, without having to fear harmful consequences such as suspension or dismissal. Each reporter must always receive an acknowledgement of receipt within 7 days of receipt of the report. There is also a feedback obligation for organisations to respond to and act on such reports within a reasonable period of time not exceeding 3 months following the acknowledgement of receipt.
Which infringements are involved?
Infringements covering the following areas:
- public procurement;
- financial services, products and markets, prevention of money laundering and terrorist financing;
- product safety and product compliance;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data (GDPR), and security of network and information systems;
- fight against tax fraud;
- combating social fraud;
- the financial interests of the European Union;
- infringements relating to the European internal market.
Who does this directive protect?
The regulations apply to individuals working in both the public and private sectors. This directive protects, among other things, former or current employees, self-employed persons, shareholders, persons belonging to the administrative, management or supervisory body of a company, volunteers, paid or unpaid trainees and job applicants.
As well as people who help whistleblowers in a confidential manner (e.g. a colleague who helps to find evidence), certain third parties connected to the reporting person who may be victims of retaliation in a work-related context (e.g. family members), and legal entities owned by the reporting person, for whom the reporting person works or with whom the reporting person is connected in a work-related context (e.g. a company of a self-employed person service provider).
Notification channels
The law provides that companies with at least 50 employees must set up an internal reporting channel and procedure within the company where whistleblowers can report orally or in writing.
Small companies (with fewer than 50 employees) are exempt from this obligation, except for financial and economic SMEs, which will still have to provide an internal reporting channel and procedure from one employee.
Every company with more than 250 employees must have set up an internal reporting channel within the company from 15 February 2023, which must also be able to handle reports anonymously.
In addition, the legislator has recently also designated authorities that must set up independent and autonomous external reporting channels for receiving and handling information about breaches. Examples of bodies acting as competent authorities include:
- National Bank of Belgium (NBB) for credit institutions,
- FPS Economy for Consumers,
- Financial Services and Markets Authority (FSMA) for financial markets
- Data Protection Authority (DPA) for privacy.
- Regardless of the size of the company, an external report can be made to the competent authorities. Although there is no obligation to first report the breach internally before making an external report, the intention is that the internal procedure should be preferred as much as possible.
As a last resort, the whistleblower can, under certain conditions, make the information public.
Sanctions
Anyone who does not respect the law and, for example, retaliates against whistleblowers, obstructs or tries to obstruct the reporting or does not set up a reporting channel, risks level 4 criminal sanctions. This consists of a prison sentence of 6 months to 3 years, or a criminal fine between 4,800 and 48,000 EUR per infringement or 2,400 to 24,000 EUR administrative fine per infringement.
Whistleblowers are also sanctioned if it is established that they have intentionally reported or disclosed false information. This sanction consists of a prison sentence of up to 1 year or a criminal fine of up to EUR 8,000 per infringement.
If you want to know more about how we can help you implement these requirements, take a look at our services page:
Or contact us via the link at the bottom of this page!
[1] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law PE/78/2019/REV/1, OJ L 305, 26.11.2019, p. 17–56.
[2] Law of 28 November on the protection of reporting persons of breaches of Union or national law adopted within a legal entity in the private sector, B.S. December 15, 2022.