Newsflash
Data protection and privacy

On 26 November 2019, a new Directive on whistleblowing systems was published in the Official Journal of the European Union. The Directive must be transposed into Belgian law by 17 December 2021 and will cause significant changes for many companies.
For example, companies with 50 workers or more are obliged to set up an internal reporting channel, Member States must provide for external reporting channels, whistle-blowers are protected against retaliation, etc.

The Directive lays down common minimum standards for the protection of persons reporting breaches of EU law. It includes breaches concerning public procurement, financial services, product safety, transport safety, food safety, protection of the environment, public health, consumer protection, protection of personal data, etc.

The Directive protects reporting persons working in the private or public sector who have acquired information on breaches in a work-related context. This includes not only workers or civil servants, but also job applicants, former employees, self-employed persons, shareholders, board members, trainees and any person working under the supervision and direction of (sub-)contractors and suppliers.

It remains to be seen what the Belgian law will look like, especially since Belgium does not currently have a general statutory whistleblower regulation. The key points of the Directive are as follows:

(a) INTERNAL REPORTING CHANNELS

The Directive foresees an obligation to establish an internal reporting channel for:

  • legal entities in the private sector with 50 workers or more;
  • all legal entities in the public sector, of which Member States may exempt (i) municipalities with fewer than 10,000 inhabitants or fewer than 50 workers or (ii) other entities with fewer than 50 workers.

The channel must comply with various requirements (including security, confidentiality, information, due diligence and impartiality) and procedural requirements (including notification, acknowledgment of receipt and follow-up).

Member States have the possibility to grant enterprises with more than 50 and fewer than 250 workers additional time until 17 December 2023 (instead of 17 December 2021).

(b) EXTERNAL REPORTING CHANNELS

Member States must establish independent and autonomous external reporting channels. There is no explicit obligation to report breaches internally before an external report can be made. Member States shall encourage the use of internal reporting channels, before external reporting, where the breach can be effectively addressed internally and where the reporting person considers that there is no risk of retaliation.

External reporting channels must largely comply with the same requirements and procedural requirements as internal reporting channels.

(c) DISCLOSURE

In specific circumstances, a person who discloses information about breaches falling within the scope of the Directive will also benefit from protection (outside the internal and external reporting channels). This is for example the case if there is a well-founded fear of retaliation in case of external reporting.

(d) PROTECTION OF THE REPORTING PERSONS

Persons reporting breaches are protected against any form of retaliation, including threats and attempts. This includes dismissal, but also demotion, withholding of promotion, transfer of duties, change of place of work, reduction in wages, change in working hours, withholding of training, negative performance assessment, disciplinary measures, etc. A number of other (legal) persons can also be protected (e.g., colleagues or family members, legal entities to which the reporting persons are connected).

In proceedings before a court or other authority, there is a reversal of the burden of proof. If a reporting person demonstrates that they reported or made a public disclosure and suffered a prejudice, it will be assumed that this is a reprisal. In such cases, it is up to the person (e.g., the employer) who has taken the prejudicial measure to prove that such measure was duly justified and does not constitute retaliation.

(e) PENALTIES

Member States should provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons who:

  • hinder or attempt to hinder reporting;
  • retaliate against protected persons;
  • bring vexatious proceedings against protected persons;
  • breach the duty of maintaining the confidentiality of the identity of reporting persons.

Such penalties will also apply to persons who knowingly reported or publicly disclosed false information. In such cases, the injured party must be able to institute an action for damages in accordance with national law.

(f) LEGISLATION CONCERNING THE PROTECTION OF DATA

In addition to the whistleblower regulation, all other applicable regulations must be complied with, including the data protection legislation. The Directive explicitly requires that any processing of personal data under this Directive must comply with the General Data Protection Regulation (“GDPR”).

Action point

Check whether the Whistleblower Directive will require your company to establish an internal reporting channel. If your company already has a whistleblower system, check whether this system will need to be adapted to the requirements of the Directive.

The concrete legal framework will depend partly on the way the Belgian legislator will transpose the Directive into national law. We will continue to follow developments and keep you informed.