
Your Questions, Answered: What You Need to Know About the EU Whistleblower Protection Directive

This week is International Fraud Awareness Week and following the recent NAVEX and PwC webinar about the EU Whistleblower Protection Directive, we’re answering questions received from the audience.

Before we dive in: several audience questions asked about country-specific whistleblower protection requirements. For more information on each EU Member State’s adoption of the Directive, visit the Whistleblower protection: a guide to national laws page.

Now, for a closer look at some of the questions we received during this webinar.

Any prospect of the EU Commission revisiting its position on the Directive?

The European Commission, which oversees the Directive, shall, by December 17, 2025, assess the impact of national law transposing the Directive. The report shall evaluate the way in which this Directive has functioned and consider the need for additional measures, including, where appropriate, amendments with a view to extending the scope of this Directive to further Union acts or areas, in particular the improvement of the working environment to protect workers' health and safety and working conditions.

What have you seen, in terms of best practices, for senior management to set a good tone on the top in recasting whistleblowing in a positive light?

Top management needs to practice what is preached: maintaining a sound whistleblowing structure, acknowledging speaking up about wrongdoing and continuously maintaining awareness on this topic. Ensure management and stakeholders are fully trained. This will improve the channels of communication throughout the organization, helping to effectively communicate the policy to all members of staff. It should also focus on ensuring managers know how to handle a report correctly.

The ‘tone from the top’ should be positive, inclusive and work in the employees’ best interests. Make sure there is a zero-tolerance approach to whistleblower retaliation.




What is the reason for not allowing group tools? Confidentiality?

Confidentiality is a reason for group companies to be eager to have local level reporters using the group channel, so the distance between the reporter and those managing the report is maximized.

In two explanatory letters on this topic, the European Commission (EC) recalls that all medium-sized and large companies belonging to a group each remain obliged to have their own channels. According to the EC, this “is justified by the need to ensure the reporting channels’ efficiency, including by ensuring their proximity to the whistleblower.” Regarding non-employees (external persons having a work-related relation with the company), “the proximity of internal channels and procedures would be particularly important because they are only familiar with the company they work with/for.” Additional reasons are mentioned for situations in which companies of the same group are located in different Member States.

In the second explanatory letter, the EC adds reasons for maintaining a local subsidiary reporting obligation: whistleblowers did not know where and how to report for lack of easily accessible channels and information (including communication with trusted locally designated persons).

If EU companies have a non-EU head office, should the reporting channel just be maintained in the EU or is non-EU acceptable to act as the reporting hub?

Apart from where limitations exist based on national law, it is in principle possible to maintain the central reporting management location outside the EU. Keep GDPR obligations in mind when transferring data outside the EU.

If there is a group of companies and each subsidiary is an SME or small company, but all together including the HQ, has more than 249 staff, does this group fall within the Directive?

Whether an organization falls within the thresholds of the Directive and its transpositions must be determined at legal entity level, not at a consolidated level.

Do contractors count in the number of employees? For example, if you only have contractors but no employees in a market, do you need to comply with the Directive?

The number refers to ‘workers’, within the meaning of Article 45(1) TFEU, as interpreted by the Court, namely persons who, for a certain period of time, perform services for and under the direction of another person, in return for which they receive remuneration. Freelance workers, contractors, subcontractors and suppliers are not included in the Article 45(1) TFEU definition, even though they enjoy protection under the Directive.

Where a company has a global reporting channel and also a local reporting channel, if a report is submitted via the centralized, global channel from, for example, Bulgaria, is there an obligation to follow local peculiarities despite not reporting to the local entity?

The jurisdiction(s) which apply to the reporter determine which rights and obligations should be observed. This means that the reporter is protected by applicable national law, even when using the centralized group channel.

Which EU countries impose local whistleblowing reporting channels?

All Member States are in principle under the obligation to do so; some Member States (e.g., Denmark) decided not to implement this obligation into national law but left a possibility to revoke the option to maintain group channels only.

We are a global company. Is it thus better not to refer to a whistleblowing hotline as a "whistleblowers" tool due to the interpretation from these countries?

This depends on the characteristics of your organization and the countries you operate in. Often-heard alternatives are “speak-up channel”, “open line” and “integrity channel”. Giving your employees (the potential whistleblowers) a say in which term they feel most comfortable with can be a good start to a conversation around reporting.

For companies with fewer than 249 employees and allowed to use the corporate reporting channels, can the management and investigation process be carried out by the corporate team based outside of the countries?

In principle yes, unless a transposition or national provision determines the report should be dealt with within the same jurisdiction.

If you have existing voluntary whistleblowing systems in place for group companies with fewer than 50 employees, do you need to meet the internal reporting channel requirements now set out by the new local laws (even if these channels were in place prior to whistleblowing laws being introduced)?

We assume that by offering a reporting channel, an organization is creating a “reasonable expectation” for the whistleblower that such channel complies with the existing legislation around whistleblower protection.

How does outsourcing to a global law firm differ from a group solution which also outsources it to another company?

This depends on how the channel is managed; the whistleblower may have the right to demand the report be dealt with at local level only. Various third parties can facilitate this, taking into account local language, culture and regulations.

When you say companies need to have a separate reporting system, would an email address for employees to raise concerns to their local compliance/HR teams suffice?

The Directive is silent on the shape in which a reporting channel should be offered. This means that email addresses, post and even physical complaint boxes may theoretically comply, knowing that it might be a challenge to efficiently live up to all requirements such as confidentiality and GDPR compliance.

Does the Directive apply to all sectors in the member states and all corporates, not for profits etc. or does it exclude some organizations or sectors?

In principle, all sectors are covered, except for national security or defense.

Does the organization have a duty to protect the identity of the whistleblower?

This is one of the key requirements of the Directive: procedures for internal reporting shall include channels for receiving the reports which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected and prevents access thereto by non-authorized staff members.

Is anonymity guaranteed and does this weaken the Directive and any investigation?

Anonymity may be guaranteed only when allowed for in national law. Anonymity does not per se weaken a report or its management. Fear of retaliation seems to be the main reason for people to opt for anonymous reporting. We see that organizations that succeed in creating a culture of trust and transparency receive more confidential (as opposed to anonymous) reports. A culture in which it is safe and encouraged to raise concerns is extremely powerful. The investigation should focus on the content of the report, not on its source.

Is there a central EU Whistleblowing hub to 'track' cases and any investigation(s)?

A company can centrally administer cases; it should be stressed that, even where the whistleblower objects to sharing the report with the headquarters, the Directive does not prohibit sharing the outcome of a given case at group-level for instance for ex-post auditing, compliance or corporate governance or other duly justified purposes, provided the confidentiality requirements laid down in the Directive are respected.

If we are a U.K. not for profit organization, operating in these countries, but without a legal presence (i.e., we have no formal branch or subsidiary but employ a handful of people in country to manage some sites), does the Directive apply? At present we have a central whistleblowing solution and any reports made from Europe, will be captured centrally, and managed from the U.K., so, is that non-compliant, or because we do not meet the applicability of the Directive, is this OK?

In principle, this seems compliant. See above: We assume that by offering a reporting channel, an organization is creating a “reasonable expectation” that such channel complies with the existing legislation around whistleblower protection.

How to reconcile the mandate of the Directive to protect whistleblowers and some local implementation requesting local channel to be used (which arguably may in many instances expose more whistleblowers)?

See above: Confidentiality is a reason for group companies to be eager to have local level reporters using the group channel, so the distance between the reporter and the people managing the report is maximized. In two explanatory letters on this topic, the EC recalls that all medium-sized and large companies belonging to a group each remain obliged to have their own channels.

According to the EC, this “is justified by the need to ensure the reporting channels’ efficiency, including by ensuring their proximity to the whistleblower.” Regarding non-employees (external persons having a work-related relation with the company), “the proximity of internal channels and procedures would be particularly important because they are only familiar with the company they work with/for.” Additional reasons are mentioned for situations in which companies of the same group are located in different Member States.

As mentioned above, in the second explanatory letter the EC adds reasons for maintaining a local subsidiary reporting obligation.

Would existing informal channels like Ombudsman be considered as compliant?

Depending on how channels are set up, Ombudsman channels are in principle a fine way of complying with the Directive, as long as all rights and obligations around whistleblowing protection and management are maintained.

We understand the European Commission continues to look at the change of law in Denmark which foresees sharing of resources at a group level, is there any indication whether this approach may be favored by the Commission and possibly result in an amendment to the EU Directive?

This is difficult to predict, but unlikely based on the argumentation provided by the EC. See above.

For countries that do not allow group reporting channels, what happens in case of a conflict of interest (for example the concern is related to a Managing Director) and how should this be managed?

Ideally, the person(s) managing the whistleblowing channels are in an independent position comparable to the DPO for data protection matters. If it is not possible to establish such an independent role at subsidiary level, an alternative reporting channel should be available. The risk of not offering sound internal channels is that the whistleblower decides to report to an authority, or even worse, in the public domain.

If you have multiple entities in the EU with over 250 employees each, can you share the internal channel?

Yes, but based on the Directive, you should also offer local level reporting options.

If you can use a channel on group level, can the information be all in English and not in the local language?

This depends on the transposition; in various countries, it suffices to offer a language which the reporting person can reasonably be expected to understand. In other countries, the local language(s) must be available.

Surely in a majority of significant cases it is the lack of appropriate response from higher ups in organizations or government dept. Does this not display a need for a trusted independent third party to manage information/intelligence without prejudice?

This raises the question of which third party is truly independent. An example is what went wrong with the initial setup of the Netherlands’ House for Whistleblowers, where the organization was paralyzed because of internal conflicts and did not manage to resolve whistleblowing cases.

We may have 249 employees in the EU but fewer per country. Would the Directive be applicable?

Only if your sector falls outside the threshold provisions, or if you have 50 or more employees in a certain entity.

In this webinar, we discuss a lot more of what you need to know to comply with the Directive. For more information:

Watch the webinar on-demand

