On November 26, 2019, the Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law, commonly known as the whistleblower protection directive ("Directive"), was published in the Official Journal of the European Union. Starting from 16 December 2019, member states have two years to implement in their domestic laws regulations providing for, among others, new obligations (subject to sanctions) imposed on undertakings with respect to the support and protection of whistleblowers.

Who are the whistleblowers according to the Directive?

The Directive aims to protect against retaliation a broad range of individuals who, in conducting their professional activity, encounter and disclose unlawful activities. The following persons may become whistleblowers:

  • employees, irrespective of the basis of their employment, including self-employed individuals, volunteers and trainees;
  • members of corporate structures, including shareholders and members of managing and supervisory bodies;
  • employees of a given entity's third-party collaborators, i.e. contractors, sub-contractors and suppliers.

In addition, the Directive requires member states to provide analogous legal protection to persons connected to a whistleblower through familial, economic or other actual links, if they may face retaliation in connection with the whistleblower's report.

The status of a whistleblower is determined if a person obtains information about the reported breaches in a work-related context, broadly understood as including the recruitment or contact negotiation stage, as well as reports made after a given legal relationship expires.

In addition, triggering the protection mechanisms set forth in the Directive is contingent upon the whistleblower's good faith, manifested by justified belief that the reported information is true and falls within the scope of the Directive. This comprises breaches affecting the financial interests of the European Union and principles of the internal market, as well as breaches in the following areas:

  • public procurement;
  • financial services, products and markets and prevention of money laundering and terrorist financing;
  • product safety and compliance;
  • transport safety;
  • protection of the environment;
  • radiation protection and nuclear safety;
  • food and feed safety, animal health and welfare;
  • public health;
  • consumer protection;
  • protection of privacy and personal data, and security of network and information systems.

What will the system of reporting breaches look like?

The Directive provides for a three-step model of reporting paths available to the whistleblowers:

  • internal reporting channels within the internal structures of a given private or public sector organisation;
  • external reporting channels as part of public administration authorities designated for this purpose;
  • public disclosure by making the information on breaches available in the public domain.

While the Directive favours the use of internal channels before escalating to further-reaching disclosure methods, the final decision on the selection of a reporting channel rests with the whistleblower. Consequently, the burden is on the undertakings to shape their internal procedures and corporate culture in a manner that encourages whistleblowers to report breaches internally, so as to limit the legal and reputational risks related with the disclosure of sensitive information to public bodies or the media.

What protection does the Directive provide to whistleblowers?

The overriding objective of the Directive is to provide whistleblowers with protection against broadly construed repressive actions of an employer (contractor) in retaliation to the reporting of breaches. Examples of prohibited actions against whistleblowers may include:

  • interfering with access to employment by either unjustified termination or failure to renew an employment relationship, as well as or obstructing the possibilities of finding employment with other employers through blacklisting;
  • actions sabotaging paths of professional career development, including withholding promotions or access to trainings;
  • actions aimed at undermining a whistleblower's credibility, for example by vilifying them in social media or by psychiatric referrals;
  • cancellation of a licence or permit.

The Directive expects member states to introduce to their domestic legal systems instruments providing whistleblowers with adequate protection against retaliation. The Directive outlines the absolute minimum of such measures, the most important of which in terms of its legal consequences is the presumption of retaliatory nature of acts detrimental to a whistleblower. Once legal provisions implementing the Directive come into force, in proceedings initiated with respect to damage suffered by a whistleblower, the burden of proof will lie on the employer to demonstrate that the given actions that the whistleblower perceives to be negative were taken for justified reasons and were unrelated to the reported breaches.

Whistleblowers will receive further support through solutions consisting in the interim protection of their rights (e.g. prohibition against termination of employment for the duration of a trial) and statutory exclusion of liability for reports that, due to their form or content, may be qualified as defamation, infringement of copyright or breach of provisions protecting particular categories of confidential information.

Legal solutions favourable to whistleblowers will, in practice, prove to be a significant challenge for employers. Ensuring maximum legal security to a company in the event of a dispute with an employee claiming the status of a whistleblower in many cases will require a substantial overhaul of procedures and documentation in the organisation's decision-making processes, in particular in the area of human resources.

What changes await undertakings?

The most important challenge that undertakings will face following the implementation of the Directive is the adjustment or establishment of reporting channels and procedures within their internal structures. The obligation will affect entities that employ at least 50 employees, with the author of the bill allowing for co-sharing of resources by undertakings with fewer than 250 employees. The Directive also emphasises the option to outsource the operation of reporting systems to an external provider.

At this stage, the Directive only specifies the terms on which reporting channels should be made available to employees of an undertaking. The undertakings may voluntarily decide to also accept reports made under this procedure by other categories of whistleblowers.

The structure of the internal reporting channels should protect whistleblowers' identities from being disclosed to persons that are not members of the team dedicated to the matter. This means not only confidentiality of communication with whistleblowers, but also planning investigative actions in a manner that does not suggest the sources of the reports to third parties, as well as ensuring that the report documentation is securely stored and archived. In addition, the positioning of the reporting channels and persons responsible for their operation within the organisation should ensure that the reports are assessed impartially.

The operation of the internal reporting channels entails information obligations of undertakings towards the whistleblowers. The Directive requires that the whistleblowers receive a confirmation of the submitted report within seven days. Employers are also required to inform whistleblowers of the undertaken or planned follow-up actions, including their justification, within three months of the report. Undertakings should also maintain a register of the received reports, regardless of the outcome of follow-up actions taken (if any).

Along with the clearly formulated internal reporting procedures, undertakings should provide employees with easily accessible information about the rules of using external (public) reporting channels..

Future outlook

The Directive provides for a two-year period for its implementation, granting an additional period of two years for the adaptation of smaller undertakings (with fewer than 250 employees). In this period, the Polish legislator will make a number of decisions in terms of positioning the new provisions in the local legal system. In particular, it is likely that the legislator, taking advantage of the ready-made EU solutions, will extend the new regulations to include not only reports of breaches in the areas of EU law specified in the Directive, but also breaches of domestic laws.

The Directive leaves to the member states the power to, among others, regulate the manner of proceeding with reports made by anonymous whistleblowers, as well as indicates the possibility that organisations employing fewer than 50 employees could be required to create internal reporting channels. Finally, the choice of sufficiently effective and dissuasive sanctions for infringements of the rules of protection of whistleblowers and for bad-faith disclosure of false information about alleged breaches is in its entirety left to the discretion of the EU member states.

In view of unprecedented nature of solutions proposed in the Directive in the Polish legal system, significant adaptational difficulties are expected both among managerial staff and among employees. Undertakings subject to the new regulations are recommended to already take first steps in order to review and possibly expand the existing policies and procedures, develop the legal and ethical awareness of their personnel and equip their organisations with suitable technical tools and solutions.

Please note that irrespective of the upcoming statutory obligations in this respect, effective procedures of internal reporting of breaches constitute a crucial element of an effective risk management system in any organisation. Our clients' experiences demonstrate that providing whistleblowers with a secure and trustworthy internal reporting channel allows for a much faster, and, in consequence, much more effective response and remedial action in situations of exposure to legal and reputational risks, leading, in turn, to significant financial savings in the area of risk management.

Our lawyers are happy to answer any questions you might have with respect to the support and protection of whistleblowers and can help you in preparing your organisation for the new requirements arising from the Directive..

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.