The Whistleblower Directive - A Promoter of Responsible Corporate Culture
The EU Whistleblower Directive enters into force at the end of 2021 and will be binding on all EU Member States. It emphasizes the importance of public interest and responsible corporate culture. The Whistleblower Directive will affect many Finnish companies.
Obligation to set up a reporting channel extended to all companies with more than 50 employees
According to the Directive, all companies and public sector organizations with more than 50 employees must establish a whistleblower channel – a reporting channel to which suspected or observed misconduct can be reported. The Directive also obligates companies and public sector organizations to protect employees, who report misconduct they observe at their workplace. In Finland, the principal of non-retaliation is already known to employers as it is established in the equality and non-discrimination laws. However, the Whistleblower Directive will further increase the amount of regulation relating to reporting misconduct, investigations and sanctions. Prior to the Directive, obligations relating to reporting channels have applied mainly to companies which operate in the financial sector and to other entities covered by the Anti-Money Laundering Directive and to the publicly listed companies covered by the Market Abuse Regulation. The Whistleblower Directive extends the obligation to set up a reporting channel to many small- and medium-sized enterprises.
Reporting Channel and Investigation Process – Tools for Early Intervention
The reporting system in the Whistleblower Directive has three levels: 1) internal reporting channel, 2) reporting channel maintained by a public authority and 3) public disclosure of information. The primary reporting channel is the organization’s internal, confidential reporting channel. Employees and other stakeholders defined in the Directive may anonymously report suspected or observed misconduct to the internal reporting channel. The reporting channel will be run, and the reports will be handled by an impartial and independent person or unit such as the compliance team or the HR department. It is up to the organization to decide whether it sets up the internal reporting channel by itself or whether the reporting channel service is purchased from an external service provider. The key is, that the employees and other stakeholders trust the person/team in charge of the reporting process and feel that they can safely report any misconduct they observe. The reporting channel allows organizations to receive information about issues at early stage and provides an opportunity for early intervention. In addition to the internal reporting channel, reports can also be made to a channel maintained by a public authority. Reports to the external reporting channel may be made either directly, or in situations where reporting to the internal reporting channels has not led to any actions. In certain special cases defined in the Directive, an employee/stakeholder may also disclose the information to the press.
The Whistleblower Directive requires clear procedures for processing and investigating any received reports. The handling of the reports becomes mandatory and certain minimum requirements will be required. Companies and public sector organizations are required to take actions and draw up guidelines to ensure that the received reports and any related information are stored in accordance with the Data Protection Regulation and other privacy laws. The reporting channel is only one element of the companies’ and organizations’ compliance program and one tool in the promotion of responsible corporate culture. In order to function properly and to improve ethical and responsible behavior, the companies’ codes of conduct and other policies and guidelines must be in order. The employees must know what kind of behavior and actions are expected from them and what kind of actions are not acceptable. Stakeholders on the other hand, must be able to assess whether the company operates responsibly and in compliance with laws and regulations.
Whistleblower Protection and Prohibition of Retaliation
The Whistleblower Directive contains specific provisions regarding the anonymity of whistleblowers, i.e. persons reporting to the channel and regarding protection against retaliation. Companies and public sector organizations must ensure that the identity of the reporting persons remains confidential. This information may not be disclosed to anyone without a consent from the person, except to those responsible for the investigations of the report and for the follow-up actions. The confidentiality obligation extends also to any other information from which the identity of the reporting person could be directly or indirectly deduced. The Directive also contains provisions which protect the reporting person from retaliation such as dismissal, transfer of duties or intimidation and discrimination. The rights and the protection set forth in the Directive cannot be waived and they cannot be limited through workplace policies or employment agreements. The scope of persons entitled to protection is broad. It includes current and former employees, shareholders, members of the Board and the Supervisory Board, as well as subcontractors and suppliers, including their employees. Moreover, the protection partly extends also persons assisting the reporting person. Thus, in addition to their own employees, companies and public sector organizations must also consider other stakeholders.
Extensive Scope – The Aim to Promote Public Interest and Responsible Actions
The scope of the Whistleblower Directive is broad. It covers, among others, public procurement, anti-money laundering and counter terrorist financing legislation, anti-corruption and anti-bribery, product safety, environment protection, public health and safety, consumer protection, privacy and personal data protection as well as competition law and state aid infringements. The aim of the Directive is to ensure that employees and other stakeholders can safely speak up and report misconduct they observe at their workplace and which is harmful to the public interest. Moreover, the Directive aims to strengthen the prevention of corruption and fraud, ensure fair competition and efficient implementation of the EU legislation. As the Directive enters into force, companies and public sector organizations must pay more attention to corporate responsibility and take public interest more into account.