How Will the Whistleblower Protection Act Affect Companies?
On September 1 of this year, the Whistleblower Protection Act, aimed at protecting individuals who report violations of European Union law in the workplace, will come into effect. Below is an overview of how the new law will impact companies.
Large Companies Must Establish a Secure Reporting Channel
Companies with at least 50 employees must establish an internal reporting channel that allows individuals to confidentially report violations of EU law. Initially, the law stipulated that the reporting channel could only be an email address, phone number, postal address, or face-to-face meeting. However, at the chamber's suggestion, the wording of the law was made more flexible, now allowing the use of web platforms or other applications as reporting channels. Reporting can be done in writing, orally, or both, and each company can choose the most suitable reporting channel for itself.
The chamber also suggested including a provision in the law that allows companies within a group to share or jointly manage an internal reporting channel. Additionally, companies with up to 249 employees can do this.
Companies with 50-249 employees must establish a reporting channel by January 1, 2025, at the latest. Companies with at least 250 employees must have their reporting channel operational by September 1 of this year. Smaller companies can also establish an internal reporting channel, but it is not mandatory for them.
Companies Must Appoint a Person Responsible for the Reporting Channel
If a company has an internal reporting channel, it must appoint a person, unit, or external party (service provider) responsible for receiving violation reports, providing feedback to the whistleblower, and ensuring follow-up actions are taken. Access to information related to the reporting channel should be limited to the designated person or unit, who must ensure the confidentiality of the whistleblowing act.
When a person submits a violation report through the internal reporting channel, the company must send a confirmation within seven days, acknowledging receipt of the report and that it is being reviewed. The company must retain the violation report for three years.
Additionally, upon receiving a violation report, companies must take appropriate follow-up actions to investigate, eliminate, and prevent the violation or forward the report to the relevant state authority for processing. Follow-up actions could include initiating an internal investigation. The company must provide feedback to the whistleblower on the follow-up actions taken as soon as possible, but no later than three months after receiving the violation report. The whistleblower must also be informed of the final outcome of the investigation.
Exceptionally, if the whistleblower has forbidden it or if there is reason to believe that confirmation would jeopardize their confidentiality, the company does not need to send the confirmation of receipt, feedback on follow-up actions, or the final outcome of the investigation.
Two Other Ways to Submit a Violation Report
Establishing an internal reporting channel does not mean that the whistleblower must first use this channel to report a violation. The law allows violation reports to be sent through an external reporting channel. This option is also available to individuals connected to companies with fewer than 50 employees that do not have an internal reporting channel.
External reporting channels must be established by state authorities that handle specific types of violations or oversee certain areas. For example, environmental violations can be reported to the Environmental Board, and consumer protection violations to the Consumer Protection and Technical Regulatory Authority.
The law also allows individuals to report violations through public disclosure, but this can only be done under certain conditions. For example, it is permitted if the person has previously reported the violation through at least an external reporting channel and the report was not processed adequately.
Companies Are Prohibited from Taking Retaliatory Measures Against Whistleblowers
Companies cannot take or threaten to take retaliatory measures against a whistleblower. For example, it is not allowed to fire the whistleblower, demote them, impede their promotion, reduce their salary, or change their job duties or working hours.
If a company takes retaliatory measures against a whistleblower and the whistleblower proves they reported the violation, it is assumed that the company took the retaliatory measures because of the whistleblowing unless the company proves otherwise. This means that while a company can terminate a whistleblower's employment, it must prove in case of a dispute that the termination was for a reason other than whistleblowing.
Conditions for Whistleblower Protection
A company cannot take retaliatory measures against a whistleblower and must keep the act of reporting confidential only if the conditions for whistleblower protection are met.
Under the law, a whistleblower is protected if they have a reasonable basis to believe at the time of reporting that a violation has been committed or is about to be committed. This means that the whistleblower must believe, based on objective facts, that the information is true. For example, if a person hears that their employer is violating environmental norms, they have a reasonable basis to believe a violation is occurring if the information heard is detailed, factual, and the source is reliable. Information about a violation would not be considered reasonable if someone says that their employer is violating environmental norms because all companies do so.
The second condition for protection is that the whistleblower had a reasonable basis to believe that the violation is related to work activities that fall under specific areas of EU law. These areas include public procurement; financial services, products, and markets; anti-money laundering and counter-terrorism financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety, animal health, and welfare; public health; consumer protection; privacy and data protection; network and information systems security; breaches affecting the financial interests of the Union; and internal market-related breaches, including competition and state aid rules and tax-related breaches associated with obtaining tax advantages.
The third condition for protection is that the whistleblower must have used an internal or external reporting channel or public disclosure to report the violation.
Whistleblower protection is not limited to employees working under an employment contract but also applies to individuals working under a contract of service, such as freelance contractors, interns, volunteers, company owners, members of the company's management bodies, individuals working in various capacities for the company's contractual partners, individuals in pre-contractual negotiations, or those preparing contracts. Protection also extends to individuals associated with the whistleblower, such as legal entities owned by the whistleblower or family members working in the same company. Protection also applies to individuals managing the internal reporting channel.
Fines of Up to 100,000 Euros
If a company obstructs a whistleblower, takes retaliatory measures against them, or breaches their confidentiality, the Police and Border Guard Board can impose a fine of up to 100,000 euros on the company.
Prohibited to Submit False Violation Reports
A whistleblower is not liable for the legal consequences of disclosing information if they had a reasonable basis to believe that the disclosure was necessary to reveal the violation. However, this does not apply if such disclosure is punishable as a crime. Disclosing trade secrets as part of whistleblowing is legal.
A whistleblower is also not liable for obtaining access to information for the purpose of reporting a violation unless obtaining such access is punishable as a crime. Therefore, liability exemption is excluded in cases where accessing information or documents involves unauthorized entry into a building or room, theft of documents or items, interference with computer data, or unlawful access to a computer system.
To prevent false accusations, the law clearly states that a whistleblower is prohibited from knowingly submitting a false violation report. The law also includes penalties for whistleblowers who submit false information. If a whistleblower knowingly submits a false violation report through an internal, external, or public disclosure channel, they can be fined up to 1,200 euros. If a knowingly false report involves a crime, it can result in imprisonment.
If you have questions about the new law, contact the chamber's lawyers at juristid@koda.ee.