Whistleblowing

The Whistleblowing Directive (Directive 2019/1937/EU) sets minimum standards for the protection of whistleblowers and covers various areas. It was originally due to be implemented in all EU member states by 17 December 2021. Austria met this obligation with the slightly delayed Whistleblower Protection Act (HSchG), which was passed by the National Council on 1 February 2023. The law entered into force on 25 February 2023 and aims to provide better protection for whistleblowers.

The law is limited to the mandatory provisions of the Whistleblowing Directive. The aim of this is to minimise the burden on smaller companies. However, the statute provides for a re-evaluation. The content of the Whistleblower Protection Act is very similar to the Directive and barely goes beyond it. It only extends to include crimes related to corruption, already embedded in the Austrian Criminal Code.

Companies with 250 or more employees and – from 17 December 2023 onwards – companies with 50 or more employees are required to establish internal reporting channels. In addition, certain companies, particularly those in the financial sector, must establish these channels regardless of the number of employees. The obligation also extends to the public sector, including the federal government, provinces, municipalities, chambers and others. External reporting channels must also be established, with the Federal Bureau of Anti-Corruption acting as the primary external reporting body. The Financial Market Authority or the Money Laundering Reporting Office is responsible for the area of financial service providers.

Section 13 (4) HSchG provides that third parties may be entrusted with the tasks of the internal reporting channel. The law does not specifically define who such third parties can be, but such outsourcing does not affect the ultimate responsibility of the company or the legal entity to comply with the law.

It is not clear whether a joint reporting channel can be established in corporate groups. In addition to outsourcing to third parties, section 13(4) HSchG also allows the transfer of internal reporting tasks to a joint body. It is questionable whether this provision is in line with the Directive. The European Commission interprets the relevant provision of the Whistleblowing Directive differently. It argues that every company with at least 50 employees must set up its own reporting channel. This question will therefore have to be clarified by the courts.

Both companies and whistleblowers can be fined up to 20,000 euro (40,000 euro for repeated offences) per violation. Examples of sanctionable acts include obstructing whistleblowers, retaliation, breach of confidentiality or the deliberate submission of false information.

Works Council Agreements (WCAs) can be concluded on general rules that regulate the behaviour of employees in the company. If the introduction of the internal whistleblowing system only reflects the minimum requirements of the HSchG, it does not trigger mandatory co-determination by the works council and no WCA is necessary.

On the other hand, if the company sets up an internal whistleblowing system that goes beyond the minimum requirements of the HSchG, the works council’s co-determination will have to be observed regularly.

The employer must provide the works council – upon request – with information on all matters concerning the economic, social, health or cultural interests of the employees of the enterprise as per section 91(1) of the Austrian Labour Constitution Act (ArbVG). In addition, the employer must inform the works council of the types of personal data of employees that he collects using automated systems and of the processing and transmission that he intends to carry out. Upon request, the works council must be allowed to verify the basis for the processing and transfer – section 91(2) ArbVG.

Employers must inform employees of the existence of a whistleblowing system. Potential whistleblowers must be adequately informed about the internal reporting channel and the reporting procedure. Therefore, an internal whistleblowing policy must be created that meets the legal requirements.

A whistleblowing system processes personal data. Therefore, the employees must be provided with basic information about the use of their data. The information must include details on who processes the data, to whom the data will be disclosed, what the data will be used for and how long the data will be stored.

Companies and legal entities in the public sector must ensure that protected persons have easy access to clear information on the option and procedure of whistleblowing to internal and external bodies. As external persons may also be protected, it is usually necessary to publish this information (eg, on their website).

Third parties may be entrusted with managing the internal reporting channel (section 13(4) HSchG). As a result, the rights and obligations of the channel are transferred to the third party. It is not specified who such a third party may be. According to Recital 54 of the Whistleblowing Directive, third parties may be, for example, external reporting platform providers, external consultants, auditors, trade union representatives or employee representatives. If they are located abroad, the legal system in that country must be respected. However, ultimate responsibility always remains with the company or legal entity.

Section 8 HSchG contains extensive specific provisions on data protection. It states that the processing of ordinary, sensitive and even criminally relevant data is permissible. Data processing must be limited to what is necessary to establish and punish an offence. The principles of purpose limitation and data minimisation apply.

Personal data not necessary for the processing of a complaint must not be collected. Data necessary for the processing of a complaint must be kept for five years.

In addition to information about the option and procedure of reporting, the information obligations under data protection law under the GDPR must also be observed. For the establishment of a whistleblower system, companies must implement technical and organisational measures under the GDPR and keep them up to date.

The HSchG provides only very general guidelines. For example, internal reporting channels are required to maintain the confidential identity of the whistleblower and third parties and to act impartially and objectively. The employer must provide for this. Every report must be investigated, and any obviously false reports must be dismissed.

Companies must follow these guidelines but are free to implement their own personnel structure, specific design and the nature of the internal reporting channel.

The Whistleblowing Directive only applies to the reporting of violations of law in those areas that are mentioned in the Whistleblowing Directive itself or fall within the scope of the EU legislation listed in the Annex to the Whistleblowing Directive. However, the Austrian legislature has extended the application of the HSchG so that the areas mentioned in sections 3(3) to (5) HSchG have been named and no reference to the Whistleblowing Directive has been included in the relevant provisions.

The legal areas covered include the prevention of money laundering and terrorist financing, environmental protection, public health, consumer protection, privacy and personal data protection, and the security of networks and information systems.

Violations in other areas of law do not fall within the scope of the HSchG. As a result, whistleblowers who report violations that are not explicitly mentioned are not protected by the corresponding protection provisions. However, companies and legal entities are free to open their internal reporting channels for disclosures that do not fall within the scope of the law.

Internal reporting units are nothing new, especially in financial services. However, there are also special provisions in the HSchG for the financial sector. For example, the threshold of 50 employees does not apply to companies that are subject to certain European legislation (eg, MiFID 2 or PSD2), which means that the provisions of the Austrian Whistleblower Act would apply (unless the relevant law already contains binding provisions or national regulations on whistleblower protection.)

A Whistleblower is a person who has received information about violations or infringements of the relevant statutory provisions due to current or former professional connections (section 2(1) HSchG).

A whistleblower is anyone who learns of a violation of the law in the course of his or her work and reports it. In addition to employees, this includes applicants, trainees, volunteers, board members, employees of contractors, consultants and (sub)suppliers. An ongoing contractual relationship is not required. Furthermore, people who are close to the whistleblower or who support him or her (eg, colleagues and relatives) are also included.

The person must have learned of the violations through a current or former professional relationship. External persons such as customers, suppliers, business partners or other third parties who know relevant information can also act as whistleblowers and make reports. The scope of protection is very broad.

Whistleblowers are also protected by the law if they report anonymously or want to remain anonymous. The HSchG does not specify whether companies or legal entities must investigate anonymous reports. However, in practice some companies that have already implemented a whistleblowing system accept and investigate anonymous reports. Anonymous reporting can pose certain challenges; if the whistleblower remains anonymous, it may be more difficult to ask follow-up questions or request additional information to verify the report.

No, the whistleblower does not need to be a direct witness to the violation they are reporting. Whistleblowing can be based on information or circumstances known to the whistleblower, even if he or she is not a direct witness to the violation.

Whistleblowing information must be provided in writing or verbally to the internal reporting channel. If the whistleblower requests a meeting, it must be held within 14 days. Once information is received, the allegations must be investigated promptly and thoroughly. This may include gathering additional evidence, conducting interviews and taking appropriate action to remedy any violations identified. Whistleblowers also have the right to add to or correct any information provided. Feedback must be provided to the whistleblower no later than three months after receipt of the information. This includes information on follow-up action or the reasons why the information was not followed up.

The whistleblowing system must be designed so that the whistleblower is encouraged to use the internal reporting channel before using the external reporting channel. This is not a mandatory requirement for the whistleblower, it just means that a whistleblower should use external channels only after he or she has made an internal report. In particular, the external reporting system should be used when dealing with the information under the internal whistleblowing system is not possible, inappropriate or has proved unsuccessful or futile. Whistleblowers are also protected when reporting directly through external channels.

HSchG does not impose such an obligation. However, reporting may be required based on other regulations, for example, in cases of suspected money laundering or terrorist financing.

The whistleblower is protected if the information is subsequently found to be false, but there were reasonable grounds for believing that the information was true, or if, under the given circumstances and with the available means of verification, the information could be reasonably assumed to be true.

There is no protection if false information is disseminated intentionally or through gross negligence. Unfortunately, there is no regulation regarding the possible duty of the whistleblower to verify his or her information or suspicions.

A fine of up to 20,000 euro may be imposed on anyone who obstructs or attempts to obstruct a whistleblower, or who exerts pressure on such a person through vexatious judicial or administrative proceedings. A fine of up to 40,000 euro may be imposed for repeat offences (section 24 No. 1 HSchG).

The whistleblower is protected only when reporting to internal and external reporting channels. The protection applies if there are objectively sufficient signs of the existence of a violation. General experience and average general knowledge are sufficient. Legal expertise is not required.

Finally, the law provides for the publication of violations (eg, on social media) as a last resort. Except for material violations, such as endangering the public or other emergencies, this is only possible if internal or external reporting channels have been used and no appropriate action has been taken. Whistleblowers will only be protected if these conditions are met.

Whistleblowers enjoy the protection of confidentiality and from retaliation, immunity from liability and relief from the burden of proof. Any retaliatory measures such as termination, dismissal, suspension or transfer are therefore invalid. Whistleblowers also benefit from easier access to evidence in legal proceedings and exemptions from liability and confidentiality obligations. This means he or she is not liable for the actual or legal consequences of justified whistleblowing.

The identity of whistleblowers must be protected through internal and external reporting channels (section 8(1) HSchG). This also applies to any other information from which his or her identity could be directly or indirectly deduced.

Arguably the most significant protection is from labour law consequences or other retaliatory measures. Actions taken in retaliation against a legitimate whistleblower are legally invalid.

Furthermore, whistleblowers and those close to them are not liable for the actual or legal consequences of a justified whistleblowing report (section 22 (1) HSchG). Damages cannot be claimed against a whistleblower.

Even though a bona fide whistleblower is protected from retaliation, he or she may be affected temporarily until those measures have been reversed.

Due to the retaliatory measures, the identity of the whistleblower could also become known within the workforce, which could lead to additional internal conflicts.

Anyone who knowingly makes a false report can be fined up to 20,000 euro, or up to 40,000 euro in repeated cases. The offence requires knowledge, which is only present in the case of intentional or conditionally intentional conduct.