Guide to Whistleblowing

Contributing Editors

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 21 countries, and the steps businesses must take to ensure compliance with them.

Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

01. Which body of rules govern the status of whistleblowers?

01. Which body of rules govern the status of whistleblowers?

Flag / Icon

Australia

  • at Lander & Rogers

Whistleblowers in private sector entities are predominantly covered by the Corporations Act 2001 (Cth) part 9.4AAA.

Whistleblowers are also covered by the Taxation Administration Act 1953 where the disclosure relates to tax information.

Public officials are covered by the Public Interest Disclosure Act 2013 (Cth).

Australian whistleblower protections are slightly different from that of the EU. Broadly, the 2019 EU Directive provides much broader protection for whistleblowers. In Australia, the laws are more specific to certain circumstances. Some examples:

  • the EU Directive covers both the public and private sector, while Australia has two separate systems;
  • the EU Directive covers individuals who assist whistleblowers, while the Australian systems do not;
  • the EU Directive notes that disclosable acts referred to as breaches include acts or omissions that are not unlawful but that defeat the object or purpose of the law. Australia has key disclosable acts that are not this broad.
  • the EU Directive, like Australian law:
    • covers individuals outside of the typical employer/employee relationship;
    • does not consider motive as to why someone reports;
    • protects the whistleblower's identity and grants protection to anonymous disclosers who are later identified;
    • allows people to report internally or directly to the authorities; and
    • allows for public disclosure in certain circumstances. 
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

This guide will only focus on the private sector. The federal government is working on an Act that will transpose the EU Whistleblower Directive into Belgian legislation. It will comply with the provisions of this Directive, but also offers greater protection for whistleblowers. At the time of publication, the draft legislative proposal has not yet been submitted to the federal parliament. Therefore, this guide is based on the provisions of the draft legislative proposal.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Whistleblowing is addressed in Law 12846/2013 (Brazilian Anticorruption Act) and is also mentioned in Decree 8420/2015, which details the terms and conditions of the Brazilian Anticorruption Act.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

In Croatia, the status of whistleblowers and whistleblower protection (WBP) is governed by the Act on the protection of persons who report irregularities (WBP Act). The WBP Act came into force on 23 April 2022 and replaced the previous Croatian WBP legislation of 2019, introducing amendments to implement Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law (the Directive).

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

In Denmark, whistleblowers are subject to the Whistleblowing Act.

In addition to the Whistleblowing Act, other legal frameworks, such as the Danish Anti-Money Laundering Act, the Danish Act on Approved Auditors and Audit Firms, the Danish Marine Protection Act and the Offshore Safety Act, and the Danish Payment Act, include separate obligations to set up whistleblowing procedures under the Whistleblowing Act.

The Whistleblowing Act entered into force on 17 December 2021 and enacted the EU Whistleblowing Directive (Directive (EU) 2019/1937).

The Whistleblowing Act has a broader scope than the Whistleblowing Directive, as the rules also cover reports on serious breaches of the law and other serious matters.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

In France, whistleblowing was governed by Law No, 2016-1691 on transparency, the fight against corruption and the modernisation of economic life, also known as Sapin II.

A few years later, the European Parliament adopted Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law.

The main objective of the EU Directive is to harmonise EU member states’ legislation about whistleblowing.

In France, the transposition laws of the EU Directive were definitively adopted and came into force on 21 March 2022:

  • an “ordinary” law aimed at improving the protection of whistleblowers; and
  • an “organic” law aimed at strengthening the role of the French Human Rights Defender in terms of whistleblowing.

These new local Laws comply perfectly with European standards and make numerous amendments to Sapin II.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The status of whistleblowers in Germany is primarily governed by European law. The relevant legislation is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (EU Whistleblower-Directive).

The EU Whistleblower-Directive should have been implemented into German law by 17 December 2021 at the latest. After initial draft legislation failed for political reasons, the Federal Ministry of Justice has recently presented a new draft bill for a Whistleblower Protection Act (HinSchG-E) on 13 April 2022. The legislative process is pending. The consultations on the draft bill in the German Bundestag and Bundesrat are expected to take place in the summer of 2022, so the bill can be expected to enter into force in the second half of the calendar year 2022.

The following responses are therefore based on the current draft bill legislation of the Federal Ministry of Justice. At this point, it also remains to be seen whether the government draft will make further amendments to the draft bill of the Federal Ministry of Justice.

If the draft bill should meet specific concerns under European law, this will be pointed out separately in the following.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

The only legislation dealing with the protection of whistleblowers in India are:

  • the Whistle Blowers Protection Act 2014 (Whistle Blower Protection Act). This Act provides a legal mechanism for the reporting of illegal, unethical and illegitimate practices by members of an organisation. However, the scope of the Act is limited to public servants and public sector undertakings. Further, please note that as of the time of writing, despite the Whistle Blower Protection Act being passed by both houses of the Indian parliament, it has not yet been enacted by the central government; and
  • the Companies Act 2013 (Companies Act), which mandates the incorporation of a whistleblower policy, but primarily only by listed companies.

To date, there are no specific laws dealing with the protection of whistleblowers applicable to private, unlisted companies or unincorporated entities and their employees. Employers are free to formulate and adopt a whistleblower policy to encourage employees (or any other person for that matter) to report matters without the risk of subsequent victimisation, discrimination or disadvantage, economic or otherwise. Accordingly, for private establishments, the whistleblowing regime remains largely discretionary and policy-driven. 

India has not yet adopted laws to improve the protection of whistleblowers across sectors or levels in the economy and establish adequate secure channels or mechanisms to enable whistleblowers to report without fear of disclosure, retaliation or victimisation.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The Whistleblower Protection Act (the Act) governs the status of whistleblowers.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The status of whistleblowers is governed by the Whistleblowing Act. The provisions of the Whistleblowing Act comply with European standards since legal requirements arising out of the EU Whistleblower Directive (EU WBD) are implemented therein.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

The status of whistleblowers is mainly governed by the Law on the Protection of Whistleblowers of the Republic of Lithuania (the Law) and other respective related Acts. They implement Directive 2019/1937 (the Directive) and comply with European standards.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

To date, the status of whistleblowers is governed by the following rules in Luxembourg:

  • Circular CSSF 12/552 on central administration, internal governance and risk management, as amended by Circulars CSSF13/563, CSSFv14/597, CSSF16/642, CSSF16/647, CSSF17/655, CSSF20/750, CSSF20/759 and CSSF 21/785, applicable until 29 June 2022;
  • Circular CSSF 12/552 on central administration, internal governance and risk management, as amended by Circulars CSSF13/563, CSSFv14/597, CSSF16/642, CSSF16/647, CSSF17/655, CSSF20/750, CSSF20/759, CSSF 21/785 and CSSF 22/807, applicable from 30 June 2022;
  • Law of 7 December 2015 on the insurance sector;
  • Law of 5 April 1993 on the financial sector, as amended;
  • Article 8 of the Law of 23 December 2016 on market abuse, as amended;
  • Criminal Code: article 140;
  • Code of Criminal Procedure: article 23;
  • Law of 12 November 2004 on the fight against money laundering and terrorist financing (articles 5 and 9), as amended;
  • Labour Code: articles L.313-1(4), L.241-8, L.245-5 and L.253-1, L.271-1 and L.271-2;
  • Law of 16 April 1979 establishing the general status of state officials;
  • Law of 24 December 1985 establishing the general status of municipal civil servants; and
  • Law of 26 June 2019 on the protection of know-how and undisclosed commercial information against unlawful obtaining, use and disclosure.

Bill 7945 (the Bill) transposing Directive (EU) 2019/1937 of the European Parliament and of the council of 23 October 2019 on the protection of persons who report violations of Union law. The bill is expected to come into force in the last quarter of 2022.

The information in this submission will therefore be based on the provisions of this Bill.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

The legal framework governing the status of whistleblowers in Malta is set out in the Protection of the Whistleblower Act (Chapter 527 – the Act). Originally promulgated on 15 September 2013 by Act VIII of 2013, the Act protects a whistleblower from action an employer may pursue in retaliation for a protected disclosure and is intended to encourage persons to disclose any improper practice witnessed in a work-related context. Maltese law has, therefore, made provisions for whistleblowing procedures since 2013.

Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Directive) was adopted by the European Parliament and the Council on 23 October 2019. As a member state of the EU, Malta has transposed the provisions of the Directive, which recognises the key role of the whistleblower in safeguarding the welfare of society. The Act was revised pursuant to Act LXVII of 2021 (passed by the House of Representatives on 14 December 2021 – the Amending Act) to come in line with the Directive. In doing so, the Maltese legislature has been largely faithful to the text of the Directive. The amendments introduced by the Amending Act came into effect on 18 December 2021.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

Although there are no specific rules governing the status of whistleblowers in Nigeria, the following all provide some guidance on the subject:

  • The Nigerian Code of Corporate Governance, 2018 (NCCG), encourages all companies to have a whistleblowing policy. Also, we have some other sectoral guidelines that provide rules for governing the status of whistleblowers in Nigeria. These sectoral guidelines include Whistleblowing Guidelines for Pensions, 2008;
  • Code of Corporate Governance for Banks and Discount Houses, 2014;
  • Code of Corporate Governance for Finance Companies, 2018;
  • Investment and Securities Act 2007; and
  • Rulebook of the Nigerian Stock Exchange 2015.
Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

European Union law primarily regulates the status of whistleblowers in Poland. The relevant law is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (the Whistleblowing Directive).

The Whistleblowing Directive was supposed to be transposed into the Polish legal system by 17 December 2021. The Directive is to be implemented through a separate act (not an amendment of existing laws), supplementing existing regulations and procedures, including those already in force in the financial sector.

A governmental draft bill for the Whistleblowers Protection Act is being developed by the Ministry of Family and Social Policy. The most recent version of the bill was published on 22 July 2022.

This means that the Directive has not yet been implemented into the Polish legal system. 

The following responses are therefore based on the current draft bill legislation of the Ministry of Family and Social Policy unless stated otherwise.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

In Portugal, the law that governs the status of whistleblowers is Law No. 93/2021, which transposed Directive (EU) 2019/1937 of the European Parliament and the Council.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

Romanian Law No. 571/2004 (Law 571)[1] was one of the first laws in Eastern Europe to deal with the protection of whistleblowers in the public sector. As regards the private sector, discussions related to the Draft Law on the Protection of Whistleblowers in the Public Interest, which was passed by the Senate on 19 April 2022, have been tense. This Draft Law (Pl-x 219/2022)[2], hereinafter referred to as the Draft Law) was adopted on 29 June 2022 with major changes (details below) by the Chamber of Deputies and subsequently challenged in the Romanian Constitutional Court. In a ruling on 13 July 2022, the Constitutional Court stated that the Draft Law is not unconstitutional and may be promulgated by President Iohannis. Several NGOs, whistleblowers and stakeholders of civil society have addressed an open letter to President Iohannis, asking him to use the alternative option and send the Draft Law back to Parliament for re-examination. The main reason they invoke is a failure of the Draft Law to comply with the requirements negotiated by the representatives of the Ministry of Justice with the European Commission and hence, a risk of an infringement procedure against Romania. The President has taken this step and sent the Draft Law back to Parliament.

This is the status at the time of writing. Currently it is unclear when the Draft Law shall be discussed in Parliament; this is expected to take place earliest in September 2022 after the parliamentary vacation.

The Draft Law is meant to implement the EU Whistleblowing Directive (Directive (EU) 2019/1937), but differs significantly from the European regulation. It has been criticised on the one hand because important provisions regarding the protection of whistleblowers in legal proceedings (eg, for defamation, breach of copyright, breach  of secrecy, breach of data protection rules, disclosure of trade secrets) have been omitted. On the other hand, the Draft Law has been attacked for reducing the protection standard granted by the previous Law 571/2004 for the public sector (eg, by restricting the possibility of whistleblowers to report directly to the press and by eliminating the resumption of good faith in favour of the whistleblowers). The signal from the Romanian parliament to employers has been interpreted as a sign of high tolerance as regards non-compliance with the Whistleblowing Directive. For example, employers applying repetitive retaliation measures against whistleblowers will pay a reduced civil fine of 2,000 EUR, as compared to roughly 6,000 EUR as per the first proposal. Another aspect is the lack of remedies and full compensation for damages suffered by whistleblowers, which can discourage them from reporting.

 

[1] Law no. 571/2004 regarding the protection of the staff of the public authorities, public institutions and other units that notifies breaches of law, published in the Official Gazette no. 1214/ 17.12.2004.

[2] Source: http://www.cdep.ro/pls/proiecte/upl_pck2015.proiect?nr=219&an=2022 (last checked on 20.07.2022).

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

First, we must clarify that the Directive has not been transposed into the Spanish legal system yet. However, on 4 March 2022, the Council of Ministers approved a preliminary draft law transposing the Directive (the Draft). The Draft must be approved by the Spanish Cortes Generales (legislature) to become law.

This chapter will be based on the current content of the Draft.

Apart from the above, there are no other legal and regulatory obligations on employers for whistleblowing (except in certain sectors).

The most important Spanish regulations that up to now have had an impact on whistleblowing are:

  1. Section 24 of Law 3/2018, on Data Protection and the guarantee of Digital Rights authorises the creation of information systems for internal complaints regarding actions that could be unlawful and regulates some requirements that need to be met by these channels.

The content of this section has been included in the Draft and also extended.

  1. Section 31 bis of the Criminal Code states that legal entities can be exempt from liability for crimes committed by its legal representatives or persons authorised to take decisions in the name of the company (among others) if the legal entity has implemented, before the criminal offence took place, organisational and management models that include appropriate surveillance and control measures to prevent offences or reduce the risk of them occurring.
  2. Section 48.1 of Law 3/2007 on effective equality between women and men states that companies must establish workplace conditions that prevent sexual harassment. Consequently, they are required to establish procedures destined to prevent this conduct and study complaints made by victims.
  3. Section 26 bis of Law 10/2010 on the prevention of money laundering and terrorist financing establishes that entities or individuals to whom this law applies[1] must implement internal procedures that allow employees, directors, and other agents to communicate (even anonymously) relevant information regarding money laundering and terrorist financing in their company.

Additionally, entities and individuals who fall under the law’s scope must protect employees, directors or agents who report information from retaliatory, discriminatory, or unfair measures, thus establishing a soft-law mechanism.

 

[1]Section 2 of Law 10/2010 states that concerned individuals will be: credit entities; insurance companies authorized to offer life insurance or investment related insurance; investment companies; entities managing pension plans; entities managing risk-capital and risk-capital entities whose risk-capital is not managed by another entity;  mutual agreement companies; individuals who are involved in money exchanging activities; postal services regarding certain services; property developers and individuals who professionally participate in operations with a certain value; accountants, tax consultants and individuals who perform similar activities; notaries and similar public servants; lawyers; casinos; art or antiquities sellers and collectors; among others.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

In Sweden, whistleblowers are protected under:

  • the Whistleblowing Act (SFS 2021:890) addresses reports about violations of EU law or irregularities in the public interest;
  • the Discrimination Act (SFS 2008:567) addresses reports about discrimination, harassment and sexual harassment; and
  • the Freedom of the Press Act (SFS 1949:105) and the Fundamental Law on Freedom of Expression (SFS 1991:1469) address public sector employees’ freedom of communication to certain media outlets, etc.

Also, sector-specific legislation and regulation may impose a disclosure obligation on a whistleblower, such as the Patient Safety Act (SFS 2010:659).

The Whistleblowing Act entered into force on 17 December 2021 and enacts the Whistleblowing Directive (Directive (EU) 2019/1937[1]). The Whistleblowing Act, however, has a wider scope of applicability than the Whistleblowing Directive as it also protects whistleblowers who report on irregularities in the public interest.

 

[1] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

In the UK, the legal framework for whistleblowers is set out in the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998 and the Employment and Regulatory Reform Act 2013).

The UK framework does not fully comply with European standards set out in the EU Directive 2019/1937/EU (the Directive).  Especially now that the UK has left the EU, it is not known whether UK whistleblowing legislation will be amended to reflect the workers’ rights and best practices introduced by the Directive.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

There is no uniform private sector “whistleblower protection law” in the United States. Rather, the United States has enacted numerous different whistleblower statutes in the course of regulating particular industries, claims made to the government and commercial activity. Indeed, the United States has enacted whistleblower protections in areas as diverse as workplace safety and health, airline, commercial motor carrier, consumer product, environmental, financial reform, food safety, health insurance reform, motor vehicle safety, nuclear, pipeline, public transportation agency, railroad, maritime and securities laws.

One of the most prominent and commonly invoked whistleblower protection statutes is the Sarbanes-Oxley Act of 2002 (SOX), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). SOX protects employees of certain companies from retaliation for reporting alleged mail, wire, bank or securities fraud; violations of the Securities and Exchange Commission (SEC) rules and regulations; or violations of federal laws related to fraud against shareholders. SOX covers employees of publicly traded companies and those companies’ subsidiaries, as well as (in some instances) contractors, subcontractors, and agents of those employers.

Dodd-Frank also contains whistleblower protection provisions (ie, anti-retaliation provisions), one specific to activities regulated under the Securities Exchange Act, and another specific to activities regulated by the Commodities Exchange Act.

In addition, Dodd-Frank established a whistleblower bounty program, which enables individuals who report original information leading to an enforcement action by the SEC that results in monetary sanctions exceeding $1 million to receive between 10% and 30% of that recovery.

The Internal Revenue Service (IRS) similarly pays monetary awards of between 15% and 30% of recovered amounts exceeding $2 million to individuals who provide information regarding alleged tax noncompliance.

Another prominent whistleblower statute is the federal False Claims Act (FCA), which allows persons and entities with evidence of fraud against federal programs or contracts to sue the wrongdoer on behalf of the United States government in what is referred to as a “qui tam” action. A qui tam plaintiff, referred to as a “relator,” is protected from retaliation and, if successful, can receive between 15% to 30% of the total recovery from the defendant, whether through a favourable judgment or settlement.

Likewise, several states have similarly enacted whistleblower statutes, including California, Illinois and New York. Many states also have their own false claims laws that allow individuals to file “qui tam” lawsuits against those who defraud the state.

Further, over half of the states in the United States recognise a common law claim of retaliatory discharge in violation of public policy, which may present a risk of punitive damages.

Last updated on 29/07/2022

02. Which companies must implement a whistleblowing procedure?

02. Which companies must implement a whistleblowing procedure?

Flag / Icon

Australia

  • at Lander & Rogers

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

All legal entities, including companies, with 50 or more employees (ie, full-time equivalents (FTEs)) will have to implement an internal reporting channel. This threshold of 50 FTEs will be calculated in the same way as the rules for social elections prescribe. This means that they will look at the average employment over a reference period.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Private companies are not legally required to have a whistleblowing procedure, but having one is an element that may benefit them in lessening the severity of sanctions imposed in anti-corruption investigations.

The only exception is financial institutions and companies subject to the authority of the Central Bank of Brazil. Such companies must set up a whistleblower channel due to administrative ordinance 4859/2020. Please refer to question 11 as regards financial institutions and other companies subject to the authority of the Central Bank of Brazil.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Under the WBP Act, a whistleblowing procedure must be implemented by:

  • any company falling within the scope of EU acts referred to in Part I.B and Part II of the Annex to the Directive, regardless of the number of employees employed by the  company; and
  • any company employing 50 or more employees.

Under unofficial interpretations by the officials of the Croatian Ministry of Justice and Public Administration (the Ministry), where applicable, the headcount threshold should take into account only persons employed with the company (ie, persons engaged by the company based on an employment contract) and ordinarily working for the company anywhere in the world (ie, it does not include persons engaged otherwise, such as temporary agency workers or persons engaged by the company’s group company).

To implement the whistleblowing procedure, the company must adopt a whistleblowing policy establishing procedural rules and appoint a person competent for receiving and following up on whistleblowing reports, communicating with the whistleblowers and conducting the protection procedure in connection with the whistleblowing report (WBP officer) and their deputy.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

The Whistleblowing Act requires all companies – public or private – with 50 employees or more to establish an internal reporting channel and procedure by:

  • 17 December 2021, for companies with 250 employees or more; or
  • 17 December 2023, for companies with 50 to 249 employees.

Other companies may also need to implement a whistleblowing procedure, subject to sector-specific rules.

On 17 December 2021, external reporting channels were established within the Danish Data Protection Agency, the Danish Ministry of Justice, and the Danish Ministry of Defence.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

The scope of the whistleblowing procedure is very broad. Companies with more than 50 employees, public-sector institutions, authorities and municipalities with 10,000 or more inhabitants must set up internal reporting channels for whistleblowers. 

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system by the time the Whistleblower Protection Act will become effective, (section 12 (1), (2) HinSchG-E). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG-E).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG-E).   

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

As per the Companies Act, the following types of companies are required to establish a vigil mechanism and adopt a “whistleblower policy” for directors, employees, stakeholders and any other individuals (such as auditors) to report concerns about unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy:

  • listed companies;
  • companies that accept deposits from the public; and
  • companies that have borrowed money from banks and public financial institutions totalling more than 500 million Indian rupees.

The abovementioned companies will be hereinafter referred to collectively as “Covered Companies”.

The vigil mechanism or whistleblower policy must provide adequate safeguards against the victimisation of persons who use it. The Companies Act also requires auditors to report an offence of fraud in the company by its officers or employees if they identify or note such instances during the performance of their duties.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

Any business operator[1] that continuously employs more than 300 workers must implement a whistleblowing procedure. Any business operator that continuously employs 300 or less workers must endeavour to implement a whistleblowing procedure. (article 11, paragraph 3 of the Act).

This applies to the questions below regarding the implementation of a whistleblowing procedure.

 

[1]   “business operator” means a corporation or other organizations and an individual who engages in business.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

Companies with 50 or more employees must establish an internal whistleblowing policy and an internal reporting channel. Companies with less than 50 employees can establish an internal whistleblowing policy and reporting channels at their own discretion or implement a group reporting channel.

Companies with 50-249 employees may develop a joint internal whistleblowing system and reporting channels. This applies to private entities registered and operating in Latvia. This does not extend to entities operating abroad, including group entities (eg, two companies operating in Latvia can establish one joint reporting channel).

Companies, operating in the finance sector, the area of prevention of money laundering, terrorism and proliferation financing, and the areas of transport security or environmental protection must also establish an internal whistleblowing system if they have less than 50 employees.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

The whistleblowing procedure relating to the implementation of an internal channel must be implemented by:

  • state or municipal institutions (with certain exceptions);
  • private legal entities, other organisations, divisions of foreign legal entities or organisations (regardless of the nature of the activity) employing 50 or more employees;
  • private legal entities, other organisations, divisions of foreign legal entities or organisations, whose activity is included in the list of Acts of the European Union and Acts of the Republic of Lithuania, as approved by the minister of justice.
Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

To date, only companies in the financial and insurance industries are required to implement a whistleblowing procedure. According to the Bill, all legal entities in the private or public sector will be subject to the obligation to set up channels and procedures for internal reporting and monitoring:

  • public legal entities include any entity owned or controlled by the public sector, including municipalities with more than 10,000 residents;
  • private legal entities will only be subject to this obligation if they have at least 50 employees.
Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

The Act imposes an obligation to establish formal channels and procedures for internal reporting on every employer, as defined in the Second Schedule to the Act.

Previously, the list of subject-persons (ie, employers) was limited to a few entities within the private sector meeting at least two of the following criteria: more than 250 employees; a total balance sheet exceeding €43,000,000; and/or annual turnover exceeding €50,000,000.

In terms of the Act (as amended), the term “employer” now covers any entity within the private sector having 50 or more employees. This obligation may apply to entities with fewer than 50 employees where this is considered necessary following an appropriate assessment of the level of risk arising from their activities, such as those involved in environmental and public health.

The obligation to establish internal reporting channels and procedures does not apply to entities falling within the scope of the Union acts referred to in Parts I(B) and II of the Annex to the Directive (applicable through a schedule to the Act). Examples include companies in the financial services sector and sectors susceptible to money laundering and terrorist financing, which are, regardless of their size, already required to have an internal reporting system under separate legislation.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The NCCG applies to all public companies (whether a listed company or not), all private companies that are holding companies of public companies or regulated entities, all concessioned or privatised companies, and all regulated private companies (private companies that file returns to any regulatory authority other than the Federal Inland Revenue Service (FIRS) and the Corporate Affairs Commission (CAC)).

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

All legal entities employing more than 50 employees will have to implement a whistleblowing procedure.

There are implemented whistleblowing procedures in certain entities (financial sector, civil aviation sector and others, due to AML procedures) already, according to sectoral regulations. The requirement to establish an internal reporting system applies to some employers, primarily those in the banking and insurance sectors, regardless of the number of employees as of the Act's effective date.

Implementation of the requirement to establish internal reporting regulations by private sector entities with between 50 and 249 employees will occur by 17 December 2023). Other legal entities are required to implement whistleblowing within two months of the coming into force of the Bill.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Legal persons, including the state and other legal persons governed by public law that employ 50 or more employees must implement a whistleblowing procedure. Regardless of the number of employees, entities operating in the sectoral areas referred to in Part I.B and II of the Annex to the EU Directive, including financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety and protection of the environment must also introduce a process. Finally, in the public sector, local governments with 50 or more employees but with less than 10,000 inhabitants are excluded.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

As a general rule, companies with 50 to 249 employees must establish internal reporting procedures from 17 December 2023. Article 8 paragraphs 3 and 4 of the Whistleblowing Directive provides that such a threshold of 50 employees does not apply for companies acting on the capital markets, in banking, credit, investment, insurance and re-insurance, occupational or personal pensions products or securities, meaning that they will have to organise reporting channels irrespective of their number of employees. The Romanian transposition seems to have misunderstood this stricter rule, hence (even if probably irrelevant in most cases in practice) companies from these sectors with less than 50 employees do not need to establish internal channels.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

According to section 10 of the Draft, in the private sector, natural and legal persons with 50 or more workers must establish internal information systems.

Moreover, irrespective of the number of employees, legal entities falling within the scope of European Union law regarding financial services, products and financial markets, the prevention of money laundering or terrorist financing, transport safety and environmental protection, referred to in parts I.B and II of the Annex to the Directive, will be governed by their specific regulation. In these cases, the Draft will only apply to matters not covered by said specific regulations.

Political parties, trade unions, employers' organisations and foundations created by them, insofar as they receive or manage public funds, may also implement whistleblowing procedures.

Private-sector entities that do not need to establish internal information systems but decide to do so anyway must also respect the content of the Draft.

According to section 13 of the Draft, all public-sector entities must establish internal reporting channels.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

The Whistleblowing Act requires businesses (within both the private and public sector) that at the beginning of the calendar year employ 50 or more employees to establish internal reporting channels and procedures. Internal reporting channels and procedures must be implemented by:

  • 17 July 2022, where the business employs 250 or more employees; and
  • 17 December 2023, where the business employs between 50 and 249 employees.

The Whistleblowing Act also requires competent authorities to establish external reporting channels by 17 July 2022.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

There is no legal requirement in the UK for companies to implement a whistleblowing procedure or policy or any requirements as to the content or form of any procedure or policy if one is adopted. However:

  • The Department for Business Innovation and Skills has published guidance entitled Whistleblowing: Guidance for Employers and Code of Practice which identifies that it is best practice for an employer to have a whistleblowing policy or appropriate written procedure. The guidance can be found here.
  • The UK Corporate Governance Code set by the Financial Reporting Council recommends public-listed companies implement a whistleblowing procedure.
  • Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory requirements that require the operation of applicable whistleblowing procedures.
Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Section 301 of SOX requires the audit committee of publicly traded companies to establish procedures for the receipt, investigation and treatment of confidential, anonymous complaints regarding questionable accounting or auditing practices. Section 301 allows for flexibility in developing appropriate procedures in light of a company’s circumstances, so long as the required parameters are met.

Last updated on 29/07/2022

03. Is it possible to set up a whistleblowing procedure at a Group level, covering all subsidiaries?

03. Is it possible to set up a whistleblowing procedure at a Group level, covering all subsidiaries?

Flag / Icon

Australia

  • at Lander & Rogers

There is no specific guidance on whether there may be a whistleblower procedure at a Group level encompassing all subsidiaries. However, in the absence of a prohibition to this effect, the better view is that such a procedure is possible at a Group level covering all subsidiaries. 

Under section 1317AA(4) of the Corporations Act, an entity's policy must cover the types of disclosures that qualify for protection. Disclosable matters involve information that the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances, concerning:

  • an entity; or
  • if the entity is a body corporate, a related body corporate of the entity.

Under section 1317AAA of the Corporations Act, an entity’s policy must explain the role of “eligible recipients” – that is, to receive disclosures that qualify for protection. If an entity is a body corporate, an eligible recipient includes:

  • an officer or senior manager of the entity or related body corporate;
  • the internal or external auditor (including a member of an audit team conducting an audit) or actuary of the entity or related body corporate; and
  • a person authorised by the entity to receive disclosures that may qualify for protection.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Companies with less than 250 employees will be able to share an internal reporting channel. Legal entities with more than 250 employees will need to have their own internal reporting procedure. The EU Commission has confirmed in an opinion that it will not allow centralised internal reporting systems for a whole group of companies. However, that does not mean that a group cannot provide the framework and policies for the internal procedures of its subsidiaries, provided employees can make reports and receive a decent follow-up at the local entity level. It is also possible to outsource the internal reporting channel to a third party.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Yes, it is possible to set up a whistleblowing procedure at a Group level, covering all subsidiaries.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Yes, it is possible to have a whistleblowing procedure applicable at a Group level, but only in addition to an internal reporting channel. This is because the WBP Act states that each company must have its own internal reporting channel (meaning a WBP officer and their deputy appointed by the company). However, neither the Directive (as interpreted by the European Commission) nor the WBP Act prohibits the company from having a separate central reporting channel at a Group level, provided that such a channel is available in addition to (co-existing with) a reporting channel set up under Croatian law.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Yes. The Whistleblowing Act allows all companies to set up a joint whistleblowing procedure at the group level, including larger companies with 250 employees or more.

The special flexibility allowing larger companies with 250 employees or more to establish a joint procedure is subject to the rule being compliant with the EU Whistleblowing Directive. If it becomes clear that it is contrary to the EU Whistleblowing Directive, the rule will be limited to medium-sized companies.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

The procedure for collecting and processing alerts may be common to several or all of the companies in a group, under the terms set by an application Decree to be published.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

According to the explanatory memorandum of the draft bill of the Whistleblower Protection Act, it is legally permissible to implement an independent and confidential internal reporting office as a "third party" within the meaning of article 8(5) of the EU Whistleblower Directive at another group company (eg, parent company, sister company or subsidiary), which may also work for several independent companies in the group (section 14 (1) HinSchG-E). However, the European Commission has already announced in two statements that a group-wide whistleblower system does not meet the requirements of the EU Whistleblower Directive. It remains to be seen whether the draft law will still be amended at this point in the legislative process. If the German law ends up retaining the outsourcing of the obligation to a third party, which may also be a company belonging to the group, the question of the compatibility of the regulation with EU law will probably arise at a later stage.

The draft bill of the Whistleblower Protection Act in line with the EU Directive further provides that several private employers with between 50 and 249 employees employed on a regular basis may commonly implement and operate an internal reporting office to receive notifications. However, the legal obligation to take action to remedy the violation and the corresponding duty to report back to the person making the report has to remain with the individual employer.   

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

Yes, this may be done. Various organisations in India have adopted a whistleblowing policy at the group level and set up a common hotline channel or speak-up portal to receive complaints of unlawful or unethical conduct and other wrongdoing within group companies.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

Each Group company must establish a system for responding to whistleblowing, but it is possible to set up a point of contact at a Group level, covering all subsidiaries. In this case, each Group company must state in its internal rules in advance that a point of contact is established at a Group level and a responsible person of each Group company must be appointed for the “Whistleblowing Response Operation[1]”[2]. This may be an employee of a Group company or an employee of the parent company of the Group[3].


[1]   “Whistleblowing Response Operation” means receiving whistleblower report, investigating the reportable fact (Please see question 10) pertaining to such whistleblower report, and taking necessary rectifying measures.

[2]   Consumer Affairs Agency, Explanatory Document for Guidelines on Whistleblower Protection Act [Cabinet Office Notification No.118 (2021)] (“Consumer Affairs Agency Guidelines Explanation ”), at footnotes 13 and 18, at pp.8-9, last visited June 28, 2022.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

There are no provisions in the Whistleblowing Act that would allow for the setting up of a whistleblowing procedure at a group level.

Based on the guidelines prepared by the State Chancellery (the contact point for whistleblowing in Latvia) and EU WBD, one single group whistleblowing procedure is only allowed if the local entity is not required to have an internal reporting channel (if they have less than 50 employees in Latvia) or if the company has a local internal reporting channel and a group whistleblowing procedure is established in addition to it.

If both whistleblowing procedures exist, employees are allowed to use either procedure. A group procedure on its own is not allowed if the local entity has 50 or more employees.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

Divisions of private legal entities, other organisations, foreign legal entities or organisations with between 50 and 249 employees may share internal channels, subject to the principle of confidentiality.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

Private legal entities with 50 to 249 employees may share resources at the group level for receiving reports and following up on them. However, each Luxembourg entity will have to comply with the obligations set out under the Bill, namely to maintain confidentiality, provide feedback and fix the reported violation.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

The obligation to establish internal reporting channels and procedures applies to every company with 50 or more employees, even when such companies belong to a group of companies. Notwithstanding this:

  • the Act allows medium-sized entities employing between 50 and 249 persons to share resources concerning the receipt of reports and any investigation to be carried out; and
  • maintaining or creating centralised whistleblowing functions within a group is not prohibited, provided that internal reporting channels and procedures are also available at the subsidiary level.

This is in line with guidance provided by the European Commission on the interpretation of the Directive.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

There is no provision that prevents or prohibits a Group company from setting up a whistleblowing procedure at a Group level covering all its subsidiaries.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

The national legislation does not foresee such a solution. Legal entities in the private sector with between 50 and 249 employees may agree to share resources for receiving and verifying reports and conducting an investigation, provided that the activities performed comply with the Bill.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The law does not specify so, in theory, yes provided that we are referring to the general rules of a whistleblowing procedure.

Please note that all companies with 50 or more employees should establish internal reporting channels, irrespective of the nature of their activities.

Nevertheless, in the private sector, companies with 50 to 249 employees may share resources with other legal entities as regards the receipt of reports and any investigation to be carried out.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

As a general rule (article 9 paragraph 4), companies with 50 to 249 employees (regardless of the group) should have the option to share resources as regards the receipt of reports and any investigation to be carried out. Companies with fewer employees than that or administrative bodies with less than 10,000 inhabitants cannot pool their resources together.

The Commission states that the protection of whistleblowers and a higher number of disclosures will only be achieved if each company having more than 49 employees will establish its own whistleblowing system. According to the current interpretation instructions of the EU Commission regarding the Whistleblowing Directive (dated 2 June 2021 and 29 June 2021), it is not prohibited to establish a centralised system, but such a system must be run in parallel with the mandatory local system.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

According to section 11 of the Draft, Group companies as defined in section 42 of the Spanish Code of Commerce (basically, when a company has or may have, directly or indirectly, control of another company or companies), the parent company may adopt a general policy for an internal reporting system and whistleblower protection and should also ensure its application in all entities of the Group, without prejudice to the autonomy and independence of each of the companies to establish its own corporate governance system or to introduce modifications or adaptations as may be necessary to comply with applicable regulations in each case.

The Responsible for the system and an internal information system could be unique for the Group companies or there could be one for each of the companies in the group, under the terms established above.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

Yes; however, a whistleblowing procedure established according to the Whistleblowing Act can only be shared between group companies employing 50 to 249 employees at the beginning of the calendar year. Such group-wide whistleblowing procedures can only include the receipt of reports and investigations into the reported matters (save for contacts with the whistleblower).

It is, however, possible to deviate from the Whistleblowing Act as it relates to internal reporting channels and procedures to be applied concerning employees by way of a collective bargaining agreement (CBA) entered into by trade unions and employer organisations at a central level. As such, the labour market parties within the IT and tech sector have entered  a CBA that allows group-wide whistleblowing procedures to, inter alia, also cover group companies employing 250 or more employees. The CBA is only applicable to members of the relevant employer organisations party to the CBA.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

Yes. Employers can implement a whistleblowing procedure at a Group level.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Yes, this may be done. Section 301 does not expressly mandate separate whistleblowing procedures for different subsidiaries.

Last updated on 29/07/2022

04. Is there a specific sanction if whistleblowing procedures are absent within the Company?

04. Is there a specific sanction if whistleblowing procedures are absent within the Company?

Flag / Icon

Australia

  • at Lander & Rogers

Sections 1311(1) and 1317AI(4) of the Corporations Act notes that it is an offence of strict liability not to implement a whistleblower's policy.

The penalty for non-compliance for individuals is 60 penalty units (A$13,320) and for companies is 600 penalty units (A$133,200), and is enforceable by ASIC.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

The absence of an internal reporting channel can be sanctioned with an administrative fine of up to 5% of the revenue of the company (legal entity) the previous year. The fine has to be proportionate, and the government will still create a system that will give more guidance to the administration regarding the amount of the fines (in a future royal decree).

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

No, there is no specific legal sanction for not implementing a whistleblowing procedure.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Yes, a failure by the company to adopt or implement an internal whistleblowing policy by 23 June 2022, or appoint a WBP Officer and their deputy by 23 July 2022 may each result in liability for an administrative offence and a related fine, which may be up to about 4,000 EUR for the  company, and up to about 1,350 EUR for the responsible individual within the company.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Failure to comply with the obligation to set up a statutory whistleblowing procedure may result in a fine unless a stricter penalty follows from other rules of law.

Another sanction could apply if the absence of a whistleblowing procedure in itself results in the whistleblower being prevented – or it is considered an attempt to prevent the whistleblower – from reporting. In this scenario, failure to comply could result in claims for compensation or, depending on the circumstances, a requirement to re-employ the individual.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

There is no specific legal sanction for failing to create a whistleblowing procedure.

However, the absence of an internal reporting channel increases the risk for the company’s reputation as whistleblowers could use external reporting such as public disclosure in the press or social media.

Besides, any person who obstructs the transmission of a report may be exposed to criminal suit and a penalty of up to one year’s imprisonment and a fine of 15,000 EUR.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

If there are no whistleblowing procedures in the company (ie, an internal reporting system is not implemented and operated), this constitutes an administrative offence punishable by a fine. This fine may amount to up to 20,000 EUR (section 40 (2) No. 2, (5) HinSchG-E.

At this point, it should be noted that there is a high incentive for employers to implement an internal reporting channel, since the external reporting channel is available to the whistleblower in any case. Consequently, if an internal reporting office were not implemented or operated, the whistleblower would be forced to report directly to the external reporting office. As a result, the employer would not be able to make internal corrections without the reported information leaving the company.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

For failure to adopt and implement a whistleblowing procedure, a Covered Company and every officer of that company who is responsible for such non-compliance may be punished with a fine of up to 10,000 rupees and, if non-compliance continues, a further fine of up to 1,000 rupees a day.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The prime minister:

  • may ask the business operator to submit reports or may give advice, guidance or recommendation to the business operator if necessary for the enforcement of the provisions of article 11, paragraphs 1 and 2 of the Act, such as ensuring the business operator establishes a system for responding to whistleblowing (article 15 of the Act); and
  • may disclose the company’s name if the business operator has not followed the recommendations to establish a system for responding to whistleblowing, etc. (article 16 of the Act).

Any business operator who fails to make a report or makes a false report may be fined up to 200,000 yen (article 22 of the Act).

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

No, there are no sanctions provided in the law if there is no internal whistleblowing procedure or internal reporting channel. The absence of an internal whistleblowing procedure will likely promote the use of other reporting channels, such as:

  • directly approaching the competent public authority that supervises the field or area where the breach occurred,
  • approaching the State Chancellery as the contact point for whistleblowing,
  • reporting publicly, if the requirements provided in the law are met.

To avoid risks associated with the use of external reporting channels, which may result in investigations and sanctions by public authorities, it is advisable to have an internal reporting channel and whistleblowing policy.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

Yes, an administrative fine may be imposed. This may be up to 300 EUR (or up to 500 EUR for repeated infringements) and if the infringement is related to the disclosure of the identity of the whistleblower, the fine may be up to 2,000 EUR (or up to 4,000 EUR if it is a repeated infringement).

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

Yes. If the obligations to set up internal reporting channels are not met, private legal entities will be liable for an administrative fine of between EUR 1,500 and EUR 250,000.

Nothing is specified for public entities.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

The Act does not provide for a specific sanction if a covered entity fails to establish internal reporting channels and procedures. That said, the importance of having channels and procedures to facilitate internal reporting cannot be overstated. This enables companies to address issues internally and minimise the risk that their reputation or interests are harmed by exposure to competent authorities or the public.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

There is no sanction in place for the absence of whistleblowing procedures within a company. The NCCG and some of the sectoral codes listed above merely recommend that a whistleblowing policy be put in place by companies as part of good corporate governance practice.

However, the Investment and Securities Act (ISA) stipulates a penalty of 5 million naira on any capital market operator or public company that contravenes the provisions of the ISA on whistleblowing or disclosure.[1]

 

[1] Section 306 (10) of the Investment and Securities Act, 2007

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

There is no specific sanction foreseen in the Bill if the internal whistleblowing procedures will not be implemented within the company.

There is a sanction or fine that can be imposed on a person that has not established an internal reporting procedure or if the established internal reporting procedure violates the Bill’s provisions. The fine is up to 5000 Polish zloty.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

Entities that fail to establish a whistleblowing procedure will incur a serious penalty, with fines from 1,000 EUR to 125,000 EUR.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

There are several administrative fines for companies failing to comply with the new whistleblowers’ legislation – between 500 EUR and 5,000 EUR for not establishing internal reporting procedures.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

No. There is no specific sanction in the Draft if whistleblowing procedures are not implemented within the company. However, section 63.3.(c) establishes that “Any failure to comply with the obligations provided for in this law that is not classified as a very serious or serious infringement” will be considered a minor infringement.

Considering that the absence of a whistleblowing procedure is not expressly listed as a very serious or serious infringement, it could be argued it would qualify as a minor infringement.

According to section 65, for a minor infraction, the sanction is a fine of up to 10,000 EUR if the perpetrator is a natural person, and 100,000 EUR if it is a legal entity.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

If whistleblowing procedures, including internal whistleblowing channels, are not established according to the Whistleblowing Act, the Swedish Work Environment Authority (SWEA, being the supervisory authority) may order the business to fulfil its legal obligations subject to a fine.

Any business preventing or hindering whistleblowing according to the Whistleblowing Act (eg, by omitting to implement whistleblowing procedures) may be held liable for damages payable to the relevant persons.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

No, because there is no underlying legal requirement under the Employment Rights Act 1996 for companies to implement a whistleblowing procedure or policy.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

There is no specific, pre-designated sanction for failure to implement a whistleblower procedure. However, the lack of a clear process for raising concerns can expose an employer to significant legal and reputational risk as incidents of improper conduct will be less likely to be discovered and appropriately remedied.

Last updated on 29/07/2022

05. Are the employee representative bodies involved in the implementation of this system? 

05. Are the employee representative bodies involved in the implementation of this system? 

Flag / Icon

Australia

  • at Lander & Rogers

Strictly speaking, no. ASIC Regulatory Guide 270 does not refer to employee representative bodies needing to be involved in the implementation of whistleblower policies.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

There has to be a consultation of the social partners for the establishment of an internal reporting procedure. This means that the employer will have to consult the works council. If there is no works council (less than 100 employees), they will consult the trade union delegation. If there is no trade union delegation either, the health and safety committee can be consulted. This right to consultation does not mean that these representative bodies have a veto right or a decision power, but they have the right to give their opinion on the proposed system. Ideally, the employer will take their remarks into consideration.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

No, employee representative bodies are not involved in the implementation of the whistleblowing procedure.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Yes, the involvement of employee representative bodies (the works council or, if there is no works council, a union trustee), provided that any such body exists with the  company, is two-fold:

  • the company must consult with the works council or union trustee regarding adoption of the whistleblowing policy – failure to do so would result in the adopted whistleblowing policy being null and void; and
  • the company must appoint the persons requested by the works council or union trustee as the WBP Officer and deputy; if no such request is made by the works council or union trustee, the  company may appoint the WBP Officer and deputy at its discretion.
Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Not as a main rule. However, the employee representatives or works councils may argue that the implementation of the system falls within the scope of obligations in the Danish Information and Consultation of Employees Act.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

A company’s work council must be informed and consulted before the implementation of a whistleblowing procedure.

Indeed, work councils are informed and consulted “on all questions which are linked to the organisation, management and general running of the company and in particular on conditions of employment, professional training, working conditions and on the introduction of new technologies or any significant change in health and safety conditions or working conditions” (article L. 2312-8 of the Labor Code).

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

Although the implementation of a whistleblower system is based on a legal obligation, the works council only has to be involved under certain circumstances.

At first, the employer is, in principle, already obliged to inform the works council in good time and comprehensively about everything it requires to carry out its duties. This information requirement should enable the works council to review whether co-determination or participation rights exist or whether other tasks have to be carried out according to the German Works Constitution Act (BetrVG).

For instance, instructions concerning the orderly conduct of employees are subject to co-determination. These instructions are intended to ensure an undisturbed work process or to organise the way employees live and work together in the company.  If, in the course of the implementation of a whistleblower system, the already existing contractual obligations are extended or regulations regarding the specific reporting procedure are introduced (eg, in the form of a reporting obligation on the part of employees), the organisational behaviour would be affected and the works council must therefore be involved (section 87 (1) No. 1 BetrVG).

Furthermore, in the context of setting up an internal reporting channel, the draft bill of the Whistleblower Protection Act only stipulates that whistleblowers must be given the option of submitting a report to the whistleblowing system in text form or verbally. This could, of course, also be provided via digital channels - eg, via software- or web-based solutions. Should the introduction and use of such technical equipment in the relevant case allow the employer to monitor the behavior or performance of employees (eg, those who deal with the complaint), further co-determination rights of the works council according to section 87 (1) No. 6 BetrVG can be triggered.   

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

No, employee representative bodies are not involved in the vigil mechanism. The whistleblowing mechanism will be overseen by a Covered Company through its Audit Committee or Board of Directors, as may be relevant.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The Act does not require the involvement of employee representative bodies.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The Whistleblowing Act does not require the involvement of employee representative bodies in implementing the whistleblowing procedure. The involvement of employee representative bodies in the whistleblowing procedures is more consultative.

The Whistleblowing Act provides that trade unions and their associations, as employee representatives bodies: can provide support, including counselling, to whistleblowers to promote whistleblowing and whistleblower protection; provide support, including counselling, to its members concerning whistleblowing; and can apply to a public authority (body) or a court on behalf of a whistleblower who is a member of the trade union.

The Labour Act provides that employee representative bodies have the right to receive information from the employer and consult with the employer concerning the implementation of measures that affect or may affect the employment relationship. Therefore, it is advisable to inform or consult with employee representative bodies (if any) about the implementation of whistleblowing procedures to avoid the risk of administrative liability.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

There is no direct obligation to include employee representatives in the implementation of this system. However, since the employer must inform or consult with the works councils regarding the adoption of certain internal laws, including when they may be relevant to the social and economic situation of employees, the need to inform and consult with the works council can be inferred.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

Yes.

When establishing the internal reporting procedure, a company's staff delegation must be involved in different ways, depending on the size of the company:

  • In companies with less than 150 employees, the information and consultation procedure with the staff delegation will commence. The staff delegation will have to be informed about the intention to set up or modify the whistleblowing channel and will be entitled to give opinions and propose changes.
  • In companies with 150 employees and more, the decision to set up or modify the whistleblowing channel will have to be made jointly by the employer and the staff delegation (co-decision).

Under the current regime, whistleblowing channels are mostly implemented unilaterally by employers in the financial and insurance sectors, but the previous consultation process with the staff delegation or, in larger companies, co-decision, should be respected.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

There is no legal requirement (whether in the Act or local employment legislation) for an employer to inform or consult with employee representative bodies on its internal reporting channels and procedures.

Aside from the above, the Act recognises the right of employees to consult with their representatives or trade unions (without suffering any unjustified detrimental action for doing so), the autonomy of those social partners, and their right to conclude collective agreements, which remain unaffected by this Act.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The Nigerian law is silent on the employee representative bodies’ involvement in the implementation of whistleblowing policies. However, the companies with whistleblowing policies do not involve employee representative bodies in the implementation of their system.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

The legal entity will determine the internal reporting regulations after consultation with:

  • a company trade union organisation or,
  • employee representatives selected under the procedure adopted by the employer – if the legal entity does not have a company trade union organisation.

The consultations will last no less than seven days and no longer than 14 days from the date of submission by the legal entity of the draft internal reporting procedure.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

No, but the provisions of Law No. 93/2021 do not affect the right of employees to consult their representatives or trade unions and the protective rules associated with the exercise of this right, and the right of trade unions, employers' associations, and employers to conclude a collective bargaining agreement.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

The previous proposal of the law implementing the EU Whistleblowing Directive provided for employee representative bodies (ie, generally speaking trade unions, if they exist, or employee representatives) to be consulted when establishing the reporting procedures. The approved version as of 29 June 2022 does not provide for such consultancy procedure anymore; however, it remains recommendable.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Yes. Section 5 of the Draft states that the management body or governing body of each entity or body that must establish “internal information systems” will be responsible for their implementation, after consultation with the employees´ legal representatives.

Moreover, collective-bargaining agreements may also establish certain obligations in this regard.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

There is no obligation to include employee representative bodies in the implementation of whistleblowing procedures.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

There is no specific legal requirement in the Employment Rights Act 1996 for employee representative bodies to be involved in (or otherwise agree to) the implementation of a whistleblowing procedure or policy. However, the rules in place with existing employee representative bodies may require consultation on any new policy or procedure and, in any event, it is best practice to involve employee representatives in the implementation of a whistleblowing system.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Employers with unionised employees may have a duty to bargain with the union if the whistleblower program can be deemed to affect the terms and conditions of employment of the union members.

Last updated on 29/07/2022

06. What are the publicity measures of the whistleblowing procedure within the company?

06. What are the publicity measures of the whistleblowing procedure within the company?

Flag / Icon

Australia

  • at Lander & Rogers

Under section 1317AI(5)(f) of the Corporations Act, an entity's policy must cover information on how the policy will be made available to officers and employees.

ASIC Regulatory Guide 270 provides examples of how to make a policy available to staff. It suggests:

  • holding staff briefing sessions or smaller team meetings;
  • posting the policy on the staff intranet or other communication platform;
  • posting information on staff noticeboards;
  • setting out the policy in the employee handbook; and
  • incorporating the policy in employee induction information packs and training for new starters.

Further, an entity should conduct upfront and ongoing education and training.

Specialist training should be provided to staff members who have specific responsibilities under the policy.

Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training.

To ensure disclosers outside an entity can access the entity’s whistleblower policy, the policy should be available on the entity’s external website.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

The company needs to provide clear information regarding the use of the internal reporting channel. This can be done in a written policy or even in the internal work rules (but this is not necessary). The company should also inform workers about the possibility of reporting externally to the competent authorities.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

There is no reference in Brazilian law as to how the whistleblowing procedures must be implemented. However, it is good practice that the procedure be included in a Code of Integrity and Ethics that is widely accessible to employees and third parties, for example by including a link to the reporting channel on the company’s website, and that companies give regular training on internal regulations on the matter.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

The WBP Act does not contain rules on how the whistleblowing policy should be communicated to employees and other eligible whistleblowers, other than stating that the policy should be easily accessible to all persons within the work environment (as defined in question 12), understandable, and effective in encouraging the primary use of internal reporting channels or systems for reporting breaches or irregularities. In light of this, the publication of the whistleblowing policy should be made following the provisions of Croatian labour legislation.

Under the Croatian Employment Act and implementing regulations, any employment-related policy (which would include the whistleblowing policy) must be signed by the management of the company and published on a bulletin board in the company’s premises (specifically stating that the policy will come into force on the ninth day after publication, at the earliest). It is recommended that all eligible whistleblowers (ie, both employees of the company, and persons not employed by the company) are notified of the company having in place a whistleblowing policy and that they can receive a copy of such policy upon their request.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Internal whistleblowing channels must always be available to employees in the company.

Companies can freely choose if the whistleblowing channel is also made available to other whistleblowers connected to the business, such as the self-employed, members of management, volunteers, trainees, past or future employees or suppliers (see question 12).  

Clear information on the whistleblowing channel must be made available in an easily accessible manner, such as the Intranet or a company website.

Information on the reporting procedure must include a description of:

  • what matters the whistleblower can report;
  • how reports are processed and registered;
  • how the whistleblower can use the whistleblowing channel;
  • what rights the whistleblower has;
  • who can report;
  • whether it is possible to make an anonymous report; and
  • that it is possible to report to an external whistleblowing channel.

Companies must also encourage internal reporting, subject to it being possible to process the report effectively and the whistleblower not being at risk of retaliation. 

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

From 1 September 2022, the internal regulation applicable within the company must mention the whistleblowing process and protection.  The internal regulations will be brought to the attention of all persons having access to the workplace.

Moreover, if there is implementation or modification of the whistleblowing process, we recommend informing employees by all means.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The draft bill of the Whistleblower Protection Act does not oblige the company itself to publish any information regarding the internal reporting office or the internal reporting channel implemented. However, the internally implemented reporting office must have clear and easily accessible information available on the external reporting procedure and relevant reporting procedures of European Union institutions, bodies or agencies (section 13 (2) HinSchG-E).

The current explanatory memorandum to the draft bill also contains the more detailed, but not legally binding, reference that the information can be made available via a public website, company intranet or a bulletin board that is accessible to all employees. In this context, it is recommended that the company also refers to the internally implemented reporting office or the internal reporting channel in the same way. This helps to counteract the risk that potential whistleblowers will report primarily via the external reporting channel.

Furthermore, the German Supply Chain Due Diligence Act (LkSG) also provides for the implementation of complaint mechanisms so that the regulatory requirements of companies can also be met through a uniform reporting system. Within its scope of application, the LkSG also provides for the publication of procedural rules for such a reporting system in text form as well as for annual reporting obligations on what measures the company has taken as a result of complaints.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

Details of the whistleblowing policy and the mechanism thereof will have to be disclosed by the Covered Company on its website as well as in the Board of Directors’ annual report filed with the competent regulatory authority.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The publicity measures of the whistleblowing procedure are not set out by the Act. The business operator may inform the whistleblowing procedure through various forms, such as company intranet, in-house training, distribution of intra-card and advertisement goods, and displaying of posters[1].


[1]   Consumer Affairs Agency Guidelines Explanation, supra note 3, Section 3 II (3)(i)(c), at p.19

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The Whistleblowing Act does not allow companies to use publicity measures regarding a commenced, pending or finished whistleblowing case. The employer must ensure the confidentiality of information, not only to protect the interests of the whistleblower but also to protect the identity of the perpetrator.

Publicity measures are applied in cases of whistleblowing in public institutions. In such cases, the whistleblower can include in its report whether he or she consents to the results of the investigation being published, if a breach is established.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

Certain concrete information provided by law, such as information on the whistleblowing procedure and the investigation thereof through the company's internal channels; the designated competent body (including its contacts); and the rights and guarantees of the whistleblower must be provided through the institution's internal and external (if any) communication channels. In principle, companies must adopt an internal policy for the reporting of breaches (providing all information required by law) and communicate it.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

The legal entity is required to provide information on the reporting procedures in place:

  • to the competent authorities;
  • to workers; and
  • to all persons who come into contact with the entity in the course of their professional activities (eg, service providers, distributors, suppliers, business partners).

Communication of the procedure can be done through posters in a visible place accessible to all these persons, on the website of the legal entity, through the company's internal regulations if they exist, by a reference in the employment contract to an internal document, etc.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

The company must publish:

  • clear and easily accessible information about the existence of the internal procedures; and
  • adequate information on how the internal procedures may be used. This information is to be published widely and republished at regular intervals (the Act does not define any specific periods).

The company must also provide clear and easily accessible information regarding the procedures for reporting externally.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

Typically, the company is required to put in place an effective reporting channel that protects the confidentiality of the information disclosed and the anonymity of the disclosing party. It could either be through a reporting link or platform set up for that purpose or a suggestion box to be used anonymously.

Companies are required to notify their employees and stakeholders of the existence of a whistleblowing policy and the mechanism for reporting applicable within the company.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

An internal reporting procedure entering into force should be made known to persons performing work in each legal entity, in the manner adopted in the company.

A legal entity will provide information on the internal whistleblowing procedure along with the commencement of recruitment or pre-contract negotiations to a person applying for work under an employment relationship or other legal relationship constituting the basis for the performance of work or services or the performance of a function.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

There are no specific publicity measures for the whistleblowing procedure within companies (as long as the whistleblowing procedure rules are not considered an internal regulation of the company, as this would entail publicity).

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

According to article 10 paragraph 2 of the Draft Law, employees are informed about the reporting procedures, including the person or department designated to receive such reports, both through the website of the company and through announcements at its headquarters, provided that there is a visible location accessible to all employees.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Section 25 of the Draft states that the company should provide appropriate information, in a clear and accessible way, on the use of internal reporting channels (or information systems, following the name given in the Draft), as well as on the essential principles of the procedure to be followed. If the company has a website, said information should be reflected on the homepage, in a separate and easily identifiable section.

Moreover, competent public authorities are also subject to publicity measures regarding whistleblowing procedures, including: conditions to be eligible for the protection reflected in the Draft; contact information regarding external channels; management procedures;  confidentiality; remedies and procedures for protection against retaliation; and the availability of confidential advice.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

An internal whistleblowing channel and procedure established under the Whistleblowing Act must be made available for persons who are active within the business, including employees, volunteers, trainees, persons otherwise performing work under the supervision or direction of the business, the self-employed who perform services, members of the business’s administrative, management or supervisory bodies and shareholders operating within the business.

In addition, businesses must provide clear and easily accessible information on:

  • how to report via the internal reporting channel;
  • how to report via external reporting channels (both national and EU bodies); and
  • as applicable, the whistleblowers’ constitutional rights in respect of freedom of speech, freedom of communication and freedom to procure information.
Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

According to the Whistleblowing: Guidance for Employers and Code of Practice published by the Department for Business Innovation and Skills (BEIS), it is best practice for the whistleblowing policy or procedures to be in writing and easily accessible to all workers. BEIS also recommends that awareness of the policy or procedures is raised through all available means such as staff engagement, intranet sites and other marketing communications.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

There is no specific legal requirement to publicise an employer’s whistleblower procedure. However, it is best practice to notify employees in as many places as possible (eg, in the employee handbook, code of conduct or website) of the employer’s anti-retaliation policy and mechanisms for raising complaints, including doing so anonymously.

Last updated on 29/07/2022

07. Should employers manage the reporting channel itself or can it be outsourced?

07. Should employers manage the reporting channel itself or can it be outsourced?

Flag / Icon

Australia

  • at Lander & Rogers

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

  • oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
  • a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
  • periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

  • make their disclosure anonymously, confidentially and outside business hours;
  • receive updates on the status of their disclosure while retaining anonymity; and
  • provide additional information anonymously.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

The reporting channel can be outsourced to a third party (eg, to a payroll provider, compliance experts or lawyers). However, the employer will remain legally responsible for the implementation and use of the system.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

There is no statutory requirement in this regard. Accordingly, employers can manage the reporting channel directly or outsource it to an external supplier.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Under the WBP Act, the internal reporting channel is a WBP officer and their deputy, as appointed by the company. This officer and deputy are solely authorised to receive the whistleblowing reports and conduct investigations (ie, the conduct of these actions cannot be outsourced to any third person).

However, the WBP Act does not preclude companies from appointing individuals employed or hired by an external service provider as a WBP officer or deputy (noting, however, that the company may make such appointment at its own discretion only if these appointments have not been proposed by either the works council, or, if there is no works council, the union trustee, or if there is no works council or union trustee, by at least 20% of the  company’s employees).

Even if the company appoints individuals employed or hired by an external service provider, the appointed persons must keep confidential the identity of any whistleblowers and any information contained in the whistleblowing report, and will not be able to directly involve external service providers in the investigation without express consent from each whistleblower. However, the  company may engage an external service provider to indirectly assist these appointed persons (regardless of whether the individuals appointed are employed by the  company or by the external service provider, and regardless of whether the whistleblower provides express consent for disclosure of his or her identity and the content of the report), if such assistance will not lead to disclosure to that provider of the identity of the whistleblower and any information contained in the whistleblowing report.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

The whistleblowing channel can be outsourced wholly or partly to an external third party (for example a specialised platform, lawyer, or auditor).

Companies can outsource the whistleblowing channel but will remain fully responsible for complying with the Whistleblowing Act. For that reason, written declarations must be drafted with the provider to make sure that the requirements relating to impartiality, confidentiality, data protection, etc, are satisfied.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

Employers can subcontract the management of the whistleblowing procedure to an external supplier, which will be in charge of:

  • setting up the reporting channel available;
  • receiving complaints; and
  • investigating the reported facts.

In practice and as an example, the external supplier can set up a telephone hotline or an email address for the collection of reports. These are then transmitted to the employer to decide on any action to be taken.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

In principle, the draft bill of the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, this supporting activity is legally only permissible to the extent that is necessary for the supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG-E). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

While the reporting channel may be outsourced, in respect of Covered Companies, the mechanism should be overseen by the Audit Committee or Board of Directors, as applicable.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The business operator may outsource the establishment of a point of contact to a third party, such as a subcontractor or parent company[1].


[1]   Id, Section 3 II (1)(i)(c), at p.7.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The Whistleblowing Act allows employers to use third-party services for whistleblowing procedures. Therefore, the management of a reporting channel can be organised by outsourcing management service providers. On the other hand, such outsourcing cannot be used to implement group whistleblowing procedures (eg, to use a reporting channel established at a group level or in a related company).

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

Companies may outsource internal channel administration services to other companies providing such services or external third parties, provided that they ensure that the principles of independence, confidentiality and data protection are observed. Administrative services provided by third parties do not include the investigation of information about the breach and any subsequent decision-making.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

The legal entity may subcontract the monitoring of reports (articles 6 and 7 of Bill 7945).

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

In theory, the Directive states that the reporting channel may be operated internally or externally by a third party. The Act requires the employer to designate an officer from within the company (whistleblowing reporting officer – WRO), who may or not be the same person receiving reports, to follow up on reports.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The reporting channel can either be internally managed or outsourced for transparency and objectivity.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

Employers may outsource maintaining reporting channels (as part of ICT solutions) and receiving reports.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The internal reporting channels may be operated internally or externally, and independence, impartiality, confidentiality, data protection, secrecy and the absence of conflicts of interest must be guaranteed.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

Both options are available for companies. At first glance, internal channels controlled by its own employees (auditors or compliance officers, in-house legal counsel or even an internal hotline) may be more effective for companies, since this ensures that potential wrongdoings are checked internally and do not compromise the image of the company. However, whistleblowers may not trust internal channels that allow easy identification of the individual whistleblower and are usually established to act in the best interest of the company (and not necessarily the whistleblower). Groups of companies must give more thought to the organisation; in many cases, outsourcing to third parties (eg, a recognized law firm) may be a better and more cost-effective solution.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Yes, the management of internal reporting channels can be outsourced as established in section 6 of the Draft. However, a third party managing the reporting channel must provide adequate guarantees of respect for independence, confidentiality, data protection and secrecy. This third party would be considered a “data processor”, whereas the person or persons appointed by the company as “responsible for the system” will still be responsible for the reporting channel, even when it is outsourced.

Management of an internal information system by a third party should not undermine the guarantees and requirements established for this system in the Draft.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

Businesses may choose to manage reporting channels in-house or to outsource the management of reporting channels to third parties. Regardless, businesses should designate independent and impartial persons or departments (including third-party entities) to receive reports, maintain communication with whistleblowers, follow-up on reports and provide feedback to whistleblowers.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

The reporting channel can be outsourced. Where an employer’s whistleblowing policy or procedure authorises disclosure to a third party (eg, an external hotline), UK law will treat a disclosure to the third party the same as a disclosure to the employer.

The Department for Business Innovation and Skills guidance on whistleblowing identifies that larger UK organisations may have a designated team who can be approached to make a disclosure. The guidance recommends that smaller organisations should have at least one senior member of staff as a point of contact for whistleblowers. However, the guidance also acknowledges that there are commercial providers who can manage a whistleblowing process on behalf of the employer.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

A reporting channel can be managed internally or outsourced.

Advantages of an internal reporting channel include:

  • better understanding of the organisation; and
  • better understanding of the context in which complaints may arise and be escalated.

Advantages of a third-party reporting channel include:

  • increased independence and transparency; and
  • broader expertise in handling whistleblower reports.
Last updated on 29/07/2022

09. What precautions should be taken when setting up a whistleblowing procedure?

09. What precautions should be taken when setting up a whistleblowing procedure?

Flag / Icon

Australia

  • at Lander & Rogers

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

  • policy's purpose;
  • who the policy applies to;
  • matters the policy applies to;
  • who can receive a disclosure;
  • how to make a disclosure;
  • legal protections for disclosures;
  • support and practical protections;
  • handling and investigating disclosures; and
  • ensuring fair treatment of all individuals.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Companies should draft a clear and accessible policy that outlines the procedure. The deadlines of the procedure need to be respected and the policy should clarify which situations fall under the scope of the procedure and the fact that reports will enjoy certain protections against retaliation. To implement the procedure itself, bigger companies are advised to use a digital reporting tool as it could be too complicated to use a non-digital system for a large number of employees, which could lead to errors in the procedure and missing deadlines. There are lots of tools out there, from quite simple ones to very intelligent (but also expensive) ones. The company will have to do some market research to find the tool that meets its specific needs.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Brazilian law does not explicitly govern this matter, but it is good practice that the whistleblowing procedure must:

  • clearly indicate what type of conduct is subject to whistleblowing;
  • indicate who can make a report, how, when and where to do it – it is recommended to have at least two reportinng channels and it must be clear that reports can be made in a local language;
  • allow anonymous reports;
  • guarantee, to the extent possible, the confidentiality of the proceedings;
  • list the steps of the proceedings and the responsibilities and rights of each involved party (whistleblowers, witnesses, investigators, etc);
  • guarantee non-retaliation against whistleblowers or any person contributing to the investigation; and
  • indicate possible outcomes after the conclusion of the investigation.
Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

The following precautions should be taken into account by the company when setting up a whistleblowing procedure:

  • Language of the whistleblowing policy – even though the WBP Act does not explicitly provide that the whistleblowing policy must be available in Croatian, the WBP Act requires that information on the internal whistleblowing procedure must be easily accessible, understandable and effective. If the whistleblowing policy is not prepared in Croatian, the company may run the risk of: the employee claiming that he or she did not properly understand the policy; or in the case of inspection or dispute, the inspection body or court holding that a policy made only in English, or a language other than Croatian, is null and void as not being easily understandable.
  • Appointment of WBP officer and deputy – given that a company must appoint a WBP officer and their deputy at the request of either the works council, union trustee, or 20% of employees of the company (if there is neither a works council nor union trustee), it is advisable that the  company provides in the whistleblower policy that any candidate should be a person of trust and competent to conduct the duties of a WBP officer.
  • WBP officer’s resources – the company must ensure that the WBP officer and their deputy have the resources required to effectively perform their duties, such as providing the officer with a personal computer or laptop and a separate email address for receiving whistleblowing reports, a direct telephone line for receiving whistleblowing reports, a dedicated office for conducting meetings with whistleblowers, and equipment for keeping records of reports.
Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Recommended precautions include:

  • making the whistleblowing channel available to all whistleblowers. When the whistleblowing channel is restricted to employees, other whistleblowers who are not employees will instead report via external channels or public disclosure; and
  • only accepting reports from whistleblowers covered by the Whistleblowing Act. If the whistleblowing channel allows other individuals to report, they will not be protected under the Whistleblowing Act. Also, companies would have to consider other issues, including adapted information obligations and data protection, to ensure there is a legal basis for processing reports from these individuals, among other things.
Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

During the processing of the report, the procedure implemented must guarantee the confidentiality of the identity of its authors, the persons concerned and any third party mentioned within.

Moreover, the company must respect guarantees of independence and impartiality in the treatment of reports. These guarantees must be specified in a published application decree.

Companies are also required to comply with GDPR obligations. In this regard, the French Data Protection Authority (CNIL) has published a frame of reference to help public and private organisations implement whistleblowing procedures in compliance with data protection regulations (CNIL deliberation dated 18 July 2019).

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

As per the present draft bill, there is no legal obligation to design the reporting channels in such a way that they enable the submission of anonymous reports. Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

Key aspects that should be borne in mind while formulating a whistleblower policy or procedure are:

  • a special or distinct committee or channel must be created for receiving and handling disclosures, giving the whistleblowing mechanism a separate institutional framework;
  • the reporting mechanism should be systematic, simple and straightforward to facilitate an early and easy disclosure of any wrongdoing. The procedure for disclosure must be easily comprehensible and should be accessible by all employees or individuals associated with the organisation;
  • the policy should provide adequate assurances and comfort regarding confidentiality of the identity of the whistleblower, continuity of association with the organisation, and the steps that the organisation will take to ensure that the whistleblower is not victimised, discriminated against or adversely impacted in any manner according to the disclosure (including facilitating legal assistance at the organisation’s cost, if necessary);
  • the policy should ensure that no action will be taken against whistleblowers who make disclosures in good faith and even allow for anonymous reporting; and
  • identification of what matters may be reported under the policy, the persons against whom such matters can be reported, the process that should be followed by the organisation, remedial measures, details of persons with whom reported information will be shared, and an overview of the mechanism for protecting whistleblowers and persons cooperating with an investigation, etc.  
Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The business operator must appoint a person in charge of handling the whistleblowing (article 11 of the Act).

The business operator may provide internal rules, including matters required under the Consumer Affairs Agency Guidelines on the Whistleblower Protection Act[1].


[1]   Consumer Affairs Agency, Guidelines for promoting appropriate and effective implementation of the due measures by the business operators based on Article 11, Paragraphs 1 and 2 of the Whistleblower Protection Act (“Consumer Affairs Agency Guidelines”) [Cabinet Office Notification No.118], , Section 4 (3)(iv) ,at p.4, last visited June 28, 2022.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The whistleblowing procedure should be established to avoid potential conflicts of interest. Usually, there are one or several employees responsible for the review of whistleblowing reports, or a combination of internal and third-party whistleblowing is used. Companies should avoid situations where, for example, responsible persons might encounter a conflict of interest upon review of whistleblowing reports (ie, if there is no alternative reporting channel and employees would have to report to the perpetrator, who is also the responsible person in the company). In any case, responsible persons who review or analyse whistleblowing reports should be someone with a good reputation and trust in the company.

The principle of data minimisation and confidentiality should be observed throughout the whole procedure.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

When setting up an internal channel for reporting breaches, it is worth considering who will be responsible for its administration, the investigation of information and how the confidentiality of individuals will be protected.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

As follows:

  • The establishment of channels for the receipt of reports that are conceived, set up and managed securely and guarantee the confidentiality of the identity of the author of the report and any third party mentioned, and protect these channels from unauthorised persons;
  • an acknowledgement of receipt sent to the author of the report within seven days of receipt of the report;
  • designation of an impartial person or service competent to follow up on reports;
  • diligent follow-up by the designated person or service;
  • a reasonable time to provide feedback, not exceeding three months from the acknowledgement of receipt of the report or, failing that, three months from the end of the seven-day period following the report; and
  • provision of clear and easily accessible information on the report procedures and their use to the competent authorities.
Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

When drafting a whistleblowing policy, employers should ensure that the whistleblowing procedure guarantees the impartial and confidential treatment of reports. It must also ensure that the whistleblowing procedure is operated securely and prevents access to reports by non-authorised staff members.

The obligation to adhere to the principle of data protection by design and default means that the whistleblowing procedure itself must be designed to be GDPR-compliant from the start. The employer would need to have a privacy notice that covers any processing of personal data carried out in connection with the whistleblowing procedure. Any processing of personal data carried out in the context of the obligation to establish a whistleblowing procedure under the Act must be documented to demonstrate compliance with the GDPR – the accountability principle.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The precautions that must be put in place when setting up a whistleblowing procedure are anonymity of the whistleblower, effective and reliable processes for investigating anyone accused of unethical conduct and protection of the whistleblower, among others.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

The legal entity will ensure that the internal reporting procedure and the related processing of personal data prevent unauthorised persons from gaining access to the information covered by the report and protect the confidentiality of the identity of the reporting person, the person concerned, and the third party indicated in the notification.  Confidentiality protection relates to information that identifies such persons, directly or indirectly.

The employer may create an impartial, internal unit or person within the structure of the legal entity, authorised to undertake follow-up actions.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The completeness, integrity and preservation of the complaint, the confidentiality or anonymity of the complainants and the confidentiality of any third parties mentioned in the complaint must be guaranteed. Unauthorised access must also be prevented.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

The big challenge is to create a system that would strike a balance between better protection and an increased incentive for the whistleblower to notify breaches. As mentioned in question 7, employers need to make a thorough analysis and decide whether to handle the whistleblowing channel from within the company or outsource it to a specialised provider that is known in the Romanian market and trusted by employees.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Some requirements must be met in the implementation of whistleblowing procedures: easy-to-follow guidelines, confidentiality, and good practice for monitoring, investigation and whistleblower protection.

These precautions are bolstered by sections 18 and 20 of the Constitution. These sections consolidate the rights to privacy, information and freedom of speech that influence Law 3/2018 on Data Protection and the guarantee of Digital Rights, and the Draft.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

Businesses should ensure that personal data processed through a whistleblowing channel is handled according to the GDPR and the Whistleblowing Act, meaning the personal data controller should implement sufficient technical and organisational safety measures to protect personal data.

Further, employees and other impacted persons should, as a general rule, be informed upfront of any processing of personal data that may take place.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

The Department for Business Innovation and Skills guidance on whistleblowing recommends, as best practice, several practical considerations when setting up a whistleblowing procedure, including, but not limited to:

  • employers should provide training to all workers on how disclosures should be raised and to managers on how to deal with disclosures;
  • organisations should ensure that there are a range of alternative persons who a whistleblower can approach if a worker feels unable to approach their manager; and
  • any clauses in any settlement agreements or non-disclosures agreements (including confidentiality clauses in the employment contract) must not prevent workers from making disclosures in the public interest.
Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Key elements of an effective whistleblowing procedure include:

  • repeated and consistent messaging from senior leadership regarding the employer’s commitment to creating a “culture of compliance” and encouraging employees to bring forth good-faith complaints without fear of retaliation;
  • policies and procedures for receiving, investigating and addressing employees’ complaints;
  • policies and procedures for receiving, investigating and addressing complaints of retaliation;
  • anti-retaliation policies and related training for employees and managers; and
  • program oversight through ongoing monitoring and periodic audits.

Employers should continuously review and update their policies and procedures to ensure that they keep pace with developments in the business, legal and regulatory landscape.

Last updated on 29/07/2022

10. What types of breaches/violations are subject to whistleblowing?

10. What types of breaches/violations are subject to whistleblowing?

Flag / Icon

Australia

  • at Lander & Rogers

Section 1317AA of the Corporations Act provides that a disclosure qualifies for protection under the Act where:

  • the discloser is an eligible whistleblower; and
  • the disclosure is made to any of the following:
    • ASIC;
    • APRA;
    • A Commonwealth authority; and
    • Subsection 4 or 5 applies - see immediately below. 

Subsection 4 applies to disclosures of information where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs or circumstances related to:

  • the regulated entity; or
  • a related body corporate of the regulated entity.

Subsection 5 applies to a disclosure of information if the discloser has reasonable grounds to suspect that the information:

  • indicates the regulated entity or officer of the entity or related body corporate of the entity or officer of the related body, has engaged in conduct that constitutes an offence against, or contravention of any of the following:
    • the Corporations Act;
    • the ASIC Act;
    • the Banking Act 1959;
    • the Financial Sector (Collection of Data) Act 2001;
    • the Insurance Act 1973;
    • the Life Insurance Act 1995;
    • the National Consumer Credit Protection Act 2009;
    • the Superannuation Industry (Supervision) Act 1993;
    • an instrument made under an Act referred to in any of subparagraphs (i) to (viii); or
  • constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months or more, represents a danger to the public or the financial system, or is prescribed by the regulations for this paragraph.

What an entity chooses to specify as falling under the policy, therefore, needs to cover these areas.

ASIC Regulatory Guide 270 provides some examples:

  • illegal conduct;
  • fraud, money laundering, misappropriation of funds;
  • offering or accepting a bribe;
  • financial irregularities;
  • failure to comply or breach of legal or regulatory requirements; and
  • engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Belgium has copied the list of the EU directive, but has expanded this with some very important domains. The breaches in the following fields of law (domains) fall under the material scope of the Whistleblower Act:

  • public procurement;
  • financial services, products and markets and the prevention of money laundering and terrorist financing;
  • product safety and compliance;
  • transport safety;
  • environmental protection;
  • radiation and nuclear safety;
  • food and feed safety, animal health and welfare;
  • public health ;
  • consumer protection;
  • protection of privacy and personal data and security of networks and information systems;
  • combating tax fraud; and
  • combating social fraud.

Compared to the EU Directive, the two last fields were added. For employers, the social fraud domain is especially interesting as this includes (non-exhaustively) all breaches of the Social Penal Code and all breaches of the statute of independent workers. The Social Penal Code provides for sanctions for breaches of almost all provisions of social law (employment law and social security law); moreover, article 1 of the Social Penal Code defines social fraud as any breach of social legislation that falls under the competence of the federal government. This means that almost all breaches of social laws will fall under the scope of the whistleblowing procedure.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

In addition to violations of the company’s Code of Conduct, Compliance Policies, etc, companies should focus on the prevention of government corruption, such as the examples listed in the Brazilian Anticorruption Act (main examples below):

  • promise, offer or give, directly or indirectly, an undue advantage to a public agent, or a third party related to that agent;
  • finance, fund, sponsor or in any way subsidise the practice of illegal acts referred to in this Law;
  • use an intermediary, natural or legal person, to hide or disguise real interests or the identity of the beneficiaries of the acts performed; and
  • with regard to bids and contracts:
  • frustrate or defraud, through adjustment, combination or any other expedient, the competitive nature of a public bidding procedure;
  • prevent, disturb or defraud the performance of any public bidding procedure;
  • remove or seek to remove a bidder, through fraud or the offering of an advantage of any kind;
  • defraud a public bid or a contract resulting therefrom;
  • fraudulently or irregularly create a legal entity to participate in a public bid or enter into an administrative contract;
  • fraudulently obtain an undue advantage or benefit from modifications or extensions to contracts entered into with public bodies, without authorisation by law, in public bids or the respective contractual instruments; or
  • manipulate or defraud the economic-financial balance of contracts entered into with public bodies.

Also, conduct related to unfair competition, money laundering, harassment, and discrimination have been included as violations that can be reported in whistleblower channels.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

The material scope of the WBP Act encompasses the following breaches or violations (under the WBP Act they are named “irregularities”):

  • related to the scope of application of the EU Acts listed in Part I of the Annex to the Directive;
  • affecting the financial interests of the EU, as stated in article 325 of the Treaty on the Functioning of the European Union and further defined by relevant EU measures;
  • relating to the internal market, as stated in article 26(2) of the Treaty on the Functioning of the European Union, including breaches of EU rules on competition and state aid, and breaches of corporate tax rules or arrangements to create a tax advantage contrary to the applicable corporate tax legislation; and
  • relating to other rules of Croatian law, the breach of which undermines the public interest.

The WBP Act defines the term “irregularities” as actions or omissions that are unlawful and relate to or are incompatible with the goal or purpose of the above-stated legislation.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

The Whistleblowing Act covers reports on the following matters:

  • breaches of EU law as defined in the EU Whistleblowing Directive;
  • serious breaches of law (eg, theft, sexual harassment, hacking); and
  • other serious matters (eg, significant and/or repeated breaches of internal guidelines).

Serious breaches of the law and other serious matters may be included too if the breach is a matter of public interest. Reports on more trivial or petty matters, including reports on the whistleblower's employment relationship, are not generally covered.

Whistleblower units must consider whether a report qualifies as a relevant matter on a case-by-case basis.

Certain types of reports are de facto excluded from the scope of the Whistleblower Act, including reports with information covered by a special duty of confidentiality for lawyers and healthcare personnel, classified national security information, and criminal proceedings.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

The list of breaches and violations provided by the law is very wide. It covers:

  • crime and offences;
  • threat or harm to the public interest;
  • violation of an international commitment duly ratified or approved by France, or of a unilateral act of an international organisation taken based on such a commitment; and
  • a violation of the law of the European Union, or its regulations. 

However, facts, information or documents, covered either by national defence, medical or lawyer/client confidentiality are excluded from the whistleblower rules. This means that it is not possible to divulge that kind of information. If the whistleblower does it anyway, he or she will not benefit from whistleblower protection.

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The draft bill´s material scope of application goes beyond European legal requirements. It extends the material scope of application to all violations that are subject to punishment (section 2 (1) No. 1 HinSchG-E). Additionally, violations subject to fines are included insofar as the violated regulation serves to protect life, body, health or the rights of employees or their representative bodies (section 2 (1) No. 2 HinSchG-E). The last alternative covers not only regulations that directly serve occupational health and safety or health protection, but also related notification and documentation requirements, for example under the Minimum Wage Act. Thus, as a result, section 2 (2) No. 2 HinSchG-E covers the majority of administrative offences in the context of employment.

Finally, the draft bill also provides for a list of infringements that predominantly correspond to the relevant areas of law according to the recitals of the EU Whistleblower Directive.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

As per the Whistle Blower Protection Act, a whistleblower may make a complaint or disclosure relating to:

  • the committing of or an attempt to commit an offence under the Prevention of Corruption Act 1988 by a public servant;
  • wilful misuse of power or wilful misuse of discretion by which demonstrable loss is caused to the government or demonstrable wrongful gain accrues to the public servant or any third party; and
  • the committing of or an attempt to commit a criminal offence by a public servant.

The Companies Act only states that stakeholders of a company may report “genuine concerns” under the vigil mechanism. While the definition of “concerns” has not been provided for under the Companies Act, it would be a prudent assumption that it covers instances of suspected fraud and non-compliance with applicable laws, rules and procedures or any other wrongdoing that would adversely affect the organisation or stakeholders at large (financially or otherwise).

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The Act covers whistleblowing of a “reportable fact” as defined in article 2, paragraph 3 of the Act) which is:

  1. a fact of an occurrence of a criminal act under the laws listed in the Appended Table of the Act[1], (including orders based on the laws) concerning the protection of individual lives and security of the person; consumer interests; environmental conservation; fair competition; lives, personal security and property of citizens; and other similar interests (“Appended Table Laws”), or a fact forming the grounds for an administrative fine provided for in the Act or Appended Table Laws; or
  2. a fact which is the reason for a disposition such as an order of a competent authority in the case where a violation of a disposition pursuant to the Appended Table Laws constitutes a fact in item (i) above (including the fact which is the reason for a different disposition or recommendation, in the case where the reason for disposition is the fact which is in violation of a different disposition or the fact which is not complying with a recommendation, etc. under the Appended Table Laws )[2].
 

[1]   The Appended Table of the Act lists the following:

  1. Penal Code;
  2. Food Sanitation Act etc.;
  3. Financial Instruments and Exchange Act;
  4. Act on Japanese Agricultural Standards,
  5. Air Pollution Control Act;
  6. Waste Management and Public Cleansing Act;
  7. Act on the Protection of Personal Information; and
  8. Other laws designated by cabinet order as laws concerning the protection of individual lives and security of the person; consumer interests; environmental conservation; fair competition; the lives, personal security and property of citizens; and other similar interests.

[2] An example of a reportable fact in the case of (ii) would be a violation of Food Labeling Standards under the Food Labeling Act. To be more specific, a violation of Food Labeling Standards itself does not constitute a criminal act, but if there is a violation of Food Labeling Standards, the prime minister may instruct the violator to comply with the Food Labeling Standards, and if after receiving the instruction, the violator does not take the measures pertaining to such instruction without just cause, the prime minister may order such violator to take the measures pertaining to such instruction. A violation of such order constitutes a criminal act. Therefore, a violation of Food Labeling Standards would be included in a reportable fact under this clause (Consumer Affairs Agency, Handbook for whistleblowing, at p.8), last visited June 28, 2022).

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The Whistleblowing Act allows the reporting of any violations related to the public interest, while specific attention is drawn to the following areas in the law:

  • inaction, negligence, abuse of office or other unlawful acts of public officials;
  • corruption, violations of the rules on financing political organisations (parties) and their associations and restrictions on pre-election campaigning;
  • embezzlement of public funds or property;
  • tax evasion;
  • public health threats;
  • threat to food safety;
  • threat to building or construction safety;
  • threat to environmental safety, including actions affecting climate change;
  • radiation protection and nuclear safety;
  • threat to occupational safety;
  • threat to public order;
  • violation of human rights;
  • infringements in the field of public procurement and public-private partnerships;
  • infringements in the financial and capital market sector, including fraud and other illegal activities affecting the financial interests of the European Union;
  • money laundering and the prevention of the financing of terrorism and proliferation;
  • infringements of competition law and business support rules;
  • infringements in the field of the provision of goods and services, including safety and compliance;
  • infringements in the field of transport safety;
  • infringements in the field of the internal market;
  • infringements in the field of animal welfare;
  • consumer protection; and
  • protection of privacy and personal data and security of network and information systems.
Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

According to the Law, a “breach” means a criminal act, administrative offence, official misconduct or breach of work duties, or a gross violation of the mandatory norms of professional ethics, an attempt to conceal said infringement or any other breach of the law posing a threat or causing harm to the public interest. It is a breach if it has been planned but not implemented, is being committed or has been committed at the company. Whistleblowers may become aware of the breach through his or her present or former service, employment or contractual relationship (eg, counseling, contracting, subcontracting, internships, volunteering) with this company, including through recruitment or another pre-contractual relationship.

The list of areas of breaches is not definitive, which means that it covers all possible areas for the protection of the public interest, not just those listed in article 2(1) of the Directive.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

While the directive only covers certain acts and policy areas of the European Union, the government has decided, in line with its coalition programme [2018-2023], to extend the scope of Bill 7945 to all national laws.

The scope of whistleblowing in the current regime in the financial sector, the insurance sector, the public sector and the Labour Code, includes:

  • Insurance sector: potential or actual infringements of the laws and regulations listed in articles 303 paragraph 1, and 304 or other conduct referred to in articles 303 paragraph 1, and 304 (article 4, a) of the law of December 7, 2015, on the insurance sector (ie, any infringement of the law of 7 December 2015 on the insurance sector and its implementing regulations; any infringement of the law of 27 July 1997 on insurance contracts, as amended, and its implementing regulations; any failure to comply with the instructions of the Commissariat Aux Assurances);
  • Financial sector: any suspicion or reasonable grounds to suspect that money laundering, a related predicate offence or terrorist financing is taking place, has taken place or has been attempted; any potential or proven violations of the law of 5 April 1993 on the financial sector or the law of 30 May 2018 on markets in financial instruments; and any significant and legitimate concerns related to the internal governance of the institution or to internal and regulatory requirements in general;
    • Labour Code: bribery, influence peddling and unlawful taking of interest regarding their colleagues, their employer or anyone senior in rank, as well as an external person; any work situation which can reasonably be suspected to present a serious and immediate danger to health and safety and any flaw in protective systems; and any discrimination or sexual harassment;
    • Public sector: equal treatment, direct or indirect discrimination, sexual harassment, unlawful taking of interest, bribery, influence peddling, bribery of judges and acts of intimidation committed against persons holding public office.
Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

Broadly speaking, information on improper practices would be considered a protected disclosure and would fall within the scope of the Act. Such information (including reasonable suspicions) would relate to actual or potential improper practices that occurred or are very likely to occur in the organisation the whistleblower works in or has worked in, or one with which the whistleblower is or was in contact through their work, and about attempts to conceal such improper practices.

The list of improper practices provided by the Act includes:

  • failure to comply with any applicable legal obligation;
  • danger or risk thereof to the health or safety of any individual;
  • damage or risk thereof to the environment;
  • the occurrence or potential occurrence of any corrupt practice;
  • the commission or potential commission of any criminal offence;
  • miscarriages of justice;
  • bribery;
  • breaches of EU legislation that concern areas such as transport safety, consumer protection, protection of privacy and personal data, and security of network and information systems, among others;
  • breaches affecting the financial interests of the EU; and
  • breaches relating to the internal market (eg, breaches of competition and state aid rules).

Disclosure of information protected by legal and medical professional privilege is not a protected disclosure under the Act.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

All illegal or unethical dealings of a company, an employer or director of a company are subject to whistleblowing.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

Breaches of:

  • public procurement;
  • financial services, money laundering, and terrorist financing;
  • product safety and compliance;
  • transport safety;
  • environmental protection;
  • radiation protection and nuclear safety;
  • food and feed safety, animal health and welfare;
  • public health;
  • consumer protection;
  • protection of privacy and personal data, and security of network and information systems;
  • rules for the protection of financial interests of the EU related to the fight against fraud, corruption, and any other illegal activity affecting EU expenditures or revenue;
  • the functioning of the internal market;
  • EU competition law and state aid rules;
  • corporate tax laws; and
  • violations concerning the financial interests of the treasury of Poland or a local authority unit.

According to the provisions of the EU Whistleblower Directive, the draft bill also includes a list of violations that primarily relate to relevant legal disciplines.

The employer may additionally establish reporting of violations other than those indicated in the Directive, including those relating to the employer's internal regulations or ethical standards.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

For this law, the following shall be considered an infringement:

  1. anything contrary to rules contained in the Acts of the European Union referred to in the Annex to Directive (EU) 2019/1937 of the European Parliament and the Council, or any national rules implementing, transposing or complying with such acts or to any other rules contained in legislative instruments implementing or transposing them, including those providing for criminal offences or administrative offences, concerning the fields of:
    • public procurement;
    • financial services, products and markets and the prevention of money laundering and financing of terrorism;
    • product safety and compliance;
    • transport safety;
    • environmental protection;
    • radiation protection and nuclear safety;
    • food and feed safety, animal health and animal welfare;
    • animal health and welfare;
    • public health;
    • consumer protection; and
    • the protection of privacy and personal data and security of network and information systems;
  2. anything contrary to and detrimental to the financial interests of the European Union referred to in article 325 of the Treaty on the Functioning of the European Union (TFEU), as specified in the relevant Union measures;
  3. anything contrary to the internal market rules referred to in article 26(2) TFEU, including competition and state aid rules, as well as corporate tax rules;
  4. violent, especially violent and highly organised crime, as well as the crimes provided for in article 1(1) of Law No. 5/2002 of 11 January establishing measures to fight organised and financial crime; and
  5. anything contrary to the rules or provisions covered by paragraphs (1) to (3).

Although it is not expressly foreseen in EU and domestic legislation, it is debatable whether breaches or violations of employment law rules are subject to whistleblowing.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

The proposed Romanian implementation follows encouragement by the EU to extend the list of sectors (public procurement, financial services, money laundering, product and traffic safety, public health, consumer and data protection) subject to whistleblowing procedures and stipulate a general protection for reports on any breaches of law, including specific rules on ethics and codes of conduct for certain professions. Such an extension of the scope of application, combined with vague exclusions (see question 11) and the refusal to analyse anonymous reports, may, however, have the opposite effect and discourage whistleblowers from reporting any wrongdoing.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Section 2 of the Draft establishes that “this law protects the natural persons who report, through any of the procedures provided for therein”:

  • Any action or omission in breach of European Union law as defined in the Annex to the Directive, regardless of the categorisation they receive under national law, and provided that they affect the financial interests of the Union as referred to in section 325 TFEU or have an impact on the internal market as referred to in section 26 (2) of the TFEU.

    This scope corresponds with that of the Directive.
  • Any action or omission that may constitute a serious or very serious criminal or administrative offence or any violation of the rest of the legal system, provided that it directly affects or undermines the public interest and does not have a specific regulation. In any case, the public interest is deemed affected when the action or omission involves economic loss for the Treasury.

    This is an expanded scope introduced by the Draft.

    Section 2 also refers to particular cases where the protection of the Law transposing the Directive will apply (for example, in reports regarding infractions of occupational hazards regulations, even if there is a specific regulation) or not (classified information, among others).
Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

As a starting point, any breach, violation, irregularity or misconduct, as well as any personal grievance, may be subject to whistleblowing.

That said, the Whistleblowing Act only applies to whistleblowing in a work-related context concerning:

  • violations of EU law as per the Whistleblowing Directive; and
  • irregularities in the public interest.

Irregularities in the public interest include any act, omission, accident or other occurrence, whether intentional or negligent, ongoing or historical that may harm the public at large. Whistleblowing concerning other irregularities and misconduct, such as personal grievances or concerns related to the reporting person’s working conditions, are not protected under the Whistleblowing Act. Instead, such whistleblowing may be protected under, for example, the Discrimination Act.

Also, note that the Whistleblowing Act does not apply to whistleblowing concerning certain matters of national security.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

In the UK, only certain “protected disclosures” will be protected under the Employment Rights Act 1996. There are several conditions, one of which is that the disclosure of the information must “tend to show” that one or more types of failures or wrongdoing has occurred or is likely to occur (each a “relevant failure”):  

  • a criminal offence has been committed, is being committed or is likely to be committed;
  • a person has failed, is failing or is likely to fail to comply with any legal obligation to which he or she is subject;
  • a miscarriage of justice has occurred, is occurring or is likely to occur;
  • the health or safety of any individual has been, is being or is likely to be endangered;
  • the environment has been, is being or is likely to be damaged; or
  • information tending to show any matter falling under the categories above is being or is likely to be deliberately concealed.

There is no requirement that the qualifying disclosure must relate to a relevant failure or failures of the employer. The disclosure can relate to a relevant failure of the employer, an individual employed or engaged by the employer or a third party.

There is also no requirement that the relevant failure occurs or would occur in the UK. It could occur, or be occurring, outside of the UK.

The other conditions are set out in question 14.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Whistleblowing protections under federal law apply to complaints concerning a broad array of subjects, including, but not limited to:

  • Fraud and Financial Issues
    • Anti-Money Laundering Act;
    • Consumer Financial Protection Act;
    • Criminal Antitrust Anti-Retaliation Act;
    • SOX;
    • Taxpayer First Act;
  • Employee Safety
    • section 11(c) of the Occupational Safety and Health Act (OSH Act);
  • Environmental Protection
    • Asbestos Hazard Emergency Response Act;
    • Clean Air Act;
    • Comprehensive Environmental Response, Compensation and Liability;
    • Energy Reorganization Act;
    • Federal Water Pollution Control Act;
    • Safe Drinking Water Act
    • Solid Waste Disposal Act;
    • Toxic Substances Control Act;
  • Consumer Product, Motor Vehicle, and Food Safety
    • Consumer Product Safety Improvement Act;
    • FDA Food Safety Modernization Act;
    • Moving Ahead for Progress in the 21st Century Act;
  • Transportation Services
    • Federal Railroad Safety Act;
    • International Safe Container Act;
    • National Transit Systems Security Act;
    • Pipeline Safety Improvement Act;
    • Seaman’s Protection Act;
    • Surface Transportation Assistance Act;
    • Wendell H Ford Aviation Investment and Reform Act for the 21st Century
  • Health Insurance
    • Affordable Care Act
Last updated on 29/07/2022

11. Are there special whistleblowing procedures applicable to specific economic sectors or professional areas?

11. Are there special whistleblowing procedures applicable to specific economic sectors or professional areas?

Flag / Icon

Australia

  • at Lander & Rogers

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act as section 1317AAB outlines what is a regulated entity. It includes:

  • a Company;
  • a Corporation to which paragraph 51(xx) of the Constitution applies;
  • an authorised deposit-taking institution;
  • a general insurer;
  • a life company;
  • a superannuation entity or trustee; or
  • an entity prescribed by the regulations.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

The Act provides for an extra strict enforcement mechanism for companies active in financial services, products and markets and for rules for the prevention of money laundering and terrorist financing. So the financial and banking sector is under additional scrutiny. However, the procedures stay mostly the same.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Yes. As a result of the Brazilian Anti-Money Laundering law, the Central Bank has issued an administrative ordinance (4859/2020) that determines that financial institutions and other businesses subject to its authority have a whistleblower channel. Among other obligations, they must inform the Central Bank of operations that may indicate potential money laundering conduct. Non-compliance with such obligations will expose the companies and their officers to penalties such as warnings, fines, temporary bans from working as an officer of a company subject to the Central Bank’s authority or even closing of the business.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Yes, the WBP Act specifically excludes its application in the matters of defence and national security, except where such matters are covered by Union acts listed in Part I of the Annex to the Directive. Furthermore, the governmental bodies competent for matters of defence and national security must regulate the protection of whistleblowers and the reporting procedure in the areas of key security and defence interests (specifically the protection of key security and defence interests). To our knowledge, there are still no adopted or publicly available regulations covering WBP and reporting procedures in the areas of key security and defence interests.

In addition, if the Union acts listed in Part II of the Annex to the Directive provide for separate rules on reporting irregularities, the WBP Act restricts its application only to matters that have not been regulated by such separate rules.

Last updated on 29/07/2022

Flag / Icon

Denmark

  • at IUNO
  • at IUNO

Yes, sector-specific regulations may impose additional procedures and obligations. This namely concerns the financial sector and may follow from special rules such as the Danish Anti-Money Laundering Act or the Danish Payment Act (see question 1).

Moreover, breaches of statutory secrecy obligations may result in sanctions if the matter being reported is excluded from the scope of the Whistleblowing Act.

Last updated on 30/11/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

There are special whistleblowing procedures for some areas, including banking and insurance; these industries which may offer additional advantages, such as a simplified reporting procedure.

For instance, the Financial Market Authority (FMA) has deployed a whistleblowing system reserved for persons looking to provide the FMA with strictly confidential information concerning infringements of European legislation, the Monetary and Financial Code or the FMA General Regulation. 

A whistleblower who has learned of such events in his or her working life or business relationships can report them in writing (in electronic format or on paper), verbally by phone, or by meeting in person with specialist members of the staff in the offices of the AMF.

An acknowledgement of receipt is sent within seven days.

Guarantees apply to whistleblowers who report infringements accurately:

  • the originator of the report, the person targeted and the information collected are strictly confidential during receipt and processing; and
  • the whistleblower would also not be subject to dismissal, punishment or discriminatory measures, whether direct or indirect, notably concerning compensation or career development, or any other unfavourable measure, for having in good faith reported an infringement to the FMA.

(DOC-2018-13 – Procedures for whistleblowers reporting infringements of the regulations to the FMA; Act 2016-1691 of 9 December 2016 on transparency, anti-corruption and economic modernisation, article L.634-1 of the Monetary and Financial Code)

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The draft bill of the Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG-E). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

The Whistle Blowers Act of 2014 targets public servants and is intended to prevent corruption, misappropriation of assets and misuse of power in the public sector. Further, provided a whistleblower makes full and true disclosure of all material facts, the settlement commissions established under the Income Tax Act 1961 and the Goods and Services Tax Act 2016 have the power to grant them immunity from those statutory penalties. Similarly, the Competition Commission of India established under the Competition Act 2002 possesses the power to award a reduced penalty to an informant who is a part of an anticompetitive cartel and makes a full, true and vital disclosure.  The Securities Exchange Board of India also rewards whistleblowers who are themselves guilty of violating securities law by granting anonymity and a pardon for their complete cooperation.

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

No, there are no special whistleblowing procedures applicable to specific economic sectors or professional areas.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

Latvian law does not provide for special whistleblowing procedures. Whistleblowing is subject to special procedures only in cases where such special procedures are established specifically in law.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

No.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

There are special procedures currently in place in the financial sector or for state and municipal employees.

In such cases, the provisions of the Bill will supplement the less favourable provisions of these existing procedures.

Last updated on 29/07/2022

Flag / Icon
Malta

Malta

  • at Camilleri Preziosi
  • at Camilleri Preziosi
  • at Camilleri Preziosi

Sector-specific rules on reporting may be found in legislation relating to the financial services sector. Professionals or institutions carrying out a relevant activity or financial business may be subject to rules on reporting knowledge or suspicions of money laundering or the funding of terrorism.

Reports relating to the activities of persons operating within certain sectors are received and processed by the regulator, as set out in a schedule to the Act. For example:

  • the Financial Intelligence Analysis Unit is the authority responsible for the receipt of reports from any employee of a natural or legal person, subject to the Prevention of Money Laundering Act (Chap. 373 of the laws of Malta – the PMLA) or the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01 – the PMLFTRs), of improper practices linked to the PMLA/PMLFTRs; and
  • the Malta Financial Services Authority (the MFSA) is the authority in Malta responsible for the receipt of reports from any employee of a person or company that provides the business of credit and financial institutions, the business of insurance and the activities of insurance intermediaries, the provision of investment services and collective investment schemes, pensions and retirement funds, regulated markets, central securities depositories, the carrying out of trustee business either in a professional or a personal capacity, and any other areas of activity or services as may be under the supervisory and regulatory competence of the MFSA.

Where specific rules on the reporting of improper practices or breaches are provided for in sector-specific legislation, those laws will apply and the provisions of the Act will apply to the extent that a matter is not expressly regulated by that legislation.

Last updated on 16/11/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

Yes. Some of the Codes and Guidelines with whistleblowing procedures that are industry-specific have been stated in question 1.

Last updated on 29/07/2022

Flag / Icon

Poland

  • at Baran Książek Bigaj
  • at Baran Książek Bigaj

Regarding the internal reporting procedure, the Bill itself does not differentiate between different industries. However, sectoral whistleblowing regulations cover the banking and financial sector, insurance sector, and civil aviation sector, combating unfair competition and AML-obliged entities.

Last updated on 17/11/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

According to article 116-AA of the Legal Framework of Credit Institutions and Financial Companies, credit institutions must implement specific, independent and autonomous means for receiving, processing and filing reports of serious irregularities related to their administration, accounting organisation and internal supervision, and any serious signs of breaches of the duties provided for in the Legal Framework or Regulation (EU) No. 575/2013 of the European Parliament and the Council.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

Appendix 1 to the Draft Law contains references to the special procedures applicable both EU-wide and at a national level (ie, stock-listed companies, the insurance sector, managers of alternative investment funds and offshore oil businesses). Specialists have particularly drawn attention to the fact that the vague wording of article 1 paragraph 4 of the Draft Law may exclude a large spectrum of companies involved in national defence and security from the mandatory protection of whistleblowers.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Yes, for example in the finance sector (anti-money laundering) and antitrust.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

Yes, there are sector-specific regulations that have precedence over the Whistleblowing Act, such as within the financial services sector.

Also, certain professionals can be held liable for any wilful breach of qualified secrecy applicable by law.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

The UK Corporate Governance Code recommends public-listed companies implement whistleblowing procedures.

Financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority will be subject to regulatory rules and requirements that govern the terms and operation of their whistleblowing procedures.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Different whistleblower statutes employ different procedures. For example, an employee cannot file a SOX whistleblower claim in a federal district court before filing a complaint with the Occupational Safety and Health Administration (OSHA) and exhausting all administrative remedies. An employee alleging retaliation under Dodd-Frank, by contrast, need not first file a complaint with OSHA; they may proceed directly to court. Similarly, many state whistleblower statutes do not erect any administrative hurdles.

Last updated on 29/07/2022

13. Who can be a whistleblower?

13. Who can be a whistleblower?

Flag / Icon

Australia

  • at Lander & Rogers

Whistleblowers are often, but not always, employees of the organisations where the misconduct has occurred or is occurring.

Previous examples of internal whistleblowers include:

  • the Commonwealth Bank Financial Planner Scandal whistleblower; and
  • the CommInsure Life Insurance Scandal whistleblower.

Previous examples of external whistleblowers who were not employees include:

  • a Ponzi Scheme whistleblower who was an external financial analyst; and
  • the Trio Capital Superannuation Fraud whistleblower who was an external financial analyst.

While the commonly accepted definition of “whistleblowing” refers to employees of an organisation (both former and current), an eligible whistleblower is not limited to an employee of an organisation. This is highlighted in section 1317AAA of the Corporations Act, particularly subsections (c), (d), (g) and (h). This section of the Corporations Act is discussed further below.

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

The personal scope is very broad: it can be employees (workers); independent workers; shareholders; members of administrative, management or supervisory bodies; volunteers and interns (paid or unpaid); any person working under the supervision and direction of contractors, subcontractors and suppliers; ex-employees; or employment candidates. However, companies do not have to make their internal reporting channels accessible to persons other than their employees (the other persons can use the external system).

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

A whistleblower can be any person defined as such in the company’s Code of Ethics and Integrity, Whistleblower Procedure or equivalent document: employees, former employees, applicants, contractors, suppliers, clients or any persons that have information about inappropriate conduct.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

Any person that acquires knowledge of or information on irregularities within their work environment and reports such irregularities under the prescribed reporting procedure may be considered a whistleblower. This includes:

  • persons within an employment relationship;
  • persons with the status of a self-employed person;
  • holders of stocks in a joint-stock company or holders of shares in a limited liability company, as well as persons who are members of the administrative, management or supervisory body of a company, including non-executive members, volunteers, and paid or unpaid interns;
  • persons working under the supervision and direction of contractors, subcontractors and suppliers; and
  • persons that in any way participate in the activity of the legal or natural person.
Last updated on 29/07/2022

Flag / Icon

Denmark

Author: