Guide to Whistleblowing

Contributing Editors

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 18 countries, and the steps businesses must take to ensure compliance with them.

Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

17. What are the terms and conditions of the whistleblowing procedure?

17. What are the terms and conditions of the whistleblowing procedure?

Flag / Icon

Australia

  • at Lander & Rogers

ASIC Regulatory Guide 270 provides guidance on establishing a whistleblower policy. Under this guide, an entity's whistleblower policy must:

  • identify the different types of disclosers within and outside the entity who can make a disclosure that qualified for protection;
  • identify the types of wrongdoing that can be reported (ie, disclosable matters), based on the entity's business operations and practices;[3]
  • identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection;
  • include information about how to make a disclosure;
  • include information about the protections available to disclosers who qualify for protection as a whistleblower, including the protections under the Corporations Act; and
  • outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.
 

[3] The policy must also outline the types of matters that are not covered by the policy (eg, personal-work-related grievances).

Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

There are two main systems of reporting, the internal reporting procedure within a legal entity and the external reporting procedure (to a competent authority).

Concerning the internal reporting channel, the company must provide a protected and confidential reporting system. This is a channel for receiving reports that, by its design, structure and management, securely protects the confidentiality of the reporter and any third party named in the report, and to which unauthorised personnel do not have access. The reporting can take place verbally, in writing or both (so companies can choose the method). If verbally, this can be by telephone, another verbal system (eg, digitally) or through a meeting (but only at the request of the reporter and within a reasonable term).

Within seven days, the reporter needs to receive confirmation of receipt of the report. Next, the company should assign a “reporting manager” or “whistleblower officer” who can act independently and who does not have a conflict of interest. Instead of one person, it can also be a team (eg, a compliance team). This person or team will lead the “investigation” regarding the reported breaches and will be responsible for the careful follow-up of the report. This careful follow-up is defined as “an action by the recipient of a report to check the accuracy of the allegations made in the report and to address the reported infringement where appropriate, including through measures such as an internal preliminary investigation, an investigation, prosecution, recovery of funds or termination of the proceedings. Within three months after the confirmation of receipt, the reporter needs to receive feedback from the reporting manager. Feedback is defined as “providing the reporter with information on the follow-up as planned or taken and on the reasons for this follow-up”.

Concerning external reporting, a reporter can report to a competent authority after the internal reporting or immediately (without reporting internally). The competent authority (it is not yet fully clear which institution this will be, but in most cases this will probably be the federal ombudsman) also has to establish an independent and autonomous reporting system. Like internal reporting, there needs to be a confirmation of receipt within seven days following the reporting and feedback within three months after this confirmation. However, the competent authority can prolong this deadline (if required) to six months. Furthermore, the competent authority has to inform the reporter of the result of its investigation (if legally possible), so the procedure does not stop per se at the moment of feedback within three or six months. The competent authority can dismiss reports if it does not consider the report to contain meaningful information (but this has to be communicated to the reporter) and it can prioritise reports concerning severe breaches.

There is also a third procedure, namely the public disclosure of the information (eg, in the press, online or in a book or magazine). Reporters who publicly disclose information in this manner will be protected by the law if they follow certain conditions. If there is indirect disclosure (after an internal or external reporting procedure), the reporter will be protected if there have been no appropriate measures taken by the company concerning the report. If there is direct disclosure (without following the internal or external procedure first), the reporter will be protected if there is an urgent or real danger to the public interest or if there is a risk of retaliation if the information is reported externally, or if an appropriate reaction is unlikely. This will be the case in specific circumstances (eg, when there is a risk that the evidence will be destroyed or when there is collusion between the competent authority and the person or entity who has breached the rules). 

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

There are no legally required terms and conditions of the whistleblowing procedure. However, it is good practice that the procedure must be made promptly, independently, impartially, discreetly, and confidentially. Whistleblower channels must be easily accessible to employees and third parties, there should be mechanisms to protect good-faith whistleblowers, measures that guarantee the immediate suspension of irregular conduct and remediation of damages and disciplinary measures if there is a violation of the process.

Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

The whistleblowing procedure must be regulated by a whistleblower policy adopted by the company. In practice, the policy should include provisions regulating eligible whistleblowers; methods of reporting; the content of the whistleblowing report; the procedure for submitting, following up on and investigating the whistleblowing report with all applicable deadlines; and the appointment of a WBP officer and a deputy.

  • Eligible whistleblowers - please see answers to questions 12 and 13;
  • Methods of reporting - the whistleblowing report may be submitted either in writing (including e-mail communication) or verbally (meaning via a telephone call or voice message, or in a physical meeting if so requested by the whistleblower);
  • Content of the whistleblowing report - the whistleblowing report should contain information on the identity of the whistleblower, information on the reported body or person (ie, the body or person who committed irregularities), and information on the irregularities.
  • Procedure for submitting, following up on and investigating the whistleblowing report – after receiving the report, the WBP officer or their deputy must:
    • acknowledge receipt of the report within seven days;
    • without delay undertake actions within the officer’s competence as required to protect the whistleblower;
    • undertake actions required to investigate the reported irregularities and provide feedback to the whistleblower generally within 30 days, but in no case later than 90 days from the date of acknowledgement of receipt of the report, or if no acknowledgement was sent to the whistleblower, 90 days from the end of the seven-day period after the report was made;
    • without delay, forward the report to competent authorities for further processing if the irregularities have not been resolved in cooperation with the company;
    • without delay, notify the whistleblower in writing of the outcome of the investigation;
    • notify in writing the authority competent for external reporting on received reports within 30 days of a decision on the report;
    • keep confidential the identity of the whistleblower and all information contained in the report as required by the law; and
    • provide clear and easily available information regarding the procedure for submitting a report to the competent authority for external reporting and, as appropriate, institutions, bodies, offices or agencies of the European Union competent to take further action following the content of the report;
  • Appointment of a WBP officer and a deputy – the company must appoint a WBP officer and deputy at the request of a works council. If there is no works council, then a union trustee would make the request. If there is no works council or union trustee, then 20% of employees of the company would make the request. The appointed officer and deputy must provide written consent for the appointment. If any of the above does not request the appointment of an officer or deputy, the company may make the appointment at its discretion. If the WBP officer and deputy are appointed, and at any time the works council, union trustee or the abovementioned proportion of employees make a written request to the company proposing that any other persons be appointed as WBP  officer and deputy, the company must make the necessary replacements.
Last updated on 29/07/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

French law provides for specific requirements regarding independence, impartiality, confidentiality and data protection.

  • Independence and impartiality: the whistleblowing procedure must be independent and impartial in the treatment of the report and respect time limits in providing feedback to the author of the alert (fixed by decree to be published).
  • Confidentiality: the procedure must protect the identity of the authors, the persons concerned and any third party mentioned in the report.
  • Data protection: data relating to alerts may be kept only for as long as is strictly necessary and proportionate to process the alert and for the protection of the authors, concerned persons and any third parties mentioned in the alerts, taking into account the time required for any further investigations. 

Employers should also be careful regarding any action directed toward the whistleblower, as some behaviour could be considered a form of retaliation (disciplinary sanctions, intimidation and harassment, damage to reputation, financial loss, etc).

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The whistleblower procedure requires – in its broad outlines – that the personal and material scope of the Whistleblower Protection Act is applicable. Assuming this, the whistleblower must have obtained information about violations in connection with his or her professional activities or in advance of professional activities. In a further step, the whistleblower must report or disclose these violations to the internal and external reporting bodies responsible. The Reporting Office will issue an acknowledgement of receipt to the person making the report within seven days. Within three months of the acknowledgement of receipt, feedback will be provided to the whistleblower on planned and already taken follow-up measures and their reasoning. This information will be documented in compliance with the principle of confidentiality. This documentation will be deleted two years after the conclusion of the proceedings.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

For Covered Companies, the terms and conditions, as well as the whistleblowing procedure, will be subject to the policy adopted by them. As regards the Whistle Blower Protection Act, at the time of writing there is no specific procedure prescribed in the legislation (this would be prescribed by the rules framed by the appropriate governments once the Whistle Blower Protection Act is in force).

Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

A point of contact will accept the whistleblowing report, and the necessary investigation will be conducted unless there is a just reason not to do so. When it becomes clear that a violation of laws and regulations has occurred as a result of the investigation, the business operator needs to promptly take necessary measures to stop the violation or make other necessary rectifying measures. In addition, after taking action, the business operator needs to confirm whether such measures are effective, and if they are not, take the necessary measures again[1].

When whistleblowing is accepted in writing, the business operator must promptly notify the whistleblower that they have taken measures to stop the violation or other necessary rectifying measures or that there is no violation, provided it does not impede the course of business and the protection of the confidentiality, credibility, honour, privacy, etc, of interested parties[2].

 

[1]   Consumer Affairs Agency Guidelines, supra note 8, Section 4(1)(i)&(iii), at p.2.

[2]   Id, Section 4(3)(ii), at p.3.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

There are no terms provided in the law for the submission of a whistleblower’s report. Nevertheless, the Whistleblowing Act contains a list of information that should be provided in whistleblowers’ reports. These may include a description of the violation and if information about the violation was provided before, as well as reporting channels for whistleblowers’ reports and the procedure for how whistleblowers’ reports should be reviewed.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

Information about the breach can be provided in several ways:

  • through an internal channel at the institution;
  • directly to the competent authority – when there are at least one of the circumstances specifically listed in the Law; and
  • by reporting such information publicly.

When information is provided through an internal channel at the company, the company, not later than two working days from the receipt of the information on the breach, must inform the whistleblower of receipt of the information provided by him or her, and – within 10 working days of the receipt of such information – notify the whistleblower about the progress of the investigation or a decision to refuse to investigate.

When providing information on a breach or notification to the competent authority, the whistleblower will indicate the specific factual circumstances of the breach (what is the breach, who committed it, when it was committed, etc), whether the breach has already been reported and, if yes, who it has been reported to and whether a response has been received, and his or her identifying information, contact details, and other information provided by law. If possible, a whistleblower should attach written or other available data about a breach.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

Please refer to our answer to question 9.

Last updated on 29/07/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

There is no uniform statute containing the terms and conditions of the whistleblowing procedure. The whistleblowing procedure to be adopted by each company depends on the provision of the NCCG[1] and the sectoral codes[2].

Thus, the terms and conditions of the whistleblowing procedure vary from company to company under their whistleblowing policies.

 

[1] Principle19.2 of the Nigerian Code of Corporate Governance 2018.

[2]Section 32.3 of the SEC Code of Corporate Governance for Public Companies.

Last updated on 29/07/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The identity of the whistleblower, as well as any information that directly or indirectly allows the identity of the whistleblower to be revealed, is confidential and access is restricted to persons responsible for receiving or following up complaints. Additionally, entities and competent authorities responsible for receiving and handling complaints must keep a record of the complaints received and retain it for at least five years or, regardless of this limit, while judicial or administrative proceedings relating to the complaint are pending. Complaints made verbally, by recorded telephone call or other recorded voice message system, may be recorded, with the consent of the complainant, by recording the disclosure on a durable and retrievable storage medium or transcribing the communication fully and accurately.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

The internal whistleblowing procedure needs to provide for the following:

  1. channels for receiving the reports that are designed, established and operated in a secure manner and ensures that the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by unauthorised staff members;
  2. acknowledgment of receipt of the report to the reporting person within seven days of that report;
  3. the designation of an impartial person or department competent for receiving and following up on the reports, who will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;
  4. diligent follow-up by the designated person or department referred to in point c;
  5. feedback about the status of the report within a reasonable timeframe, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the end of the seven days after the report was made, except for situations when such feedback may jeopardise the process; and
  6. clear and easily accessible information regarding the procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.

 

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

The Draft establishes two ways of reporting: internal and external reporting.

Regarding internal report channels, communications should be written or verbal or both. Section 7.2 regulates different ways of reporting the information (post, email or any other accepted electronic means, phone or voice message, in person, among others).

Section 8 of the Draft regulates the procedure to manage information. First, the procedure may be approved by those responsible for the system and in charge of its diligent handling. Then, the agreed procedure will establish the necessary provisions for the internal information system to comply with the Law enacting the Directive. In particular, it will cover the following at a minimum:

  • an identifiable internal information system;
  • receipt of acknowledgement must be submitted within seven days to the reporting person (if identified), unless it compromises confidentiality;
  • potential contact with the whistleblower if it is deemed necessary to obtain further information.
  • additionally, the potential offender is entitled to be informed about the accusations against him or her. Such communication will take place at the time and in a manner as is deemed appropriate to ensure a proper investigation;
  • the investigated individual has a right to the presumption of innocence, a right to be heard and for their honour to be respected;
  • investigations should last no longer than three months from the date of receipt of the information. This can be extended by three additional months if the matter is particularly complex;
  • section 8.2 also indicates that clear and easily accessible information on external channels or European entities should be included; and
  • confidentiality and personal data must be respected. 

Regarding external report channels, an independent authority for the protection of whistleblowers will be established. Whistleblowers are allowed to choose that path directly or after having used internal information systems. The type (written, verbal) and means to send the report are the same as the ones for internal systems.

Once the communication has been made, it will be registered in the communications management system and an identification code will be assigned to it. The communications management system will be contained in a secure database with access restricted to the staff of the authority for the protection of whistleblowers.

A receipt of acknowledgement should be given within five business days of receiving the information (unless the reporting person is anonymous or has waived receipt of communications relating to the investigation).  

When the information is registered, it is subject to a preliminary analysis (maximum of 10 business days) by the state-level or regional-level independent authority – to see whether the report falls into the scope of the law enacting the Directive or could be considered a criminal offence. This will result in:

  • admission – to be communicated to the whistleblower, if any, within five business days; or
  • rejection – when the facts reported lack plausibility or do not fall under the scope of the Directive or, even falling under the said scope, do not affect the public interest. The rejection should be communicated to the reporter, if any, within five business days;
  • it can be admitted to the entity or body considered competent to process it or it affects the interests of the Treasury. When the facts may indicate a criminal offence, it will be referred to the Public Prosecutor's Office.

If it is admitted, investigations ensue. The investigated individual will be notified, and a succinct explanation of why he or she is being investigated will be provided. The whistleblower will have a right to make allegations in a written form, but a hearing can be arranged if there are certain risks, such as tampering with, concealing, or destroying evidence.

These inquiries will conclude in a report by the Independent Authority for the Protection of the Whistleblower or corresponding local Authority, which will close the case, begin a disciplinary procedure or transfer the case to another authority.

In any case, investigations should last no longer than three months from the date of receipt of the information.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

A whistleblowing procedure under the Whistleblowing Act must be designed to meet the following requirements:

  • the whistleblower must be able to report both in writing and verbally (including in a physical meeting); and
  • as a main rule, the whistleblower:
    • must receive an acknowledgement of receipt of the report within seven days of reporting;
    • should receive feedback regarding any action envisaged or taken as follow-up and on the grounds for such follow-up within three months of the acknowledgment of receipt of the report; and
    • should receive feedback regarding any action envisaged or taken as follow-up and on the grounds for such follow-up within three months of the acknowledgment of receipt of the report; and

It is possible to deviate from the above terms and conditions by way of a CBA; however, only as it relates to employees of the business (see question 3).

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

Under the Employment Rights Act 1996, there is no requirement to have a whistleblowing procedure and, therefore, there are no prescribed terms and conditions.

Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Please refer to question 9.

Last updated on 29/07/2022