The directive's adoption raises questions about implementing whistleblower channels in entities of a group of companies
The Whistleblowing Directive 2019/1937 has introduced significant developments in whistleblower protection, particularly the implementation of reporting channels, one of the key elements of any compliance programme.
Article 8(3) of the directive states that legal entities in the private sector with 50 or more employees must establish internal reporting channels and procedures that employees may use to reveal information on breaches of EU law. This article is not open to interpretation: every legal entity with 50 or more employees must set up internal whistleblowing channels and procedures, even if it belongs to a group of companies.
However, the European Commission has issued two non-binding statements on this article, allowing for a centralised complaint channel as long as each subsidiary has a distinct channel. If there is one channel for the parent company and one for the subsidiary, the reporting person may choose which channel to use.
Therefore, the directive seeks to ensure the success of the channels and their accessibility for the whistleblower since they may feel more safe reporting the specific case to the subsidiary, perhaps, for fear of retaliation by the parent company or because the parent company is directly related to the event being reported.
Regardless, subject to the requirements of the directive, it is compatible for legal entities in the private sector with 50 to 249 employees to share resources to receive complaints and carry out investigations.
Application to national law
Since there are differences in the transposition of the directive in each Member State, the requirements for implementing a whistleblowing channel may vary. Some countries, for instance, Ireland and France, may follow the European Commission's approach, while others such as Germany allow for a group-level solution (Konzernlösung).
Spain passed Law 2/2023 on the protection of persons reporting regulatory breaches and the fight against corruption; it was published in Spain's official gazette Boletín Oficial del Estado on 21 February 2023 and entered into force on 13 March.
Article 11 of this law sets out that a group's parent company must approve a general policy regarding an internal information system, which may be the same for all the group or one for each company in the group, subgroup or group of companies, allowing the different persons responsible for the group's system (if any) to exchange information for the effective coordination and best performance of their duties.
The law also considers the possibility of legal entities in the private sector and with 50 to 249 employees sharing their internal information system and the resources intended for the management and processing of communications, regardless of whether they are part or not of a group of companies.
Osborne Clarke comment
The purpose of the directive is to facilitate the reporting of EU law breaches. Spain requires the parent company of a group to develop rules and policies that would encourage the implementation of an information system intended to properly organise and coordinate the channels in each of the entities that are part of the group. This role seems appropriate, provided that the compliance culture specifically originates from and begins by, according to best practices, complying with the "tone at the top" principle.
The European Commission non-binding statements are European Commission – JUST/C2/MM/rp/(2021)3939215 – June 2nd, 2021 and European Commission – JUST/C2/MM/rp/(2021)4667786 – June 29, 2021.