The law implementing the EU Whistleblowing Directive (Directive 2019/1937) was finally published on 21 February and is referred to as the Whistleblowing Act (Law 2/2023 of 20 February).
In this blog post we review the most relevant issues to be addressed by employers upon the enforcement of the Whistleblowing Act.
The Whistleblowing Act enters into force today, on 13 March 2023, but companies with at least 250 employees will not need to establish their internal information system (IIS) before 13 June 2023. Furthermore, as in some other member states, companies employing between 50 and 249 employees will need to do so no later than 1 December 2023.
Pursuant to the EU Whistleblowing Directive, the Whistleblowing Act requires companies employing at least 50 employees to implement an IIS, including both an internal whistleblowing channel and a person responsible for the system and the whistleblowing procedure. The IIS will enable individuals (this includes employees but also volunteers, interns, trainees, or candidates) to report breaches of European Union law or acts or omissions that could constitute criminal offences or otherwise serious or very serious administrative offences.
The Whistleblowing Act imposes the involvement of the employee representatives in the consultation period prior to the implementation of the IIS. The latter will need to guarantee the confidentiality of whistleblowers as well as of all parties involved during a procedure.
Companies will need to adopt an internal policy setting out the general principles of internal whistleblower protection, which may be done by means of a common policy in groups of companies and which may also share a single IIS. Internal whistleblowing channels, however, will need to be implemented at a company-level.
Companies will need to designate a person in charge of the IIS, who should be independent of the companies’ management or governing body. This means that a new role will be created or, alternatively, if the nature or size of a company does not justify the existence of a person in charge whose role is exclusively related to the IIS, an employee of the company (e.g. a compliance or integrity policy officer) can wear a double hat (one of which is that of the person in charge of the IIS). In the latter case, precautions should be taken in order to avoid any conflict of interest and to meet a number of legal requirements provided by the law.
The Act provides for a very onerous sanctions regime with a range of serious, very serious and minor infringements. Very serious infringements include, among others:
- attempts or actions to hinder the submission of communications or to prevent, frustrate or slow down their follow-up,
- reprisals against whistleblowers,
- breaches of confidentiality, anonymity, or secrecy of information, or
- breaches of the obligation to have an internal information system as required by the Act.
The fines for these infringements will be up to EUR 100,000 for minor infringements, between EUR 100,001 and EUR 600,000 for serious infringements, and between EUR 600,001 and EUR 1,000,000 for very serious infringements. In addition, the statute of limitations for very serious infringements will be three years, two years for serious infringements and six months for minor infringements.
In order to make sure that they are complying with the provisions of the Whistleblowing Act, employers will have to implement or adapt their whistleblowing systems to the provisions described above and others set out in the law.