From 17 December 2021, employers with more than 250 employees will be required to adopt procedures protecting whistleblowers. From 17 December 2023, the same obligations will also be imposed on smaller entities. In order to properly fulfil those obligations and to avoid possible liability related to the activities of whistleblowers, it will be necessary to conduct a legal audit.
The obligation to implement the provisions on whistleblower protection by 17 December 2021 applies to:
Private entities employing from 50 to 249 individuals will become subject to the new obligations from 17 December 2023. By these deadlines, businesses must ensure channels and effective procedures for internal reporting and follow-up.
The implementation of Directive 2019/1937 for employers will not only mean new obligations related to the new regulations, but will also involve – what is hardly obvious – also the need to audit the compliance of the entire business of an entity obliged to apply the new whistleblower protection procedures. Businesses with over 250 employees, by no later than 17 December 2021, will have to thoroughly review the processes and procedures in place, analyse risk and statutory obligations and, based on this analysis, make appropriate updates or take specific corrective actions.
The most common requirements, in addition to specific sectoral requirements, include:
From 17 December 2021, the following persons will be able to report breaches and irregularities in companies covered by the new regulations:
The channel created by the firm must be independent and autonomous, so it should be designed and operated in a way ensuring completeness, integrity and confidentiality of information. It must also be protected against unauthorized access.
The firm will be obliged to inform the person notifying irregularities in due time about the acceptance of the notification, as well as about the method of handling it or about its further processing. In the event of a breach in the functioning of the company, the firm will be required to take follow-up actions, such as referring the case to the relevant state authorities or instituting disciplinary proceedings against the person responsible for the breach. An additional obligation will be to keep a record of notifications and store them for a specified period of time.
The list of entities that will be obliged to ensure the possibility of reporting any detected irregularities is very wide and also includes external entities whose interests do not coincide, and often in the case of disputes related to non-performance or improper performance of contract or dismissed employees, those interest may conflict with those of the obligated undertaking. Thus, it can be expected that these procedures will be often used, or even overused – the key will be therefore to construct them in a way that prevents a fraudulent use of these procedures, and to ensure internal compliance of activities and procedures with national and EU requirements.
In Directive 2019/1937, the lawmakers also imposed an obligation on Member States to establish external reporting channels and to follow up on notifications. To this end, Member States will be required to ensure that competent authorities establish autonomous and independent reporting channels designed to ensure the completeness, integrity and confidentiality of information and to prevent access to it by unauthorized staff members of the competent authority. The authorities will be bound to:
In addition, Directive 2019/1937 ensures that any person will be able to make public information about a breach if:
In addition, Member States will be entitled to provide for other sanctions, including financial penalties, for failure to adequately protect whistleblowers, obstructing them from reporting or taking retaliation.
Regulations implementing the directive in Poland
In order to implement Directive 2019/1937, under Order No. 229 of the Prime Minister of 1 December 2020 (Polish Monitor of 2020, item 1112), the Minister of Development, Labour and Technology was appointed the “Designated Minister” for carrying out relevant legislative works at the governmental stage of legislative work. On 10 December 2020, the Minister of Development, Labour and Technology issued order no. 6 on the appointment of a team that will draft regulations implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. Therefore, the Polish legislative body has only just started work on the draft act implementing Directive 2019/1937.
At the time of writing this article, it is impossible to predict whether the legislative body will implement Directive 2019/1937 on time. However, this does not mean that directive will not be effective even if not implemented. If a directive gives a citizen – be it a natural or a legal person – some rights with regard to the state, that citizen may exercise them against the state authority. It follows from settled case law of the Court of Justice of the European Union (e.g. in the case of Becker v. Finanzamt Münster Innenstadt, file no. 8/81). At the same time, as emphasized by the same Court, the same member state that failed to implement an EU directive on time cannot invoke its unimplemented provisions in a dispute with citizen (e.g. judgment in the case of Kolpinghuis Nijmegen BV v. The Netherlands, ref. No. 80/86). Undoubtedly, this will mean direct application of Directive 2019/1937 in public sector entities, as well as the need to launch and operate an external channel for reporting breaches of law, and thus it will be possible to publicize the breach or an identified problem in business entity – including a private entity. Therefore, it is worth considering to adopt appropriate procedures in advance, regardless of legislative actions.
TGC Corporate Lawyers
TGC Corporate Lawyers offers support in implementation of an effective fraud reporting system in the organization, as well as in the field of corporate audits or drafting and tailoring the required procedures. We help clients that operate in capital groups, but also small and medium-sized enterprises, public companies, non-governmental and non-profit organizations.