HR Signal: The EU Whistleblowing Directive

Read more

#Alert: Bill of the Whistleblower Protection Act


On 18 October 2021, a bill of the Whistleblower Protection Act (the “Act“) was released. We present the results of our analysis of the Act in an accessible Q&A format based on the questions asked during conversations about whistleblowers with our clients.

Who must implement whistleblower procedures and when?

Private sector companies with 250 or more employees must implement appropriate procedures within 14 days of the promulgation of the Act. We assume this will occur still in December 2021.

Financial market and AML/CFT entities will be required to implement the new regulations regardless of the headcount levels.

Companies employing between 50 and 249 employees will have until 17 December 2023 for implementation. However, entities with fewer than 50 employees will be able to implement the procedures on their own initiative (no statutory obligation).

Who should be included when calculating the headcount level?

Companies should take into account employees as defined in the Labor Code. This means that we do not include people employed under civil-law contracts, such as mandate contracts, work-product contracts or B2B.

In our view, an employer using temporary workers (employed by a temporary work agency) do not need to count them as “its” employees.

What violations of the law can be reported under the Act?

The Act provides for a broad catalog of violations of the law, including, among others, AML/CFT issues, public procurements, privacy and personal data protection, and competition rules.

However, an employer may expand this catalog at its discretion to include, for example, ethical issues, mobbing, discrimination, harassment (including sexual harassment) or managerial abuse.

 Who can be a whistleblower?

The Act stipulates that employees may file internal (i.e. addressed to the employer) reports. Extension of this catalog to include other persons, e.g. persons employed under civil-law contracts, candidates, former employees, interns or contractors, requires an appropriate provision in the internal reporting regulations.

Is every whistleblower subject to protection?

No. This applies only to reports made in good faith, i.e. if the whistleblower has reasonable grounds to believe that the reported information is true and constitutes information on a violation of law.

In addition, the Act will not apply if the violation harms only the rights of the whistleblower or the report is made solely in the whistleblower’s personal interest.

What about anonymous reports? Do they need to be accepted?

In the case of internal reports, you will need to accept them if your company’s bylaws so stipulate. However, accepting anonymous report is a good and recommended practice.

Do we need to establish a special reporting channel that ensures full anonymity to whistleblowers?

No. The Act does not require you to take such actions. There are many providers in the market offering such service, but it is not mandatory.

However, you are required to ensure that the whistleblower’s personal data is not disclosed unless the whistleblower consents. Therefore, it will be necessary to apply appropriate solutions protecting the whistleblower’s identity (e.g. limited circle of persons involved in receiving and verifying reports).

How to regulate whistleblowing issues?

Rules and regulations for internal reporting should be established. In accordance with the Act, they should regulate a number of organizational issues, including, among others, who receives reports, whether anonymous reports are permissible, when, whom, and what to report.

In addition, the rules and regulations may provide for an expanded catalog of persons authorized to make reports or additional violations of law that may be reported.

Do we establish such rules and regulations ourselves or do we need to consult them with employees?

The rules and regulations for internal reporting are established by the employer upon consultation with company trade union organizations.

If there are no such organizations, consultation takes place with selected employee representatives. To this effect, a new election should be held as the existing representatives have not been given the authority to consult this document.

The result of the consultations is not binding on the employer.

Who can receive and review reports?

This will be handled by persons designated by the employer, such as the HR Manager, Compliance Officer, in-house lawyer or external legal counsel or a specialized firm.

Each of these persons must obtain a written authorization from the employer.

Do reports need to be registered somewhere?

Yes, employers will be have to create their own report register. The information entered in the register should include, among other things, the subject matter of the report, the date on which the report was made, the date on which the internal investigation was completed, and information on follow-up actions taken.

The register may be kept in any form, including in electronic form.

What will the whistleblower protection involve?

No retaliation may be taken against a whistleblower. The Act stipulates that in connection with a violation report, the following may not be done, among other things: termination of the employment contract, reduction of the remuneration, demotion or unfavorable change of the workplace, as well as referral for an unreasonable medical examination (e.g. psychiatric).

In addition, termination of the employment contract due to reporting a violation will be ineffective. Although the Act does not give us more details, in our view, this should be understood analogously to an unlawful termination of employment – it will be effective (the employment relationship will be terminated), albeit defective.

Can you have “common” whistleblowing systems?

To a certain extent, yes. Employers with between 50 and 249 employees may share the resources for receiving and verifying reports and follow-up actions. The Act clearly stipulates that such resource sharing will not be available to employers with at least 250 employees or fewer than 50 employees.

Resource sharing will be allowed for both related entities (group) and unrelated entities. However, it is the European Commission’s position that each of these entities must have its own rules and regulations and notification channels.

Do we face criminal liability for violations of the Act?

Yes. The Act provides for a broad catalog of offences associated with violation of whistleblower regulations. This applies in particular to:

(i) failure to establish an internal whistleblowing procedure;

(ii) obstructing the making of reports;

(iii) retaliatory actions; or

(iv) disclosing the identity of the whistleblower.

Each of these acts is punishable by a fine, restriction of freedom or imprisonment for up to 3 years. These penalties may be imposed on, among others, the HR Manager, Compliance Officer, management board member, or any other person who commits such acts. Everything will depend on the specific circumstances of the case.


As of now, we do not know when exactly the Act will come into effect or what its final form will be. Please note that this legislation has been subject to public consultations and may change. We will keep you updated on all significant changes.

If you have any additional questions or would like to talk about implementation of a whistleblowing system in your organization, do not hesitate to contact us.


Download a full copy of our #ALERT here.