The Directive establishes new compliance duties. Specifically, companies must give employees and third parties the opportunity to anonymously report alleged and actual irregularities (= internal whistleblower system). The idea is that the company's management will thereby become aware of (alleged) irregularities and be able to react. National legislation must transpose the Directive. The corresponding draft bill is now available and can be downloaded here (in German): Link.
The EU Whistleblowing Directive applies to all companies with 50 employees or more and to companies with a turnover of EUR 10m per year or more. Companies in the financial services sector must establish internal whistleblowing systems regardless of the number of employees.
Furthermore, the EU Whistleblowing Directive now provides extensive protection for employees. They can report irregularities both to their own company and to external bodies (authorities) without having to fear labour law sanctions. This is especially true if there is no internal whistleblowing system.
Employees, customers, suppliers and other third parties may ‑ as of today ‑ report violations of EU law (e.g. data protection law), violations of national law (e.g. working time violations) as well as violations of internal policies to the internal or external whistleblowing system.
The legislator's explicit goal is that medium-sized companies in particular deal more actively with the topic of compliance and take initial measures. In order to enforce these goals and increase the pressure, authorities must now provide their own, so-called external whistleblowing systems. In this way, authorities are to become aware of wrongdoing within companies. Employees are also allowed to report grievances directly to the public if companies or authorities do not follow up on their tips. All in all, companies must prepare themselves for the wind blowing a little harder from the legislator, which will focus in particular on grievances and breaches of rules within the private sector.
Yes, there are. Compliance violations often lead to personal liability of those involved. Compliance violations may also lead to personal liability of (uninvolved) directors, unless they have taken precautionary measures, such as establishing an internal whistleblowing system. The breach of the new obligation to establish such an internal whistleblowing system further increases the liability risks.
The Whistleblowing Directive stipulates that data processing may not violate the General Data Protection Regulation. This does not make it any easier to establish whistleblowing systems in practice. After all, the Whistleblowing Directive protects the individual whistleblower, while the GDPR protects the accused in addition to the whistleblower. This may lead to conflicts.
Companies should apply the necessary judgment. Specifically, it is good advice to talk to an expert about the initial situation in one's own company and to establish one's own internal whistleblowing system well ahead of the date on which the new regulations come into force, 17 December 2021, i.e. in the 2nd or 3rd quarter of 2021. Here, commissioning an external compliance trust agency, which can provide such a whistleblowing system as an external service provider (at low cost), is an option. Then the management would be exempt from liability while the company fulfils the new obligations.