In accordance with the Act on the protection of persons reporting breaches in organizations, the employer is obliged to create an internal reporting channel, which should meet a number of requirements included in the Directive of the European Parliament and of the Council (EU) 2019/1937. What exactly does the Directive say regarding the anonymity and protection of Whistleblowers' personal data?
What irregularities may be reported by the Whistleblower?
According to the directive, a Whistleblower is a person who reports violations of European Union law in the work environment. The goal of those reporting problems in organizations is to act in good faith for the benefit of companies. Whistleblowers make reports when they have reasonable grounds to believe that the information they have collected is correct at the time the problem is raised. They can report irregularities in the following areas:
- financial services, products and markets,
- public procurement,
- product, food and transport safety,
- environmental protection and nuclear safety,
- protection of consumers and personal data,
- security of networks and ICT systems,
- public health,
- the financial interests of the European Union,
- the internal market of the European Union and the rules of competition, state aid and corporate taxation,
- internal organization of work, for example in the event of mobbing.
First of all, the purpose of the directive is to prevent terrorism and money laundering. Whistleblowers can report not only problems that have already arisen, but also those that they suspect may have occurred.
The Whistleblower System is software that makes signaling problems simple and effective. It provides a number of necessary functionalities and improves communication between the employer and employee. Find out more about the Whistleblower System for reporting breaches in companies.
Do Whistleblowers need identity protection?
From the perspective of Whistleblowers, it is crucial that the employer ensures identity protection. For the existence of Whistleblowers to make sense and for them to fulfill their obligations, they must not be afraid of repercussions and retaliation by their associates. Revealing the identity of those who report problems can, in the worst case, cost them their jobs and their source of income.
Taking into consideration the public interest, it is equally important to take measures to protect the identity of Whistleblowers. When a person does not report a problem for fear of having their data disclosed, the illegal or unfavorable activities may result in huge financial and image losses for the company, and may also affect the life and health of employees.
How does the Directive address the issue of Whistleblower anonymity?
On December 17, 2021, the deadline for implementing the EU Directive on Whistleblowers expired for Poland. The act implementing the provisions of the directive has not yet been passed, as legislative work at the government level is still ongoing. Importantly, this did not release Polish employers from the obligation to implement the Whistleblower protection system from December 17, 2021.
We asked Dr. Jacek K. Sokołowski, a partner at the attorney-at-law team and a researcher at the Jagiellonian University with experience of working in EU institutions (the office of the Commissioner for Internal Market and Services):
“First, there is no doubt that the Directive is directly applicable. This means that from December 17, every company employing more than 250 employees should have an early warning system for irregularities, and the lack of such a system may result in severe sanctions.
Moreover, this system should, in principle, protect the identity of Whistleblowers. This protection - in the most far-reaching interpretation - may mean complete anonymity.
Whether completely anonymous reports will be allowed in the Polish Whistleblower protection system, and what protection will apply to a person who made an anonymous report and whose identity is subsequently revealed, will ultimately be decided only by the provisions of Polish law - once they are enacted.
Personally, I do not consider anonymous reports to be a rational solution and I hope that the Polish law will abandon it.
For the time being, however, for their own safety, the obliged entities (i.e. employers) should adopt an extended interpretation, i.e. also ensure the possibility of submitting completely anonymous reports, as well as implement systems for processing such notifications.”
According to the PWN dictionary of the Polish language, the word "anonymous" means a person "who does not reveal his/her surname or whose surname is unknown". From the point of view of the directive, "anonymity" is voluntary and at the moment it is only obligatory to protect the data of reporting persons, which is treated as an obligation to keep the personal data of Whistleblowers confidential, as well as of persons to whom a given report relates.
Importantly, the Whistleblower Protection Directive itself does not require Member States to oblige private and public sector entities to enable anonymous reporting of breaches as part of procedures. Ultimately, each of the European Union countries can decide whether this type of provision will apply in a given territory.
Where anonymous reporting is allowed under national law, it is not always possible to do so. An example is the situation where the reporting person was the only and direct witness of the infringement. In this case, the Whistleblower may report the breach knowing that his identity will be identifiable or not report the problem at all. It should also be remembered that an anonymous Whistleblower is not legally protected until he discloses himself or his identity is identified.
The Directive, on the other hand, regulates the protection of the confidentiality of the Whistleblower's identity. It is binding during the submission of the notification and in the course of explanatory proceedings. Therefore, disclosure of the Whistleblower's identity is possible only if he discloses himself or if it is required in accordance with EU or national law. Breach of the confidentiality principle of the identity of the person reporting the breach should be associated with an appropriate sanction.
Whistleblower System is software that complies with the requirements of the European Parliament and Council Directive (EU) and ensures the confidentiality of the identity of Whistleblowers. This flexible software allows you to intuitively create and handle a new notification, improves communication with employees and has the option of personalizing the user interface. Get to know all the functionalities of the Whistleblower, the best system for handling breach notifications.