EU Whistleblower Protection Directive: into the home straight
Executive Education / 29 April 2020
  • Share

  • 3693

  • 0

  • Print
Partnerin und Fachanwältin für Strafrecht und Zertifizierte Datenschutzbeauftragte in der Kanzlei Dr. Buchert und Partner
Dr. Caroline Jacob ist Partnerin und Fachanwältin für Strafrecht und Zertifizierte Datenschutzbeauftragte (DESAG) in der Kanzlei Dr. Buchert und Partner. Dr. Rainer Buchert ist Dozent im Zertifikatsstudiengang Certified Fraud Manager. Ihre Schwerpunkte liegen in den Bereichen Compliance und Wirtschaftsstrafrecht. Sie vertritt Unternehmen als Ombudsperson.

To Author's Page

More Blog Posts
Der Zahlungsverkehr als Top-Thema der Bankwirtschaft und im Handelsgeschäft
Unerlässlich bei der Unternehmensfinanzierung: Nachhaltigkeit und ESG-Faktoren
EU-Sanktionen – wie können Compliance Officer darauf reagieren?

On April 16, 2019, the European Parliament adopted the Directive on the “protection of persons who report breaches of Union law” (generally known as the EU Whistleblower Protection Directive). The Directive, which came into force on October 7, 2019, obliges EU member states to implement the provisions of the Directive in national law within a period of two years.

Material and personal scope of application

For reasons of legal certainty, the Directive includes in its appendices a list of all relevant breaches of European Union law. The list covers areas such as corruption, money laundering, public procurement, financial services and the financing of terrorism. But each member state has the right to add their own interpretations to the list.

The Directive only grants personal protection to whistleblowers if they have obtained information on legal breaches in the course of their professional activities and report the breaches accordingly. Under certain circumstances, third parties may also be protected – individuals who no longer work for the company concerned, for example.

EU Whistleblower Directive is intended to provide comprehensive protection

The EU Whistleblower Protection Directive is intended to regulate the protection of whistleblowers throughout Europe. Until now, whistleblower protection has been governed by a variety of standards and in some cases, only partially regulated. In the future, potential whistleblowers should be able to rely on a minimum level of comprehensive protection in at least three respects: The confidentiality of the whistleblower’s identity should be assured, and s/he should be protected from retaliation and liability.

In the future, whistleblowers reporting breaches should not have to fear any consequences arising from lawsuits under labour law. In the event of a lawsuit based on labour law, the Directive states, for example, that the burden of proof must be shifted in the whistleblower’s favour: The employer must prove that the latter’s dismissal was not in any way connected with the employee’s whistleblowing report.

Mandatory implementation of whistleblowing systems

Companies in the financial services sector are already required to set up whistleblowing systems. Now all companies with more than 50 employees or a turnover of more than EUR 10 million, as well as municipalities with more than 10,000 residents, are obliged to establish reliable, fully functioning internal reporting channels. Each whistleblowing system must be designed, implemented and operated in such a way as to guarantee the confidentiality of the whistleblower. For legal entities with 50-249 employees, the period for implementing such a system has been extended by another two years to December 17, 2023.

Reporting process

The Directive provides for three forms of whistleblowing report:

  1. Internal reports
  2. External reports
  3. Public disclosures

It should be possible to submit internal reports either in writing, by telephone or, if preferred, in person. In addition to in-house contacts, possible methods should also include ombudspersons and online whistleblowing tools. In each case, it is important to ensure that the established reporting channels can be accessed by qualified persons such as fraud managers or compliance officers, and that reports can be processed as appropriate. In the case of external reporting channels, the whistleblower should be able to contact the competent authority directly. The Directive requires each member state to designate a competent authority empowered to receive whistleblowers’ reports. Such authorities might include, for example, regulatory, supervisory or law-enforcement agencies.

In the case of both internal and external reports, whistleblowers should receive an acknowledgement of receipt within seven days. In addition, companies are required to respond to irregularities and carry out appropriate internal investigations within a maximum of three months. In the case of external channels, this deadline may be extended by an additional three months if suitable justification is provided.

A public disclosure involves making information such as breaches of press freedom publicly available. Whistleblowers should only pursue such disclosures, however, if they have not received appropriate responses to either internal or external reports, or if such disclosures are in the public interest.


The clock is ticking. German lawmakers must implement the provisions and recommendations of the EU Whistleblower Protection Directive in national law by October 17, 2021. In the process, they must ensure that where the law diverges from the Directive, it favours the whistleblower rather than the persons or entities allegedly in breach of Union law.

Detecting and preventing white-collar crime is the job of fraud management. This includes the professional handling of whistleblowing reports, intended to prevent lawsuits for tort and damage. Companies that already have effective whistleblowing systems in place and employ staff with the relevant knowledge will probably find implementation less onerous. But even they should double-check that they comply with the provisions of the new Directive. Companies that do not have whistleblowing systems in place will have much more work to do on implementation.