Directive (EU) 2019/1937, also known as the Whistleblower Directive, came into effect on December 16, 2019. This directive marked the beginning of heightened protections for those who report breaches of EU law within their professional environment. It required Member States to align their national laws, guaranteeing a consistent protection level for whistleblowers throughout the EU.
This Directive emphasizes the significance of safeguarding whistleblowers and ensures that entities have appropriate channels for reporting breaches of Union law.
Understanding the EU Whistleblower Directive
Objective: Its primary intent is to set a baseline and align national legislations across the EU regarding the protection of individuals who disclose violations of Union law.
Implementation Timeline
General Adoption: EU Member States had a deadline until December 17, 2021, to enact laws and regulations in line with the Directive’s requirements.
Specific Provisions for Medium-Sized Entities: The Directive stipulates that private sector and legal entities employing between 50 and 249 individuals have until December 17, 2023,to implement an Internal Reporting Channel (IRC).
The establishment of this IRC must emphasize the following pillars:
Confidentiality: Ensuring the privacy of the whistleblower.
Prompt Acknowledgment: Recognizing received reports within a 7-day window.
Impartial Management: Appointing an impartial person designated specifically for handling reports.
Timely Feedback: Committing to provide feedback on reports within a span of three months.
Transparent Reporting Avenues: Clearly delineating the methods and pathways available for reporting.
Additionally, entities are obligated to preserve all records pertaining to reports and their accompanying documentation in order to comply with the requirements imposed.
Key aspects and objectives of the EU Whistleblower Directive
Broad Scope of Application: The directive covers a wide range of areas, including public procurement, financial services, money laundering, product and transport safety, nuclear safety, public health, consumer protection, environmental protection, and more.
Multiple Reporting Channels: Whistleblowers are encouraged to use internal reporting channels within their organizations first, but if these are not effective or could lead to retaliation, they can also report directly to competent national authorities or even make a public disclosure in certain circumstances.
Protection Measures: The directive sets out that member states should prohibit any form of retaliation against whistleblowers, including dismissal, demotion, harassment, and other forms of unfair treatment.
Confidentiality: The identity of whistleblowers must remain confidential unless they give their express consent to disclose their identity.
Public and Private Sector: The directive applies to both the public and private sectors. In the private sector, it applies to entities with more than 50 employees, unless a special provision is made for entities with fewer employees.
Burden of Proof: If any adverse actions are taken against the whistleblower, presumably in retaliation to a report, then the burden of proof shifts to the person who has carried out the detrimental action to demonstrate that they acted for reasons other than retaliation.
Support and Assistance: Member states are required to provide information, advice, and even free legal aid to whistleblowers to ensure they know their rights and are supported throughout the process.
iubenda’s Whistleblowing Management Tool helps EU businesses ensure compliance. We’ve designed our product to streamline management within organizations, protect whistleblowers, and ensure businesses consistently adhere to the law.
Our tool offers an easy-to-use reporting form for employees and other stakeholders and allows businesses to manage the entire process from an intuitive all-in-one dashboard.
IMPORTANT: Even if your company is based outside the EU,if you have an EU branch with at least 50 employees, it also needs to comply with the directive.
⚠️ iubenda’s Whistleblowing Management Tool is included in the Ultimate Plan, it can be activated with one click. No configuration needed.
1. Activate the Whistleblowing Management Tool
From your iubenda Dashboard, simply click on “Activate“
⚠️ Once you’ve activated the Whistleblowing Management Tool, be sure to click on the “Embed” button within the Whistleblowing tile to proceed with the form embedding. If you don’t do so, you won’t be able to receive any whistleblower reports. See below how to embed your Whistleblowing Management Tool ⬇️
2. Embedding
After activation, click on “Embed” to integrate the reporting form for easy access by employees or other potential reporting persons.
💡 Remember, a clearly visible form ensures that anyone who wishes to report can easily do so.
Next, in this section, you’ll find the direct link to embed the form. Copy it, and then paste it strategically on your website, intranet, whistleblower policy, or wherever else you need it.
⚠️ Tip: Using a direct link guarantees that the form displays consistently across different platforms.
Where do I put the iubenda Whistleblowing link?
That depends entirely on you. But the rule of thumb is your site’s footer. It’s a good way for it to be seen from every page.
Also, you can print forms for offline use. For quick access to the online form, just scan the provided QR code. (This feature will be available soon).
3. User Reporting
Once activated, reporting persons can choose to report either anonymously or by providing their identity using the form embedded on your website. They can specify details such as the type of wrongdoing or misconduct, provide an exact date, and describe the facts. Once completed, they simply click on “Submit report” to send it.
After submitting the form, reporting persons will automatically receive an acknowledgment of receipt.
4. Whistleblower dashboard
When a reporting person submits a report, the Whistleblowing Manager immediately receives an email notification. The Whistleblowing Manager can then access all reports from the Dashboard, and quickly identify the status of each.
In your Whistleblowing Management Dashboard you have full access to all the requests, with all the necessary details — the Creation Date, Type, Subject, Status and a Detail Icon.
When you click on the icon, all report details become visible. This allows you to promptly address any reported issues while ensuring a secure and confidential channel for whistleblowers.
From this “Report details” panel, you have the capability to assign different statuses to each report, helping you track the different phases of report processing.
Received: Once a report is received, review it and advance to the next step. Remember that upon submission, by default, the online form displays an acknowledgment receipt to the whistleblower. For non-anonymous reports, consider reaching out to the whistleblower in writing within 7 days.
Admissibility → Admissible/Not admissible: Your initial task is to assess the report’s admissibility. If the report meets the set criteria and is deemed admissible, continue with its processing. However, if it’s found inadmissible, consider the processing complete. For non-anonymous reports, inform the reporting person.
Processing (relevant only if admissible): After marking a report as admissible, ensure diligent follow-up. As per the Whistleblower Directive, advance to the subsequent step and provide feedback to the reporting individual within 3 months from the acknowledgment date.
Feedback Provided (relevant for non-anonymous reports only): Upon completion of the follow-up activities, share your assessment and subsequent steps taken with the reporting person, if their identity is known. As stipulated by the Whistleblower Directive, offer this feedback within 3 months of acknowledgment.
Processed: At this point, you’ve executed all requisite actions, deeming the report processed. Assess if additional steps are necessary for further follow-up or internal purposes before contemplating deletion.
Information Deleted: In accordance with the Whistleblower Directive, reports must be retained only for the duration necessary and proportionate to comply with the requirements of the directive or other mandates from Union or national law. In instances where national legislation specifies deletion requirements, ensure compliance. Exercise caution when deleting, as this action is irreversible.
Additional Resources
To help our users and enhance the efficiency of managing whistleblowing, we’ve prepared a set of downloadable resources:
📜 Customizable Whistleblowing Policy Template — The whistleblower policy serves as a foundational blueprint for organizations to personalize, featuring a section that allows for the addition of a link to the form for online submissions, while offering flexibility for customization to meet the organization’s unique needs and operational style. It establishes clear guidelines, ensuring that the team knows exactly how to proceed when encountering unethical or illegal behavior.
👥 Appointment Template: Assigning Responsibility — We prepared an appointment template for the designation of a person or department to handle whistleblowing reports. It helps streamline the reporting and investigation process, ensuring accountability and that concerns are addressed by those best equipped to handle them.