Iubenda logo
Start generating


Table of Contents

The A-Z of Whistleblowing Reporting Process in the Workplace

Whistleblowing, a vital mechanism for maintaining organizational ethics and accountability, involves employees reporting suspected wrongdoing or misconduct within their organization. For whistleblowing to be effective, it is imperative to have a well-defined and transparent reporting process.

In the European Union, whistleblowing is regulated by Directive (EU) 2019/1937, also known as the Whistleblower Directive, which came into effect on December 16, 2019. The Directive enhances protection for people reporting breaches of EU law in their work environment and it requires Member States to align their national laws to provide an adequate level of protection throughout the EU.

The Whistleblower Directive applies to:

  • EU private companies with 50 or more employees;
  • non-EU companies with an EU branch, that have 50 or more employees within the EU.
  • local authorities serving over 10,000 people.

In order to comply, companies must:

  • Establish safe and confidential internal reporting channels. The deadline for complying with this requirement is December 17th, 2023.
  • Provide training for employees and stakeholders, to explain the directive, whistleblower rights, and reporting procedures.
  • Ensure the confidentiality and protection of the personal data of whistleblowers.
  • Implement anti-retaliation policies, conduct fair investigations, and support whistleblowers facing retaliation.
🇪🇺 Learn more about the Whistleblower Directive here

The whistleblowing reporting process

The whistleblowing reporting process is made of different phases.

Recognition of wrongdoing and reporting the concern

The first phase, which starts the reporting process, is the recognition of wrongdoing within a company. Whistleblowers can report a wide range of issues in several areas, including but not limited to:

  • Protection of privacy and personal data
  • Consumer protection
  • Violations of company policies and procedures
  • Financial misconduct
  • Money laundering and terrorist financing
  • Fraud
  • Network and information system security
  • Harassment or discrimination
  • Safety concerns (product safety and compliance, food and feed safety, transport safety)
  • Public health or animal health and welfare concerns
  • Environmental issues

Once the wrongdoing has been documented, the whistleblower can report it by choosing either an internal or external reporting channel.

Internal reporting channels are usually preferred, but if these are not effective or could lead to retaliation, they can also report directly to competent national authorities or even make a public disclosure in certain circumstances.

Handling and investigating the report

Once the report has been received, the organization needs to address it. Each organization should have a clear whistleblowing policy, that defines how the reporting process will be handled and designate an impartial person or department to receive and follow up on reports.

The designated team will then start the investigation, determining the soundness of the complaint and whether additional information is necessary. In certain cases, the company may also need to inform the people concerned of the allegations made against them.

Resolutions and follow-up

The whistleblower should expect a first follow-up within 7 days. This is a formal acknowledgment that the report has been received and investigations will start.

Once the investigation is completed and the company has taken any necessary action, the report can be considered complete. The whistleblower should receive another feedback on the report within 3 months maximum.

Protection for the whistleblower

Directive (EU) 2019/1937, also known as the Whistleblower Directive, particularly stresses the importance of protecting whistleblowers from any kind of retaliation. Employees should feel safe in reporting any wrongdoing within their working environment, without fearing being fired, demoted, or harassed.

That’s why it is essential that a company establishes both a clear policy on whistleblowing and a safe and confidential reporting channel.

Moreover, whistleblowers can also choose whether to remain anonymous or to disclose their names. The identity of the whistleblower can be disclosed only if they grant their consent. In either case, the organization has to safeguard their identity and avoid any type of retaliation.

Lastly, reporting persons should be offered strong legal protection. This includes, but is not limited to:

  • access to comprehensive and independent information and advice;
  • effective assistance from competent authorities;
  • legal aid in criminal and cross-border civil proceedings;
  • exclusion of liability in respect of the acquisition of the information that is reported or publicly disclosed.

Internal and external reporting channels

According to the EU Whistleblower Directive, people can report wrongdoing in the workplace in three ways:

  • Internal reporting channels (preferred).
  • External reporting channels to national authorities designated by Member States.
  • Public disclosure. This option should be used only in certain conditions, for example when no appropriate action has been taken after reporting internally/externally.

Let’s go through each one of them.

Internal reporting channels

Internal reporting channels are the preferred method for whistleblower complaints. According to the EU Directive, all private companies with 50 or more employees and all public entities must set up effective and confidential reporting channels. Remember: the deadline for complying with this requirement is December 17th, 2023.

Types of internal reporting channels

Whistleblowers should be able to submit their complaints in writing, orally, or in person.

To submit a report orally or in person, the whistleblower should contact the designated team or person who is in charge of whistleblowing within the organization. In these cases, anonymity can’t always be guaranteed, but the company still needs to ensure confidentiality.

To submit a report in writing, an organization can either create an internal procedure – for example, setting up a specific email address to which to send the complaints – or rely on a third-party platform. Usually, these platforms allow streamlining the whistleblowing process, while ensuring anonymity and confidentiality.

iubenda’s Whistleblowing Management Tool

Tailored for the EU Whistleblower Directive, our tool helps keep you compliant with a secure channel for submitting and managing whistleblower reports. Maintain an easy-to-use reporting form for employees and other stakeholders, and manage the whole process from an all-in-one dashboard.

External reporting channels

If the internal reporting channel isn’t considered safe or confidential, or if the report could lead to retaliation, the whistleblower can also report directly to competent national authorities.

The EU Whistleblowing Directive requires Member States to designate a competent authority, which should receive the complaints, investigate and then give appropriate follow-up to the reports.

Here is a list of the competent authorities in Europe:

Country Competent Authority
Austria Austrian Federal Competition Authority (AFCA)
Belgium Federal Ombudsman
Bulgaria Commission for Personal Data Protection (CPDP)
Croatia Ombudswoman of Croatia
Czech Republic Ministry of Justice
Denmark National Whistleblower Scheme
Finland Chancellor of Justice
France Several competent authorities depending on the subject matter: here’s a list. The French Defender of Rights is the centralized contact point for whistleblowers.
Germany Federal Office of Justice
Greece Office of Complaints of the General Secretariat against Corruption (GSAC)
Ireland Protected Disclosures Commissioner
Italy Anti-Corruption Authority (ANAC)
Latvia Several competent authorities depending on the subject matter. The State Chancellery is the centralized contact point for whistleblowers.
Lithuania Prosecutor’s Office of the Republic of Lithuania
Luxembourg Several competent authorities depending on the subject matter: here’s a list.
Malta Office of the Ombudsman
Netherlands Authority for the Financial Markets for the Netherlands
Norway Several competent authorities, such as the Norwegian Labour Authority, the police and the Data Protection Authority.
Portugal National Anti-Corruption Mechanism
Romania National Integrity Agency
Slovakia Whistleblower Protection Office
Slovenia 22 different state institutions are responsible for receiving and handling the external reports.
Spain Independent Authority for the Protection of Informants
Sweden Several competent authorities depending on the subject matter. The Swedish Work Environment Authority is the centralized contact point for whistleblowers.

Public disclosure

The last-resort reporting channel is public disclosure, which should only be used in certain conditions. A few examples are:

  • no appropriate action has been taken after reporting internally or externally;
  • the whistleblower did not receive appropriate feedback within the timeframe set by the law;
  • it is reasonable to suspect a collusion between the perpetrator of the crime and the state authorities responsible for prosecuting them;
  • in cases of urgent or grave danger to the public interest.

Public disclosure can happen via web platforms, social media, the press, elected officials, civil society organizations, etc. Even in this case, the whistleblower should be granted the same level of protection.

Best practices for implementing whistleblowing procedures

To sum up, there are three important steps that each organization should follow to implement a solid whistleblowing reporting process:

  1. Offer a clear whistleblowing policy: every employee should know how to send a whistleblowing report, who to contact for a complaint, and how the process will be handled. The policy should also address whistleblower protection and retaliation prevention strategies. Download a whistleblowing policy template here.
  2. Set up a secure and confidential reporting channel: this will help you protect whistleblowers from any kind of retaliation, by ensuring confidentiality and anonymity. Moreover, setting up a secure reporting channel is now mandatory within the European Union, for organizations that have 50 or more employees. You can choose to implement an internal reporting channel, or to rely on a third-party service, like iubenda’s Whistleblowing Management Tool.
  3. Designate a responsible team or person: the team will be the reference point for any employee willing to make a whistleblowing complaint. They will also be in charge of carrying out the investigation and sending timely feedback. Download an appointment template for assigning responsibility here.

iubenda’s Whistleblowing Management Tool

iubenda’s Whistleblowing Management Tool helps EU businesses ensure compliance. We’ve designed our product to streamline management within organizations, protect whistleblowers, and ensure businesses consistently adhere to the law.

Here’s how it works:

  • Activate the Whistleblowing Management Tool from your iubenda dashboard (please note: you need an Ultimate plan to do it). Then embed the reporting form where it can be easily accessed by employees or other potential reporting persons.
  • When a report is submitted, your Whistleblowing Manager receives an email notification instantly, while the anonymous reporting option keeps whistleblowers’ identities a secret.
  • Your Whistleblowing Manager can view the details of the report in their dashboard and follow up when appropriate. Real-time updates help you stay informed of each report’s status throughout the entire process.

iubenda helps you comply with the EU Whistleblowing Directive

Create your reporting channel now