Whistleblowers now protected by law

1. Within which scope does the protection apply?

The law lays down common minimum standards for the protection of whistleblowers who report breaches falling within the following scopes: public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, transport safety, protection of the environment, radiation protection and nuclear safety, food and feed safety, public health, consumer protection, protection of privacy and personal data, security of network and information systems, and the combat of tax and social fraud.

In addition, the law also provides protection when there are breaches affecting the financial interests of the Union. There is also protection in case of breaches relating to the internal market including breaches of Union competition and State aid rules.

2. To whom does this protection apply?

This is a targeted protection that applies only to reporting persons - working in the private sector - who acquired information on breaches in a work-related context. It is therefore important that the information was obtained by a person who has a professional relationship with the company or legal entity in question.

This applies mainly to employees (including civil servants), self-employed persons, shareholders, and members of the administrative, management or supervisory body of an undertaking, volunteers and trainees, persons working under the supervision and direction of contractors, subcontractors and suppliers.

In this respect, it is irrelevant whether or not the employment relationship has ended or was not yet to begin since the notification. In the latter case, the information about the disclosed breaches must have been acquired during the recruitment process or the pre-contractual phase.

In addition, the protection also applies to facilitators (person who assists a reporting person in the reporting process and whose assistance should be confidential), third persons connected with the reporting person and who could suffer retaliation (such as colleagues or relatives), and legal entities that the reporting person owns, work for or are otherwise connected with in a work-related context.

The authors of disclosures concerning breaches related to financial services, products and markets, breaches related to the prevention of money laundering and terrorist financing are not required to prove that they obtained the information professionally to justify protection.

Finally, the following persons are not covered by the protection of this law:

1. persons who report offences to enforcement agencies for remuneration or compensation, provided that they are listed as informants on the basis of their informed consent or registered as such in databases managed by authorities designated at national level; and
2. persons making a warning or disclosure pursuant to an obligation arising from one of the sectoral Union acts.

3. What are the channels that can serve for a notification?

The law distinguishes three channels of notification. A notification is any oral or written communication of information on breaches.

The reporting channels are the following:

3.1 An internal reporting channel to be established within the company

Internal reporting is the oral or written communication of information on breaches within a legal entity in the private sector.

Legal entities with 50 or more workers must establish an internal reporting channel that can receive and process reports as well as internal reporting and follow-up procedures. This includes alerting management of a breach within the company.

For legal entities with 250 or more workers following up anonymous reports is mandatory, while companies with 50 to 249 workers do not have to handle them. Small companies (with fewer than 50 workers) are exempt from this obligation, except for companies in the financial sector.

The management of this internal reporting channel can be outsourced and, in any case, the implementation of the reporting channel should be subject to consultation with social partners.

3.2 External reporting channel

External reporting is the oral or written communication of information on breaches to the federal coordinator or to the competent authorities.

Regardless of the size of the company, this is a direct reporting channel for the whistleblower to the competent authorities in charge of monitoring the legislation in the scope within which the breach was committed.

The federal ombudsman will be responsible for investigating whether external reports have been made in accordance with the law and will refer the report to the competent authorities.

There is no obligation to first report the breach internally before making an external report.

3.3 Public disclosure

Public disclosure means the making of information on breaches publicly available.

Protection for this form of reporting is only possible if:

• the person first reported internally and externally, but no appropriate action was taken in response to the report and
• the person has reasonable grounds to believe that:
  • the breach may constitute an imminent or manifest danger to the public interest, or
  • in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed due to the particular circumstances of the case.

One thinks here of the possibility of evidence being withheld or simply destroyed, or of the authority colluding with or being involved in the breach.

4. How is the reporter protected?

Protection applies to any reporter (see section 2) who makes a valid report.

A valid reporter is someone who:

• had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the law. This criterion is assessed relative to a person in a similar situation and with similar knowledge; and
• reported either internally or externally, or made a public disclosure as mentioned in point 3 above.

The reporter does not lose the benefit of the protection if he makes a report in good faith that is subsequently found to be incorrect or unfounded.

This protection prohibits any form of retaliation against the reporting person. Any unfavourable treatment entitles the victim to specific compensation between 18 and 26 weeks' salary. This compensation cannot be cumulated with compensation for manifestly unfair dismissal.

A person reporting on breaches of legislation on financial services, products and markets who experiences retaliation may claim compensation in the form of a lump sum of 6 months' salary or the actual loss suffered. In these sectors, the whistleblower can also request reinstatement or respect for his or her working conditions.

Moreover, retaliation will be punished on the basis of level 4 social criminal sanctions (i.e. imprisonment and/or fines).

Whistleblowers who abuse the system will also be criminally sanctioned.

In the context of legal proceedings, the Federal Institute for the Protection and Promotion of Human Rights will be responsible for providing information, legal and financial assistance as well as technical, psychological, media and social support.

5. Conclusion

The new legislation to protect whistleblowers aims to increase the number of reports and detection of violations of EU and/or national law.

The law takes effect on 16 February 2023 for:

• companies with more than 250 workers and
• companies in the financial sector covered by provisions on financial services, products and markets and/or money laundering and terrorist financing, regardless of the number of workers.

Private undertakings with 50 to 249 employees will have until 17 December 2023 to set up internal reporting channels.

So undertakings with more than 250 workers will have to set up  an internal reporting channel as from 16 February 2023. Undertakings with at least 50 employees still have until 17 December 2023 to do so, with the exception of undertakings in the financial sector.