GDPR and European directives governing whistleblowing


Whistleblowing: what it means

In the European Union, all data must be processed in compliance with the General Data Protection Regulation (GDPR), and data relating to whistleblowing is no exception. Whistleblowing is an institution which aims to regulate and protect the conduct of the whistleblower.

The phenomenon of whistleblowing originates in countries where the common law system is in force and has been regulated since the end of the 19th century with the False Claims Act, the law which aimed to reduce fraud by suppliers of munitions and war materials during the Secession. Since the 1980s, the discipline has been supplemented by other regulatory interventions such as, for example, the Whistleblower Protection Act.

Whistleblower: what it is and how the reporting process works

In English, the word whistleblowing – literally “to blow the whistle” – refers to the spontaneous disclosure made by an individual, called the whistleblower – the one who “blows the whistle” – who witnesses an offense or irregularity, potentially harmful to the community, committed within the organization for which they work.

The whistleblower figure was developed in the United States of America, and some believe that the definition recalls the image of the referee who “blows” the whistle to stop the game in case of irregularity: the same action is attributed to the employee who reports an offense. The whistleblower is often an employee but can also be a third party, such as a supplier, a consultant or a customer.

There are two types of whistleblowing reports:

  • Inside reports: when the report is made through the company's internal channels by employees or third parties of an organization who witness illegal or fraudulent conduct;
  • Outside reports: when the report is made through the judicial authority, the media or the competent associations. Those who make use of this practice generally do so because they lack trust in their company, as it doesn’t guarantee a system of protection for the whistleblower.

In short, the whistleblower is usually the one who discovers and reports facts that cause or could cause damage to the public or private organization in which they work or to the individuals who relate to it, like customers and shareholders. Thanks to the activity of whistleblowers it is possible to prevent dangers, for example those related to fraud or health care, by informing the company or its stakeholders about the risk before the actual damage occurs.

If set up at all levels of the company and suitably protected, whistleblowing favors free communication within the organization, greater participation in its progress and correct implementation of the internal control system. To manage this well, the whistleblowing system must:

  • Be easily accessible and usable;
  • Ensure the protection of each whistleblower;
  • Ensure the monitoring and management of reports;
  • Provide quick interventions after a fact gets reported.

Whistleblower: a few examples

To make it simple, let’s focus on two examples that may help to understand who a whistleblower is and what exactly they do.

The whistleblower can be an employee of the accounting department of a company who notices mistakes in the balance sheet or money laundering, as in the case involving the British banker Howard Wilkinson and Danske Bank. Likewise, the whistleblower can be the researcher of a pharmaceutical company who has become aware that the drug about to be launched on the market has not passed all the quality and safety tests and may have dangerous side effects.

Of course, these are common examples that can differ according to the working sector and the type of conduct. Other reports of irregularities, in fact, may relate to bribes, leaks of corporate information, theft, abuse of power or forgery of documents.

The European laws about whistleblowing

The European Whistleblowing Directive came into force on December 16th 2019, with the goal of providing whistleblowers with equal protection in all Member States, harmonized between the various sectors. It introduces common rules on the adoption of confidential and secure reporting channels that ensure effective protection, as well as safeguards against possible retaliation.

EU Directive 2019/1937 affects all companies, both public and private, and government organizations with 50 or more employees. It also applies to local authorities and municipalities with more than 10,000 inhabitants. These entities must provide employees with methods to report wrongdoing and set up systems to check and act on reports once they are made. Each organization must also take measures to protect the identity of whistleblowers and comply with the GDPR to ensure that the whistleblower doesn’t face any recriminations for reports made in good faith.

Competitive bidding processes are a key area and a good example of public governance where implementing a whistleblowing system is very important. The reason is that, with the large sums of money circulating in the industry, there are numerous opportunities for corruption to occur. Indeed, according to estimates, corruption costs EU taxpayers up to €120 billion per year, around 1% of EU GDP, and this can increase the cost of public procurement by up to 15%. If Member States put strong whistleblower protections in place, more insiders would feel safe providing information that can help reduce corruption and save money across the 27 countries.

The Directive protects anyone who has a professional relationship with the organization, so it includes:

  • Employees, including former ones whose work contract ended;
  • Freelance workers;
  • Contractors and subcontractors;
  • Providers;
  • Shareholders;
  • People in managerial roles;
  • Candidates for recruitment;
  • Volunteers and trainees, paid or unpaid.

Whistleblowing: what protections does the European Directive offer?

Article 19 of the Directive lists the safeguards against retaliatory actions by affected organizations or individuals, which protect whistleblowers as well as their families and the colleagues who have supported them in their reporting.

Member States must take the necessary measures to forbid any form of retaliation, including threats and other wrongdoing like:

  • Dismissal or suspension;
  • Demotion of rank or failure to promote;
  • Change of functions, workplace and/or working hours;
  • Reduction of the salary;
  • Suspension of training;
  • Negative references;
  • Disciplinary measures, unfair scolding or even pecuniary sanction;
  • Coercion, intimidation, harassment or ostracism;
  • Discrimination with unfair treatment;
  • Failure to convert a fixed-term employment contract into a permanent employment contract, especially if the worker had legitimate expectations for that;
  • No renewal or termination of a fixed-term employment contract, if the whistleblower works for the company;
  • No renewal or termination of a supply contract, or the cancellation of a license, if the whistleblower is a provider or cooperates with the company from the outside;
  • Damage to reputation, especially through the Internet or by submission to psychiatric or medical tests, and financial damage, including loss of income and new opportunities;
  • Blacklisting under a formal or informal sector agreement, which may make the whistleblower unable to find new employment.

Moreover, the directive ensures that the whistleblower is protected for his action even if he’s required to be silent by his own employment contract, a non-disclosure agreement or clause, company’s copyrighted material or any other document.

Article 20 of the Directive, in turn, details the support measures available to whistleblowers. They are provided from the moment the whistleblower actually makes a report, no matter if internally within the organization, externally to the authorities or through public channels such as the media. This protection includes the provision of free and comprehensive information on their rights, legal assistance to oppose retaliation, financial assistance and access to psychological support.
