What is regulated by the EU Whistleblower Directive?
The EU Whistleblower Directive 2019/1937 (hereinafter referred to as the "EU Directive") entered into force on 16 December 2019. By 17 December 2021, the EU Member States must have implemented the requirements resulting from the EU Directive into national law. The EU Directive aims to protect persons who report breaches of EU law (hereinafter "whistleblowers") from dismissal, demotion, and other discrimination. The term "whistleblower" does not only refer to current employees of the companies concerned. Rather, former employees, self-employed persons, consultants, applicants, volunteers, etc. are also considered whistleblowers in the sense of art. 4 of the EU Directive. The protection of such whistleblowers must at least relate to the reporting of wrongdoing in relation to EU law. However, individual member states are free to extend the protection to whistleblowing under national law.
In the future, whistleblowers will have the choice between submitting an internal report through the reporting channels provided by the company or submitting a report to the competent supervisory authority. Within seven days, the company must confirm receipt of the report to the whistleblower. Within three months, the company must provide the whistleblower with feedback on the steps that have been taken in the meantime. If there is no reaction to the report or if the whistleblower has reason to believe that there is a public interest in knowing about the grievances, a direct approach to the public is also permitted.
The obligation to provide an appropriate internal whistleblowing channel - compliant with the EU Directive and the EU General Data Protection Regulation (EU GDPR) - will apply to private and public sector companies with 250 or more employees as of 17 December 2021. Companies with a size of 50 - 249 employees will be granted a transition period until December 2023.
16 EU-Member States, including Germany, Italy and Austria, have missed the deadline for transposing the EU Directive by 17 December 2021. As a result, the EU Commission initiated infringement proceedings against these EU member States. On 27 July 2022, the draft law (Whistleblower Protection Act, HinSchG) to implement the EU Directive was presented by the German Federal Cabinet. The new law is now expected to be passed in autumn 2022 and enter into force three months later, i.e. probably in January 2023. In the remaining countries, apart from Hungary, the first steps of the implementation process have also been taken. In Austria, for example, the legislator published a new draft law on 3 June 2022, which has so far met with criticism from society.
As Switzerland is not a member of the EU, why might a Swiss company still have to comply with the EU Directive?
The EU Directive is not directly applicable in Switzerland. As Switzerland is not an EU member state, there is no obligation to implement the EU Directive into national law. A comparable regulation for the protection of whistleblowers does not yet exist in Switzerland, because the Federal Council's bill on "Protection in the event of reporting irregularities in the workplace" definitely failed in parliament on 5 March 2020 (cf. more about this here).
Swiss companies with business activities or business connections to the EU area are, however, exposed to the risk of falling within the scope of the EU Directive. The EU Directive is particularly relevant for Swiss companies that have business branches in the EU, which generally employ at least 50 people. The EU Directive is also applicable to whistleblowers who are not employed at an EU location of a group operating in the EU, but the reported wrongdoing or the criticised misconduct concerns a company location in the EU. Swiss companies with a branch in the EU are therefore well advised to ensure compliance with the EU Directive 2019/1937 in principle by ensuring an internal GDPR-compliant reporting possibility and investigation.
What aspects must a Swiss company consider when designing the reporting system and conducting internal investigations?
The selected reporting body of private companies must be able to receive information about wrongdoings or violations from whistleblowers either written or orally. However, contrary to popular belief, the assurance of anonymity is not mandatory according to the EU Directive. Regardless of this, however, the identity of the whistleblower must be kept confidential as far as possible in order to protect him or her from reprisals.
In practice, it is common for affiliated private sector group companies to share resources for receiving reports and possibly conducting investigations. According to Art. 8 No. 6 of the EU Directive, this should remain possible for legal entities in the private sector with 50 to 249 employees. According to the wording of this article, individual companies with 250 or more employees are no longer allowed to use the same resource for the receipt of reports and possible investigations. They must receive and process the reports themselves or conclude their own contracts with corresponding service providers. In doing so, they must ensure that the incoming reports are processed per company and that the internal investigations are also conducted independently of the other companies.
The crux of the obligation to provide an internal reporting system is in any case that the individual Member States may also decide on stricter implementation requirements of the EU Directive and thus a case-by-case assessment must always be made as to whether a reporting system and the handling of the reported indications meet the applicable requirements under the respective applicable EU and national law. Special attention must be given to the data protection requirements under the EU GDPR and national laws with regard to the handling of reported misconduct and maladministration. The sanctions under the EU GDPR, at four percent of global annual turnover, are usually many times higher than the sanctions under the EU Whistleblower Directive. The latter are to be determined by each EU member state itself. It must also be ensured that whistleblowers receive correct information on which national supervisory authority they can turn to as an alternative to the internal reporting office.
The companies concerned should therefore clarify as soon as possible which national regulations and contact bodies are potentially relevant due to their business activities in the EU area.
Summary
Swiss companies with business activities in the EU are required to provide an internal EU-compliant reporting system and adhere to the EU requirements regarding internal investigations. Nevertheless, we also recommend that other Swiss companies with international business activities and no branch offices in the EU provide internal reporting systems. In the absence of legal regulation, it is up to Swiss employers to regulate the processes for whistleblowing internally by means of company guidelines and thus create more legal certainty with regard to the question of the admissibility of whistleblowing reports and strengthen their corporate governance. Companies operating internationally in Switzerland are therefore well advised to closely examine the internal implementation of the EU Directive - not only in the EU area. The fundamental employment and data protection aspects of whistleblowing systems and internal investigations in Switzerland that need to be considered are described in more detail here.
We are happy to support you in assessing the national and European legal requirements applicable to your company and in designing such a reporting system and in internal investigations of the reported wrongdoings.
