Implementing the Whistleblower Directive: When is it time and what to prepare?

Compliance Circle Webinar

The Compliance Circle held another webinar on 22 March 2022. CERHA HEMPEL Partners Bernhard Kofler-Senoner and Armin Schwabl as well as Senior Associate Christopher Peitsch looked at Austria’s implementation of the EU Whistleblower Directive. After setting out the current state of implementation in Austria, there followed a discussion of related data protection and labour law issues. Numerous representatives from different sectors took part in the online event.

The Compliance Circle is intended to give participants the opportunity to exchange ideas with experts and with each other and to benefit from expert presentations relevant to them.

Although the Directive has not been implemented in Austria yet, many questions on how to prepare for its introduction have already arisen. The answers to these questions will enable a timely implementation after the enactment of the actual law. 

Not yet implemented in Austria

Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the "Directive") entered into force on 16 December 2019 and was supposed to be transposed into national law by the Member States by no later than 17 December 2021 or, in some cases, 17 December 2023.

Austria and 23 other EU Member States have not yet implemented it, which is why the European Commission initiated infringement proceedings against them on 27 January 2022.

Currently, a draft dated 22 October 2021, prepared by the Federal Ministry of Labour for a federal law on the procedure to be followed and protection afforded in case of indications of violations in certain areas of law ("Draft Whistleblower Act"), is circulating in Austria.

The Draft Whistleblower Act is not yet a government bill, but a working draft prepared by the ministry responsible for departmental and legal matters. The text of the law ultimately adopted is likely to differ in some respects. 

The following overview summarises the central requirements of the Draft Whistleblower Act that are relevant for companies. We will provide an update as soon as the Austrian legislation has been finalized. We will then see whether and to what extent the Austrian legislator has made use of "gold plating" in relation to the minimum standard of the Directive.

Two core obligations for companies

Companies must establish a whistleblowing system and cannotpunish individuals for reporting suspected violations or for using the whistleblowing system.

Which companies are affected?

Following its entry into force, the Whistleblower Act will apply to legal entities under private law in certain areas (e.g. in the financial sector, prevention of money laundering and terrorist financing) and to companies with at least 50 employees.

If the Whistleblower Act fails to provide a definition of employee, recital 38 of the Directive would have to be consulted, which would mean that persons who have the status of "worker" and those in non-standard employment relationships, including temporary workers, may well have to be included in the calculations to determine the number of "employees".

When does my company have to act? 

Companies with at least 250 employees right after implementation (exact timing to be seen).

Companies with 50 to 249 employees as of 18 December 2023 (to be seen whether the actual Whistleblower Act to be implemented will extend this deadline).

Who are whistleblowers?

The whistleblowing system must be available for whistleblowing by current employees. In addition, it must be possible for certain "external" persons to provide information; these are, in particular, former employees, (probably also rejected) applicants, employees of business partners (e.g. suppliers) and shareholders.

What should be reported?

The whistleblower system must (only) be made available for reporting suspected violations of certain legal provisions based on EU-competence (explicitly mentioned in the Draft Whistleblower Act) (e.g. offences related to public procurement, traffic safety, etc.). Golden Plating of the Austrian legislator (in particular with respect to the major topic of anti-corrruption) is still to be seen.

How should the whistleblower system be designed?

Anonymity: As it stands, whistleblower systems apparently only have to be made available for non-anonymous reports.

Confidentiality: The company must keep (i) the identity of the whistleblower and (ii) the identity of the person affected by a whistleblower confidential.

Responsible body: The Draft Whistleblower Act introduces an obligation on the company to establish an internal body composed of persons authorised to receive and process information.

Ease of use: The company must provide clear information to make the whistleblowing system easy to use and encourage the employees to do so. It must be possible for whistleblowers to provide information either in writing or orally. The Draft Whistleblower Act also provides for a specific case handling procedure.

GDPR: The whistleblowing system must be implemented using appropriate technical and organisational measures, as referred to in Article 25 GDPR ("privacy by design" and "privacy by default").

What should my company pay particular attention to?

Labour law: It may be necessary to conclude a shop agreement as well as to inform the works council. In an operation without a works council, it might be required to obtain individual consent from all affected employees.

Data protection law: Apart from certain special provisions in the Draft Whistleblower Act, the data processing necessary for operating a whistleblower system is subject to the GDPR. When introducing the whistleblowing system, representatives of the data protection department should be involved from the beginning.

Can a company take action against a whistleblower?

The Draft Whistleblower Act prohibits any company from taking measures in retaliation for a justified tip-off (e.g. termination, mobbing, less favorable treatment in terms of pay, working conditions, etc).. Such measures are legally invalid or can lead to entitlements to damages. There is a reversal of the burden of proof in favor of the whistleblower, so that the employer must prove the existence of objective reasons.