The EU Whistleblowing Directive: Everything You Need to Know

Amine Gharby, head of sales at Euronext Corporate Services, hosted a webinar on the impact of the EU Whistleblowing Directive on Belgian corporates.

Known as the Whistleblower Act, the new law became active on February 15th 2023 for companies with 250 or more employees, applying to those employing between 50 and 249 from December 17th 2023. 

Joining Amine in the studio were Grégory de Sauvage, Tom De Cordier and Katrien Leijnen of Belgian law firm CMS. 

Requirements of the directive 

Senior Associate, Employment & Pensions at CMS, Katrien Leijnen, began with an overview of the EU Whistleblowing Directive. Although each member state can make the directive more stringent when transposing it into national law, Katrien recapped the minimum requirements from the directive, which include:  

• Affected company must establish internal reporting channels for whistleblowing 
• Member states must establish competent external reporting channels 
• Member states must ensure companies have protections in place for whistleblowers, prohibiting retaliation and offer support and advice for reporting persons 
• The law should apply to all persons who acquire knowledge of breaches of EU law in a work context 
• This is not just restricted to employees, but also executives, contractors, volunteers and more.   

When Belgium transposed the directive, it extended the scope to cover national law, too.  

The internal reporting channels must:  

• Allow for oral or written reporting, or both 
• Allow the option for a face-to-face meeting 
• Acknowledge receipt of a report within seven days 
• Designate an impartial person or department to follow up 
• Send the reporting person feedback on the investigation within three months

Implications for Belgian employment law 

Katrien Leijnen said companies could implement their reporting process through work rules or their company policy and should make sure to adhere to national legislation over the use of language. They should provide a tool in French, German and Dutch, with an English translation if necessary.   

She also stressed the importance of communicating the policy to employees and conducting training to familiarise them with it. In addition, informing employee representative bodies of the policy is advisable.  

Investigations under Belgian law 

In order to investigate reports, Belgian law allows the impartial department or person to conduct interviews with relevant parties (in French, German or Dutch as appropriate). It is also important to gain the employee’s signature regarding their evidence in order to use it in the investigation.  

It is also possible to search offices, laptops and mobile phones and to conduct camera surveillance. However, there are rules surrounding these actions to make sure you remain compliant.   

Some companies question whether they can compel employees to cooperate with the investigation. Katrien Leijnen said that Belgium’s employee loyalty obligation meant that current serving staff have a duty to answer questions. But, they need to be balanced against the right not to self-incriminate.   

For former employees, there is no formal obligation to cooperate. This might require the company to make an agreement with outgoing staff to join the investigation, if required, at a later date.  

Sanctions for misconduct 

Any potential sanctions for breaches found by an investigation into a whistleblowing report must be listed in the work rules.  

Companies must be aware that, if they wish to suspend an employee, this needs the consent of that employee, according to Belgian law. It is also possible to implement a series of sanctions and even to request damages from a guilty party. 

Data protection aspect of the law 

The General Data Protection Regulation (GDPR) governs the use of personal data. In order to remain compliant when implementing a whistleblowing reporting channel, CMA’s Commercial Law partner Tom De Cordier said that companies will be covered for holding accused persons’ personal data without their consent by having legal grounds and a legitimate interest to do so.  

The report must be handled confidentially, as required by both the EU Whistleblowing Directive and GDPR. In addition, companies in Belgium with 250 or more employees can investigate anonymous reports from whistleblowers. There need to be controls to prevent the data from being modified without consent or deleted. 

Tom De Cordier warned against expanding the scope of the reporting channel too widely, as it could be considered disproportionate to collect personal data for minor infractions.  

Another concern is the concept of data transfers outside of the EU, which GDPR forbids except in certain circumstances. Using non-EU companies to set up reporting channels could contravene this rule.  

Organisations must also be transparent with users about their data being used in an investigation. Also, you can delay this if it would hinder the investigation. And businesses should not hold the data longer than necessary or keep irrelevant information.  

Tom De Cordier recommended running a data protection impact assessment, even though it is not a requirement in Belgium.  

Sanctions for non-compliance 

For companies that do not comply with the Whistleblower Act, there can be sanctions as illustrated in the directive. Partner in Corporate/MA, Insolvency & Restructuring at CMS, Grégory de Sauvage discussed the EU-wide implications, stating that there should be “effective, proportionate and dissuasive penalties for hindering reporting, retaliating against whistleblowers or failing to maintain the confidentiality of reporting persons. In turn, if it is proved that reporting persons knowingly reported false information, they can be pursued by the company for damages.”  

In Belgian’s transposition of the directive, employers can face fines of between €2,400 and €24,000 per employee, up to a maximum of 100 employees, for failing to provide an internal whistleblowing channel. If the company or its employees infringe the rules, such as obstructing a report, there can be custodial sentences of up to three years and fines of between €4,800 and €48,000.  

Under Belgian law, there is a system for bringing criminal sanctions against legal persons. This means that directors can be held liable.