27. Sep 2021

Important information summarized for you

Whistleblower guideline for private companies and public bodies

In October 2019, the EU passed a directive ((EU) 2019/1937) on the protection of whistleblowers. Its provisions must be implemented as minimum standards in national whistleblower legislation in all EU member states by December 2021 in order to protect whistleblowers from reprisals.

The qualityaustria experts Eckehard Bauer, MSc (Executive Vice President Business Development Safety Management, Business Continuity, Risk, Security, Compliance and Transport) and Martin Fridl (Network partner, Product Expert Compliance and Anti-bribery management systems) have summarized all important information for you in a compact article!


  • General implementation of the EU directive into national law by December 17, 2021 (currently open).
  • The Austrian legislature still has to determine which authority or authorities will be responsible for such reports in Austria.
  • Staggered entry into force according to company size:
    • > 249 employees: mandatory compliance with internal whistleblowing channels from December 17, 2021
    • 50-249 employees: mandatory compliance for organizations from December 17, 2023

Area of application:

Any report of a breach or potential breach of EU law. That means:

  • The provisions of the directive only apply to reports of legal violations in certain areas of Union law. The following are covered, for example:
    • Violations related to public procurement (procurement procedures), financial services, public health,
    • The protection of privacy and data protection or internal market rules (free movement of workers)
  • Misconduct in other areas or on other topics, such as anti-discrimination law (but that will be the largest proportion!), is not covered by the directive. The Austrian legislature could extend these rights and obligations to other areas, but nothing of this kind is included in the government program.

Procedure – three-stage reporting system:

  1. internal reporting channels;
  2. external reporting channels and
  3. a disclosure (as part of which information is made publicly available).

The basic rule is that whistleblowers must first exhaust the internal reporting channels before they report further. Under certain conditions, the whistleblower may contact the responsible authorities directly (external reporting channels), for example if no “suitable measures” are taken after an internal report or if there is no internal reporting system at all. If these reporting systems also do not work, or if the whistleblower has, for example, “sufficient reason” from the outset to assume that a violation could directly or obviously jeopardize the “public interest”, he may even make information about a violation directly publicly available (e.g. go to the media). According to the directive, making information publicly available should only be permitted in exceptional cases, but it describes the requirements for this only in general terms (possibly raising complicated questions of interpretation in practice).

The following points are legally important for the reporting system and the handling of whistleblower information:

  • Reporting channels are designed, set up and operated securely (Art. 9.1.a)
  • Confirmation of receipt of the report within seven days (Art. 9.1.b)
  • Designation of a person or department (Art. 9.1.c); note: independence
  • Proper follow-up on anonymous and non-anonymous reports (Art. 9.1.d-e)
  • Prompt response, within three months (Art. 9.1.f)
  • Guarantee of confidentiality (Art. 16)
  • Conformity with the GDPR (Art. 17)
  • Documentation of reports (Art. 18)

Normative support is provided by the management system standards ISO 37001 (Management Systems) and ONR 192050 "Compliance Management Systems (CMS) - Requirements and Instructions for Use" and, in parts, ISO 37301 (Compliance Management Systems).

