Whistleblower guideline for private companies and public bodies

The qualityaustria experts Eckehard Bauer, MSc, Executive Vice President Business Development Safety Management, Business Continuity, Risk, Security, Compliance and Transport and Martin Fridl, Network partner, Product Expert Compliance and Anti-bribery management systems have summarized all important information for you in a compact article!

Timing:

• General implementation of the EU directive into national law by December 17^th, 2021 (currently open).
• The Austrian legislature still has to determine which authority (s) will be responsible for such reports in Austria.
• Graduation of the entry into force according to company size:
  • > 249 employees: December 17, 2021 Mandatory compliance with internal whistleblowing channels
  • 50-249 employees: mandatory compliance for organizations from December 17, 2023

Area of application:

Any report of a breach or potential breach of EU law. That means:

• The provisions of the directive only apply to reports of legal violations in certain areas of Union law. The following are recorded, for example:
  • Violations related to public procurement (procurement procedures), financial services, public health,
  • The protection of privacy and data protection or internal market rules (free movement of workers)
  • Misconduct in other areas / on other topics - such as in anti-discrimination law (but that will be the largest proportion!) - are not covered by the directive. The Austrian legislature could extend these rights and obligations to other areas, but nothing of this is included in the government program.

Procedure – three-stage reporting system:

1. internal reporting channels;
2. external reporting channels and
3. a disclosure (as part of which information is made publicly available).

The basic rule is that whistleblowers must first exhaust the internal reporting channels before they continue to report. Under certain conditions, the whistleblower may contact the responsible authorities directly (external reporting channels). For example, if no “suitable measures” are taken after an internal report or there is no internal reporting system at all. If these reporting systems do not (also) work or if the whistleblower has, for example, “sufficient reason” from the outset to assume that a violation could directly or obviously jeopardize the “public interest”, he may even make information about a violation directly publicly available (e.g. go to the media). According to the directive, making information publicly available should only be permitted in exceptional cases, but it only describes the requirements for this in a general way (possibly too complicated questions of interpretation in practice).

Legally important for the system and the handling of whistleblower information is:

• Safely designed, set up and operated (Art. 9.1.a)
• Confirmation of receipt of the report within seven days (Art. 9.1.b)
• Designation of a person or department (Art. 9.1.c) Attention: independence
• Proper follow-up on anonymous and non-anonymous reports (Art. 9.1.d-e)
• Prompt response, within three months (Art. 9.1.f)
• Guarantee of confidentiality (Art. 16)
• Conformity with the GDPR (Art. 17)
• Documentation of reports (Art. 18)

Normative support is provided by the following management system standards ISO 37001 (Management Systems) and ONR 192050 "Compliance Management Systems (CMS) - Requirements and Instructions for Use" and in parts ISO 37301 (Compliance Management Systems).