27. Sep 2021

Important information summarized for you

Whistleblower guideline for private companies and public bodies

In October 2019, the EU passed Directive (EU) 2019/1937 on the protection of whistleblowers. Its provisions must be implemented as minimum standards in national whistleblower legislation in all EU member states by December 2021 in order to protect whistleblowers from reprisals.

The qualityaustria experts Eckehard Bauer, MSc (Executive Vice President Business Development Safety Management, Business Continuity, Risk, Security, Compliance and Transport) and Martin Fridl (Network partner, Product Expert Compliance and Anti-bribery management systems) have summarized all the important information for you in a compact article.


  • General implementation of the EU directive into national law by December 17, 2021 (currently open).
  • The Austrian legislature still has to determine which authority or authorities will be responsible for such reports in Austria.
  • Staggered entry into force according to company size:
    • > 249 employees: mandatory compliance with internal whistleblowing channels from December 17, 2021
    • 50-249 employees: mandatory compliance for organizations from December 17, 2023

Area of application:

Any report of a breach or potential breach of EU law. That means:

  • The provisions of the directive only apply to reports of legal violations in certain areas of Union law. The following are covered, for example:
    • Violations related to public procurement (procurement procedures), financial services and public health
    • The protection of privacy and data protection, or internal market rules (free movement of workers)
  • Misconduct in other areas or on other topics, such as in anti-discrimination law (but that will be the largest proportion!), is not covered by the directive. The Austrian legislature could extend these rights and obligations to other areas, but nothing of this kind is included in the government program.

Procedure – three-stage reporting system:

  1. internal reporting channels;
  2. external reporting channels and
  3. a disclosure (as part of which information is made publicly available).

The basic rule is that whistleblowers must first exhaust the internal reporting channels before they report further. Under certain conditions, the whistleblower may contact the responsible authorities directly (external reporting channels), for example if no “suitable measures” are taken after an internal report or if there is no internal reporting system at all. If these reporting systems (also) do not work, or if the whistleblower has, for example, “sufficient reason” from the outset to assume that a violation could directly or obviously jeopardize the “public interest”, they may even make information about a violation directly publicly available (e.g. go to the media). According to the directive, making information publicly available should only be permitted in exceptional cases, but it describes the requirements for this only in general terms (possibly leading to complicated questions of interpretation in practice).

The following points are legally important for the system and the handling of whistleblower information:

  • Secure design, setup and operation (Art. 9.1.a)
  • Confirmation of receipt of the report within seven days (Art. 9.1.b)
  • Designation of a person or department (Art. 9.1.c); attention: independence
  • Proper follow-up on anonymous and non-anonymous reports (Art. 9.1.d-e)
  • Prompt response, within three months (Art. 9.1.f)
  • Guarantee of confidentiality (Art. 16)
  • Conformity with the GDPR (Art. 17)
  • Documentation of reports (Art. 18)

Normative support is provided by the management system standards ISO 37001 (Management Systems) and ONR 192050 "Compliance Management Systems (CMS) - Requirements and Instructions for Use" and, in parts, ISO 37301 (Compliance Management Systems).
