How to be compliant with the EU Whistleblowing Directive?

This memorandum provides more information on how to be compliant with the upcoming European Whistleblowing Directive (the ‘Directive’) and its relation to SpeakUp®.

Objective Directive
Provide and promote a safe and secure way for persons to speak up about misconduct in their work environment.

Relevant dates

• Entry into force: 17 December 2019
• Transposing into national law: by 17 December 2021
• Compliancy for organisations >249 employees: 17 December 2021
• Compliancy for organisations 50-249 employees: 17 December 2023

Which entities?

• Private sector: organisations >50 employees
• Public organisations: all organisations, but exemptions are possible for municipalities with fewer than 10.000 inhabitants or fewer than 50 employees

Scope
Any report on a (potential) breach of European Union law.

Who will be protected?
All types of potential (anonymous) reporters are protected against retaliation and have to be supported. Reporters can be e.g. employees, interns, the self-employed, employees of a supplier, former employees, business partners or even third parties who are closely connected to a reporter such as colleagues or family members.

Required reporting channels
Organisations have to appropriately (e.g. clear, easily accessible and easy to understand) inform potential reporters on the following procedures and channels:

• Internal reporting channel: e.g. SpeakUp®. An effective and efficient channel for a well-informed employee without fear of retaliation.
• External reporting channel: competent national or EU authority, e.g. the Dutch House for Whistleblowers. An independent and autonomous channel for an (ex) employee who lacks trust in internal channels or due to unavailability of internal procedures/channels.
• Public reporting: e.g. media. For (a) an employee who is dissatisfied with internal/external follow-up on report, (b) an employee who wants to report on an imminent or manifested danger to the public interest, or (c) an employee who fears retaliation.

Enforcement
It is up to Member States to define penalties for natural and legal person who e.g. hinder reporting or retaliate against reporters.

SpeakUp®: compliant internal reporting channel
SpeakUp® provides a safe environment for (anonymous) reporting and trusted communication on misconduct.

Requirements European Whistleblowing Directive

• Designed, established and operated in a secure manner (art. 9.1.a)
  SpeakUp®  is designed in compliance with the principles of privacy by design and data minimalization. This means that no personal data on ta reporter is purposely collected. Personal data never leaves the secured environment. The unique SpeakUp® method is completely certified and quarterly audited: ISAE 3000 Type II Assurance, based on ISO27001/2 standards.
• Acknowledgment of receipt of report, within 7 days (art. 9.1.b)
  An acknowledgment of receipt of the report can be sent to the reporter via SpeakUp® right away.
• Designated persons/department (art. 9.1.c)
  In SpeakUp®  you can designate a person/department, fully responsible for the handling and following up of reports
• Diligent follow-up of (anonymous) reports (art. 9.1.d-e)
  SpeakUp® is designed to accommodate a diligent follow-up by the authorised users who can directly communicate with (anonymous) reporters.
• Timely feedback, within 3 months (art. 9.1.f)
  SpeakUp®  allows for timely feedback to the reporter and even notifies you when 3 months have passed with no action taken (e.g. informing on investigation or case closure).
• Inform on external reporting (art. 9.1.g)
  Information on external reporting (Member State or Union level)  can be included in your SpeakUp® policy.
• Report in writing and/or orally (art. 9.2)
  SpeakUp® allows for both web & phone reporting.
• Ensure confidentiality (art. 16)
  SpeakUp®  is based on a strict authorisation model and provides reporters a confidential and anonymous channel to report misconduct and communicate with authorised users only.
• GDPR compliance (art. 17)
  SpeakUp®  is 100% GDPR compliant. SpeakUp®  is certified under the European Privacy Seal.
  SpeakUp® automatically deletes personal data which is not relevant for handling a report.
• Record keeping of the reports (art. 18)
  SpeakUp® allows for record keeping of reports. Reports will be logged and a warning system on data retention periods is in place.