The ABC of complaint channels. For non-specialists.


Without a doubt, two of the most sought-after concepts in the legal/business world in the last weeks of 2021 and the first weeks of 2022 are, and will be, the “whistleblowing channel” and “whistleblowing”. The cause is a new directive that should have been transposed on December 17 and is pending for the first quarter of 2022.

In this article we will try to summarize the topic so that you can go from zero to one hundred in 5 minutes. We will do it in the form of questions and answers.


What is the European whistleblower directive or EU 2019/1937?


EU Directive 2019/1937, or the whistleblower directive, is a European directive that affects organizations operating within the EU. Its main objective is to protect whistleblowers who report any irregularity happening in an organization. Initially, the irregularities covered are those that have an impact on the coffers of the Union, such as corruption, the environment, money laundering, public health and security, among others.

The directive had to be transposed by the different countries before 12/17/21. A few countries, such as Denmark, Sweden or Portugal, have done so; the rest, including Spain, have it pending, and it is expected in the first quarter of 2022. The transposition may change the initial scope of the directive, making it more restrictive, but at this time it is not known how it will be in Spain.


The key point of the directive is the protection of the complainant, but it also contains a legal requirement that will have an impact on many organizations. All companies with 50 or more workers must have an internal complaints channel on a mandatory basis. Likewise, public entities with more than 10,000 citizens must also have a channel.

Although discussion of the directive often focuses on the whistleblower channel, the channel is not the most important thing in it. It may, however, be mandatory to implement one depending on the size of the organization.


What is a complaints channel?

It is an information system that allows information to be exchanged between a person/whistleblower and the organization in a confidential and even anonymous way. The name “complaints channel” is not the best; in English we speak of “whistleblowing”, which could be translated as whistleblower. Synonyms for the reporting channel, perhaps with a more neutral meaning, are: ethical channel, alert channel, compliance channel or whistleblowing channel.

In Spain, an attempt has been made not to talk about a complaints channel, but with the translation of the directive referring to a complaints channel, it will be difficult to change the concept to something less “negative”.

What is a reporting channel for?

Thanks to the reporting channels, anyone who identifies an irregularity has a simple mechanism to report it and facilitate its identification and correction if necessary. With the reporting channels, the “police” are the employees, customers and/or suppliers themselves. With the policy, the whistleblower is protected from potential retaliation.


There are different regulations that require the implementation of a channel…

  1. Money laundering
  2. European Directive 2019/1937
  3. Criminal compliance
  4. ISO 37301
  5. Equality plans

Who should manage a reporting channel?

The channel must be managed by someone independent who can work without pressure, so that the channel’s work can be carried out diligently. It is not mandatory that it be someone external to the organization, but for organizations with fewer than 250 employees, the directive explicitly speaks of being able to have a channel shared by several organizations.
It is important that the channel manager is clear about the management protocols and the process that must be carried out. For certain channels, such as harassment channels, it may be necessary for the channel manager to have a specific qualification.


Are reporting channels mandatory?

The reporting channels are mandatory to comply with certain regulations. Thus, although criminal compliance is not mandatory, if it is implemented, it is mandatory to implement a reporting channel.


With the new directive, and in the absence of the detail of the transposition in Spain, a channel will be mandatory during 2022 for companies with 250 or more employees and for public administration. It will also be mandatory for companies with more than 50 employees, but everything indicates that the term for them will be until 2023.

Also pay attention to certain sectors affected by the Money Laundering Prevention Law, which must have a channel regardless of the number of employees.

What is a whistleblower?

“Whistleblower” is the Anglo-Saxon term used to refer to the complainant, the person who initiates the complaint.

What is the difference between an internal and external reporting channel?

Depending on who you ask, they will explain one thing or another. We, following the description of the European directive, understand that the internal channel is the one that must be implemented by the organization (company or public entity) to resolve complaints in the first instance, as indicated in the directive, within the organization itself. The internal channel can in turn be “outsourced”, both the software and the management. In fact, it is recommended that at least the software be outsourced, to avoid possible manipulation by personnel from the organization itself.


The external channel is the one that must be implemented by a public body to give continuity to the complaints that have been communicated through an internal channel, but have not been adequately resolved.

What elements are key to correctly implementing a whistleblowing channel?

The three key elements for a correct implementation of a complaints channel are:

  • Define the channel protocol and data protection. It is very important to define the specific scope of the channel, since the same tool can be used for different purposes and users must be previously informed of what can and cannot be reported by it.
  • Implement a tool with security guarantees. It is recommended, although not essential, that it be ISO 27001 certified and have a mechanism to integrate with the company’s user authentication systems, such as Azure AD, Google or similar.
  • Training and dissemination of the existence of the channel to promote its use.

What does data protection say about reporting channels?

According to Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, art. 24 of the specific rule:

1. The creation and maintenance of information systems through which a private law entity can be made aware, even anonymously, of the commission, within it or in the actions of third parties that contract with it, of acts or behaviors that could be contrary to the general or sectoral regulations that may be applicable, will be lawful. Employees and third parties must be informed about the existence of these information systems.

2. Access to the data contained in these systems will be limited exclusively to those who, whether registered or not within the entity, carry out internal control and compliance functions, or to those in charge of the treatment that may be designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of legal proceedings that, where appropriate, proceed.

Without prejudice to the notification to the competent authority of acts constituting a criminal or administrative offense, only when disciplinary measures could be taken against a worker, said access will be allowed to personnel with human resource management and control functions.

3. The necessary measures must be adopted to preserve the identity and guarantee the confidentiality of the data corresponding to the people affected by the information provided, especially that of the person who would have brought the facts to the attention of the entity, in the event that it had been identified.

4. The data of the person making the communication and of the employees and third parties must be kept in the complaints system only for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts.

In any case, after three months have elapsed since the introduction of the data, it must be deleted from the complaints system, unless the purpose of the conservation is to leave evidence of the functioning of the model for preventing the commission of crimes by the legal entity. Complaints that have not been processed may only be recorded anonymously, without the blocking obligation provided for in article 32 of this organic law being applicable.

After the period mentioned in the previous paragraph, the data may continue to be processed by the body responsible, in accordance with section 2 of this article, for the investigation of the reported facts, not being kept in the internal complaints information system itself.

5. The principles of the previous sections will be applicable to the internal complaint systems that could be created in the Public Administrations.


Am I going to receive many complaints through the channel?

Do not be afraid to implement a complaints channel. The volume of complaints is related to the size of the company and its culture. A channel is intended as a preventive tool and to identify and correct bad practices. The culture does not favor reporting, so as long as the culture does not change at a general and organizational level, it is not usual to receive too many complaints.
