New European legal framework on the protection of whistleblowers who report breaches of the Union law

02 September 2021

The deadline for introduction into Bulgarian legislation of Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law adopted in 2019 (the “Directive”) is approaching. The European act (the so-called “Whistleblower directive”) should be transposed locally by December 17, 2021. The implementation of the Directive at local level shall inevitably result in new obligations and regulatory burden for certain business sectors, which should envisage internal procedures in order to ensure an appropriate level of compliance with the requirements of the new regulatory framework.

The main purpose of the Directive is to make it possible for certain categories of persons (the so- called “whistleblowers”) to report breaches of EU law. In addition, the whistleblowers shall be subject to appropriate protection, i.e. prohibition for undertaking the so-called retaliatory actions against them, including prohibition for dismissal, demotion, suspension, disciplinary measures, etc.

Entitled to submit signals shall be employees, as well as self-employed persons, shareholders, board members, subcontractors, suppliers. As a general rule, the whistleblowers shall not bear civil, administrative, disciplinary or criminal liability, in case they violate loyalty or confidentiality clauses when disclosing breaches.

Moreover, the whistleblowers shall have “immunity” when disclosing documents to which they have lawful access (making copies or exporting them from the employer's premises) in breach of contractual or other clauses stipulating that the documents are property of the organization concerned.

On the practical side, the Directive introduces a three-tier alert system:

  • Internal reporting system developed by the respective obliged company;
  • External reporting through specialized state authorities;
  • Public disclosure in the media (including, for example, public forums or social networks).

The organizations obliged under the Directive are determined by introducing respective thresholds concerning the number of employees hired. As a general rule, the Directive obliges companies with more than 50 employees to establish internal rules and procedures ensuring the possibility breaches to be reported. As a standard, accordingly the Directive also provides for exceptions for certain entities (e.g. those providing financial services), as in certain cases and sectors the specified threshold for number of employees may not apply.

Businesses and in particular companies operating in a various countries and/or having higher number of employees hired should comply with the Directive, as:

  • Implement internal policies and procedures or adapt existing ones to ensure their compliance with the Directive;
  • Provide information on these procedures;
  • Review their business standards and arrangements taking into account the new rules.

The technical manners for reporting could vary, e.g. in writing by post, through a complaint box, through an online platform (whether via an intranet or an internet platform), orally via telephone by setting up a hotline or another voice messaging system. Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party.

In conformity with other relevant Union acts, any processing of personal data in connection with the performance of the obligations under the Directive should also be carried out in accordance with the General Data Protection Regulation (GDPR). The European act also obliges the Member States to envisage effective, proportionate and dissuasive sanctions for infringements of the Directive.

Of course, it remains to be monitored how the Directive shall be transposed in the Bulgarian legislation within the set deadline - December 17, 2021, where the expectations in the sector are that the implementation is to be made by the adoption of an entirely new legislative act in the next months (approach, which should be supported, in our opinion). In addition, it is also uncertain which Bulgarian authority or authorities shall be entrusted with powers in the field of reporting breaches under the Directive.

In view of the above, the businesses should undertake timely and appropriate measures in fulfilment of their obligations under the Directive in order to avoid falling into non-compliance with the new requirements. Of course, the Penkov, Markov and Partners team is available to provide any advice and assistance on the topic aimed at bringing the activities of the companies in line with the new regulatory framework.

Of course, you can contact us for additional information and assistance at lawyers@penkov-markov.eu.