On April 16, 2019, the Council of the European Union approved the Directive of the European Parliament and the Council on the protection of persons reporting breaches of Union Law (known as the Whistleblowing Directive), which came into effect on December 17, 2019, having a transposition period of two years (December 17, 2021). However, a special term was established until December 17, 2023, for its implementation in legal entities which hold 50 to 249 workers within the private sector.
Unlike the United States, whistleblowing in Europe is not expressly regulated, thus allowing companies to create these channels. It is basically reduced only to a series of recommendations made by the data protection control authorities, as well as a certain normative.
During the implementation process, Member States may expand the scope of what can be reported, that is, expand the scope of protection for the reporting person.
Whistleblowing refers to those mechanisms that companies make available to their employees, such as complaint channels, suggestion boxes, etc., so that they can report conduct, events or actions that violate internal regulations, codes of ethics or current legislation.of the company.
There are different methods, at the choice of the company, to channel internal reports, such as a phone number, an application or an email address.
It could also be conducted externally by a specialized company.
What is essential is that the complaint has to be made confidentially (not anonymously) and safely, to avoid possible reprisals against the complainant.
In this sense, the Spanish Agency for Data Protection (AEPD) indicates that the filing of any anonymous complaint should not be allowed, as confidentiality of the complainant’s identity is a sufficient guarantee.
Therefore, once the company has evidence, it must investigate the facts that are the subject of the complaint, and if applicable, sanction the offending worker.
The follow-up of the complaint must be carried out by a body independent of the company’s management.
In general, only the Compliance Officer and all those who need access in order to investigate the facts alleged by the complainant will be able to access the data.
According to what is established in article 31 bis of the Criminal Code, provided that the company has adopted, prior to the commission of the act, organization and management models that foresee surveillance and control measures with the aim of reducing the risk or avoiding the commission of criminal acts, will be exempt from any criminal liability, hence the importance of the implementation of these reporting channels.
In Spain, to date, the Directive has not been yet transposed, so we understand that private entities will not be obliged to implement internal complaint channels, as long as the Spanish State puts into force the necessary legal provisions for it. .
However, regardless of whether or not the creation of a whistleblower channel is mandatory before the effective transposition of the Directive, it is recommended that companies implement it as soon as possible and thus encourage the reporting of irregularities internally instead of externally, which is very useful for detecting and correcting misconduct. Establishing a values-based corporate culture in which employees feel protected and can easily communicate their ethical concerns will also make it easier to report wrongdoing.