Here is a general presentation of the bill (hereafter the Bill). An updated newsletter will be sent to you as soon as the Bill has been voted on in its final version.
An extended and strengthened protection regime[1]
Whistleblowers who, in the course of their professional activities, report or disclose specific infringements will soon benefit from an extended and strengthened protection regime. Unlike the Directive, the Bill covers breaches of all national law (including, therefore, labour law) and not just the financial services, the prevention of money laundering and terrorist financing, the protection of privacy and personal data, and the security of networks and information systems.
Protection provided by reporting channels and legal remedies for whistleblowers
In order to ensure the protection of whistleblowers, two main courses of action are envisaged:
- The establishment of internal and external reporting channels and, in some cases, the possibility of public disclosure; and
- The introduction of legal protection for whistleblowers and their relatives, which includes the establishment of legal remedies in the event of reprisals (such as dismissal, non-renewal of a fixed-term contract, refusal to promote, the changing of workplace or working hours, intimidation, etc.), the latter being prohibited and punished in all their forms.
Protection not limited to employees of the company
The protection will not only apply to employees, but also to trainees, volunteers, self-employed workers, job applicants, former employees, etc. Its scope is very broad.
Creation of a reporting office
The Bill provides for the creation of a reporting office, whose mission will be to inform and help whistleblowers in their approach.
How should employers prepare?
Companies with more than 50 employees will be obliged to set up internal reporting channels, inform employees of the implementation and use of this system (e.g. who will process the information and how will internal investigations be conducted?) and ensure that infringements reported by whistleblowers are taken seriously and followed up.
Reporting channels may be managed internally by a designated person or department, or provided externally by a third party.
Channels for receiving reports should be designed, established and managed in such a way as to ensure the anonymity of the whistleblower and any third parties mentioned in the report. Any processing of personal data carried out in this regard must comply with the General Data Protection Regulation (the GDPR), particularly with respect to the principle of data minimisation (ie only data relevant to the report may be processed).
In order to prioritise internal reporting and thus minimise the financial and reputational risks associated with public disclosures, it is recommended that companies ensure that their internal reporting channels are efficient and easy to use. In this respect, the implementation of an electronic/online whistleblowing system, compliant with the GDPR, has the advantage of guaranteeing the security and anonymity of whistleblowers.
The channels and procedures for internal reporting and follow-up will be established after the involvement of staff representatives.
From when will the obligation relating to internal channels apply?
The Directive and the Bill both provide for a transition period lasting until 17 December 2023, after which the obligations relating to internal channels within legal entities that operate in the private sector and which employ between 50 and 249 workers will come into force.
For companies operating in the private sector with 250 or more employees, the requirement to set up internal channels should be immediate.
[1] In the area of financial services, detailed rules on the protection of whistleblowers already exist. These special sectoral laws will, in principle, not be affected by the general provisions of this bill.