Whistleblowing

The whistleblower system - reporting misconducts

As of 2019, the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of whistleblowers, the so-called Whistleblower Protection Directive, are in force. Member States are required to implement its provisions by 17 December 2021. A "whistleblower" is a person in a private or public company whose mission is to report any irregularities in the company or unfair activity of the employer. Today, these individuals are particularly vulnerable to discrimination or retaliation and often choose not to raise their concerns for fear of adverse effects. The European Union authorities have therefore decided to ensure balanced and effective protection of whistleblowers under EU law, thus obliging Member States to implement appropriate legal provisions guaranteeing such protection.

Time for implementation

As a first step, all member states have until December 17, 2021 to issue regulations implementing the Directive, which will apply to public sector entities and private sector entities, i.e., companies with at least 250 employees. These entities are required to establish procedures and implement tools that meet the requirements of the Directive.

With respect to private entities that employ between 50 and 249 employees, transitional provisions apply, for which the time for implementing the Directive has been extended twice - until December 17, 2023. The 50-employee limit does not apply to legal entities that operate in the financial sector, civil aviation, maritime transport and activities in the area of offshore oil and gas fields.

The implementation of the Directive will impose new obligations on businesses, including:

Provide an internal whistleblowing/incident reporting channel (or adapt existing channels) and establish and implement procedures for making reports so that the identity of the person making the report is not disclosed, without that person's explicit consent, to any person who is not an authorized member of the staff competent to receive and follow up on reports;
Maintain an internal record of all incident reports in accordance with confidentiality requirements. Reports should not be kept longer than necessary and proportionate to ensure compliance with the requirements laid down in this Directive or other requirements laid down in Union or national law;
Take appropriate action in relation to identified breaches.

The provisions of the Directive do not expressly set out the technical and organizational measures that companies should implement. The obligation to specify lies with the member states that implement the Directive.

Polish law implementing the provisions of the Directive has not yet been enacted, however the obligation to provide an appropriate notification channel rests with the companies, which are obliged to activate it by 17 December 2021.

Simple and safe solution

While waiting for national legislation, all companies can already prepare themselves to ensure proper protection of whistleblowers by implementing a dedicated IT solution - EQS Integrity Line - a secure whistleblowing system in Poland and the EU.

The vendor of the system is a leading provider of whistleblowing solutions in Poland and Europe
The system offers the possibility to report through several dedicated secured channels
The system allows two-way confidential communication between the reporter and the organization
The system is integrated with a secure channel for managing reports
The system is available in Polish and all other languages
Guaranteed GDPR compliance with ISO 27001 certification

The system guarantees the anonymity of whistleblowers and ensures that their identity cannot be traced by technical means. EQS Integrity Line is hosted on external high-security servers with ISO 27001 certification. These servers do not store IP addresses, location data, device specifications or other data that could allow conclusions about the whistleblower's identity.

The whistleblower can choose whether to remain anonymous or provide any personal information. In all cases, the content of the report is sent highly encrypted using a public-private key procedure (PGP) with 2048 RSA bits. In addition, all communication with the server is done over a secure HTTPS connection.