Skip to main content

Whistle(blowing) While You Work

Oct 28, 2020

Table of contents
    Kaisa Fahllund

    I’m in charge of the Contracts Team at Berggren. My mission is to draft contracts that are so good that they leave no room for disputes and, if a dispute should arise, the contract will provide effective tools for resolving the dispute in our client’s favor.

    The European Union whistleblowing directive ((EU) 2019/1937) obliges private and public sector companies, corporations and other entities to establish means for employees to report breaches of EU law and protects such employees from retaliation by the employer.

    Background and Timing of the EU Whistleblowing Directive

    The concept of "whistleblowing" refers, of course, to exposing misconduct and breaches of law. The Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law makes the procedure for reporting suspected breaches compulsory throughout the EU. The provisions of the Directive must be implemented by EU member states by 17 December 2021. Private sector corporations having between 50 and 249 employees have two additional years before the Directive takes effect on 17 December 2023.  

    Application and Scope of the EU Whistleblowing Directive

    The Directive obliges private sector corporations having more than 50 workers to establish internal reporting channels and procedures for employees to report breaches of EU law in specific sectors or industries covered by the Directive. Member states, however, may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, and public sector entities with fewer than 50 workers from this obligation. On the other hand, based on a risk analysis, member states may oblige private sector corporations having fewer than 50 workers to establish internal reporting channels and procedures.

    The scope of the Directive encompasses several areas. Breaches may relate, for example, to public procurement, financial services, product safety, transport safety, protection of the environment, nuclear safety, food safety, animal health, public health, consumer protection, and protection of privacy, as well as safety of networks and information systems.

    Workers covered by the Directive include reporting persons who work in the private or public sector and those who have acquired information on a breach of EU law through their work-related activities. Protection provided by the Directive covers, inter alia, previous and current workers, civil servants, candidates for employment, volunteers, unpaid trainees, self-employed persons, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, as well as persons working under the supervision and direction of contractors, subcontractors and suppliers.

    The purpose of the Directive is to ensure that workers who acquire information about a breach of EU law through their work-related activities, are able, irrespective of the nature of their work, report on such breaches without being subject to direct or indirect retaliation from the employer. Retaliation may include, for example, dismissal, demotion, reduction in wages, withholding of training, imposition or administering of disciplinary measures, failure to renew a temporary employment contract, failure to convert a temporary employment contract into a permanent one against the worker's legitimate expectations, a negative employment reference, or other disadvantageous treatment.

    The employer bears the burden of proof that an action taken on the reporting person is not linked in any way to the reporting. Reporting persons shall qualify for protection if they had reasonable grounds to believe that the information on reported breaches was true at the time of reporting and that such information fell within the scope of the Directive.

    Three-Tiered Reporting Process

    The reporting system under the Directive is three-tiered. The report is filed primarily via the employer's internal reporting channel, and secondarily via an external reporting channel to the competent authority. In the final instance, the information may be made public.

    To qualify for protection, the worker is obliged to report suspicions of breaches primarily via the corporation’s own channel. The employer shall acknowledge receipt of the report within seven days. The employer shall, within three months, investigate the matter and provide feedback to the reporting person. The reporting person also may be protected by the possibility of anonymity. It also is important to note that rights pursuant to the Directive cannot be limited by contract or terms of employment.

    Protection should not apply to persons who report information which is already fully available in the public domain, or unsubstantiated rumours and hearsay.

    Measures Taken in Finland

    In Finland a working group appointed by the Ministry of Justice has already begun preparations. The working group will consider, inter alia, whether it is necessary to enact a separate law for the protection of reporting persons, and whether the scope of the law should be wider than the minimum scope set out in the Directive. In practice some Finnish organisations in both the public and private sectors have already launched or are about to launch whistleblowing mechanisms based on the Directive.


    The upcoming European Union whistleblowing Directive will apply to European employers of many types. Such employers must ensure that appropriate procedures are in place for reporting suspected breaches. EU member states, such as Finland, are already preparing for implementation of the directive. Entities to which the directive applies also should be taking appropriate steps to prepare.

    Stay up to date with IP news

    Subscribe to our newsletter to get latest articles.