INTERNAL REPORTING CHANNEL
The Whistleblower Act requires organisations with a regular staff of at least 50 employees to establish an internal reporting channel for reporting information about breaches and for actions taken based on such reports. Several factors must be considered in the implementation of the reporting channel and the handling of reports.
An organisation that has established an internal reporting channel must ensure that at least its own staff has access to the channel. From the perspective of the Whistleblower Act, many other parties may also be whistleblowers. For example, former employees, self-employed persons or those employed by a subcontractor fall within the personal scope of the Act. Organisations must therefore carefully evaluate whether access to the channel should also be made available to other potential whistleblowers beyond their own staff. This can be achieved through means such as enabling access to the reporting channel from the organisation’s public website.
Reports received by organisations must be recorded in a case management system or otherwise registered. Only those designated by the organisation to handle reports, i.e. specific experts appointed by the organisation, should have access to the reports. Access to the information contained in the reports by other individuals must be prevented. The operation of the reporting channel and the handling of reports must also comply with the requirements of the EU General Data Protection Regulation (GDPR, 2016/679).
The internal reporting channel is intended as a confidential means of reporting suspected breaches. The Whistleblower Act therefore stipulates a duty of confidentiality. Confidential information includes the identity of the whistleblower, the subject of the report or any third party, and any information that could directly or indirectly reveal their identity. Compliance with this duty of confidentiality requires special care from those handling the reports.
Confidential information must not be unlawfully disclosed without the express consent of the person for whose protection the duty of confidentiality is established. However, under certain conditions prescribed by law, confidential information may be disclosed, including to pre-trial investigation authorities for the prevention, detection, investigation and prosecution of crimes.