EU Whistleblower Directive: How to Make Sense of Entity-Level Reporting
The entity-level reporting requirement described in the EU Whistleblower Protection Directive (“the Directive”) is one of the more complex aspects of the emerging legal standard. For private organizations with legal entities operating in one or more EU member states, upholding the requirement to empower whistleblowers to choose the entity to which they report, who has access to their report, and who will investigate their case can pose a major challenge.
The transposition process remains ongoing in many EU countries, but the Directive and supplementary guidance provided by the European Commission are enough to establish a basic framework for whistleblowing programs. We have identified five key questions designed to assess your organization’s readiness to comply with the entity-level reporting requirements.
How is my organization structured?
The primary factor dictating the scope of an internal reporting program is determined by the number and worker counts of the distinct legal entities that make up an organization. The complexity of business structures varies widely, and the term “legal entity” is undefined in the Directive. In the absence of more specific criteria defined in a national transposition, the Directive suggests an enterprise’s status as a “legal entity” may be based on its obligation to collect VAT.
The first step in determining your organization’s need is to assess and define the legal structure of your company (or companies). Start by cataloguing each entity and the number of workers each has. You can categorize all entities based on size, from Small (fewer than 50 workers), to Medium (50 to 249 workers), and up to Large (250+ workers). Additionally, it will help to identify the “Parent” entity that acts as a “central” or “hub” resource. Each entity with 50 or more workers must provide a dedicated direct reporting channel on the timelines established by each member state.
Where does my organization operate?
As transpositions of the Directive can vary by member state, it is just as important to know where your organization operates and where its workers are located. Individuals who associate with your organization—vendors, suppliers, customers, and other third-party networks—should also be able to utilize your reporting channels if necessary. You’ll want to note the location of each of your legal entities (some may have more than one), as well as any additional countries where you operate. Having a quick reference of countries to keep track of will help focus your attention as the transposition process unfolds across the EU.
Who handles report acknowledgement and follow-up?
One of the core aims of the Directive is to keep whistleblowers informed throughout the reporting process, from intake to outcome. Acknowledging the receipt of a report and assuring whistleblowers that their reports are being handled helps engender trust.
Under the Directive, the entity that initially receives a report is responsible for acknowledging report receipt and for providing feedback to the reporter throughout the investigation process. The entity must also designate an impartial person or department to perform the follow-up. In practice, this often means a reporter can expect a single point of contact at the entity level to acknowledge receipt of the report, perform the follow-up (including the investigation), and provide the reporter with feedback regarding the investigation or actions taken as a result.
The required acknowledgement and feedback must occur within specified timeframes. Under the Directive, acknowledgement must be provided within seven days of report receipt, and feedback is to be provided within three months from the earlier of the date of acknowledgement or seven days following report receipt. National laws may differ from these periods, however. In your assessment, identify who will handle these responsibilities for each entity providing a reporting channel.
Who is responsible for performing investigations?
The Directive aims to enable a reporter to decide at which level their investigation is handled. This is primarily determined by the level at which they choose to report. Large entities are responsible for handling their own investigations. Medium entities are given special consideration in the Directive and allowed to share investigative resources among other Medium entities or use the investigative resources of their Parent organization. While this exception should help ease the resource burden for Medium entities, the whistleblower may object to the Parent’s involvement in the investigation and request the investigation occur at the subsidiary level.
For your assessment, you should identify who will conduct case investigations at each Large entity. For your Medium entities, identify either a dedicated or shared investigative resource and plan for the need to accommodate a whistleblower’s objection to the investigation being conducted at the Parent level. Reports regarding Small entities can be investigated at the Parent level.
Who has access to case outcomes?
Creating a holistic view of your hotline and incident management program is crucial to track trends, gauge your program’s effectiveness, and identify problem areas before they develop. This means recording, reporting, and analyzing the outcomes of cases as they are closed. Sharing these outcomes with Parent entities (“upstream” sharing) is allowed for auditing, corporate governance or other justified purposes. “Downstream” sharing of this information—a Large entity sharing their outcomes with other Large or Medium entities, for example—is not explicitly addressed by the European Commission. We would assert that an analytics or outcome-tracking program that upholds confidentiality requirements would be consistent with the Directive—and crucial for an effective program. The element of confidentiality is critically important and will require careful vetting and management of who in your organization has access to your case management system, which entity they work for, and for what purpose they are given that access.
When performing your program assessment, identify anyone within an entity who has access to case outcomes.
Below is a sample assessment table that can be used to document the findings to the questions above, the full downloadable copy can be found here:
Putting Your Assessment into Action
This exercise should result in a useful outline of your organization’s high-level needs and features. Every organization is different, however, and the transposition process may not yet be complete in some (or all) of the member states in which you operate. We encourage you to reach out to our team to discuss the specific needs of your organization, details of state-level transposition, and how to best structure your program for maximum efficacy.
For more information on workplace whistleblowing, read the Workplace Whistleblowing 2022: Everything Your Business Needs to Know and The EU Whistleblowing Directive blogs.
Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.