Finnish implementation of the WB Directive – Q&A
When will the Finnish legislation enter into force?
The latest news from the working group preparing the national legislation is that the Finnish act implementing the Whistleblower Protection Directive (Directive (EU) 2019/1937) (the “WB Directive“) will not enter into force by 17 December 2021. The working group received a vast amount of feedback based on the draft Government Bill they issued in early July 2021. The working group is now looking into the feedback and considering whether they need to introduce changes and/or clarifications before they issue the actual Government Bill. At the moment, it is difficult to estimate when the national legislation will enter into force. However, the Government Bill is scheduled to be presented to the Finnish Parliament in week beginning 6 December 2021.
When will companies have to comply? Will there be any transitional period(s)?
Currently, it seems that Finnish companies with 250 employees or more will be required to comply with the WB Directive by 17 December 2021. The Finnish working group’s interpretation of the WB Directive is that it does not allow for a transitional period for such large companies. Therefore, large companies will have to comply with the requirements in the WB directive (to the extent that such requirements are sufficiently clear and precise) regardless of the fact that the national legislation will not enter into force in time.
Smaller companies with between 50 and 249 employees will benefit from a transitional period, giving them until 17 December 2023 to comply with the requirements in the WB Directive.
What protection will whistleblowers have?
Whistleblowers will be protected in two ways, namely (i) the whistleblower’s identity being kept confidential; and (ii) a broad prohibition on retaliatory measures being taken against the whistleblower.
Employers must ensure that the identity of the individual that reports relevant violations at the organization is not disclosed to anyone beyond the staff members authorized to receive or follow up on reported violations, without the explicit consent of that individual. This also applies to any information from which the identity of the individual may be directly or indirectly deduced.
In addition, the national legislation implementing the WB Directive will impose a broad prohibition on retaliatory measures being taken against the whistleblower by the employer. This prohibition includes terminating their employment, weakening the terms of their employment, treating them unfavorably, and taking other measures with adverse consequences for the whistleblower. Any threats or attempts to retaliate against whistleblowers are also prohibited.
Who will be protected against retaliation?
The protection provided in the national legislation applies to those who report certain violations of EU law which they observe in their work-related activities. This includes not only employees but also e.g. self-employed individuals, shareholders, members of one of the employer’s administrative, management or supervisory bodies, CEOs, volunteers and interns.
Protection is provided if the individual reporting the alleged violation has reasonable grounds to believe in the accuracy of the reported information at the time of reporting, i.e. the individual is acting in good faith, and the information reported falls within the scope of the legislation.
As a starting point, protection is granted if the individual reporting the violation complies with the appropriate reporting procedure. Primarily, the violation should be reported through an internal channel of the relevant organization. In the absence of an appropriate reporting channel or if the organization does not properly investigate the alleged violation, the individual that filed the report may report the breach to a centralized external channel operated by the office of the Chancellor of Justice. If there is no timely response to such report(s), or if the individual filing the report has reason to believe that there is an imminent danger to the public interest, they can also make a public disclosure.
What GDPR and data protection considerations need to be taken into account?
Establishing a whistleblowing channel will require organizations to take a number of data protection compliance measures, including updating privacy policies and guidelines, and entering into data processing agreements with service providers. Furthermore, a data protection impact assessment must be carried out before implementing the channel. The processing principles in the EU Data Protection Regulation (“GDPR”) and the whole life cycle of personal data must be considered, as well as questions regarding, for example, who has access to the data, which systems are being used in the reporting procedure, what kind of security measures are required, what the legal bases for processing the personal data are, and when to archive, pseudonymize, anonymize or delete the data. The processing of personal data should also undergo so called co-operation proceedings (Fi. yt-menettely).
As to the lifecycle management of personal data, the Directive and the draft Government Proposal do unfortunately not contain any specific time limits for storing information collected through the reporting channels, which has been criticized by local companies. The Directive merely states that information may be retained for as long as “is proportionate and necessary.” It is therefore unclear for how long personal data contained in the reports and gathered during the investigation must or may be stored.
In the absence of any mandatory time limits for storing information, the general principles on retention periods in the General Data Protection Regulation (GDPR) apply, such as the principles of purpose limitation, data minimization, data accuracy and storage limitation. One benchmark for an appropriate storage period is the limitation period in which claims relating to the issues relevant to the case must be brought by or against the organization. Similarly, the reverse burden of proof provision relating to the prohibition against retaliation may be a relevant factor in the assessment. Some guidance on how long the documentation should be kept could also be sought from the five-year storage period under Chapter 12, Section 3 of the Securities Markets Act for MAR-related whistleblowing reports.
Will group companies need to establish their own channels?
The European Commission’s starting point is that group companies with 50 or more employees should have a channel of their own and that, consequently, group companies cannot continue to have solely a centralized whistleblowing procedure. Originally, the working group preparing the new Finnish legislation had the same approach as the Commission i.e. each group company should have a channel of their own. However, based on the feedback received from a number of group companies, the working group changed their approach. Now, the Finnish draft Government Bill specifically provides that group companies may establish group-level reporting channels and make such channels available within the group. According to the working group, details and the exact wording relating to this so-called group company question are still subject to change.
Johanna Lilja (Partner)
Johanna Lilja is Head of Roschier’s Data Protection practice. She is specialized in intellectual property, with a special focus on patent and design litigation. In addition to IP and data protection work, Johanna specializes in various industry-specific regulatory issues, with a focus on the pharmaceutical, medtech and healthcare sectors. Her experience also covers compliance cases and internal investigations relating to anti-bribery, marketing and data privacy issues. She is recognized as one of the leading experts in her field in Finland (e.g. by Chambers Europe, Chambers Global and Who’s Who Legal).
Laila Sivonen (Principal Associate)
Laila Sivonen is a Helsinki-based Principal Associate specialized in commercial dispute resolution as well as corporate compliance and ethics. Laila’s practice includes litigation, arbitration and alternative dispute resolution. Laila has experience of international and domestic arbitration under various arbitration rules as well as ad hoc arbitration. Laila has had a key role in several complex, high-stake and multi-jurisdictional investigations relating to suspicions of white-collar crime.