Key legislation for organisational whistleblowing

The field of whistleblowing compliance is rapidly developing. New laws requiring organisations to implement corporate whistleblowing procedures are appearing. Also, legislation on whistleblower protection is coming into force.

Many of our customers are active internationally and have to deal with a multitude of data privacy regulations related to whistleblowing. WhistleB supports customers with their compliance responsibilities following this changing legal landscape. Below you’ll find brief information and examples on the many laws on organisational whistleblowing.


Laws requiring corporate whistleblowing

Italy with 231 Corporate Model of Compliance, France with Sapin II and the Netherlands with its House for Whistleblowers Act are examples of EU member states that have introduced laws requiring companies to have a whistleblowing system in place. In Italy, for example, the whistleblowing law obliges companies to identify specific channels to allow employees to report potential misconduct within the workplace.

Laws on whistleblower protection

The European Commission states: “Only a few member states have comprehensive – or at least substantial – whistleblower protection. The majority of member states tend to have provisions scattered across different laws, leaving significant gaps, as whistleblowers may face a range of potential problems. A few member states have extremely limited, or practically no legal protection for whistleblowers.”

Anonymity is the least complicated protection a whistleblower can be provided. Some EU member states, however, do not allow anonymous whistleblowing. Under such legislation, a whistleblower must be carefully protected through other security measures.

The European Union is assessing “horizontal or further sectorial EU action on whistleblower protection” with the aim of ensuring overall effective whistleblower protection across the EU. WhistleB is closely monitoring how this will affect the (inter)national regulations on whistleblower protection.

Laws on personal data protection

The various EU member states have national regulations on how personal data may be processed within a whistleblowing service. These national regulations are based on Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes. On the EU level, the General Data Protection Regulation (the GDPR) as of May 2018 has a direct effect in the member states. The GDPR also affects personal data handling for whistleblowing purposes. You can find more information on this topic in our White paper on whistleblowing and the EU GDPR.

In Russia, the Personal Data Localization Law came into force in 2016. The law requires personal data of Russian citizens to first be processed and stored within Russia. Transfer to third parties located outside of Russia is permitted for secondary processing. However, the transfer must comply with appropriate agreements with the third party to ensure processing meets the data protection measures required under Russian law.


Laws requiring corporate whistleblowing

In the United States, the US Sarbanes-Oxley Act (SOX) of 2002 was the first law that required corporate whistleblowing for publicly traded companies in the USA. Furthermore, a Supreme Court decision of 2014 states that the suppliers of the publicly traded companies are also required to have a whistleblowing scheme in place. Numerous Central and Latin American countries are launching anti-corruption laws, requiring whistleblowing schemes.

Laws on whistleblower protection

In the United States, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 gives the whistleblower protection from dismissal, for example. It also gives them the right to claim financial compensation if the information submitted leads to the discovery of breaches of securities laws, such as SOX and the Foreign Corrupt Practices Act (FCPA).


Laws requiring corporate whistleblowing

In South Africa, laws applicable to whistleblowing exist; they are applied differently depending on the type of entity and the type of whistleblower involved.

Tanzania’s Anti-Money Laundering Act includes whistleblowing legislation for reporting suspicions on financial transactions.

Laws on personal data protection

In Morocco, the Data Protection Act defines personal data as any information of any nature that can identify an individual person. Before collecting such data, user consent is required, which makes whistleblowing hard to implement.

Asia, Australia and the Middle East

Laws on whistleblower protection

In China, corruption involving government officials has been the driving force behind legislation concerning whistleblowing. Various laws and regulations, such as Several Provisions on Protecting and Rewarding Whistleblowers for Reporting Duty Crimes, aim to provide protection for whistleblowers and incentives for submitting a whistleblowing report. Various governmental channels exist that facilitate whistleblowing.

Australia has specific whistleblower protection laws in place to encourage and protect disclosures of wrongdoing both in the public and private sectors.

Laws on personal data protection

The Chinese Cybersecurity Law of 2017 addresses all organisations that may be regarded as being a “network operator”. A broad application of the definitions qualifies virtually any organisation that uses a computer network for its operations in or with China as a network operator.

In India, the Information Technology Act obliges organisations to have a privacy policy published on websites at all times. The privacy policy must provide information such as what data is collected and for which purpose.

Hong Kong has a data privacy law, the Personal Data (Privacy) Ordinance, in place.


