The Finnish Whistleblower Protection Act
Like all other members of the European union, Finland is required to transpose the EU Whistleblower Protection Directive into its national law, which will become the Finnish Whistleblower Protection Act. The EU Directive obliges businesses with 50 employees or more to have a reporting channel for a broad spectrum of potential whistleblowers, and forbids reprisals against whistleblowers. The deadline for transposition was 17th December 2021, which Finland did not meet.
What is the current status of the Finnish Whistleblower Protection Act?
The Government Bill relating to the Finnish Whistleblower Protection act is scheduled to be presented to the Finnish Parliament in late March or the beginning of April 2022. The working group preparing the national legislation received a vast amount of feedback on the draft government bill issued in July 2021. Since then, the group has been reviewing the feedback to determine whether changes and/or clarifications need to be made before the actual bill is issued. At the moment, it is difficult to estimate when the Finnish Whistleblower Protection Act will enter into force.
The Finnish Whistleblower Protection Act remains delayed by the Finnish Government due to feedback from the July 2021 draft. Like all EU members, Finland is required to transpose the EU Whistleblower Protection Directive into national law. Until the Finnish Whistleblower Protection Act is passed, whistleblowers are not protected.
What to do while awaiting the Finnish Whistleblower Protection Act
As the Finnish Whistleblower Protection Act is delayed, the Finnish Ministry of Justice has clarified that whistleblowers cannot be protected under the proposed act until it enters into force.
Nonetheless, companies in Finland who would prefer to start preparations for compliance now rather than wait for the national law can make some progress. The EU Directive sets a number of minimum standards that will apply in all member states and to all organisations with more than 50 employees. Organisations may therefore choose to familiarise themselves with these minimum requirements (see below), and identify solutions that can help fulfil them.
- A secure channel for receiving whistleblower reports must be put in place.
- Acknowledgment of the receipt of the report must be provided to the whistleblower within seven days.
- An impartial person or department must be appointed to follow up on the reports.
- Records must be kept of every report received, in compliance with confidentiality requirements.
- There must be diligent follow-up of the report by the designated person or department.
- Feedback about the report follow-up must be given to the whistleblower within three months.
- All processing of personal data must be done in accordance with the GDPR.