Parliament adopts law on Whistleblower Protection

Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law was adopted on 23 October 2019 and should have been transposed by all Member States by 17 December 2021. It focuses on the protection of whistleblowers against retaliation and should thus encourage the identification and rectification of wrongdoings.

Luxembourg presented a draft law in January 2022 which we covered in a previous flashnews article. 

Now, Luxembourg is one of the last EU countries to adopt a law. Similar to other countries, the Law goes beyond the initial scope of the Directive.

Which entities are in scope?

Article 6 provides that entities in the private and public sector are required to establish internal reporting channels. Private-sector entities with less than 50 employees are exempt. 

Financial-sector entities and firms vulnerable to money laundering are required to comply with the Law regardless of the number of employees. 

The entities within the scope of the Law are numerous and this is especially true of those operating in the financial sector, where current regulatory requirements have been less detailed and less stringent.

Failing to implement internal reporting channels can lead to a fine of up to €250,000. 

What can be reported?

Information obtained in a professional context about acts or omissions which are illegal or defeat the purpose of provisions under national or European law can be reported. Consequently, this involves all kinds of offences and is not limited to financial crime. People making false reports can receive a fine of up to €50,000.

Who can make a report?

Reports can be made not only by current employees, but also by former and prospective workers, volunteers and trainees, the self-employed, shareholders and contractors, subcontractors and suppliers. The Law also applies to civil servants. Therefore, setting up an internal mailbox will not be enough, since the audience extends beyond internal staff.

How are reports managed?

The Law details various requirements for the design of the internal channels, in particular with regard to guaranteeing the confidentiality of the whistleblower’s identity. Article 7 lists specific procedures for managing reports and follow-ups, a timeframe for feedback and the appointment of an impartial person or department for communication with the reporting person.

How are whistleblowers protected?

Reporting persons using the internal channels will be protected against any form of retaliation from their employer as detailed in Article 27, including dismissals, withholding of promotions or training. Persons who retaliate against whistleblowers can receive a fine of up to €25,000. 

Our teams combine experts in handling whistleblowing cases and organising investigations as well as regulatory experts in order to:

• help you review your existing policies and procedures or help you design them;

• support you in designing your training courses – for all employees regarding the use of the internal channels, but also for the dedicated staff handling the reports;

• advise you on setting up an internal solution for your reporting channels or on choosing an external provider that fits your needs; 

• assist in assessing whether an incoming alert is substantiated, meaning if it needs further investigation. In that case, we can accompany you during the entire investigation life-cycle. 

• support you in the operation and alert handling of your whistleblowing system as a managed service with dedicated experts.

Together with our JBR partner EQS group, a leading provider of whistleblowing software solutions, we can support you in the tool implementation and offer Managed Services for the running of your whistleblowing system and the first screening of incoming alerts in close alignment with you.