On 17 May 2023, the law transposing the EU Directive 2019/1937 was published in the Official Memorial.
The new law requires entities in the financial, private and public sector to implement internal reporting channels. Since the law goes far beyond existing requirements, many entities in scope will have to update their systems or implement a new one.
The EU Directive 2019/1937 on the protection of persons who report breaches of Union law was adopted on 23 October 2019 and should have been transposed by all Member States by 17 December 2021. It focuses on the protection of whistleblowers against forms of retaliation and should thus encourage the identification and rectification of wrongdoings.
Luxembourg presented a draft law in January 2022 which we covered in a previous flashnews article.
Now, Luxembourg is one of the last EU countries to adopt a law. Similar to other countries, it goes beyond the initial scope of the Directive.
Article 6 precises that entities in the private and public sector need to establish internal reporting channels. Private sector entities with less than 50 employees are exempt.
Financial sector entities and firms vulnerable to money laundering have to implement the law independent from the number of employees.
The entities in scope of the law are numerous and this is especially true of those operating in the financial sector, where current regulatory requirements have not been that detailed and strict.
Failing to implement internal reporting channels can lead to a fine of up to 250,000 €.
Information obtained in a professional context about acts or omissions which are illegal or defeat the purpose of provisions under national or European law can be reported. Consequently, this involves all kinds of offences and is not limited to financial crime. People making false reports can receive a fine up to 50,000 €.
Reports can be made not only by current employees, but also former and prospective workers, volunteers and trainees, the self-employed, shareholders and contractors, subcontractors and suppliers. The law also applies to civil servants. It will therefore not suffice to implement an internal mailbox since the audience extends beyond internal staff.
The law details various requirements for the design of the internal channels, in particular with regard to guaranteeing the confidentiality of the whistleblower’s identity. Article 7 lists specific procedures for managing reports and follow-ups, a timeframe for feedback and the appointment of an impartial person or department for the communication with the reporting person.
Reporting persons using the internal channels will be protected against any form of retaliation from their employer as detailed in Article 27, including dismissals, refusal of promotions or training. Persons who retaliate against whistleblowers can receive a fine of up to 25,000 €.
All entities in scope will have to either review their existing approach and systems or implement a new one. The new legal requirements are going very far and will often require significant amendments to existing approaches.
In both cases, various stakeholders will have to be involved in order to define the governance structure and the different roles and responsibilities linked to the internal channels, e.g. the department in charge, the reporting lines and special procedures to handle cases concerning senior management or board members.
The drafting, review and approval of policies and procedures will require time and potentially legal support as well as the involvement from the Data Protection Officer (DPO), and the staff delegation, where applicable.
It is recommended to support the implementation with a dedicated communication and training campaign to explain the use of the system and highlight the protection of whistleblowers.
Finally, entities should consider whether the internal channels can be managed using a software tool. This is not mandatory but can help with case management and to comply with documentation and reporting requirements.
How we can help
Our teams combine experts in the handling of whistleblowing cases and the organisation of investigations as well as regulatory experts in order to help you to:
review your existing policies and procedures or help you elaborate them;
support you in the design of your trainings - for all employees regarding the use of the internal channels, but also for the dedicated staff handling the reports;
advise you on the set-up of an internal solution for your reporting channels or the choice of an external provider that fits your needs;
assist in assessing whether an incoming alert is substantiated, meaning if it needs further investigation. In that case, we can accompany you during the entire investigation life-cycle.
Support you in the operation and alert handling of your whistleblowing system as a managed service with dedicated experts.
Together with our JBR partner EQS group, a leading provider of whistleblowing software solutions, we can support you in the tool implementation and offer Managed Services for the running of your whistleblowing system and the first screening of incoming alerts in close alignment with you.