Compliance 01.10.2021 News

Group-wide whistleblowing system: not enough for the EU Commission

The disappointment is great: many global corporations have already established a central whistleblowing system and regarded this as sufficient with regard to the implementation of the EU Whistleblower Directive. This is not enough for the EU Commission. For companies, this means considerable additional effort in reorganising their whistleblowing systems.

In two recently published statements dated 2 June 2021 and 29 June 2021, the EU Commission has for the first time provided interpretation guidance on the implementation of the EU Directive for the Protection of Persons who Report Infringements of Union Law (Whistleblower Directive, Directive (EU) 2019/1937). The statements of the EU Commission were preceded by inquiries from various large corporations.

Clear rejection of just one central reporting system

The EU Commission clarified therein that it is mandatory for each legal entity with more than 49 employees to provide its own whistleblowing system (Article 8 (3) of the EU Whistleblower Directive). This is clear from the wording of the Directive and applies equally to independent companies and group companies, irrespective of the possible existence of a current group-wide whistleblowing system. Moreover, this obligation was necessary both for reasons of the efficiency of the systems and because of the expected different implementation of the EU Directive at national level. Accordingly, in the opinion of the EU Commission, group companies cannot be qualified as "third parties" in the area of the outsourcing of whistleblower systems.

Resource bundling only partially permissible

Whilst it is fundamentally permissible for medium-sized subsidiaries (50 to 249 employees) to pool some of their resources (Article 8 (6) of the EU Whistleblower Directive), they should also be able to benefit from the investigative capacities of the parent company. However, this applies only under the following conditions:

  • the subsidiary's reporting channels must remain in place and available;
  • the person making the report must be clearly informed and give his consent to the designated person or department at the headquarters being authorised to access the report (in order to carry out the necessary investigation);
  • the responsibility to maintain confidentiality and to provide the whistleblower with feedback and to remedy or sanction the reported misconduct remains with the subsidiary.

No exceptions for (subsidiary) companies with more than 250 employees

In the case of large (subsidiary) companies with more than 250 employees, however, the above simplifications do not apply. In the opinion of the EU Commission, it is therefore mandatory for these companies to have their own reporting system that can process incoming information independently of and outside of any central whistleblower system that may exist in parallel. Corporate groups are therefore certainly permitted to maintain a central whistleblowing system in parallel. However, this cannot replace a decentralised reporting system at the level of each subsidiary.

Caution in case of cross-company infringements

Where a report is received that indicates a cross-company infringement, according to the EU Commission an investigation may only be carried out at group level if the whistleblower has been informed in advance of the planned forwarding of the report and gives his consent to its submission. However, if the whistleblower does not agree to the submission, he is to be able to "withdraw" his report and submit an external report to the competent authority. This can have significant consequences, however, which are not further discussed by the EU Commission and which leave companies somewhat at a loss in this respect.

The risk of the desired forwarding and processing of the report at group level therefore remains with the company. The latter therefore needs to think carefully about whether to ask the whistleblower for such consent and thus run the risk of the "retraction" of the report and the whistleblower’s right to file an "external" report to the state-operated reporting office. Alternatively, the company may then prefer to carry out the investigations at the level of the subsidiary which received the report.

Inefficient due to duplicate structures

For many companies, this statement will seem very sobering and out of touch with practice, as it is more than likely to torpedo the efficiency of the reporting channels. After all, the central processing of incoming reports regularly leads to an accumulation of experience and efficiency and is less costly for the groups. Instead, the implementation of duplicate structures is now likely to become necessary, requiring additional human resources and thus further costs.

Although the EU Commission’s statement is not binding for German courts, we can assume that the German legislator will follow this opinion to ensure its implementation in conformity with the Directive, which must take place by 17 December 2021.

Required examination of adjustments to own reporting and investigative bodies

However, even if the national implementation law should be worded more "generously" in this respect, a deviation from the requirements of the European Whistleblower Directive always harbours the risk that whistleblowers will then turn directly to the external reporting office, which by nature is unlikely to be in the company's interest. Therefore, companies falling within the scope of the Directive should already consider possible adjustments to their own (possibly previously group-wide) reporting and investigation units in order to be able to process reports independently of the group's other legal units in the future. Depending on the company structure, the outsourcing of the reporting office to external third parties should also be considered from a cost perspective.

Isabel Hexel

 

Partner, Attorney, Specialized Attorney for Employment Law
