26 July 2021

EU Whistleblower Directive Pitfalls for Swiss Businesses

Almost twenty years ago, things got serious for US-listed companies with the Sarbanes-Oxley Act. As of 17 December this year, many companies in the EU will face a similar obligation: whistleblowing hotlines will become mandatory for companies with 250 or more employees. Those with 50 or more employees have two years longer, until 17 December 2023, to set them up.

Countless blogs have already reported on this, as well as on the general requirements of the Whistleblower Protection Directive (EU) 2019/1937. It has also brought quite a few service providers onto the scene who are happily offering their services to companies. However, our experience shows that some pitfalls have so far gone largely unnoticed.

Why is it relevant for Swiss businesses?

First of all, the fundamental question: Why should a company in Switzerland be interested in the directive at all? The answer is simple: in principle, not at all. Switzerland has no comparable regulations, and the last attempt to improve the protection of whistleblowers by law failed in the 2020 parliamentary session. This is unlikely to change any time soon. However, the directive will become relevant for Swiss companies if they have locations in the EU with at least 50 employees (in special cases, depending on the country, fewer may be sufficient to trigger a compliance obligation).

For these companies, channels must be created through which violations of the law affecting the local company can be reported. These violations must be processed at least in accordance with the requirements of the directive. However, each EU member state decides for itself what actually applies as the directive does not apply directly, but only the implementing law passed in the respective country - and this may be stricter and go further than the directive. For example, the directive with its regulations only applies to whistleblowers concerning violations of EU law (including the respective national implementation laws), but the member states can also cover whistleblowers concerning violations of purely national law (which e.g. Germany will do).

A Swiss group of companies will therefore have to check which of its subsidiaries or branches abroad employ 50 or more people and take the appropriate action on their behalf. However, the deadline of 17 December 2021 does not apply to companies with fewer than 250 employees: they are allowed an extra two years.

Different standards in the group

If a Swiss group has any such establishments in the EU, this can put it in a quandary: Certain of its EU establishments are covered by the directive and the associated whistleblower protection, while its sites in Switzerland and other countries are not. Of course, a company can offer the protection voluntarily, but from a whistleblower's point of view, this may not be enough. How can the whistleblower nevertheless obtain the legal protection? If the misconduct also concerns an establishment in the EU, he merely reports his suspicions there - the directive does not distinguish between employees of an establishment and third parties. Nationality does not play a role either.

However, this is not the only challenge for international groups of companies. As the directive is implemented more or less differently in each EU member state, the whistleblowing hotline and the processes for processing tips must also be structured differently. This concerns not only the question of which violations can be reported, but also how the tips are handled.

You can read everywhere that whistleblowers must receive confirmation of receipt of their report within seven days and within three months receive feedback on the steps taken up to that point. What is often not mentioned: Whistleblowers must also be informed to which national authority they can submit their report if they are not satisfied with the company's reaction. In practice, this means that different responses are required depending on the country. In addition, the possibility to complain directly to an authority is an incentive to react in such a way that whistleblowers feel taken seriously.

Group-wide hotlines prohibited in the future?

Whistleblowing hotlines are not new. Many groups have been setting them up for years and have had good experiences - also in Switzerland. A study by the HTW Chur University of Applied Sciences in cooperation with the EQS Group is highly recommended to all interested companies who want to know how others did it and what experiences they had in the process. In almost all cases, however, groups have set up a single point of contact for the whole company, often with the help of a service provider specialising in such hotlines.

This is presumably no longer permissible under the directive. This is because Art. 8(6) provides for a sharing of "resources" for "the receipt of reports and possible investigations to be carried out" only for companies with a maximum of 249 employees. A joint hotline is thus only envisaged for small sites, which will significantly increase the workload in many corporate groups compared to the present situation. Here, too, our experience shows that this aspect has been overlooked by many groups up until now. The practical solution: EU locations with 250 or more employees must conclude a separate contract with the said service providers, even though they may benefit from the preliminary work of the corporate headquarters. They also have to process the incoming reports themselves.

Still, contrary to what is sometimes argued, the directive does not oblige private companies to accept notifications both in writing and orally - the former is sufficient. According to the directive, only the relevant authorities are obliged to offer reporting channels for both. The individual member states must put the appropriate measures in place for so-called external reports - i.e. reports that go directly to the authorities and not first to the company concerned. This is expressly permitted under the directive.

No assurance of anonymity

While it is repeatedly emphasised that the identity of whistleblowers must be protected, contrary to common belief, the directive neither guarantees anonymity nor requires that it be possible. Germany is even likely to go so far as to exempt companies from the obligation to investigate in the case of anonymous tips. Therefore, it will continue to be the case that a company should not assure anonymity to whistleblowers, as it cannot necessarily keep such a promise.

Promises of anonymity should not be confused with measures to keep the identity of the whistleblower as secret as possible and to protect whistleblowers from reprisals - the core concern of the directive. Experience shows, in fact, that although initial reports are often made anonymously, anonymity is lost in the course of the investigation. Incidentally, it does not lead to more abuses. Such abuses do occur, but they are in the single-digit percentage range.

Data protection violations sanctioned more severely

Moreover, the protection of whistleblowers, and of the accused persons, is also a concern of data protection law, which must continue to be observed - directive or not. Violations of the GDPR are also sanctioned much more severely than violations of the whistleblower directive. Violations of the latter are to be punished in Germany with up to EUR 100,000, whereas violations of the GDPR can cost up to four percent of the annual worldwide turnover.

However, data protection offers some additional pitfalls - for example, with regard to the retention period of case reports: Do they have to be destroyed two months after the conclusion of an investigation, as required by some data protection authorities - or should they not be kept for a few years, because the data protection authorities have overlooked the fact that there are indeed reasons for longer periods? You can find some answers to this question in our presentation on the topic.

Our Practice Manual - a guide

If there is an indication of possible misconduct in the company, the directive expects an independent person to investigate it "thoroughly". But how does this work? How does such an internal investigation proceed and what are the pitfalls? If you want to learn more and read German, download your copy of our comprehensive internal investigation and eDiscovery practice manual (free of charge), order a printed copy - or get in touch with us.

Author: David Rosenthal

Categories: Data & Privacy, Investigations & eDiscovery
