Whistleblowers: internal procedure and reporting channel mandatory
March 2023 – On 15 February 2023, a new regulation came into force requiring companies with more than 50 employees to set up a procedure, reporting channel and follow-up that allows employees to report certain breaches of (European) regulations in a professional context. What exactly does this scheme entail?
For companies in the financial sector, financial regulations today already provide for an obligation to provide an internal reporting channel.
However, the EU wanted to extend this principle to other sectors, whereby reporters of (mainly European) regulations could enjoy protection when they report a breach of these regulations to their employer or client.
New law in force since 15 February 2023
Through the law of 28 November 2022 on the protection of whistleblowers of breaches of Union or national law established within a legal entity in the private sector, Belgian regulations also comply with these obligations. Specifically, this new whistleblower law came into force in Belgium on 15 February 2023 for companies with more than 250 employees.
Companies with 50 to 249 employees have until 17 December 2023 to fulfil their obligations regarding procedures, reporting channel and follow-up.
Through which channels can a whistleblower report a breach?
When a whistleblower communicates information in writing or verbally about a breach within the company that employs him, it is an internal report. To enable this, your company must set up a reporting channel. This can be a digital tool, but equally an e-mail address or telephone number. Setting up this internal reporting channel should be done in consultation with the social partners in your organisation.
A whistleblower may also choose to report externally (to the competent government authorities) or to go public via a blog or journalist. This can happen when the whistleblower judges that his internal report is not sufficiently followed up or when he does not trust the internal reporting channel.
Over which domains can a notification be made?
According to the law of 28 November 2022, a whistleblower only enjoys protection if they report one of the following breaches:
public procurement
financial services, products and markets, prevention of money laundering and counter-terrorism
product safety and compliance
transport safety
protection of the environment
Radiation protection and nuclear safety
food and feed safety, animal health and welfare
public health
consumer protection
protection of privacy and personal data, and security of network and information systems
combating tax fraud
combating social fraud
Thus, when reporting on breaches in other areas, no protection applies.
How do you tackle this in practice?
Before introducing a reporting channel, you should consult the social partners. You then have two options for providing this channel: either internally, through the appointment of an impartial reporting manager, or externally, by entrusting the creation and management of the channel to a third party. In either case, your company remains the ultimate controller of personal data processing.
As a company manager, by the way, you can decide whether you want to grant whistleblowers other than purely your employees access to an internal reporting channel. Think, for example, of self-employed people, contractors or former employees.
