Whistleblowing: A layman’s guide to the EU Directive

Why do we need this legislation?

“…whistleblowers are usually in a privileged position to disclose breaches, it is necessary to enhance enforcement by introducing effective, confidential and secure reporting channels and by ensuring that whistleblowers are protected effectively against retaliation.”

EU Directive 2019

What do we know about the EU Directive on Whistleblowing coming into law this December in Sweden?

The EU Directive is 40 pages long, so it needs to be summarized into its key components so that even the smallest organisation can become compliant by the end of the year.

The Directive states that:

“Reporting persons normally feel more at ease reporting internally unless they have reasons to report externally. Empirical studies show that the majority of whistleblowers tend to report internally, within the organisation in which they work. Internal reporting is also the best way to get information to the persons who can contribute to the early and effective resolution of risks to the public interest. At the same time, the reporting person should be able to choose the most appropriate reporting channel depending on the individual circumstances of the case.”

(EU Directive Clause 33)

It is with this in mind that all companies in Sweden with more than 50 employees are bound to establish an internal whistleblowing channel. Municipalities with more than 10,000 inhabitants also need to comply with the same.

However, as with any system, having only one channel is not enough, and so the Directive also requires an external reporting channel to be in place. Sweden, along with other EU Member States, must ensure that external reporting channels are established by appointing a competent authority to receive whistleblower reports, investigate, and give feedback. This means that your organization should have both internal and external channels, which effectively avoids the situation of a whistleblower feeling unable to report internally.

The Directive also speaks of competence throughout the document, and it makes clear what it means by this. For internal reporting channels, competence in receiving whistleblower reports is generally referred to in the following way:

“…as to ensure independence and absence of conflict of interest. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.”

(EU Directive Clause 56)

Competence is also outlined for external authorities who provide reporting channels, investigation, and feedback for organisations.

In summary, competent external authorities should:

  • be judicial authorities, regulatory or supervisory bodies competent in the specific areas concerned, or authorities of a more general competence at a central level within a Member State, law enforcement agencies, anticorruption bodies or ombudsmen
  • have channels in place that are user-friendly and secure
  • ensure confidentiality for receiving and handling information provided by the reporting person on breaches
  • enable the durable storage of information to allow for further investigations
  • have professionally trained staff
  • provide clear and easily accessible information about the available reporting channels
  • have in place adequate protection procedures for the processing of reports
  • be able to protect the personal data of anyone referred to in a whistleblower report
  • have staff who comply with the duty of professional secrecy and confidentiality when transmitting whistleblower report data whether it be inside or outside the competent authority

As well as the required confidentiality and anonymity of reports and whistleblowers, there is further provision in the Directive that allows for the protection of the person making the whistleblower report where an external authority could be in collusion with a perpetrator.

Fortunately, there is general safeguarding of reporting whistleblowers, which is essential in preventing retaliation. Fear of retaliation can be a reason why persons do not blow the whistle, and the Directive seeks to avoid this. There is a burden of proof on anyone whose actions cause a negative impact on a person who blows the whistle, and the penalties are stiff for those who are found to have retaliated. All of these measures seek to eliminate any dissuasive effect that a threat of retaliation might pose.

A key advantage of having an external authority through which to report is that reporting can be proven, which gives protection to whistleblowers on this count. Internal contractual agreements such as non-disclosure agreements or other loyalty and confidentiality clauses cannot be used against a whistleblower. In fact, the Directive clearly mentions that the reason for introducing common minimum standards for such protection of whistleblowers is down to the evidence available.

The Directive sets out that a whistleblower qualifies for protection when there are reasonable grounds to show that the information reported was true at the time it was given, whether it was reported through internal or external channels.

Whether it be internal or external, the channel through which a whistleblower can make a report is key. It is almost worse to have a poor reporting channel than a non-existent one, so the Directive’s stance on the set-up and monitoring of the channels is crucial.

If one were to ask a whistleblower what they want when it comes to reporting a breach, the answer would probably be the same:

“To be able to freely report without any negative repercussions to me”.

The design of both internal and external reporting channels is clearly outlined in the Directive. Here is a brief summary:

Internal reporting channels:

  • Secure and confidential for both whistleblower and anyone mentioned in a report
  • Acknowledgement given of any report within 7 days of receiving it
  • Impartial and diligent persons who are competent in the handling of reports, gathering further information and provision of feedback
  • Reasonable timeframe for providing feedback – within 3 months of the report being acknowledged or being made
  • Clear and accessible information for reporting externally

External reporting channels:

  • Independent and autonomous reporting channels
  • Ensure the completeness, integrity and confidentiality of the information reported
  • Ensure durable storage of information
  • Be able to report both orally and in writing (this can be done in a variety of ways)
  • Acknowledgement given of any report within 7 days of receiving it (unless there is a risk to the person’s identity)
  • Diligent follow up on reports
  • Reasonable timeframe for providing feedback – within 3 months of the report being acknowledged or being made (or 6 months in warranted cases)
  • Communicate final outcomes of investigations
  • Duly send information from reports to competent bodies for further investigation
  • Competently deal with high levels of reporting serious breaches

Receiving reports from whistleblowers

Organisations, and in fact society as a whole, are diverse, and each person within them has different needs, so when it comes to reporting channels for whistleblowing, the same holds true. The Directive lays out that there must be a variety of ways to report, allowing for ease and confidentiality in doing so. It makes sense that reporting verbally, in writing, or both works for all. Examples are below:

  • Online (electronic)
  • Email (electronic)
  • Telephone (verbal)
  • Letter (in writing)

With all of these channels comes the duty of processing reports whilst protecting personal data, in line not only with the Directive but also with GDPR. Any data collected which is not relevant to the handling of a report must be deleted at the earliest opportunity and ideally should not be collected at all.

The following summary applies:

  • No information to be collected that is not part of the report handling
  • Legal entities across private and public sector must keep records of every report received
  • No report shall be stored for longer than necessary
  • For verbal reporting, a recording can be made in a durable and retrievable form
  • Verbal reporting can be transcribed by staff handling the report
  • The person reporting is to be offered the chance to check that the transcript is accurate and to agree with it by signing
  • Where there is no recording, staff can minute the conversation and offer the person reporting the chance to check its accuracy by signing
  • Where a physical meeting takes place, an accurate record of the meeting shall be made in either of the ways outlined above, by recording or by transcription


One of the key areas laid out in the Directive is retaliation. The Directive seeks to reduce or in fact remove it, and its position is summarized as follows:

Retaliation can assume many forms, including: loss of job, demotion or withholding advancement, transfer of duties or change of work location, withholding training, negative job performance assessment or reference, reprimanding or other disciplinary measure, intimidation or other form of harassment, damaging a person’s reputation including on social media, blacklisting within the person’s job sector, early cancellation of a goods or services contract, cancellation of permits, or even psychiatric or medical referrals which would aim to discredit the person.

The Directive lays out that Sweden and other EU Member States shall take necessary measures to prohibit such retaliation, even if it is only a threat. Any person who has faced retaliation and takes legal proceedings shall be provided with interim relief during that period.

There are penalties for those who try to hinder reporting or breach confidentiality, and there are also penalties for those who would knowingly seek to make false reports.

Report Evaluation

The Directive requires that Sweden, along with other EU Member States, report annually on whistleblower reports, focusing on the number of reports received, the investigations which would be initiated from such reports, and details of estimated financial damage and amounts recovered following investigations.

All of this will help take the legislation to the next level by demonstrating the success of what can be achieved through proper regulation.

For more information on the EU Directive or about whistleblowing in general, please contact us at hello@ccgeurope.com or reach out directly to the author, Andrea (Currie) Berglund, via LinkedIn.
