Decree-Law no. 119/2021, which transformed into national law the EU Directive 2019/1937, was published in the Official Gazette, introducing, among other matters, a set of obligations for companies and public entities regarding the protection of whistleblowers and the creation and implementation of internal channels for reporting of breaches.
1. Reportable breaches
Reportable breachses are breaches that are being committed or whose commitment can be reasonably expected, as well as attempts to conceal breaches.
Can be reported any breach that constitutes an act or omission violating European Union law rules, namely in the following matters:
A whistleblower is any person that reports or publicly discloses information on breaches that he came aware due to his professional activity.
It is irrelevant whether the report is based on information obtained on an on-going professional activity or during one that has terminated in the meantime, as well as during the negotiation previous to such professional engagement (namely during the recruitment fase).
Are considered wistleblowers, subject to protection under this regime, the following:
Service providers, contractors, subcontractors and suppliers, as well as any person working under their supervision and direction;
Shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members;
Volunteers and trainees.
The whistleblower protection regime will alsoapply to:
Individual persons that support the whistleblower reporting breaches and whose support should be confidential (for instances, unio representatives or employees representatives);
Third persons related to the whistleblower who could suffer retaliation in a work-related context, such as colleagues or relatives of the whistleblower;
Legal entities owned or controlled by the whistleblower, to which the whistleblower works or with which he might be in any way professionaly related.
3. Criation of the internal reporting channel
Any legal entity may create a reporting channel. However, its creation is mandatory for companies and public legal entities that:
Employ 50 or more people;
Regardless of the number of employees, legal entities that fall under legislation on financial services, products and markets, and prevention of money laundering and terrorist financing, transport safety and environmental protection.
Private entities that employ between 50 and 249 workers may share resources to receive and follow up on reports received.
4. Properties of the internal repporting channel
The obligation of creation and implementation of an internal reporting channel in legal entities has the objective of putting in place a mechanism that enables reporting and safe follow up of reports, in order to ensure:
The completeness, integrity and confidentiality of the reports;
The confidentiality of the identity or anonymity of the whistleblowers, as well as the confidentiality of the identity of third parties mentioned in the report;
No unauthorized party has access to the information;
The independence, confidentiality, data protection, secrecy and absence of conflict of interests of the persons or services appointed to receive and follow up on the reports;
Immediate elimination of all personal data that are not relevant for the processing of the report.
The internal reporting channels may foresee the submission of reports:
Written or oral. When the reporting channels foresee the possibility for oral reports, it shall enable persons to report by telephone hotline or other voice messaging system and, at the whistleblowers’ request, in physical meetings.
Anonymous or with the whistleblower’sidentity. Reporting channels must be able to ensure the whistleblower’s anonymity and of the person who receives the report. Information from which the identities are inferable are of restricted access to the person responsible for receiving and following up on the reports.
The identity of the wistleblower can only be disclosed:
To comply with a legal obligation or a judicial decision; and
After written communication to the whistleblower of the reasons for the disclosure of the confidential data, unless such communication compromises investigations or judicial procedures.
6. Record and storing of reports
Records of the reports received must be maintained.
Oral reports are recorded, with the whistleblower’s consent, as follows:
If made by a telephone or another record voice messaging system, recording the conversation in a durable and retrievable form;
If the oral report channel does not allow for recording, by creating a signed minute of the call;
If made in a personal meeting, by recording the meeting in a durable and retrievable form or by a signed minute.
The whistleblower has the right to check, rectify and aprove the transcript of the minute by signing it.
The reports must be stored for at least 5 years, or while any administrative or judicial process related to the report, if any of these were initiated in the meantime.
7. Whistleblower’s protection
A whistleblower that reports or publicly discloses a breach in good faith and with the serious belief in the truthfulness of the reports is legally protected.
It is legally forbidden to adopt have any retaliatory act against the whistleblower. It is considered a retaliatory act any act or omission, including threats and attempts of acts or omissions, that, directly or indirectly, in a professional context and motivated by the internal or external report or by the public disclosure of the information, unjustly causes or may cause pecuniary or non-pecuniary damages to the whistleblower.
Law assumes the following acts practiced within 2 years after the report or public disclosure as retaliatory acts:
In case of retaliation, the whistleblower has the right to claim for damages.
8. Administrative offence
The breach of the rules set forth in this regime may constitute:
Very serious administrative offence, punishable with a fine between € 1,000.00 and € 250,000.00;
Serious administrative offence, punishable with a fine between € 500.00 a € 125,000.00.