EU Whistleblowing Directive Update – March 2023

NAVEX

[author: Cherelle Johannes]

Our March EU whistleblowing updates webinar explored recent whistleblowing developments and essential actions for effective whistleblowing practices. It also covered new updates specific to the Austrian transposition of the EU Whistleblower Protection Directive.

EU member states were required to transpose the EU Whistleblower Protection Directive into their national law by December 17, 2021. To date, the EU countries that still need to incorporate the Directive into their national whistleblowing laws are the Czech Republic, Estonia, Germany, Hungary, Luxembourg, Poland and Slovakia.

What organizations are affected and items to note

The Austrian HSchG requires companies with 250 or more employees to establish a whistleblowing system by August 25, 2023, and those with 50 or more employees to do so by December 17, 2023, in line with the requirements of the EU Directive.

The Austrian law also provides for external reporting channels, such as one implemented at the Federal Bureau of Anti-Corruption, to protect not just employees and board members, but also contractors, subcontractors and suppliers. Organizations are able to use third parties to manage internal whistleblowing channels, which gives some flexibility around selecting a whistleblowing system or model that best suits particular needs and structures.

There are a few contentious points regarding the law's conformity with the EU Directive.

  1. The lack of sanctions for failing to implement a whistleblowing system, despite its requirement as written in the law;
  2. The burden of proof in retaliation cases – unlike the EU Directive, which shifts the burden of proof in favor of the whistleblower, the HSchG states whistleblowers claiming retaliation due to their disclosure must substantiate the claim of retaliation in any judicial or administrative processes;
  3. Conflict with requirements outlined by the EU Commission regarding how subsidiaries or companies operating as part of a group can report.

For context regarding the third point, the Austrian HSchG allows centralized whistleblowing systems in corporate groups. Organizations operating within Austria can technically assign the responsibilities of the internal reporting channel to a joint body across all bodies within the group.

However, according to EU Commission guidelines, mid-size companies with 50-249 employees operating as part of a corporate group should not rely solely on a centralized whistleblowing system. When a corporate body within a group has between 50 and 250 employees, the EU Commission obliges the body to set up its own decentralized whistleblowing system.

This means organizations complying with Austrian law on this particular point may not be compliant with the Directive’s stipulations. We anticipate developments around this conflict in the future.

For small municipalities with fewer than 50 employees, the HSchG does not mandate implementing internal whistleblowing systems. Even so, these municipalities are encouraged to adopt voluntary measures to ensure effective whistleblower protection and to ensure that any reporters are aware of, and can use, the external reporting channels available to them.

Information accessibility

Organizations must provide easy access to information on internal reporting channels, including a homepage link, ensuring accessibility to suppliers and subcontractors. External bodies, like the Bundesamt für Korruptionsbekämpfung (BAK), must offer clear, easily understandable and widely available information on whistleblower protection, report handling and follow-up measures. These external bodies must also provide free advice to potential whistleblowers through their websites and during written or oral contacts.

Whistleblowing systems and data protection

Whistleblowing systems must comply with data protection regulations, including the General Data Protection Regulation (GDPR). This includes providing information about the processing of personal data, ensuring data minimization, and implementing security measures to protect the confidentiality and integrity of data. Austrian organizations must also appoint a data protection officer (DPO) and conduct a data protection impact assessment (DPIA).

The EU Whistleblower Protection Directive also mandates that the whistleblower’s identity should not be disclosed without their consent. Austrian law aligns with the Directive, requiring companies to establish secure and confidential communication channels for whistleblowers. However, the HSchG does not explicitly state whether whistleblowing systems have to allow anonymous reports, or whether anonymous reports must be followed up on.

Even so, anonymous whistleblowers are entitled to protection if the disclosure meets requirements and if their identity is disclosed without their consent. A whistleblower's identity may only be disclosed if an administrative authority, court or public prosecutor's office deems it necessary and proportionate, considering the potential risks to the whistleblower and the seriousness of the. If this is the case, the authority must inform the whistleblower in writing, unless it would jeopardize proceedings.

Individuals who receive reports with classified information must maintain secrecy, and trade secrets learned during the reporting process can only be disclosed for HSchG purposes – and only to the extent necessary.

Protections around retaliation against whistleblowers

The EU Whistleblower Protection Directive outlines measures to safeguard whistleblowers from retaliatory actions, including dismissal, demotion or harassment.

In Austria, the HSchG addresses the issue of retaliation by prohibiting any adverse treatment or consequences for whistleblowers. However, concerns have been raised about the effectiveness of these provisions – especially given the conflict with the Directive around the burden of proof requirements in cases of alleged retaliation. Furthermore, protections for reports made on hearsay depend on whether the whistleblower has reason to believe the information was true based on the available evidence.

Learn more about how NAVEX and NAVEX WhistleB can help your company to comply with the EU Whistleblower Protection Directive and the laws governing your region.

The full webinar on Austrian updates to whistleblowing laws is available to watch on demand.

View original article at Risk & Compliance Matters
