The deadline for implementing the Whistleblower Directive (EU 2019/1937) expires at the end of the year. It provides that certain organisations must, once this is implemented into national law, introduce a reporting system for reporting breaches of EU law confidentially. However, in Germany, such a national law does not yet exist. In this article, we show how organisations can already design conduct policies and reporting systems to meet the requirements of the Directive.
Many organisations have internal codes of conduct in which they commit to moral values and distance themselves from socially unethical behaviour such as harassment, discrimination or bullying. These behavioural guidelines communicate to employees that this type of behaviour will not be tolerated. In addition, and combined with an effectively designed reporting system, they can help to counter any employee accusations of improper handling of inappropriate behaviour. This is all the more important as a national law to implement the EU Whistleblower Directive is not yet in sight: the Justice Ministry’s first draft of the Whistleblower Protection Act was rejected in April 2021. Below, we set out what a code of conduct can cover and what the minimum requirements for a reporting system are.
A code of conduct sets out the values and principles of the organisation, outlining the behavioural standards expected of employees. The values laid down in a code of conduct can range from basic moral values (integrity, respect for human rights and responsibility for the environment) to interpersonal values (ability to deal with conflict, tolerance and loyalty) and communication values (mutual respect, transparency and cultural openness). It makes sense to limit a code of conduct to the values that are most important for the organisation.
Concrete instructions on how to behave, based on the values and principles laid down by the organisation, are the core of a code of conduct. Clear instructions help employees to align their actions with these principles. This means behavioural instructions should be easy to understand for every employee and clarified by means of examples included in the guideline.
The conduct policy should also contain a clear indication that employees who report justified violations do not have to fear sanctions. In this way, an organisation can create an ‘open’ working atmosphere that invites criticism and takes away employees’ fear of employment consequences.
On the other hand, employees should also be made aware that they may face employment consequences if they violate the code of conduct or make obviously false reports.
If a works council exists, it must be involved in the introduction of codes of conduct, as it has a right of co-determination under s87 (1) No. 1 of the Works Constitution Act. However, a distinction must be made between the individual provisions of the code of conduct. Each provision must be examined to see whether the right of co-determination is actually affected. The fact that individual provisions are subject to co-determination does not make the code as a whole subject to co-determination (cf. Federal Labour Court v. 22.07.2008 – 1 ABR 40/07). For example, there is no right of co-determination where provisions merely specify the work performance owed or establish a corporate philosophy. If reports on violations of the Directive are possible via an electronic system, the co-determination right under s87 (1) No. 6 of the Works Constitution Act may also apply.
The first step is the introduction of internal rules of conduct. In order to ensure that the values laid down in the code of conduct are also lived in daily interaction, it must be possible to report violations. The implementation of a standardised reporting procedure is a good way to achieve this. To meet the requirements of the Whistleblower Directive, the reporting procedure should take into account the elements set out below.
Reporting of all breaches possible
The Whistleblower Directive only requires the establishment of a reporting system for the reporting of breaches of EU law. It is currently unclear whether the German legislator will extend this obligation to national legal violations. It is recommended that the reporting system be available for all types of reporting: for violations of EU law and national law as well as for ‘pure’ violations of the Conduct of Business Directive. A single procedure will simplify the process.
Multiple reporting options
The more varied the reporting options, the more violations can potentially be recorded. It is therefore advisable to provide at least two reporting options. Here, everything from personal reporting via a contact person to an electronic reporting system or a telephone hotline is possible. Anonymous reports, in particular, can also be permitted, though this is not required under the Whistleblower Directive.
For the internal processing of reports of potential violations, the compliance department (if there is one) is a good choice. In smaller companies, the legal department may also be a suitable processing point. It is important that the processing of the reports is done objectively, meaning ideally the individual(s) processing the report should not belong to the same department as the whistleblower.
An effective reporting system also provides for effective investigation of possible violations, by, for example, talking to the person concerned and witnesses to the incident, to clarify the facts as comprehensively as possible.
As reports usually relate to individuals, data protection rules must be respected. Since the storage and use of the data obtained through the reports usually serves either to uncover criminal offences or serious breaches of duty by employees, or forms the basis for the termination of the employment relationship, the company can usually base the data processing on the grounds for permitted processing in s26 (1) of the Federal Data Protection Act.
Documenting and retaining reports and investigations
All reports received should be documented. Whistleblowers should be informed about the status or outcome of internal investigations within uniformly defined deadlines. In order to maintain an overview of the processing of reports received, it is advisable to enter the reports into an internal database and prioritise them according to the severity of the violation.
After the procedure has been completed, the documentation should be deleted. From a data protection point of view, storage is no longer necessary and therefore not permitted. In addition, the guidelines should include fixed deletion periods.
If you want to set up reporting procedures in your organisation, it makes sense to do this directly with the appropriate technical support (i.e. with legal tech). For example, it is possible to set up a reporting platform to receive reports from whistleblowers.
Whistleblowers leave all the necessary information on the platform (e.g. the type of violation, a brief description, contact details, etc.) and this is then forwarded to a set group of recipients (e.g. the internal compliance department).
The platform can categorise the type of violation and the urgency. Further processing steps, such as forwarding the notification to others, automated responses or other elements could also be included.
A platform could also incorporate a ‘reminder system’, so that the processor and the whistleblower can be informed about the status of the investigation and the next steps within fixed deadlines.
As the deadline for the implementation of the European Whistleblower Directive is 17 December 2021, organisations are well advised to start designing their internal compliance system already. In order to make the internal code of conduct and the reporting procedure ‘Whistleblower Directive compliant’, it is advisable to extend the reporting procedure to reports of all violations, including of the internal code of conduct and of national and EU legal provisions.
This article was written with the kind support of Canan Schneider (research assistant in the Düsseldorf office) and Martin Kammandel (legal tech engineer).