What does the draft of the Whistleblower Protection Act mean?
Regarding the implementation status of the EU Whistleblower Directive1 in Austria
Since 3 June 2022, a draft of the Whistleblower Protection Act exists,2 which is supposed to implement the EU directive in Austria. The law is expected to enter into force in the third quarter of the year. After that, companies will still have room for practical implementation, but preparations should be started promptly. In the following FAQ, our experts have already answered the most important questions about the draft legislation relevant for employers.
FAQ on the Whistleblower Protection Act
Which obligations do employers have? Companies are obliged to set up an internal reporting body to which legal violations can be reported. This body is a separate department or organizational unit within the company that receives (e.g., via telephone hotlines, online tools or apps) and handles the reports. The concrete design of these bodies is left to the company, but certain requirements must be met (see below). In addition, there are various documentation and storage obligations with regard to the reports made, as well as protection and information obligations toward whistleblowers.
Will all employers be obligated? No, only companies with 50 or more employees.
Who can be a whistleblower? In the context of employment law, primarily employees (including temporary workers), applicants or freelancers can be whistleblowers.
Which legal violations does the draft legislation cover? Only certain legal violations, such as legal violations in the area of public procurement, finance, money laundering, product safety, environmental protection, food safety, public health, consumer protection, privacy, network security, abuse of authority or corruption, fall under the scope of the Whistleblower Protection Act.
What protection do whistleblowers have? From the moment they make a report, they are entitled to special protection. The top priority is the protection of their identity. Whistleblowers must also not be subject to retaliatory measures under the labor law, such as dismissals, transfers or demotions. Such measures are ineffective and must be reversed by those responsible. Any resulting damage must be compensated. Severe administrative penalties may also be imposed. However, in order to receive protection, whistleblowers must have sufficient reason to believe that their report is accurate. In addition, the report must concern a legal violation that falls within the above mentioned scope of the Whistleblower Protection Act.
Does every report have to be followed up? Yes, unless the legal violation falls outside the scope of the act or there is no substantial evidence. The act does not specify how the investigation of a reported legal violation must be conducted. Receipt of the report must be confirmed within seven days. Whistleblowers must then in any event be informed about the progress of the investigation and the measures taken within three months. If reports are not being followed up, reasons for this must be given to whistleblowers within the same period.
Can reports also be made to external bodies? Yes, whistleblowers can alternatively turn to a body established outside of the company that performs the same function as an internal body. The Federal Office for Preventing and Combating Corruption (BAK) is to be established as an external body. As whistleblowers can also turn to the external body as an equivalent to the (company) internal body, no sanction is attached to the non-establishment of an internal body. However, companies should have an interest in having whistleblowers report internally.
Does the works council have to be involved? Yes. This is because the establishment of a reporting system is usually a control measure that affects human dignity. In such cases, the conclusion of a works council agreement is mandatory for the implementation of the system.
What applies in companies where there is no works council? In this case, the written consent of each individual employee must be obtained.
When is the law expected to come into force? The law is not expected to come into force before September 2022. Once it comes into force, employers with at least 250 employees still have a period of six months for the factual implementation. For companies with 50 to 249 employees, the law will not take effect until 18 December 2023.
What are the penalties for violations? There are severe fines. For example, obstructing whistleblowers or retaliation against them is punishable by a fine of up to EUR 20,000, or significantly more in the case of a repeated offense. In addition, whistleblowers who knowingly make a false or misleading report also face such a fine.
Requirements for internal reporting channels
The law does not specify in detail how exactly the internal reporting body should look, but the following requirements can be found in the draft:
- The technology and communication devices used must maintain the confidentiality of the identity and be designed in accordance with data protection law.
- The internal reporting body must be provided with sufficient financial and human resources.
- It must be possible for the internal reporting body to receive reports in written and verbal form; if the whistleblower wishes, a personal meeting must be possible within 14 days.
- Feedback to whistleblowers must be possible within three months.
- Employees of the internal reporting body must be free from instructions with regard to the receipt and follow-up of reports.
- Employees of the internal reporting body must be equipped with sufficient authority to review reports and take appropriate action.
1 DIRECTIVE (EU) 2019/1937 on the protection of persons who report breaches of Union law.
2 The act is still in the drafting phase. Changes are still possible and to be expected.