Search for:

What does the draft of the Whistleblower Protection Act mean?

In brief

Regarding the implementation status of the EU Whistleblower Directive1 in Austria

Since 3 June 2022, a draft of the Whistleblower Protection Act exists,2 which is supposed to implement the EU directive in Austria. The law is expected to enter into force in the third quarter of the year. After that, companies will still have room for practical implementation, but preparations should be started promptly. In the following FAQ, our experts have already answered the most important questions about the draft legislation relevant for employers.

FAQ on the Whistleblower Protection Act

Which obligations do employers have? Companies are obliged to set up an internal reporting body  to which legal violations can be reported. This body is a separate department or organizational unit within the company that receives (e.g., via telephone hotlines, online tools or apps) and handles the reports. The concrete design of these bodies is left to the company, but certain requirements must be met (see below). In addition, there are various documentation and storage obligations with regard to the reports made, as well as protection and information obligations toward whistleblowers.

Will all employers be obligated? No, only companies with 50 or more employees.

Who can be a whistleblower? In the context of employment law, primarily employees (including temporary workers), applicants or freelancers can be whistleblowers.

Which legal violations does the draft legislation cover? Only certain legal violations, such as legal violations in the area of public procurement, finance, money laundering, product safety, environmental protection, food safety, public health, consumer protection, privacy, network security, abuse of authority or corruption, fall under the scope of the Whistleblower Protection Act.

What protection do whistleblowers have? From the moment they make a report, they are entitled to special protection. The top priority is the protection of their identity. Whistleblowers must also not be subject to retaliatory measures under the labor law, such as dismissals, transfers or demotions. Such measures are ineffective and must be reversed by those responsible. Any resulting damage must be compensated. Severe administrative penalties may also be imposed. However, in order to receive protection, whistleblowers must have sufficient reason to believe that their report is accurate. In addition, the report must concern a legal violation that falls within the above mentioned scope of the Whistleblower Protection Act.

Does every report have to be followed up? Yes, unless the legal violation falls outside the scope of the act or there is no substantial evidence. The act does not specify how the investigation of a reported legal violation must be conducted. Receipt of the report must be confirmed within seven days. Whistleblowers must then in any event be informed about the progress of the investigation and the measures taken within three months. If reports are not being followed up, reasons for this must be given to whistleblowers within the same period.

Can reports also be made to external bodies? Yes, whistleblowers can alternatively turn to a body established outside of the company that performs the same function as an internal body. The Federal Office for Preventing and Combating Corruption (BAK) is to be established as an external body. As whistleblowers can also turn to the external body as an equivalent to the (company) internal body, no sanction is attached to the non-establishment of an internal body. However, companies should have an interest in having whistleblowers report internally.

Does the works council have to be involved? Yes. This is because the establishment of a reporting system is usually a control measure that affects human dignity. In such cases, the conclusion of a works council agreement is mandatory for the implementation of the system.

What applies in companies where there is no works council? In this case, the written consent of each individual employee must be obtained.

When is the law expected to come into force? The law is not expected to come into force before September 2022. Once it comes into force, employers with at least 250 employees still have a period of six months for the factual implementation. For companies with 50 to 249 employees, the law will not take effect until 18 December 2023.

What are the penalties for violations? There are severe fines. For example, obstructing whistleblowers or retaliation against them is punishable by a fine of up to EUR 20,000, or significantly more in the case of a repeated offense. In addition, whistleblowers who knowingly make a false or misleading report also face such a fine.

Requirements for internal reporting channels

The law does not specify in detail how exactly the internal reporting body should look, but the following requirements can be found in the draft:

  • The technology and communication devices used must maintain the confidentiality of the identity and be designed in accordance with data protection law.
  • The internal reporting body must be provided with sufficient financial and human resources.
  • It must be possible for the internal reporting body to receive reports in written and verbal form; if the whistleblower wishes, a personal meeting must be possible within 14 days.
  • Feedback to whistleblowers must be possible within three months.
  • Employees of the internal reporting body must be free from instructions with regard to the receipt and follow-up of reports.
  • Employees of the internal reporting body must be equipped with sufficient authority to review reports and take appropriate action.

1 DIRECTIVE (EU) 2019/1937 on the protection of persons who report breaches of Union law.

2 The act is still in the drafting phase. Changes are still possible and to be expected.

View German version


Philipp Maier is partner and head of the Baker McKenzie Employment Law Practice Group in Vienna. He joined Baker McKenzie Austria in 2009 as associate of the employment law practice group. Prior to that Philipp worked for several years in the employment law department of Freshfields Bruckhaus Deringer and in the litigation department of Wolf Theiss Rechtsanwälte. He also completed an internship at Aichelin Heat Treatment Systems (Detroit, USA).


Mag. Simone Liebmann-Slatin, MSc. joined Baker McKenzie as a partner in 2003. Since 2011, Ms. Liebmann-Slatin is a senior counsel in the Vienna office and is a member of the employment law practice group. She regularly delivers presentations on issues related to employment law in Austria, and is an active contributor to various publications, webinars and workshops.


Victoria Fink joined the Vienna Baker McKenzie office as a junior associate in January 2019. Before joining the Firm, she gathered experiences as a junior associate in a renowned Vienna law firm for several years, where her main focus was on litigation, also before labor courts. Victoria passed the Austrian bar examination in 2020.

Write A Comment