“Whistleblowing” alerts for companies with 50 or more employees
Law No. 93/2021 of 20 December, establishing the General Protection Regime for Whistleblowers (“RGPDI”) and transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, is coming into force.
Applicable to companies (public and private sector) with 50 or more employees and to entities that are within the scope of the European Union acts referred to in Directive (EU) 2019/1937 of the European Parliament and of the Council. RGPDI establishes that covered entities must reflect in internal regulations a policy for reporting irregularities by 18 June 2022.
Failure to comply with the RGPDI may result in the verification of a serious or very serious offense, with fines ranging from 500 to 250 thousand Euros, depending on whether the agent is an individual or a company and the type of offense.
The new law considers a “Whistleblower” for protection purposes the natural person who, in good faith, with serious grounds to believe that the information is true on the date it is provided, reports or publicly discloses an infringement based on information obtained in the course of his or her professional activity.
At issue are complaints regarding violations related to:
i. Public procurement;
ii. Financial services, products, and markets, and prevention of money laundering and terrorist financing;
iii. Product security and compliance;
iv. Transport security;
v. Environmental protection;
vi. Radiation protection and nuclear safety;
vii. Food and feed safety, animal health, and animal welfare;
viii. Public health;
ix. Consumer protection;
x. Privacy and personal data protection and network and information systems security.
Thus, and by reference to an internal complaint, external or public disclosure, the company must ensure the existence of proper channels to ensure secure communication, requiring that, when presented with a complaint, it must act independently, impartially, in terms of data protection, confidentiality, and absence of conflicts of interest.
Internal reporting channels may be operated internally for the purpose of receiving and following up on complaints by designated persons or services. They may, however, be operated externally for the purpose of receiving complaints.
Countdown to the entry into force of the General Protection Regime for Whistleblowers
The RGPDI highlights the obligations with internal practical effects on legal persons. In particular, the company’s obligations are:
i. Ensure the existence of communication channels that allow the secure submission and follow-up of complaints, in order to guarantee the completeness, integrity, and preservation of the complaint, the confidentiality of the identity or anonymity of the complainants, and the confidentiality of the identity of third parties mentioned in the complaint, and to prevent access by unauthorized persons.
ii. Record and retain complaints received for a minimum period of 5 years or, regardless of such period, during the pendency of judicial or administrative proceedings concerning the complaint;
iii. Ensure confidentiality about the identity of the whistleblower;
iv. Notify the complainant of the receipt of the complaint within 7 days and inform him/her of the possibility and requirements for filing an external complaint, as well as the competent authorities to receive it;
v. Inform the complainant of the requirements, the competent authorities, and the manner and admissibility of filing an external complaint.
vi. Ensure that internal investigations last no longer than three months and that the actions taken are communicated to the whistleblower at the end of the internal investigation.
vii. Provide the complainant, upon his/her request, which may be made at any time, with the result of the analysis of the complaint within 15 days of its conclusion.
viii. Prohibit and sanction the practice of retaliatory acts against the whistleblower.
ix. Failure to comply with the requirements set out in the Law subjects the agents and companies in question to civil and administrative liability, without prejudice to any other consequences applicable to the specific case.
Depending on whether it is a very serious or serious offense, the following fines will be applied:
From one thousand to 25 thousand Euros or from 10 thousand to 250 thousand Euros depending on whether the agent is a natural or legal person – A very serious offense;
From 500 to 12.5 thousand Euros or from one thousand to 125 thousand Euros, depending on whether the agent is a natural or legal person – Serious offense.
External complaints, on the other hand, are submitted to the authorities that, according to their attributions and competencies, should or may have knowledge of the matter at issue in the complaint.
