Whistleblower Directive: Clean implementation of data and Whistleblower Protection


Encouraging employees to report wrongdoing, and protecting them when they do, is essential for corruption prevention in both the public and private sectors. The EU Whistleblower Protection Directive came into force in 2019, and member states should have complied with its provisions by 2021. However, according to a report by Transparency International, many countries are still lagging behind in implementing effective whistleblower protection measures. According to Whistleblowing Monitor, Germany, Hungary, Luxembourg, Poland, Czechia, Slovakia and Estonia had not complied with the regulation at all in April 2023. No wonder the European Commission lost its patience and started infringement procedures against EU member states. It's very likely that by the end of this year the Directive will be implemented fully in every country.

What are organizations obliged to implement – and by when? Which information and groups of people are affected by the Whistleblower Protection Act? There is an urgent need for companies to take action, regardless of their size. The overriding goal should be to create structures as quickly as possible that enable whistleblowers to report legal violations at an early stage.

In this way, not only can fines be avoided, but also reputationally damaging consequences and considerable financial damage. According to the latest report by the Association of Certified Fraud Examiners, a classic case of fraud takes twelve months before it is discovered. The association puts the average loss at around 111,000 euros.

Complying with the Whistleblower Protection Act – but how?

The Whistleblower Protection Act aims to reduce the hurdles for reporting violations. The aim is to prevent negative consequences for all persons who provide information or are the subject of the report. Organizations must moreover ensure that personal data is handled in compliance with the GDPR at all times.

Here are the most important details and requirements for companies at a glance:

  • In the future, every company with at least 50 employees will be required to implement the requirements of the law
  • In a transitional phase until December 17, 2023, only companies with more than 250 employees are affected
  • Companies need a reporting channel through which whistleblowers can send messages and data in writing or orally (voice message/recording)
  • A whistleblower officer must be designated and trained, and the role must not bring that person into a conflict of interest
  • Maintain confidentiality and GDPR-compliant handling of personal data
  • Expect to face fines of 20,000 euros for non-compliance if a hotline is not established three months after the law comes into force

However, companies should go one step further than simply setting up a reporting channel and appointing a reporting officer. It is likely that more reports will be received in the future than in the past as reporting will be possible anonymously. Stringent processes that go beyond an email inbox are essential for handling information efficiently and securely.

How to implement whistleblowing policy with Tresorit

Technically, the whistleblowing policy can be implemented with Tresorit, among other tools, and more precisely with the help of its already proven file request function. How exactly does this whistleblower protection solution work?

First of all, Tresorit does not have to be used throughout the company. All data is stored in the cloud in a highly secure and GDPR-compliant manner with zero-knowledge encryption; only the person responsible for the hotline retains control over the data transfer. That person sends the file request link to the employees, who can use it via either an anonymous private or a business email address to save their report in the folder of the person responsible for the hotline. This allows the latter to receive and collect files from anyone.

Control also extends to permissions. Only certain people have access to the target folder and can view the files, making it easy to share with officials, i.e., authorities and the like. Thus, Tresorit enables organizations of all sizes to achieve maximum confidentiality in communications and compliance with whistleblowing policy.

In addition, to ensure that employees embrace the whistleblowing service within the organization, user-friendliness is a priority alongside privacy. Besides uncomplicated setup by IT administrators, ease of use for users is also important. Since creating links and sending data via Tresorit takes seconds, the solution quickly becomes routine and is not bypassed via shadow IT applications. There are also hardly any limits for users when it comes to file formats: using a file request, they can upload up to 100 files and 5 GB at once.

Act quickly, avoid damage proactively

Sooner or later, the Whistleblower Protection Act will also be transposed into national law in each and every country of the EU. Decision-makers should act proactively and take the necessary steps now, as an efficiently functioning internal reporting office protects against financial and reputational damage.

Tresorit also provides decision-makers, IT admins, and employees with a user-friendly and scalable solution for highly secure data exchange across company boundaries. Crucially for whistleblowers, they don't have to worry about whether reports could have negative consequences for them. End-to-end encryption and clear access rights guarantee exactly that. Information always remains as confidential as you want it to be with Tresorit.