Five tips on preparing for ‘whistleblowing’ rules


In order to guarantee the protection of people who report breaches, i.e. whistleblowers, employers will soon be obliged to set up a clear and confidential system for reporting breaches.

By December next year, all EU Member States must transpose Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law, i.e. the whistleblower protection directive, which has already been widely debated, at least in Estonia. The new regulation will bring additional obligations for many companies. The objective of this article is to give five general tips on how to prepare for these new developments in the legal landscape.


Companies that have 50 or more employees and operate in a field that the directive covers, i.e. one of the areas required for the normal functioning of the market, such as consumer protection, transport, product safety, food and animal feed, public health, etc., are the ones that must take this obligation into account most of all. For example, the new requirements apply to reporting breaches concerning the production, presentation and sale of tobacco and related products, so all companies operating in this field should consider the impact of the directive.

Nor can it be ruled out that the national legislator will decide to extend the protection arising from the directive to other fields or activities.


The companies concerned should consider three main lines of action in order to guarantee the protection of whistleblowers:

1) the establishment of a reporting system;

2) the preparation of rules concerning the functioning of the reporting system and the division of areas of responsibility;

3) the correct processing of reports.

Although national laws updated specifically on the basis of the directive most likely do not yet exist (at least not in Estonia), the introduction of the necessary mechanisms should get under way. If you feel that the overview of the information accessible to employees and of the organisation of work has become difficult to comprehend, we advise carrying out a human resources audit.

This helps you ascertain whether the existing documents and the areas of responsibility of employees comply with laws and practices, and identify the deficiencies that need to be resolved in the context of whistleblower protection.


When establishing the reporting system, the obligation to appoint the persons responsible for it should be considered. The reporting system can be managed by a specific employee or department of the company, or by an external service provider. Only an impartial person with the capabilities and skills to handle reports correctly is suitable for this role.

The selection of a suitable person depends on the company’s structure. For example, in smaller companies, employees such as the HR manager or the accountant should be considered, since their position allows them to report directly to the head of the company. An audit firm is a good option if the company decides to assign the task to a service provider. In any case, finding a suitable solution and training the responsible persons may be a relatively time-consuming process, so you should start thinking about it now.


We advise implementing specific rules on how to act when a breach is reported, in order to reduce the company’s risks. For example, a report must be responded to within a reasonable time – no longer than three months from receipt of the report – and the planned follow-up measures must be explained. Such measures may be, for example, the initiation of an internal investigation or, conversely, the termination of further processing due to a lack of evidence.

The organisation of internal investigations must also be subject to clear rules, and among other things the manner in which evidence is collected must be thought through. The results of internal investigations must be recorded, and the possible consequences must be clear to persons before a breach is even committed. If the company already has a reporting system in place that appears to comply with the requirements, it must still be reviewed. Until now, the absence of a uniform set of rules has made it possible to restrict the ways in which a reporting system may be used, but such limitations will soon no longer be permitted.


There is no way to bypass compliance with the obligations arising from the GDPR. All companies concerned should check that the risks arising from data protection regulations have been managed. In the context of whistleblowing, it is necessary to make sure that strict confidentiality requirements are applied to breach reports and that the personal data included in the reports is collected for a specific purpose and only to the extent necessary.


Article provided by: Mari Anne Valberg & Mari-Liis Orav (TGS Baltic, Estonia)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.