whistle hub

Read about whistleblower systems and the whistleblower directive


News and posts

Why are whistleblowing schemes a good idea? What does the Whistleblower Directive say? How do you implement a whistleblowing system? Read about the new rules on whistleblowing schemes

Who detects fraud in businesses?

Companies lose an average of 5 percent of their annual revenue due to fraud. This is according to research from the Association of Certified Fraud Examiners (ACFE). 42% percent


Cases, statistics and background

Status of the directive's implementation in the EU

Follow the progress of the implementation of the Whistleblower Directive in other EU countries on EU Blowing Monitor

Equip your employees

Would you like us to host a webinar for your employees about your whistleblowing scheme?

Employees must be briefed on the workplace whistleblowing scheme. We can arrange this. Contact us for more information. 


Create a whistleblower policy

What is a whistleblowing policy, why is it important and what to include?


A whistleblowing policy describes the purpose of your workplace whistleblowing scheme: why it is important and what it should be used for. It is closely linked to the culture that management wants the workplace to have, such as zero tolerance for sexual harassment, bullying, unethical behavior and outright violations of the law. It's important to be specific about what these terms mean. What is considered acceptable in one workplace with a no-nonsense tone between employees may be perceived as unacceptable in another workplace.

A whistleblowing policy cannot stand alone. If your workplace has an undesirable culture, it's rarely enough to simply introduce a whistleblowing policy and expect things to improve.

A recent example is a boarding school with undesirable behavior that included very serious bullying, harassment and outright violence. To deal with this, it is not enough to introduce a whistleblower scheme. It is also necessary to work on changing this kind of behavior. If students perceive such behavior as acceptable, grotesque as that may seem, you cannot expect the whistleblower system to be used to any large extent to bring these issues to light.

A whistleblowing policy is not a standard document that you can simply find online and download. To put it bluntly, it's like finding a template for a will and using it without considering the content. Obviously, that doesn't make sense.

Employees should also be informed of the rules in the Whistleblower Act, which protects against retaliation if the whistleblower chooses to come forward. The rules state that any form of negative treatment is illegal. How does management intend to implement this in practice?

It is rarely enough to post a whistleblower policy on, for example, a workplace intranet and expect all employees to thoroughly familiarize themselves with it. Describe how the company will communicate and educate employees about the whistleblower policy. This may include training and information sessions to ensure everyone is familiar with the policy's content and procedures.

A particular issue is how new employees get to know the scheme and get a thorough introduction on how to use it. 

It is important that the whistleblowing policy is specifically based on the conditions in the workplace. This makes it credible, builds employees' trust in the system, and makes it more likely that they will use it.

Points for a whistleblower policy

The purpose: It is important that management explains why the workplace has introduced a whistleblower scheme. It is not enough to point out that the Whistleblower Act obliges the workplace to have a whistleblowing scheme. Explain why it is important to have a whistleblowing policy and how it can help create transparency and accountability.

It goes without saying that violations of the law can be reported, but what about beyond that? What about health and safety regulations or the workplace Code of Conduct? What about behavior that goes against the workplace values, and what does this entail? Is the workplace certified according to, e.g., ISO standards, and must violations of these be reportable? A whistleblowing scheme is not intended for complaints, such as that you think you should get a pay rise or should be promoted.

Is it a link to an external scheme or is it an internal scheme that the workplace manages itself?

Who processes a whistleblower's report? What if the report is about a member of management, or the CEO? Does the report then go to the board? Describe how the report can be submitted (e.g. a dedicated hotline, email or an online form) and how the report will be processed.

It is required by law that the whistleblower receives feedback on how the workplace has handled the report no later than 3 months after the report. What does this feedback contain?

Who can employees contact if they have questions about the scheme, or if they are considering reporting but are unsure whether they should do so? An external hotline could be considered here.

Remember the legal documentation

According to section 16 of the Whistleblower Act, you must keep written documentation of how you have complied with the rules in the Whistleblower Act. This can largely be written into a whistleblower policy. For Whistle Tools customers, this documentation is included.


You can't use a standard text

The rules on legal documentation are listed below. As you can see, you need to describe how your workplace complies with the rules. Please note that you cannot take a standard text from the web and use it. This is an individual description of the implementation at each workplace. 

For Whistle Tools customers, all documentation is included.

What does it mean to "document in writing"?

Implementing a whistleblower scheme that complies with the requirements of the Whistleblower Act is not enough. Compliance must also be documented in writing. This means that it is not enough to have decided which system to use, how the company's whistleblowing unit is established, how to report, etc.

Normally, legislation does not require you to document how you comply with it. It's enough to comply with the rules, but that doesn't apply here. 

A key point here is that subscribing to a whistleblowing system is not in itself enough to comply with the Whistleblower Act. You also need to explain how it meets the requirements of the law.

The documentation requirement was introduced to make it easier to investigate whether a workplace complies with the rules. You could say that in the first instance, it is the workplace that has to prove compliance. It is not the authorities who have to prove that the rules have not been complied with.

What should the legal documentation contain?

The documentation must demonstrate compliance with sections 10-15 of the Whistleblower Act. As a minimum, it must contain:

A review of the system chosen and how it complies with section 10 of the Whistleblower Act. For example, it must be described whether both a written and oral reporting option has been chosen and how a physical meeting can take place in the case of an oral report. If oral reporting is provided, it must be possible via telephone or other voice messaging systems and the procedure for summoning the whistleblower must be stated. 

A whistleblowing scheme must be designed, established and operated in a manner that ensures confidentiality of the identity of the whistleblower, the person concerned and any third party named in the report and prevents unauthorized access to it... It must describe how this is achieved. 

It must be described who is designated as the impartial person/department to receive reports and have contact with the whistleblower. 

 external third party or an employer of an affiliated company that must comply with the processing requirements arising from this Act

Describe how to follow up on reports and how to provide feedback to the whistleblower. 

The same applies to the procedures for acknowledging receipt of a report, how to follow up on reports and how to ensure that the whistleblower receives feedback as soon as possible and no later than 3 months from receipt of the report. 

In addition, the procedure for how employees can make a report to the internal whistleblower scheme must be described, including encouragement to report internally in cases where the violation can be effectively addressed internally and where the whistleblower assesses that there is no risk of retaliation.

Staff members shall also be informed of the procedure for reporting externally to an authority and, where applicable, to the institutions, bodies, offices or agencies of the European Union.

Private sector employers with 50-249 employees can share a common system for receiving reports and any investigations. If this option is chosen, the content must be described. 

GDPR documentation

Under the GDPR, the data controller must document in writing that the rules of the GDPR are complied with. It is not enough to comply with the rules. It must also be documented. 

A whistleblower scheme is used to submit reports that often contain personal data: ordinary, confidential and sensitive personal data alike. Information can be reported about suspects and about others who are relevant to the report, e.g. someone who knows about the matter being reported. In addition, the whistleblower can provide personal data about themselves. The person can choose to give their name and not appear anonymous, but they can also provide personal data about themselves that does not reveal their identity. For example, it will

When a whistleblowing scheme is established, the GDPR documentation already prepared for e.g. employees' personal data must be updated to include the personal data processed in the whistleblowing scheme. 

The requirement follows directly from Article 24 of the GDPR, but also follows from the principles of accountability and transparency.

A number of items need to be updated. The list below is not exhaustive and is meant only as inspiration:

  • Purpose of data processing: Clearly describe the purpose of collecting and processing personal data in relation to the whistleblowing scheme. This should include the purpose for which the data is used and why it is necessary.
  • Legal basis: Indicate the relevant legal basis for the data processing. For whistleblowing schemes, this is usually the fulfillment of a legal obligation or the performance of a task in the public interest. In Denmark, section 22 of the Whistleblower Act states that you may process 
  • Information collection: Explain what types of personal data are collected through the whistleblowing scheme. This cannot be exhaustive when there is the option to enter information in free text fields. However, you can list examples of the personal data that can be expected to be sent through the system and the three different types of personal data that can be involved (see above).
  • Retention period (data retention): the period for which the personal data will be retained and the criteria for determining this period must be stated.
  • Data security: Describe the security measures and procedures in place to protect personal data. This also applies to how a report is handled after management has received a proposal from Whistle Tools with suggestions on how to handle the report. 
  • Data transfer: With Whistle Tools' solution, no data transfer to third countries is necessary. This must be mentioned.
  • Rights of data subjects: Explain how data subjects (the people whose data is collected) can exercise their rights under the GDPR, such as the right to access, rectify and erase data. 
  • Data breach reporting: Provide procedures for reporting and handling data breaches in accordance with the GDPR.
  • DPO role: If applicable, describe the role and responsibilities of a Data Protection Officer (DPO).
  • Confidentiality and protection of whistleblower identity: Ensure that the process for protecting whistleblower identity is clearly described and that only authorized individuals have access to identity information.
  • Documentation and reporting: Specify how you will document all steps of the data management process and keep the documentation available for supervisory authorities.
  • Compliance monitoring: Describe how you will continuously monitor and maintain compliance with the GDPR.
  • Contact details: Provide contact details for the controller and, if applicable, the data protection officer.
Whistle Tools has created GDPR documentation that can be used as is or incorporated into existing documentation.