On 23 October 2019, a new directive of the European Parliament and the Council of the EU on the protection of persons who report breaches of Union law (the "Directive") was signed. It requires Member States to adopt laws, among other things, obliging companies to establish reporting channels and to ensure sufficient protection of whistleblowers. The Directive also provides for penalties applicable to both individuals and legal entities. Such national regulations and related whistleblowing measures shall come into force in less than two years. Please find below a brief summary of the legal aspects, the new obligations and the possible penalties in relation to the new whistleblowing Directive.

Who is whistleblower? And, how is whistleblowing regulated in the Czech Republic?

A whistleblower is anyone who has information about insider illegal activities or wrongdoings occurring within an organization, company or any other entity and reports such information to some higher authority, a senior officer, external specialized advisers, public bodies or generally to the public.

Compared to Slovakia, Ireland and other EU Member States, the Czech Republic has no special whistleblowing act providing  rules and protections for whistleblowers. The only existing regulation similar in nature applies to public officers who report any suspicion of an illegal offense being committed in a public service office (government regulation 145/2015 Coll.). In the private sector, the Czech Labour Code generally requires that employees prevent any harm or damage to the employer, other employees or third parties; and in the event there is such a risk, employees are obligated to inform their superiors. Further, the Czech Criminal Code lists criminal offences that require mandatory reporting and the failure to report such offenses will result in criminal prosecution.  While some Czech acts (e.g. the Criminal Proceedings Code, the Code of Administrative Procedure, etc.) relate somewhat to whistleblowing, there is no comprehensive whistleblowing law.

What is the new Directive? And, what are its objectives?

The purpose of the Directive is to lay down minimum standards of protection of persons reporting breaches of Union law in the areas of public procurement, financial services and prevention of money laundering, product safety and compliance, protection of the environment, personal data protection and others. However, the Directive does not affect the current law related to attorneyclient privilege. Therefore, any information disclosed to legal advisors within the whistleblowing programs will remain subject to an attorney's privacy obligations.

The Directive applies to both the private and the public sector and it aims to protect reporting persons who acquired information on breaches in a work-related context. Such persons include, for example, workers (employees), selfemployed persons, shareholders and persons in management.

The general rules for internal and external reporting as well as rules for public disclosures are also set by the Directive. Internal reporting should always precede other reporting forms. By 17 December 2023, Member States will be obliged to adopt laws under which legal entities in the private sector with more than 50 workers will have to establish channels and procedures for internal reporting as well as follow-up. Such channels will enable persons in a work-related context to report information on breaches of law. The reporting channels may be operated internally by a person or department designated for this purpose or externally, for example, by specialized legal advisors.

The Directive prohibits any form of retaliation against reporting persons such as suspension, dismissal, demotion or withholding of promotion, a negative performance assessment or employment reference, penalties, unfair treatment or any other harm, including harm to the reporting person's reputation.

Transposition of the Directive and the Bill on Protection of Whistleblowers

Member States must bring into force all national laws necessary to comply with the Directive by 17 December 2021. As regards to legal entities in the private sector with 50 to 249 workers, Member States must bring into force the relevant laws requiring such entities to establish internal reporting channels by 17 December 2023.

In 2018, the Government of the Czech Republic drafted a bill on the protection of reporting persons. However, this bill was strongly criticised. It was also prepared before the Directive was adopted. Therefore, it is now subject to a complete redrafting. One related hot topic is whether a new body, the Agency for Protection of Reporting Persons under the Ministry of Justice, should be established as the enforcing body or whether the enforcement should be assigned to various existing public bodies. Any further details related to the current draft of the Czech whistleblowing regulation are, at the moment, unknown.

Practical implications and new obligations for companies

As a result of the Directive and its transposition into Czech law, companies are obliged to introduce measures of protection through the implementation of various procedures and processes, including the following:

  1. the establishment of internal reporting channels which may be operated internally or externally by third party advisors and which will be suitable for the receipt of both written and oral reports (via telephone, voice message, email, post, physical meetings, etc.);
  2. the acknowledgement of receipt of the report to the reporting person within seven days of that receipt;
  3. the designation of an impartial person or department competent in following-up on reports (e.g. a designated employee, an internal department or specialized legal advisors);
  4. the diligent follow-up and feedback  within three months from the acknowledgement of receipt of the report;
  5. provision of information regarding the implemented whistleblowing measures and procedures to the competent authorities;
  6. the assurance that a duty of confidentiality is owed to the reporting person;
  7. the processing of data in accordance with personal data protection laws;
  8. the maintenance of record keeping systems of the reports; and
  9. the prohibition of and protection against any retaliation towards the reporting person.

Will there be any penalties for noncompliance?

Under the Directive, any individual or legal entity which in relation to a reporting person (i) hinders or attempts to hinder the reporting, (ii) retaliates, (iii) brings vexatious proceedings and/or (iv) breaches the duty of maintaining confidentiality will be punished by an effective, proportionate and dissuasive penalty. In practice, penalties commonly used in administrative law will be applied, especially administrative fines or the prohibition of certain business activities.

From the above summary, it is clear that the Directive requires introduction of rather complex whistleblowing policies and procedures. Therefore, it is advisable that companies take this into account and begin to prepare themselves for the establishment of the reporting mechanisms as an integral part of their current compliance systems.

Please take this newsletter as preliminary information on the Directive and its potential implications in the Czech Republic. We are monitoring the legislative process as well as all available information and will follow-up with more details and practical information as they become available.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.