The law on whistleblowing is perhaps one of the transpositions in the local legislation of a European Directive that brings us closer to a culture of “compliance” but one who also triggers memories of a recent era. On June 29th, the draft Law on the protection of whistleblowers was adopted by the Parliament, the Chamber of Deputies acting as decision-making chamber regarding this draft normative act.
2. What does the Law provide?
The law implements the 2019/1937 EU Directive on “whistleblowing”.
All private and public companies with over 249 employees will be required to establish internal reporting channels during 2022, within 60 days of the publication of the Law with the Official Gazette.
Controls are announced to be carried out shortly after its entry into force, thus it’s important to note that failure to comply with the requirements of the Law may result in fines.
Similar obligations are also provided for companies with 50 – 249 employees; however, in this case, the deadline for compliance has been postponed for a period of 1-2 years.
According to the final version of the Law that was sent for promulgation, companies will be required to implement special measures such as:
– designing, establishing and managing the manner of receiving reports so as to protect the confidentiality of the identity of the whistleblower and of any third party mentioned in the reporting and to prevent access to this information by unauthorized members of the company’s staff;
– the obligation to send to the whistleblower, within a fixed dealine, feedback regarding the reporting;
– designating a person / department / third party with attributions regarding the reception, registration, examination, subsequent actions and resolution of reports, who should act impartially and who will be granted autonomy in the exercise of these attributions.
It should be noted that the Law not only allows, but also encourages the use of digital platforms to meet all these rather complex obligations, such as establishing reporting channels, communicating with whistleblowers, developing and maintaining records for reporting.
In this respect, act legal Romania (act Botezatu Estrade Partners) already offers its clients the product LegalTegrity (used by several multinational companies at European level), a platform that allows compliance with the new Law. Beyond this, LegalTegrity complies with all the national law requirements, as well as with those of the US and UK (for example: the conditions for providing feedback within a deadline set by the Law or keeping an electronic register with all reports).
If the initial form of the Law regulated the possibility of sending anonymous reports, in the current version of the Law is mentioned that the whistleblower must disclose its identity when reporting. Furthermore, it is provided that reports that are made anonymously will not be given course.
Although the European Directive leaves it to the states to allow anonymous reporting through national regulation, a set of rules requiring whistleblowers to disclose their identity could have a discouraging effect on reporting irregularities at company level.
As the law imposes a relatively short deadline for compliance and provides sanctions for non-compliance with the requirements, it is mandatory that all companies covered by the law review their whistleblowing systems as soon as possible and initiate gap analysis procedures of existing systems in order to check their compatibility with the new legal obligations. This would enable companies to take the necessary steps to adapt and / or implement a whistleblowing system in accordance with national and European legislation, in order to avoid the sanctions imposed by law. Those companies which do not have a whistleblowing system should implement it. act legal Romania (act Botezatu Estrade Partners) already offers its clients the product LegalTegrity (used by several multinational companies at European level), a platform that allows compliance with the new Law.
Proactive behavior that starts with the assessment of internal irregularity reporting procedures and channels would reduce the risk of companies being sanctioned and acting under urgent pressure to implement legal measures, as it happened when the rules on the protection of personal data entered into force.