The Whistleblower Protection Act has come into force. What is important to know?

The Czech Republic has finally fulfilled its obligation and completed the implementation of the EU Whistleblowing Directive. The new regulations, Act No. 171/2023 Coll., on the Protection of Whistleblowers (the “Whistleblower Protection Act”) and Act No. 172/2023 Coll., amending certain acts in connection with the adoption of the Whistleblower Protection Act, entered into force on 1 August 2023. The final approval was preceded by a number of lay and professional debates, and a number of changes were made during the legislative process compared to the initial draft. Who is affected by the new legislation? Which conduct can be reported? And what major impacts will the newly adopted regulations have on businesses?

According to the EU institutions, whistleblowers play a key role in detecting and preventing breaches of EU rules. However, potential whistleblowers may be prevented from reporting by concerns about the possible consequences of such a disclosure. The Whistleblowing Directive aims to create a safe area for whistleblowers by obliging Member State authorities and private bodies to set up appropriate mechanisms to protect them, while also ensuring that relevant disclosures are properly investigated, and corrective measures are adopted.

The Whistleblower Protection Act regulates the submission and assessment procedure for reports of possible unlawful conduct and the conditions for the protection of whistleblowers, i.e. natural persons who have made a report. The acts covered by whistleblower protection are, among others, those which fulfil the elements of criminal offences, or misdemeanours for which the upper rate of fine is at least CZK 100,000. This also includes conduct that violates the Whistleblower Protection Act, other legal regulations or EU regulations in selected areas – financial, tax or AML regulations, regulations on consumer protection, competition, personal data, the environment and many others. In this context, it should be mentioned that because offences with a maximum fine of at least CZK 100,000 are reportable, potential whistleblowers may report a much wider range of breaches than those in the explicitly defined areas. These offences will include, for example, employers’ breaches of labour law, including illegal employment, failure to pay wages on time or failure to pay overtime, breaches of the obligation to provide employees with equal pay for equal work, discrimination against employees, breaches of employers’ obligations relating to the length and use of holidays, as well as failure to provide meal and rest breaks, and many others. By type, there will also be other offences that may not be related to the employers’ labour law obligations, such as breach of the obligation of a legal entity to indicate its name on business documents, to file a petition for registration, amendment or deletion of the entry in the Commercial Register, to file mandatory documents in the collection of deeds, and others. A comprehensive list of these offences has not yet been established, which significantly reduces the clarity of the legal regulation of whistleblowing and may raise many practical issues, given the potential uncertainty of reporting persons about which infringements they can actually report.

Affected persons

Measures and mechanisms to protect whistleblowers will have to be put in place by the obliged entities defined in the Whistleblower Protection Act. These are, in particular, certain public authorities or contracting authorities (with certain exceptions, such as smaller municipalities and certain legal entities with an average of fewer than 50 employees as of 1 January of the relevant calendar year, which are predominantly financed by the regions or municipalities or in which the regions and municipalities exercise a controlling influence). In addition, they comprise private legal entities with at least 50 employees. The exceptions for which the number of employees will not be decisive are mainly obliged persons under the AML Act, which are already required to operate a reporting system under the current legislation, and selected financial market entities which are not AML obliged persons.

However, not every person will be able to submit a report covered by protection. This possibility will only apply to whistleblowers who have performed or are performing work or other similar activity for the person in relation to whom the reported unlawful conduct occurred, or who have been in contact with that person in connection with the performance of work or other similar activity. Work or similar activity is to be understood broadly, covering a wide range of activities from employment through volunteering to contracting. With exceptions (for example, in the AML area), the report will have to contain not only information about the possible infringement but also personal data of the whistleblower enabling their identity to be inferred.

Obligations of obliged entities

The protection of whistleblowers will be implemented by the obliged entities, in particular through an internal reporting system (the “reporting system”), which the obliged entities must establish and maintain. At the same time, the Whistleblower Protection Act allows, with exceptions, the management of the reporting system to be outsourced to another person (an external contractor) or shared within a group under certain conditions. In any event, the reporting system must allow whistleblowers to report in writing and orally. Upon request, whistleblowers must also be able to report in person. An audio recording of an oral report may only be made with the consent of the whistleblower. If the whistleblower does not give their consent, a written record of the report shall be made. The whistleblower shall have the right to comment on the transcription of the audio recording or on the written record. The obliged entity shall publish information on the means of reporting through its reporting system, including the relevant contact details for submitting a report and the means of reporting directly to the Ministry of Justice, in a manner that allows remote access, i.e. usually on its website. It shall also disclose, where applicable, that it excludes the receipt of reports from third parties, i.e. persons who are not employees, job applicants, volunteers, trainees or interns of the obliged entity.

The obliged entity shall also designate a competent person (or persons) to carry out the obligations under the Whistleblower Protection Act. The competent person may only be a natural person of good repute, full age and with full legal capacity. This person shall, in particular, receive the reports submitted, assess their well-foundedness and propose measures to remedy or prevent the unlawful situation in accordance with the Whistleblower Protection Act. The competent person shall also be obliged to act impartially and to maintain confidentiality of the facts established.

The competent person must (with certain exceptions) notify the whistleblower in writing of the receipt of the report. They must also inform the whistleblower in writing of the outcome of the assessment of the well-foundedness of the report. If, in assessing the well-foundedness of the report, the competent person finds that a report does not meet the requirements of the Whistleblower Protection Act, for example, because the notified conduct is an offence for which the law sets a maximum fine of less than CZK 100,000, and at the same time it is not in breach of other specified regulations, the competent person shall notify the whistleblower in writing. The competent person therefore carries out an internal investigation, which consists of two parts: i) determining whether the report meets the requirements of the Whistleblower Protection Act and, if this condition is met, ii) assessing the well-foundedness of the report. If the competent person assesses the report as well-founded, they shall propose measures to the obliged entity to prevent or remedy the unlawful situation. If, however, they do not consider the report to be well-founded – i.e. if, on the basis of the facts set out in the report and the circumstances known to them, they do not suspect that unlawful conduct was committed or conclude that the report is based on false information – they shall also inform the whistleblower of that fact.

Protective measures

The core of whistleblower protection is the prohibition of retaliation, i.e. an act or omission in connection with the whistleblower’s work or other similar activity that is triggered by making a report and that may cause harm to the whistleblower or to persons linked to the whistleblower (e.g. an assistant in the discovery of information, a person close to the whistleblower, or a colleague). Retaliatory measures include, in particular, actions which have a negative impact on the employment or service relationship of such whistleblowers and persons linked to them (for example, termination of employment, non-renewal of a fixed-term contract or removal from a managerial position), or on their performance appraisal or remuneration (including non-award of a personal allowance). Thus, the person for whom the whistleblower performs work or other similar activity must not allow protected persons to be subjected to retaliation. If protected persons are harmed by retaliation, they will be entitled not only to compensation for material damage under applicable legislation but also to appropriate compensation for non-pecuniary damage.

Whistleblowers will also be able to report in certain circumstances despite their contractual or legal obligations. For example, if a whistleblower is bound by a duty of confidentiality under specific legislation (for example, bank secrecy), they will be able to report without breaching that confidentiality, provided that they had reasonable grounds to believe that the report was necessary to detect the unlawful conduct. However, the new legislation provides for a number of exceptions to this rule, so that, for example, attorney-client, judicial or medical confidentiality will remain unaffected in this respect.

Given that the list of possible retaliatory measures is only illustrative, employers who become obliged entities are advised to train managers, to be cautious in applying any sanctions for breaches of work discipline and to document all relevant facts thoroughly. For example, if an employee has a long history of unsatisfactory performance, the employer should always gather sufficient compelling evidence of non-performance and bring the unsatisfactory performance to the employee’s attention in a timely and demonstrable manner before imposing disciplinary sanctions. This is, among other things, to avoid the disciplinary action being regarded as a retaliatory measure. At the same time, employers should not lose sight of the need for strict compliance with the principle of equality when granting bonuses, promotions or other positive measures, since withholding them may also be assessed as retaliation.

Whistleblower protection and GDPR

The implementation of the reporting system will also affect a number of other processes of obliged entities. In the context of receiving and investigating reports, obliged entities are likely to process personal data that they did not process before or that they processed for a different purpose. The changes therefore concern, in particular, the protection of personal data under the GDPR. This personal data may include a large amount of information about the whistleblower, the persons concerned and witnesses, but also about other persons. It is therefore necessary to define the scope and the new purpose of the processing of personal data in the relevant documentation, especially in the records of processing activities and in internal directives for employees. In the pursuit of the highest possible transparency, obliged entities should update their existing personal data processing documents to cover the receipt and investigation of reports, as well as any outsourcing of the whistleblowing solution. The security and data protection implications will also need to be carefully assessed in each individual investigation of a report.

It will also be necessary to specify the lawful basis for the processing of personal data in connection with the report. If the obliged entity processes only the information contained in the report under the Whistleblower Protection Act, the personal data will be processed for the purpose of fulfilling its legal obligations. However, if a legal entity implements a reporting system even though it is not an obliged entity or, as an obliged entity, also allows reporting of infringements not covered by the Whistleblower Protection Act through the reporting system, the processing of the data in question can be based on the legitimate interest of the entity. In such a case, however, we would draw attention, in particular, to the need to perform a balancing test for this processing.

When investigating reports, obliged entities must not forget to comply with all the principles set out in the GDPR, especially the principle of data minimisation. When investigating a report, obliged entities should not process more personal data than is necessary for the investigation. This may, of course, be problematic in practice, especially in view of the need to evaluate the data relevant to the investigation.

Another area of potential conflict between the new regulation and the protection of personal data is the handling of requests from data subjects exercising their rights in relation to the processing of personal data, in particular the right to erasure and the right of access. If a data subject whose data have been obtained on the basis of a report (the person concerned, a witness, the whistleblower) requests the erasure of their personal data, this may be refused on the grounds that the personal data are still necessary for the purposes for which they are processed (the condition set out in Article 17(1)(a) of the GDPR allowing for erasure is not met), or that the processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims (pursuant to Article 17(3)(b) and (e) of the GDPR). If the data subject requests access to personal data, the data must be provided only to the extent that, according to Article 15(4) of the GDPR, this does not adversely affect the rights of third parties, i.e. it must not reveal, for example, the identity of the whistleblower and thereby frustrate the investigation, nor prejudice the rights of the employer itself. All decisions not to comply with data subjects’ requests must be properly documented.

When implementing the reporting system, obliged entities will also have to review and possibly amend their shredding and archiving guidelines. The Whistleblower Protection Act explicitly provides for the obligation to retain the report and related documents for 5 years, which must be reflected in the shredding and archiving guidelines. Retention of personal data for statistical purposes for more than 5 years is only possible if all the data processed is anonymised. Even then, the possibility of indirect identification of the data subject, for example on the basis of nationality, must be taken into account and minimised.

Finally, obliged entities should set up appropriate technical and organisational safeguards for the personal data obtained on the basis of the reports. After all, the protection of whistleblowers and their personal data is one of the objectives of the adopted regulation and the Whistleblowing Directive.

Finally – some practical questions

The statutory obligations will raise a number of practical issues, especially where companies already have a reporting system in place, for example at group level. A number of Czech subsidiaries use group systems in which group companies benefit from a system administered by the parent company. Group solutions provide not only a reporting channel but also a professional team comprising the experts needed to deal with the report. Thus, the report is not handled by a specific competent person, as required by our national law, but typically by a group compliance (or Legal and Compliance) department or a group internal audit department. Often the local company does not intervene in the investigation, primarily to ensure maximum independence and professionalism. This also covers situations where the report concerns the management of the relevant local company, or where the local company lacks the capacity, knowledge and competence, as well as the technological background, to investigate the report. With the adoption of the law, it will be necessary to align these procedures and systems not only with Czech law but also with the laws of other countries.

In particular, we perceive as problematic the obligation to make the relevant report known only to a specific “competent person” or competent persons, if the company designates more than one, without the possibility of communicating the report to other persons who will participate in the investigation, e.g. a special internal group investigation team. This is because the competent person will never have sufficient practical experience, knowledge and practice to investigate serious allegations (e.g. of accounting fraud, corporate tunnelling, conflict of interest or corruption) as defined in our law. Thus, group compliance departments will largely lose control over “local” reports and will have no assurance that these reports will be assessed sufficiently professionally and thoroughly.

It will therefore be a challenge for the creativity of group management to work out how to deal with the new obligations in each EU jurisdiction, how to keep track of, and perhaps control over, what is happening in each company, and how to reconcile group whistleblowing solutions with the local requirements of the relevant laws, particularly as regards the ability to share and outsource whistleblowing solutions and to provide support during internal investigations.

Resources used:
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law
Act No. 253/2008 Coll., on Selected Measures against the Legalisation of the Proceeds of Crime and Financing of Terrorism, as amended
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Whistleblowing EU dReport newsletter
