Whistleblower protection finally in the Czech Republic

On 20 June 2023, a new Whistleblower Protection Act was published in the Collection of Laws under number 171/2023 Coll. The Act sets a minimum standard of whistleblower protection and requires obliged entities to establish an internal whistleblowing system, nominate a so-called “competent person”, assess the reasonableness of a whistleblower report, and take remedial measures. Which entities will be affected by the new obligations? And how to prepare for them? Find out in our article.

Who is a whistleblower?

Whistleblowers protected by the Whistleblower Protection Act may be, for example, both former and current employees , job applicants, volunteers, self-employed persons, members of statutory bodies or other persons working for suppliers of obliged entities.

With exceptions (e.g. in the AML area), the report will have to contain not only information about the possible infringement but also the personal data of the whistleblower allowing to infer their identity.

Who will be affected by the new regulation?

The obligations apply to public contracting authorities (e.g. municipalities under 10,000 inhabitants are an exception), certain public authorities and private sector entities with 50 or more employees, companies operating in selected sectors (especially financial and insurance services) and obliged persons under the AML Act.

What acts can be reported?

The acts to be covered by whistleblower protection are in particular those with the following characteristics:

  • criminal offences, misdemeanours for which the maximum fine rate is at least CZK 100,000;
  • breaches of the Whistleblower Protection Act; and
  • violations of other legislation or EU law in selected areas – financial, tax or AML regulations, consumer protection, competition, personal data, environmental and many others.

How will the newly adopted regulations affect entrepreneurs?

  • Establishment of internal whistleblowing system

The protection of whistleblowers will be implemented by the obliged entities in particular through an internal whistleblowing system, which they must establish and maintain. At the same time, the Whistleblower Protection Act allows, with exceptions, the management of the whistleblowing system to be outsourced to another person (external contractor) or, under certain conditions, to be shared within the group.

  • Designating a competent person to accept reports

The obliged entity must designate a competent person (or persons) to carry out the obligations under the Whistleblower Protection Act. The competent person may only be a law-abiding individual of legal age and full legal capacity. The person’s responsibilities under the Whistleblower Protection Act include, in particular, receiving and assessing the reasonableness of reports submitted and proposing measures to remedy or prevent the unlawful situation. The competent person will also be obliged to act impartially and to maintain confidentiality of the facts found.

  • Protection of whistleblowers from retaliation

At the core of whistleblower protection is the prohibition of retaliation, i.e. an act or omission in connection with the whistleblower’s work or other similar activity that is triggered by making a report and that may cause harm to the whistleblower or persons connected to the whistleblower (e.g. a person who provided assistance in ascertaining information contained in the report, a person close to the whistleblower, or a colleague). Retaliatory measures include, in particular, actions which have a negative impact on the employment or service relationship of such whistleblowers and persons linked to them (for example, termination of employment, non-renewal of a fixed-term contract or removal from a management position), their performance appraisal or remuneration (including the refusal to pay a personal bonus).

  • Recording and storage of reports

The implementation of the whistleblowing system will also affect a number of other processes for obliged entities. In the context of receiving reports and investigating them, obliged entities are likely to process personal data that they did not process before or that they processed for a different purpose. Therefore, the changes are mainly in relation to the protection of personal data subject to regulation under the GDPR. This personal data may include a large amount of information about the whistleblower, the persons concerned, witnesses, but also other persons. The Whistleblower Protection Act explicitly provides for the obligation to store the report and related documents for 5 years.

Important to Remember

  • Violations of obligations of the obliged entities are punishable by sanctions of up to CZK 1 million.
  • Violations of obligations of the competent person are punishable by a penalty of up to CZK 100 thousand.
  • The Act will enter into effect on 1 August 2023.
  • Obliged entities with up to 250 employees (except for contracting authorities) are obliged to implement an internal whistleblowing system by 15 December 2023.
Whistleblowing dReport newsletter

Upcoming events

Seminars, webcasts, business breakfasts and other events organized by Deloitte.

    Show morearrow-right