On 20 June 2023, a new Whistleblower Protection Act was published in the Collection of Laws under number 171/2023 Coll. The Act sets a minimum standard of whistleblower protection and requires obliged entities to establish an internal whistleblowing system, nominate a so-called “competent person”, assess the reasonableness of a whistleblower report, and take remedial measures. Which entities will be affected by the new obligations? And how to prepare for them? Find out in our article.
Whistleblowers protected by the Whistleblower Protection Act may be, for example, both former and current employees , job applicants, volunteers, self-employed persons, members of statutory bodies or other persons working for suppliers of obliged entities.
With exceptions (e.g. in the AML area), the report will have to contain not only information about the possible infringement but also the personal data of the whistleblower allowing to infer their identity.
The obligations apply to public contracting authorities (e.g. municipalities under 10,000 inhabitants are an exception), certain public authorities and private sector entities with 50 or more employees, companies operating in selected sectors (especially financial and insurance services) and obliged persons under the AML Act.
The acts to be covered by whistleblower protection are in particular those with the following characteristics:
The protection of whistleblowers will be implemented by the obliged entities in particular through an internal whistleblowing system, which they must establish and maintain. At the same time, the Whistleblower Protection Act allows, with exceptions, the management of the whistleblowing system to be outsourced to another person (external contractor) or, under certain conditions, to be shared within the group.
The obliged entity must designate a competent person (or persons) to carry out the obligations under the Whistleblower Protection Act. The competent person may only be a law-abiding individual of legal age and full legal capacity. The person’s responsibilities under the Whistleblower Protection Act include, in particular, receiving and assessing the reasonableness of reports submitted and proposing measures to remedy or prevent the unlawful situation. The competent person will also be obliged to act impartially and to maintain confidentiality of the facts found.
At the core of whistleblower protection is the prohibition of retaliation, i.e. an act or omission in connection with the whistleblower’s work or other similar activity that is triggered by making a report and that may cause harm to the whistleblower or persons connected to the whistleblower (e.g. a person who provided assistance in ascertaining information contained in the report, a person close to the whistleblower, or a colleague). Retaliatory measures include, in particular, actions which have a negative impact on the employment or service relationship of such whistleblowers and persons linked to them (for example, termination of employment, non-renewal of a fixed-term contract or removal from a management position), their performance appraisal or remuneration (including the refusal to pay a personal bonus).
The implementation of the whistleblowing system will also affect a number of other processes for obliged entities. In the context of receiving reports and investigating them, obliged entities are likely to process personal data that they did not process before or that they processed for a different purpose. Therefore, the changes are mainly in relation to the protection of personal data subject to regulation under the GDPR. This personal data may include a large amount of information about the whistleblower, the persons concerned, witnesses, but also other persons. The Whistleblower Protection Act explicitly provides for the obligation to store the report and related documents for 5 years.
Important to Remember
- Violations of obligations of the obliged entities are punishable by sanctions of up to CZK 1 million.
- Violations of obligations of the competent person are punishable by a penalty of up to CZK 100 thousand.
- The Act will enter into effect on 1 August 2023.
- Obliged entities with up to 250 employees (except for contracting authorities) are obliged to implement an internal whistleblowing system by 15 December 2023.
Seminars, webcasts, business breakfasts and other events organized by Deloitte.
