Valid from 21.11.2023
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
Full document in English on an official website of the European Union, EUR-Lex.
The purpose of whistleblowing is to reveal and stop wrongdoing and irregularities concerning breaches of Union law. The EU Whistleblowing Directive (EU Directive 2019/1937), which entered into force in December 2019, obliges employers to ensure that there is an internal whistleblowing function.
Persons who, in their work-related activities, receive information about, or a suspicion of, activities that harm the public interest under specific areas of Union law must be able to report this in a safe and easy way.
Luxid ensures that whistleblower protection is in accordance with the current legislation.
The law covers Luxid employees as well as self-employed people, freelancers, consultants, contractors, suppliers, volunteers, unpaid trainees and job applicants.
You can make a notification at our Viestikanava service, but please read the information provided on this page first.
What is a whistleblower?
The Commission's proposal defines a whistleblower as someone reporting or disclosing information on violations of EU law that they observe in their work-related activities. That means it covers employees but also self-employed people, freelancers, consultants, contractors, suppliers, volunteers, unpaid trainees and job applicants.
To avoid penalising people who act in good faith, whistleblowers also qualify for protection if they had reasonable grounds to believe that the information reported was true at the time of reporting, or if they have serious suspicions that they observed an illegal activity.
What is the aim of the directive?
It establishes rules and procedures to protect ‘whistleblowers’, individuals who report information they acquired in a work-related context on breaches of EU law in key policy areas. Breaches include both unlawful acts or omissions and abusive practices.
Report: oral or written communication informing of a breach.
Breach: act or omission that is unlawful or defeats the aim of the EU legislation.
The directive covers reports on:
- breaches of rules in the following areas:
  - public procurement
  - financial services, products and markets; prevention of money laundering and terrorist financing
  - product safety and compliance
  - transport safety in the railway, road, maritime and inland waters sectors
  - protection of the environment, ranging from waste management to chemicals
  - radiation protection and nuclear safety
  - food and feed safety, animal health and welfare
  - public health, including patients’ rights and tobacco controls
  - consumer protection
  - protection of privacy and personal data, security and information systems;
- breaches affecting the EU’s financial interests;
- breaches relating to the internal market, including breaches of EU competition and State aid rules, and breaches of national corporate tax rules.
The directive complements specific EU legislation which already includes rules on whistleblowing (notably on financial services, money laundering, terrorist financing, transport safety and environmental protection).
The directive does not:
- affect the responsibility of EU governments to protect their national security;
- affect EU or national law on protection of classified information, legal and medical professional privilege, secrecy of judicial proceedings or criminal procedural rules;
- override national rules on rights of employees to consult their representatives or trade unions.
The legislation covers
The legislation covers a wide range of people working in the private and public sectors, including those who report after their work-based relationship has ended:
- employees, self-employed people, shareholders, persons belonging to the administrative, management and supervisory bodies of businesses, volunteers, trainees and job applicants;
- persons who help whistleblowers in a confidential manner, persons connected to a whistleblower who might suffer retaliation at work, and legal entities linked to the whistleblower.
Retaliation: any direct or indirect behaviour at work which could harm the whistleblower.
Individuals are protected if they go public with their concerns, provided they:
- first reported (internally and) externally but no action was taken;
- reasonably believe that there is an imminent or clear danger to the public interest, a risk of retaliation or little likelihood of their concern being properly addressed.
The notification concerns the violation of both national and EU legislation in the areas mentioned above. Reporting of other violations or negligence is not covered by the Whistleblower Protection Act. For example, harassment or bullying within the work community or violent and property crimes encountered in connection with client work do not fall within the scope of the law.
However, we at Luxid also accept notifications other than those covered by the Whistleblower Protection Act in our notification channel. In these cases, the reporting protection or procedural regulations according to the Reporting Protection Act do not apply to the processing of reports. For example, negligence related to employment relationships is not covered by the Whistleblower Protection Act.
You must register before you can make a notification
Enter a username that does not contain any personal data, such as your name or date of birth. You can use this username to log in to the service. It will not be disclosed to the company for which you are creating a notification.
The email address you register with will not be disclosed to the company for which you are creating a notification. The email address will only be used in case you need to reset a lost password.
The information provided by the notifier (such as their IP address or the email address used for registration) will not be disclosed, and the notifier cannot be identified using this information.
Question 2. I am working in the USA and wish to report a violation or negligence covered by the EU Whistleblowing Directive using Luxid's WB reporting channel (Viestikanava). How is my data transferred and processed?
Answer: When a report concerning a violation or negligence covered by the EU Whistleblowing Directive is made from outside the EU via Luxid's WB reporting channel (Viestikanava), the information is not processed outside the EU territory.
The option to report anonymously is always available, and you can select whether you enter your name or leave the fields empty, thus ensuring full anonymity.
However, if the report pertains to, for instance, a US colleague and the issue undergoes investigation in the USA, the collected data will then be transferred to the United States.
We maintain offices and facilities in Finland, the United Kingdom, and the United States. The European Commission has granted an "adequacy decision" concerning the data protection laws of each of these countries. Any data transfers to these countries are safeguarded by suitable measures, specifically the utilisation of standard data protection clauses adopted or approved by the European Commission. A detailed version of these clauses can be accessed at: https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en.
Question 3. I wish to report a violation or negligence NOT covered by the EU Whistleblowing Directive using Luxid's WB reporting channel (Viestikanava). How is my data handled and transferred?
Answer: In such instances, the legal basis for processing your data rests on what we refer to as a 'legitimate interest'. When employing legitimate interest as our justification for processing personal data, a balance test must be undertaken. At Luxid, we've conducted this test. Here's an overview:
Legitimate interest: an overview
- Legitimate interest is a provision under the General Data Protection Regulation (GDPR).
- Data subjects' fundamental rights and freedoms aren't overridden by the collection and use of data outside the scope of the directive.
- We firmly believe that the legitimate interest, coupled with respect for data subject rights, offers a practical foundation for data processing.
- We've thoroughly evaluated the real-world implications of processing personal data under the legitimate interest premise.
- Some data acquired might be sensitive, even if it doesn’t fall under the directive.
- Nonetheless, our assessment indicates minimal negative or uncertain consequences. At worst, there might be minor emotional discomfort.
- We don't store sensitive identifiers like birth dates or social security numbers. Coupled with our robust IT infrastructure and knowledgeable staff, risks are further mitigated.
Data protection principles:
Adhering to GDPR guidelines, we:
- Ensure lawful, fair, and transparent data processing.
- Maintain data confidentiality and security.
- Adhere to specific and lawful processing objectives.
- Limit data collection to what’s necessary.
- Update, correct, or erase any flawed data promptly.
- Retain identifiable data only for the duration of its intended purpose.
Benefits of data processing:
- Data outside the directive's purview can offer insights that bolster both data subject and controller safety.
- Our findings suggest mutual benefits for both data handlers and subjects.
Consequences of not processing:
- Not handling this data might jeopardise our business, environment, and even the data subjects.
- The reporting mechanism promotes responsibility, minimises risks, and fosters ethical behaviours, all of which underscore the value of legitimate interest.
Data management and safety:
- The reporting channel's database is distinct, holding only essential data, like reporter names and report subjects (if provided).
- Data from reports is subject to role-based access restriction, with all systems safeguarded via a secure (TLS) connection.