On 16 December 2019, the European Union adopted the Directive on the protection of persons who report breaches of Union Law, Directive (EU) 2019/ 1937, or otherwise the “Whistleblowing Directive”.

The Whistleblowing Directive was transposed into national law on 4 February 2022 under the Protection of Persons Reporting Breaches of Union and national Law of 2022 (“the Law”).

The purpose of the Whistleblowing Law is to encourage individuals to report illegal activities and to place upon organisations the obligation to set up adequate procedures for transparency and to protect reporting persons.

A ‘whistleblower’ is a person who discloses and reports insider information on illegal activities occurring within an organisation and are harmful to the public interest.

As persons within a private or public organisation, whistleblowers may provide any information on unlawful acts or behaviour of which the board of directors or compliance officers or other regulators in the origination might not otherwise be aware of.

The Law applies to civil servants, employees, self-employed persons, shareholders and persons belonging to the administrative, management, or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees, among others.

Τhe Law affords protection to persons who report acts or omissions relating to criminal acts, in particular corruption offences, acts or omissions related to non-compliance with any legal obligation imposed on a person, acts which endangers or which is likely to endanger the health and safety of a person, and breaches of the law that lease to environmental damage.

Applicable Breaches
The breaches mentioned in the Law cover the following areas:
- public procurement
- financial services,
- products and markets,
- prevention of money laundering
- terrorist financing
- product safety
- compliance, transport safety
- protection of the environment
- radiation and nuclear exposure
- food and feed safety
- animal welfare
- consumer protection
- protection of privacy and personal data
- security of network and information systems, breaches affecting the financial interests and internal market of the European Union.

Applicability of Whistleblowing Law and Channels of Disclosure

Protection applies to a wide spectrum of individuals which might become aware of any activity violating the EU Law in a work-related context, including employees having the status of worker, individuals who are pursuing activities as self-employed persons, shareholders, executive and non-executive members of a company, volunteers, paid or unpaid trainees, individuals working with contractors, subcontractors and suppliers.

The law extends protection to reporting persons whose employment relationship has ended and to those who became aware of the reportable information during the recruitment process and pre-contractual negotiations. Furthermore, the Law applies to facilitators, to third-parties related to the reporting persons who could be confronted with retaliatory measures - this broad coverage shows that the legislator acknowledges that not only the reporting persons may face negative consequences but also individuals connected to them, raising the standard of protection to a higher level - and as well to organisations connected with reporting persons in a work-related context.

Invoking the Protection of the Law
- Reporting persons must have reasonable grounds to believe that the information reported was true at the time of reporting and secondly, that the information reported falls within the breaches enumerated by Law. If these criteria are met, then the whistleblower enjoys full protection whether the reporting of the information was made internally, externally or publicly.

- Protection is also afforded to persons who have reported information on breaches of the EU Law anonymously, but whose identity has subsequently been revealed and hence they may be subject to retaliatory action.

Internal and External Reporting Procedure
- Companies with more than 50 employees are obliged to implement internal reporting channels through which employees can report possible infringements of EU law. Internal reporting process may be entrusted to a person or department designated for reporting or may be outsources.

- Legal entities must appoint independent persons whose responsibility is to examine the report by the reporting employee and ensure communication with the reporting person.

- The competent authority or person must acknowledge to the reporting person that the report was received within seven days and must provide feedback within a period of three months from the acknowledgement of the receipt or, in case that no acknowledgement was given to the reporting person, three months from the expiry of the seven-day period that the report was made.

- External reporting is when the information on violation of EU law is reported outside of one’s workplace to a competent authority. The employee has the option to either report to a designated person within the company or to external competent authorities. The Law stipulates that in case of external reporting, authorities have the option to disregard the obligation to acknowledge receipt of the report if this would endanger the protection of the reporting person’s identity. In any case, the external authority has to provide feedback within a period of three months and this timeframe might be extended to six months in duly justified cases.

Public Disclosure
Reporting persons may disclose information through public channels, such as the media, internet platforms or civil society organisations.
For the protection to apply, public disclosures must fulfil any of the following conditions:

- Reporting persons have to make the information public as a last resort and only after all other efforts have failed to procure the desired result.
- Public disclosure is justifiable only if the person has reasonable grounds to believe that the violation of the EU law will endanger public interest or cause irreversible damage.
- Person can report publicly if they are convinced that retaliatory measures will be taken against them or that the breach reported will be concealed or evidence will be destroyed.

Prohibition of Retaliatory Actions 
The Law prohibits retaliatory actions such as:
- suspension, lay-off, dismissal or equivalent measures, demotion or withholding of promotion
- change of the working conditions without the consent of the employee, discrimination or disadvantageous or unfair treatment, mobbing
- blocking advancement opportunities and a series of actions that would have a negative or even harmful impact on the employee’s reputation or career progress.

Protection Measures
- Entitlement to advice and information regarding their rights
- effective assistance before any authority responsible for securing their protection against any act of retaliation as well as legal aid in criminal and in cross-border civil proceedings.

Reporting persons shall not be held liable for internal, external or public disclosure, provided that they had reasonable grounds to believe that the reporting of such information was necessary in accordance with the provisions of the Law.