Whistleblower scheme: Applies from 50 employees - this is how you reach your goals

We are facing a massive further rollout of thousands of whistleblower schemes as a result of Act on the Protection of Whistleblowers. Below we have summarized the most important from the directive, law and guidelines on the subject, so that you have one place to look up and start your search for answers and resources.

Contents:

  1. The management perspective
  2. The HR perspective: Use the usual problem-busting methods
  3. Common rules of the game for the vast majority of whistleblower schemes
  4. Which organizations must have an internal whistleblower scheme?
  5. Back to basics: What's the point of the madness?
  6. Who can whistleblow?
  7. Does the whistleblower have a right to remain anonymous?
  8. What can be whistle-blowed about?
  9. The whistleblower can also make the violation public
  10. How does the protection work?
  11. Conditions to be protected
  12. The whistleblower unit and processing of a report
  13. You must inform about the whistleblower scheme
  14. What about GDPR?
  15. Documentation obligation: Your whistleblower policy
  16. Sources

1. The management perspective

The management can either see whistleblower schemes as another burden that complicates an everyday life that is already plagued by too many rules and bureaucracy, or the management can see whistleblower schemes as a tool to - basically - get the most for the money and avoid even to get into the grease dish. Reports in a whistleblower scheme are thus – ideally – a welcome opportunity to examine in more detail whether the organization is effectively realizing the management's strategies at the tactical and operational level.

All medium-sized companies (i.e. with 50-249 employees) must now establish a whistleblower scheme from 17 December 2023.

From December 2021, the requirement only applied to public employers with 50 or more employees as well as larger private companies (i.e. with 250 or more employees). Now, however, the scheme is being rolled out further, so that far more companies must establish a whistleblower scheme. Dansk Erhverv has already done a solid job process, which can be taken as a starting point.

In addition, since 2021 we have had The National Whistleblower Scheme, which can be expected to become more widely known through the upcoming rollout, and which functions as a supplementary channel where employees can also report violations.

Such an approach can be seen, for example, at Supervision of the customs and tax administration's IT area. The whistleblower scheme there must, in other words, ensure

"[..] that employees, former employees and business partners in the Ministry of Taxation are given the opportunity to comment - also anonymously - on errors or inappropriateness in both IT operations and IT development, so that action can be taken in time and problems can be resolved. "

It must be assumed that a number of reports end up in the whistleblower scheme.

You see something similar in finanstilsynet, where employees are activated via the internal whistleblower scheme to improve the quality of work.

2. The HR perspective: Use the usual problem-busting methods

From an HR perspective, reports can certainly play a role in dealing with a poor and thus ineffective working environment. However, the whistleblower scheme should only be seen as a supplement to the direct and daily communication in the workplace about errors and other unsatisfactory conditions. The scheme thus only constitutes a supplement to the existing options for drawing attention to inappropriate conditions, including for example by contacting the immediate manager, HR or using the trade union representative and the industrial law system.

3. Common rules of the game for the vast majority of whistleblower schemes

The financial sector has long had whistleblower schemes. It has been possible to report violations both internally to the individual bank and externally to the Danish Financial Supervisory Authority. The same has been the case for the auditors: The individual audit firm – apart from companies with only one approved auditor and companies that do not issue audit statements – must establish an internal whistleblower scheme, which is supplemented by the external scheme at the Danish Business Authority.

The Whistleblower Act basically creates common rules of the game for all whistleblower schemes: the internal ones, which must be established by the individual employer, as well as the external ones, which in certain cases must or have already been established by the authorities. So far, among other things, it has been different across the applicable rules, how the individual whistleblower is protected, as well as how the report should be handled in more detail. One can say here that the current state of the law has been characterized by uncoordinated button-shooting, which is now sought to be harmonized with the Whistleblower Act.

The rules for the external arrangements are also embodied in a announcement, which originates from the whistleblower act.

Finally, there are whistleblower schemes which were established on a national basis before the Whistleblower Act came into force. These schemes generally fall outside the Whistleblower Act's rules on, for example, protection, but may themselves contain rules on the protection of the whistleblower, such as this arrangement about fraud with covid-19 compensation.

4. Which organizations must have an internal whistleblower scheme?

The starting point: Public and private employers with 50 or more employees must establish an internal whistleblower scheme.

Postponed deadline: Employers in the private sector with between 50 and 249 employees can, however, as mentioned, wait until 17 December 2023.

Calculation of the number of employees: When calculating the number of employees, all employees, regardless of employment level, who receive remuneration for personal work in a service relationship are included. The calculation can be made on the basis of the information on the number of employees that appears in the CVR register. The obligation to establish a whistleblower scheme begins when a workplace has had an average of 50 or more employees in the four most recent preceding quarters.

Extended scope of application:

  1. Workplaces that have already established a whistleblower scheme on the basis of EU law must meet both the requirements of the Whistleblower Act and the relevant EU law. Examples of this are § 75 ai of the Financial Business Act and § 28 ai of the Auditors Act. In such cases, the rule on the number of employees is subordinate. These existing whistleblower schemes must therefore, unless otherwise stated in another law, have a makeover so that they live up to the high standard in the whistleblower act.
  2. After a concrete risk assessment and after negotiation with the relevant minister, the Minister of Justice can order workplaces with fewer than 50 employees in a specific sector to establish a whistleblower scheme. This can happen, for example, if there is a risk of violations of legislation or guidelines that have a significant impact on public health or environmental conditions.

5. Back to basics: What is the meaning of the madness?

It's a classic joke in the GRC world that trust is good, control better and search far preferable. If you are to assess the internal whistleblower schemes from an honest perspective, it is difficult to completely avoid the fact that they taste like searches. In other words, the management here gets the opportunity to check some of the employees' activities, which for one reason or another are not reported through the established channels. In other words, management can use whistleblower schemes to shed light on the blind spots that exist everywhere.

The opposite can be said about the external whistleblower schemes. Here, the employees have the opportunity to get the management very much in the fat. As a whistleblower, you are not obliged to report to the workplace's whistleblower scheme before you use an external whistleblower scheme with an authority.

Is it non-Danish? Are whistleblower schemes breaking down our strong trust-based culture? That is a discussion that does not need to be unfolded here. In the United States, they have long since gone a step further. As a whistleblower, depending on the circumstances, you can look forward to this a handsome reward. And as can be seen below, in Denmark we have expanded what can be reported in a whistleblower scheme.

In any case sounds EU's intention with the rules as follows:

” (1) Persons who work for a public or private organization or have contact with such in connection with their work-related activities are often the first to become aware of threats to or damage to public interests that arise in this connection. By reporting violations of EU law that harm the public interest, such persons act as whistleblowers and thereby play a crucial role in revealing and preventing such violations and ensuring the welfare of society. [..].”

Put another way: the EU legislator wants the EU's rules to be complied with to a greater extent than now. And for that purpose, it is essential that people dare to come forward in the workplace and report the violations. For that to happen, whistleblowers must be protected in return.

As can be seen above, the directive actually only covers breaches of EU law – and even only certain areas of EU law. In Denmark, however, we expanded under the legislative preparation the protection to also cover reports of serious offenses and other serious matters (see underlining):

"It is in the public interest that serious offenses and other serious matters in public and private workplaces come to light. Illegal acts and abuses can occur in any sector or industry and cannot be confined to specific areas of EU law. Whistleblowers can play a vital role in exposing serious offenses and other serious matters in public and private workplaces, and the spread of whistleblower schemes in the public and private sectors could support the effective disclosure, investigation and prosecution of such matters.

The bill aims to introduce a comprehensive and coherent framework for the protection of whistleblowers in Danish law. It is therefore proposed that the law's protection will not only cover reports of violations of certain areas of EU law as covered by the directive, but also reports that otherwise concern serious violations of Danish law and EU law as well as other serious matters. "

6. Who can whistleblow?

It may a natural person, who have information about violations to which the person has gained access in connection with the person's work-related activities, and who belong to one or more of the following groups of people:

  1. Workers
  2. Independent trader
  3. Shareholders and members of the executive board, board of directors, supervisory board or equivalent
  4. Volunteers
  5. Paid or unpaid interns
  6. Persons who work under the supervision and management of contractors, subcontractors and suppliers
  7. Former employees
  8. Job applicants

If the violation was not obtained in connection with work-related activities, the concerned citizen must use the appropriate one external whistleblower scheme. In other words, it's about hitting the right box with the information about an infringement that you are aware of.

However, employers are only obliged to make an internal whistleblower scheme available to the employer's employees. However, this does not rule out that the employer can decide to make the whistleblower scheme available to all the groups of people mentioned above, who – and this must be remembered – still have access to report to the external schemes.

7. Does the whistleblower have a right to remain anonymous?

No, and your whistleblower unit (see below) is not obliged to process anonymous reports.

If the workplace provides the opportunity to report anonymously, the whistleblower unit must therefore only confirm receipt of the report (see below), if possible. This will not be the case if you have received, for example, an anonymous letter in a physical mailbox.

8. What can be whistle-blowed about?

The external arrangements are sector-specific and can be used to report the violations to which the external arrangements relate. This applies, for example, to the offshore area.

For the internal arrangements, which are those that the covered employers must establish, it applies that certain EU-regulated areas and serious legal offenses or other serious matters can be reported.

Whistleblowing can be done on certain EU-regulated areas

The internal arrangements at the private and public workplaces and The National Whistleblower Scheme can be used to report violations in the following areas:

  1. Public tender
  2. Financial services
  3. Products and markets
  4. Money laundering and financing of terrorism
  5. Product safety and compliance
  6. Transport safety
  7. Environmental protection
  8. Radiation protection and nuclear safety
  9. Food and feed safety
  10. Animal health and animal welfare
  11. Public health
  12. consumer Protection
  13. Protection of privacy and personal data and security of network and information systems
  14. Violations affecting the EU's financial interests
  15. Violations related to the internal market, including violations of EU competition and state aid rules

Serious offenses or other serious matters can also be reported

As described, Denmark expanded what can be reported on. Therefore, the internal arrangements can also be used for serious offenses or other serious matters. This includes both breaches of national law and, paradoxically, breaches of the parts of EU law not mentioned above.

The criterion "serious offences" or other "serious circumstances" implies that, as a starting point, it must be information about violations that are of public interest. There must therefore be a real public interest in bringing the violation to light.

The whistleblower will thus also obtain protection under the law if the person in question is aware of and reports:

  1. information about criminal offences, including breach of any duty of confidentiality, misuse of financial resources, theft, fraud, embezzlement, fraud, bribery, etc.
  2. information about gross or repeated violations of other legislation, including legislation on the use of force, the Public Administration Act and principles of administrative law, including the principle of investigation, requirements for objectivity, the principle of abuse of power and proportionality, the Public Disclosure Act, and depending on the circumstances, e.g. legislation which aims to ensure public health, safety in the transport sector or protection of nature and the environment, etc
  3. information about sexual harassment and other serious personal conflicts at the workplace, e.g. serious harassment, be covered.
  4. information about any form of sexual harassment.
  5. information about disregard of professional standards, e.g. could cause a risk to the safety and health of persons,
  6. information about serious errors and serious irregularities connected with IT operation or IT system management,
  7. information about minor cooperation difficulties that involve high risks and thus constitute a serious matter (see more below), and finally
  8. information about serious and/or repeated violations of internal regulations and compliance regulations.

This cannot be whistle-blowed

The internal arrangements at private and public workplaces and the National Whistleblower Scheme cannot be used for violations in the following areas:

  1. Reports about your own employment, unless such a report relates to a serious offense or an otherwise serious matter, e.g. sexual harassment. NB: There may, however, be very special cases where even minor cooperation difficulties can concretely entail major risks and will thus constitute serious matters within the meaning of the law. It can, for example, be the case in sectors where critical functions are carried out, including in the health, defense or transport sectors, where minor conflicts etc. can pose a real risk of serious damage etc., and where reports of this will fall within the scope of application. It can, for example, be the case if critical functions and processes are inhibited as a result of personal conflicts, or if conflicts etc. concretely involve a risk of harm to people's lives or health or otherwise involve a real risk of significant harm.
  2. Information about violations of internal guidelines of a less serious nature, for example absence due to illness, alcohol, clothing, private use of office supplies, etc. and information on minor personnel-related conflicts at the workplace
  3. Violations of a trivial nature and violations of ancillary provisions, including documentation obligations and notification obligations
  4. Reports of violations of the procurement rules regarding defense or security aspects
  5. Classified information that falls within the scope of the Ministry of Justice's circular on the security protection of information of common interest to the countries of NATO or the EU, other classified information as well as information of security interest in general that is also confidential
  6. Information covered by lawyers' duty of confidentiality in accordance with Section 129 of the Administration of Justice Act
  7. Information covered by healthcare professionals' duty of confidentiality in accordance with Section 40 of the Health Act
  8. Information about the court's deliberations and voting, which is subject to confidentiality
  9. Cases within criminal justice

9. The whistleblower can also publish the violation

The whistleblower can publish the information about a violation free of liability and protected in the following situation:

  1. If a report has first been made to the workplace's whistleblower scheme and an external whistleblower scheme or directly to an external whistleblower scheme, without an appropriate follow-up being carried out within the deadline of either the internal or the external scheme. If you e.g. have made a report without receiving a response within the deadline, or without an adequate investigation of the reported matter being carried out within the deadline, publication can be made with protection.
  2. If you have reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest. The requirements of "imminent danger" and "obvious danger" imply that there must be a real and concrete risk of non-insignificant damage occurring in the near future. It can, for example, be the case if it is an emergency situation or there is a risk of irreparable damage. Danger to the "public interest" can e.g. be a danger to the life or safety of individuals.
  3. If you have reasonable grounds to assume that there is a risk of reprisals when reporting to an external whistleblower scheme with an authority, or that due to the specific circumstances of the case there is little prospect that the violation will be dealt with effectively. It can, for example, be the case where evidence could be concealed or destroyed, or where there could be collusion between an authority and the person who committed or is involved in the offense

10. How does the protection work?

The rules are described in the Ministry of Justice's guidance for whistleblowers: It goes without saying that if a whistleblower system is to be established that works where people dare to come forward, including possibly through a lawyer, then the entire chain that has contributed to a report or a publication must be protected. When a whistle-blower has been blown, it also goes without saying that, for example, companies and authorities that the whistle-blower owns or works for must be protected against reprisals.

Reprisals

The protection therefore first and foremost implies that not only the whistleblower, but also intermediaries, third parties, companies and authorities, who in one way or another may risk being affected by the whistleblowing, must not be subjected to reprisals, including threats of or attempts at reprisals.

For each of the protected groups, the reprisals can look like this:

  1. For employees, reprisals can include include suspension, dismissal, demotion or withholding of promotion, transfer of duties, transfer, reduction of pay, changes in working hours, denial of training activities, negative evaluation of the person's performance or negative employment reference.
  2. For independent traders who provide services, independent contractors, subcontractors and suppliers, reprisals will typically take the form of e.g. interruption or cancellation of a contract for services, a license or permit, loss of revenue, loss of income, coercion, intimidation or harassment, blacklisting or business boycott or damage to their reputation.
  3. For shareholders and persons in leading bodies, reprisals can e.g. be financial in nature or take the form of intimidation or harassment, blacklisting or damage to their reputation.
  4. For candidates for jobs in an organization that acquires information in connection with the employment procedure, reprisals can e.g. take the form of negative employment references or blacklisting.
  5. For volunteers and paid or unpaid interns, reprisals can e.g. take the form of their services being no longer used, being given a negative employment reference, or their reputation or career prospects being otherwise damaged

For all groups of people, reprisals can also take the form of harassment lawsuits, i.e. that the person concerned faces groundless legal proceedings as a result of the person concerned having made a report or publication in accordance with the Whistleblower Act.

rights

As a whistleblower, you are also protected by certain rights that apply before, during and after you have reported or published. These rights cannot be impaired by the workplace, not even after specific agreement in e.g. the employment agreement.

  1. that one does not incur responsibility for disclosing confidential information (e.g. information covered by a statutory duty of confidentiality) if one has reasonable grounds to believe (i.e. in good faith) that the information in a report or publication are necessary to reveal breaches of EU law, a serious offense or a serious matter. In the assessment of necessity, emphasis can be placed on the nature of the information, including whether one has acted in the legitimate pursuit of an obvious public interest or for one's own benefit or that of others.
  2. that you do not incur liability if you publish under the conditions described above.
  3. that you are not liable for disclosing the contents of documents to which you have lawful access, or if you take copies of such documents or remove them from the premises of your workplace. This also applies even if it is contrary to contractual provisions, the employment agreement or other provisions which stipulate that the documents belong to the workplace. However, there is a limit. Thus, one must not violate the criminal law by, for example, committing burglary in order to gain access to the information.
  4. that it is forbidden to (attempt to) prevent someone from making a report. An illegal obstacle will, for example, exist if you ask your colleague or boss how to make a report, and you are then threatened with reprisals (e.g. dismissal).
  5. that the reverse burden of proof applies after reporting or publication and the whistleblower and other intermediaries and third parties connected to the whistleblower are at a slight disadvantage. In that case, it is up to the other party (e.g. the workplace) to prove that there is no reprisal as a result of the report or publication.
  6. that the whistleblower or other intermediaries and third parties connected to the whistleblower are entitled to compensation if you have been subjected to reprisals as a result of the report. In the event that you have been dismissed, and if you yourself wish to do so, you generally have the right to retain your employment or be re-employed.

11. Conditions for being protected

Good faith that the information is correct

The Act's protection only applies if the whistleblower had reasonable grounds to assume that the information reported or published was correct at the time of the report or publication and that the information fell within the scope of the Act (see above).

It is thus a prerequisite for obtaining protection that the whistleblower is in good faith about the accuracy of the information and that good faith existed at the time of the report. In the event that the whistleblower makes a disclosure, good faith will have to exist at the time of the disclosure.

The question of good faith regarding the correctness of the information must be assessed on the basis of the specific circumstances, including the information available to the person concerned at the time of the report. Whether the whistleblower was in good faith will thus depend on a concrete assessment of the overall circumstances of the case.

This means that a person who in good faith reports or publishes incorrect information about violations is also covered by the law's protection. The whistleblower's motives for reporting or publishing are basically irrelevant to whether the person is entitled to protection.

At the same time, it implies that persons who knowingly report or publish incorrect information do not enjoy protection. Knowingly reporting or publishing false information is also punishable.

It is not a prerequisite for obtaining protection that information about violations is accompanied by actual proof of the violation. Information that raises reasonable doubt or suspicion of actual or potential violations thus also triggers the protection of the law.

However, information about violations that is already known to the public and information about violations that are manifestly unfounded, including unfounded rumors and gossip, do not trigger the protection of the law.

Good faith that information is reported to the correct system

According to the proposed provision, it is also a prerequisite to obtain protection under the law that the whistleblower had reasonable grounds to assume that the reported or published information belonged to the areas that can be reported on (see above).

In the same way as described above, the question of whether the whistleblower was in good faith about the scope will depend on a concrete assessment of the overall circumstances of the case.

12. The whistleblower unit and processing of a report

Designation

Covered workplaces must establish a whistleblower unit, which must receive and process reports. The unit must consist of one or more impartial persons (may consist of a department). It will depend on the organization of the workplace which persons or departments are best suited to act as a whistleblower unit.

The requirement of impartiality implies that the appointed persons must behave objectively and factually when processing the reports received, regardless of which persons the reported information relates to. When appointing people to the whistleblower unit, the workplace should take into account that no conflicts of interest must arise.

In this connection, the workplace must ensure that the whistleblower unit is independent of the workplace's day-to-day management (management) in relation to the specific case handling. This means that management must not instruct or order the whistleblower unit to handle a report in a certain way.

For smaller workplaces, it may be sufficient to appoint a single person who is well placed to be able to follow up on the individual reports, and who, as a supplement to the person's regular work duties, is tasked with acting as the workplace's whistleblower unit.

It can, for example, be a compliance or HR officer, a legal officer, a finance manager, a senior auditor, a member of the board or the data protection advisor.

It can be an advantage for the appointed person to have a function where the person is close to the workplace's top management in their day-to-day work, as there may be cases where it is necessary for management to be involved in following up on a report.

For very large workplaces, it may be necessary to put together a team of people who must jointly act as the workplace's whistleblower unit.

Workplaces, which are divided into departments, can e.g. place the whistleblower unit in the legal department or the HR department.

The tasks

The unit must carry out the following tasks:

  1. Receive reports and have contact with the whistleblower.
  2. Follow up on reports, which includes any action to a) assess the veracity of the allegations made in the report and, where relevant, to b) address the reported violation, including through actions such as an internal investigation, an investigation, prosecution, action for recovery of funds or settlement.
  3. Provide feedback to the whistleblower, which involves notifying the whistleblower of follow-up and of the rationale for such follow-up.

Share resources

The tasks above can be carried out by an external third party or an employer in a group-affiliated company.

The work process in the unit

An internal whistleblower scheme must be designed, established and operated in a way that ensures confidentiality about the identity of the whistleblower, the affected person and any third party mentioned in the report and prevents unauthorized access to it. However, there is nothing to prevent selected IT employees from having access to the reports as part of normal IT operations.

An employer must therefore introduce appropriate procedures for the whistleblower scheme that ensure the following:

  1. That the whistleblower receives a confirmation of receipt of the report within 7 days of receiving it.
  2. That reports are carefully followed up (see above).
  3. That the whistleblower receives feedback (see above) as soon as possible and no later than 3 months from confirmation of receipt.

An internal whistleblower unit can reject reports that are not covered by the scope (see above) and is not obliged to forward these to the authorities.

It is sufficient that the workplace's whistleblower scheme allows for either written or oral reporting. The workplace is therefore free to choose whether the whistleblower scheme should provide the opportunity to report orally, in writing or both.

Confidentiality

The persons who form part of the whistleblower unit have a duty of confidentiality regarding the information that is included in the report, but not about the additional information that the unit may choose to collect.

May the identity of the whistleblower be disclosed by disclosure?

The whistleblower unit can only in special cases pass on information that can directly or indirectly identify the identity of the whistleblower. Whether a piece of information makes the whistleblower identifiable depends on the specific circumstances and the context in which the information is included.

Eg. job title can be information that makes the whistleblower identifiable if the whistleblower is the only employee with this position in the workplace. In many cases, however, the job title will hardly be information that makes the whistleblower identifiable.

Information about the whistleblower's identity can be passed on within the workplace's whistleblower unit among the people who process reports.

In addition, information about the whistleblower's identity can only be passed on to relevant authorities (e.g. the police or the Danish Financial Supervisory Authority) or with the whistleblower's consent. In such cases, as a rule, you must be notified that a transfer has taken place.

A person who, in connection with a disclosure, becomes aware of information in a report can be fined if the person in question violates his duty of confidentiality.

As mentioned, the identity of the whistleblower must remain secret, but the parties (i.e. the persons mentioned) in the case must basically have access to the other information of the case, which is of course not an easy consideration of what information should actually be shared in a specific case.

In connection with a report on e.g. a person-related conflict at the workplace such as serious harassment, it may at some point be necessary to give consent to the disclosure of the identity if the whistleblower unit is to process the case further.

13. You must inform about the whistleblower scheme

The workplace must provide information on the procedures for making the report in a visible place that is accessible to the persons covered by the workplace's whistleblower scheme.

A visible place can, for example, be the workplace's website. If the whistleblower scheme is only made available to the workplace's employees, the intranet can also be a visible and accessible place for the circle of people covered.

The workplace must encourage reporting internally in cases where the violation can be dealt with effectively internally, and where the whistleblower at the same time assesses that there is no risk of reprisals. At the same time, however, it must be clearly stated that the whistleblower can freely choose between submitting a report to the workplace's whistleblower scheme or an external whistleblower scheme.

The workplace must therefore make a range of information available to at least the employees about the procedure for reporting to the internal whistleblower scheme:

  1. Information on which violations can be reported
  2. How reports are processed and recorded
  3. How to make use of the whistleblower scheme
  4. What rights the whistleblower and the affected person have
  5. Who can report to the whistleblower scheme
  6. Whether it is possible to report anonymously
  7. The procedure for reporting to an external whistleblower scheme

14. What about GDPR?

Covered workplaces may, according to Section 22 of the Whistleblower Act, process personal data, including sensitive information and information about criminal offences, if it is necessary to process a report received in connection with the workplace's whistleblower scheme.

The basic processing principles, the rights of the data subjects and requirements for processing security, must basically be observed when personal data is processed in the whistleblower scheme, but this is subject to significant modifications. For example, the whistleblower unit's duty of confidentiality implies that the usual duty to inform about the processing of personal data does not apply in relation to a reported person.

Finally, however, it is important to keep in mind that a whistleblower scheme, in addition to the issue of processing authority and obligation to provide information, activates at least the following GDPR obligations:

  1. The IT security surrounding the scheme must be appropriately based on a risk assessment
  2. The whistleblower scheme must be mapped in Article 30
  3. Deletion and storage policy must be adopted and followed
  4. Any data processing agreement with an IT supplier of a reporting portal must be entered into

15. Documentation obligation: Your whistleblower policy

The workplace must keep written documentation for the establishment of and procedures for the whistleblower scheme.

This means that the workplace must be able to document that a whistleblower unit has been appointed to administer the whistleblower scheme in accordance with the requirements of the law.

Whistleblower policy

The obligation to document can be fulfilled by drawing up a management-approved policy stating that the workplace has decided to implement a whistleblower scheme in a way that complies with the law. The whistleblower policy must state the following:

  1. That a whistleblower unit has been appointed, including which person(s) or department are responsible for the unit or if outsourcing or resource sharing has taken place
  2. That the case processing must meet the requirements of the Whistleblower Act, including e.g. about confidentiality
  3. That the information obligation must be fulfilled and how

The purpose of the documentation obligation is to facilitate a possible investigation, and failure to comply can in itself be punished with a fine.

16. Sources:

Love

Whistleblower Protection Act

The Auditors Act (retsinformation.dk)

Promulgation of the Financial Business Act (retsinformation.dk)

bill

Proposal for an Act on the Protection of Whistleblowers (retsinformation.dk)

The Ministry of Justice's guidelines

Guidance on whistleblower schemes in private workplaces

Guidance on whistleblower schemes in public workplaces

Guidance for whistleblowers

Directive

DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons reporting breaches of EU law

Proclamation

Order on requirements for external whistleblower schemes (retsinformation.dk)

External whistleblower schemes

The Danish Financial Supervisory Authority: https://www.finanstilsynet.dk/Whistleblower/FTs-eksterne-whistleblowerordning

Whistleblower scheme in the area of ​​auditors: https://erhvervsstyrelsen.dk/whistleblowerordning

Scams with covid-19 compensation: https://erhvervsstyrelsen.dk/whistleblowerordning-anmeld-svindel-med-kompensation

Internal whistleblower arrangements

The Danish Financial Supervisory Authority's internal whistleblower scheme

The Securities and Exchange Commission

https://www.sec.gov/news/press-release/2023-89

Supervision of the customs and tax administration's IT area

Our tasks – The Norwegian IT Authority (itti.dk)

Whistleblower scheme – The Norwegian IT Authority (itti.dk)

Order on the processing of reports from whistleblower schemes by the IT area of ​​the Customs and Tax Administration (retsinformation.dk)

Pssst! We are right here...

We love hearing from you! Send us a message and we'll get back to you quickly.

Lyshøjen 12, 1. tv. – DK-8520 Lystrup

CVR: 40 97 80 89

E-Mail: info@unitas.consulting

Protection of data

Privacy Policy
Data ethics

Unitas is D-marked and has several approved advisers who can secure your D-mark.

Unitas is on the SKI 02.14 framework agreement and can provide consulting services on competitive terms to the public sector.

Unitas has been appointed by Børsen as Gazelle 2024
(as the 10th fastest growing company in Central Jutland)

Contact Unitas – your partner in security and compliance

Unitas provides reliable advice in compliance, IT and information security. With a pragmatic approach, we help companies in regulated industries manage security and operational responsibility effectively. Contact us to discuss how we can help you.

Form for contact page

NIS 2 implementation calculates

We throw ourselves around with knowledge...

Order your free material here and receive it in a few minutes in your inbox. To be safe, check your SPAM folder if necessary.

Get material ordered on the website sent

Wanna join? Sign up Unitas' newsletter

Registration form for newsletter

UNITAS vulnerability scanning