A Bill for an Act on the protection of whistleblowers – persons who report breaches and publicly disclose information, (“The Act”) has been brought to the Parliament for consideration more than once, because of the need to synchronize the legal regulation in the field with the European Union Law (precisely the need to transpose the Directive (EU) 2019/1937 of the European parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“The Directive”)). Thereby on January 27, 2023 such Act is adopted by Parliament and is published in issue No 11 of February 2, 2023 of the State Gazette. The main aim of the Act is to establish the regulation of and to ensure the protection of whistleblowers in both, the public and the private sectors, as well as to regulate the procedure of reporting breaches and examining such reports or publicly disclosed information. The adopted Act builds on from the base, laid by the previous Bills which have the same objective, and is part of the National recovery plan.
Obliged subjects
The Act obliges:
- public sector employers, except for municipalities with population less than 10 000 citizens or with less than 50 employees;
- private sector employers with 50 or more employees;
- private sector employers, regardless of the number of their employees, if their activity falls under the scope of certain European Union acts.
The subjects are obliged to provide clear information on the whistleblowing procedure on their website and on a visible and accessible place in the working premises.
Required measures
With the adoption of the law the regulation in the field is unified – until that moment multiple public authorities were responsible for the control of the process of reporting breaches in the public sector and they all used different rules and standards. In the meantime a regulation for the whistleblowing procedure in the private sector was lacking.
The new Act envisions only one public body to control the external reporting of breaches. This function will be performed by the Commission for Personal Data Protection (“The Commission”), which will have to organize the reception of the reports and refer them to the competent authorities so that they are examined; approves forms for the reception of reports; coordinate and control the examination of reports and etc. The Commission also publishes public information on the whistleblowing procedure and the protection of the whistleblowers.
Apart from the external reporting of breaches, the creation of internal whistleblowing channels by the obliged subjects is envisioned. The management of the channels should guarantee the completeness, integrity and confidentiality of the information, as well as to hinder the access to it by unauthorized people and to allow its safekeeping. The employers are obliged to conduct periodic reviews of their rules on the internal whistleblowing procedure and on the following actions. The obliged subjects also must create a register for the reports on breaches.
Sanctions
The Act envisions sanctions – fines and financial sanctions, for the obliged subjects that do not follow the provisions of the Act; for people who hinder or try to hinder the whistleblowing; for people who deliberately give false information in their reports or who publicly disclose false information; as well as for people who take actions for repressing the whistleblowers.
Deadlines
Whitin three months of the publication of the Act in the State Gazette, the Commission shall align its Rules of procedure. Within six months from the publication, it shall adopt a Regulation on the keeping of the register for the reports on breaches and on the referring of internal reports to the Commission and the guidelines for the obliges subjects.
Already entered into force, the Act is yet to be complemented and to achieve its objectives, protecting and encouraging the whistleblowers.
The full text of the Act can be read here.
