After the adoption of the Act on the protection of whistleblowers (“The Act”) on 27 January 2023 and its entry into force on 4 May 2023 the Commission for Personal Data Protection (“The Commission”), has already begun taking measures for the implementation of the Act. For private sector employers with between 50 and 249 employees, the statutory requirements for external reporting will start to apply from 17.12.2023. Till then, they have to take necessary actions and measures to bring their activities in compliance.
In accordance with the regulations of the Act, from the day of its entry into force, all public and private employers, that fall under the Act’s scope, are obliged to ensure the possibility for filing reports via internal channels. In order to achieve this objective, the Commission sets up a system for generating an Unique identification number (UIN), that shall be taken by the officials that are assigned to examine the submitted reports. The number should be used to guarantee that every signal will be registered and examined as well as to guarantee that the necessary accountability and traceability of alerts is in place. In order to receive an UIN the Commissions requires that the employee provides to the competent controlling authority:
- Name and UIC/Bulstat of the employer, to which the report was made;
- Identification on the employer responsible for examining the report;
- Subject of the report;
- Method of receiving the report.
UIN number can be obtained from the following link: https://uin.cpdp.bg/
Apart from the measures taken in order to meet the requirements regarding the internal whistleblowing channels, the Commission has the obligation to ensure the possibility of using an external channel for submitting reports by 4 August 2023 – 6 months after the publication of the Act in the State Gazette. In this respect the Act on the protection of whistleblowers envisions also that the Commission must adopt a Regulation on the keeping of the register of reports and the forwarding of internal reports to the Commission in the same time period – such regulation has not been adopted yet.
To outline the main stages of implementing the system, envisioned by the Act, the Commission has published a guideline. It sets out both the actions already taken for the application of the Act, and the ones that are yet to be taken within 15 months after the publication of the Act in the State Gazette. Among them are the organization of trainings to help overcome different challenges in the implementation of the legal framework, adopting conditions and procedures for examining high-priority reports of serious breaches, etc.
Even when not all the measures envisioned by the Act have been adopted and put into force so far, the actions, already taken by the Commission are a fact and their efficiency remains to be seen.
You can find more detailed information on the regulation, envisioned by the Act here.