Skip to main content

Checklist preparation and implementation of procedure for whistleblowers

Share this page


Employees can play a key role in exposing and preventing breaches of important legislation by the company or organization they work for. These breaches can be very harmful to the public interest. However, potential whistleblowers are often discouraged from reporting such breaches for fear of retaliation. 

Therefore, the Directive (EU) 2019/1937 imposes certain minimal obligations on the protection of whistleblowers who report breaches of Union law. Member States may, in certain cases, provide for further protective provisions.

The Directive applies to both the private and public sectors and applies to anyone who reports or discloses the obtained information concerning breaches in a work-related context. (Ex-)Employees, civil servants, consultants, (un)remunerated trainees, directors, shareholders: they are all protected when they report a breach in good faith.

The material scope of the Directive is wide. It concerns a.o. breaches on financial services and markets, money laundering, public procurement, transport safety, protection of the environment, consumer protection, public health, protection of privacy and personal data, as well as breaches relating to the internal market. The national legislation can extend this scope with a view to ensuring that there is a comprehensive and coherent whistleblower protection framework. 

Existing systems, such as the intervention procedures in case of psychosocial risks or the right to be assisted by a trade union representative, are of course not affected.

Internal procedures

Every company (in the sense of a legal entity) in the private sector with 50 or more employees must provide for a sufficiently confidential and secure channel or procedure for internal reporting by whistleblowers. In the public sector, in principle, all entities are targeted, but the Member State can provide for certain exemptions (e.g. not for entities with less than 50 employees). 

Member States have the possibility to refuse anonymous reports. The Belgian Privacy Commission (predecessor of the current GBA) defended in an earlier recommendation in 2006 that anonymous reports should be prohibited.

External procedures

Member States must provide for an independent, autonomous and adequate external reporting channel and will have to designate certain authorities to receive and deal with reports. 

There is no obligation to use the internal channel first, but Member States should encourage the reporting through internal channels. 

Prohibition of retaliatory measures

There is a prohibition of retaliatory measures for whistleblowers. The prohibition is extensive and covers not only dismissal, but e.g. also a negative evaluation, no promotion or demotion, a modification of the working conditions, disciplinary sanctions, non-renewal of an employment contract, intimidation or harassment. Legal or contractual obligations imposed on employees, such as loyalty clauses or confidentiality obligations, cannot prevent the application of the protection.

Effective sanctions

On the one hand, Member States should provide for effective sanctions, among others for those who obstruct reports or take retaliatory measures. On the other hand, they should also provide for penalties for reporters who knowingly report false information.

Data protection

Since whistleblowing involves the processing of personal data, the general obligations of the GDPR apply and must be fulfilled.


Belgium has to implement this directive in national legislation by 17 December 2021. 

There is currently no legislation in place, except for the banking and insurance sectors and for certain public authorities or organizations. It is not yet clear whether, and if so to what extent, Belgium will provide more protective rules. 

However, by 17 December 2021, all companies with 50 or more employees in the private sector and all public sector organizations must comply with the minimum obligations of the directive. For companies with 50 to 249 employees, a Member State can still provide an exception regarding the obligation to set up internal reporting channels: this obligation can be postponed until 17 December 2023.

Therefore, companies would be well advised to prepare themselves to comply with these obligations. For some companies (e.g. banking and insurance sector or branch of a multinational company which already have a global procedure), this means that they need to review their existing whistleblowing procedure against the minimum obligations of the Directive. For other companies, it means that they should consider preparing a whistleblowing procedure in order to be compliant with the obligations of the Directive in time. 

We will keep our finger on the pulse and inform you as soon as there is more news about the legislation.


Here, you will find a checklist to help you prepare for a whistleblowing procedure.