
EU Whistleblowing Directive 2019/1937: What Every HR Team Must Do to Comply

EU Directive 2019/1937 requires organizations with 50+ employees in EU member states to establish secure, confidential reporting channels for whistleblowers. This guide covers exactly what you need to have in place, by when, and the penalties for non-compliance.

VoxWel Team

Workplace Safety Advocates

13 min read
Tags: EU whistleblowing directive, GDPR, compliance, anonymous reporting, whistleblower platform, EU Directive 2019/1937, legal

EU Directive 2019/1937 — commonly referred to as the EU Whistleblowing Directive — is the most significant piece of whistleblower protection legislation enacted in Europe in decades. It establishes minimum standards for the protection of persons who report breaches of EU law, and it places concrete obligations on organizations with 50 or more employees operating in EU member states.

If your organization meets that threshold and operates anywhere in the EU, this directive applies to you. If your organization has not yet fully implemented a compliant reporting channel, it is likely in breach of national implementing law in the EU member states where it operates.

This guide covers what the Directive requires, how it has been transposed in key member states, the penalties for non-compliance, and exactly what HR teams need to implement to achieve compliance.


Background: What Is EU Directive 2019/1937?

The EU Whistleblowing Directive was adopted on 23 October 2019 and required transposition into national law by EU member states by 17 December 2021. The Directive sets minimum standards — member states may provide stronger protections, but not weaker ones.

The Directive was motivated by evidence that whistleblowers who report violations of EU law face significant barriers, including retaliation, lack of confidentiality protection, and inadequate legal standing. It was designed to create a consistent baseline of protection across the EU and to encourage reporting of breaches of EU law that harm the public interest.

Scope: What Violations Does It Cover?

The Directive covers reports of breaches in a defined list of EU law areas, including:

  • Public procurement
  • Financial services, products, and markets (including anti-money laundering and counter-terrorism financing)
  • Food and product safety
  • Transport safety
  • Environmental protection
  • Nuclear safety
  • Public health
  • Consumer protection
  • Privacy and personal data protection (including GDPR violations)
  • Network and information systems security
  • Competition law and state aid
  • Tax avoidance and tax fraud (corporate tax rules)

Many member states have gone further in transposition, extending Directive protections to reports of national law violations or to all good-faith reports of misconduct — not just breaches of EU law. Germany, for example, extended the scope significantly in its Hinweisgeberschutzgesetz (HinSchG) of 2023.

Who Is Protected?

The Directive protects a broad range of persons, including:

  • Employees (full-time, part-time, temporary)
  • Self-employed persons and freelancers
  • Volunteers and trainees
  • Shareholders and members of boards
  • Suppliers, contractors, and subcontractors
  • Former employees who obtained information during their employment
  • Job applicants who obtained information during the recruitment process

Facilitators — persons who assist a whistleblower — are also protected, as are third parties connected to the whistleblower (such as colleagues or family members) who may face retaliation.

The Core Obligations for Organizations

Obligation 1: Establish Internal Reporting Channels

Organizations with 50 or more employees must establish internal reporting channels. The channels must be:

  • Confidential — the reporter's identity must be protected and not disclosed to anyone beyond the persons authorized to receive and follow up on reports
  • Secure — designed and operated to ensure confidentiality
  • Capable of receiving reports in writing, orally, or both — the reporter must be able to choose their preferred method
  • Operated by an appropriate designated person or department — typically an HR Director, Compliance Officer, internal audit, or legal function; or an external provider

For organizations with 50–249 employees, shared resources for receiving and investigating reports may be used. For organizations with 250 or more employees, dedicated resources are expected.

Obligation 2: Acknowledge Reports Within 7 Days

Upon receiving a report, the organization must acknowledge receipt within 7 days. This acknowledgment must be sent to the reporter through the same confidential channel through which they reported — which means if the reporter used an anonymous channel, the acknowledgment must be deliverable to an anonymous recipient.

This is a critical practical point: if your reporting channel does not support two-way communication with anonymous reporters, you cannot meet the 7-day acknowledgment requirement for anonymous reports.

Obligation 3: Provide Feedback Within 3 Months

The organization must provide feedback to the reporter within 3 months of the acknowledgment. Feedback means informing the reporter of what action has been taken or planned, or the reasons for not taking action.

Again, this requirement assumes a channel capable of communicating with anonymous reporters. A phone hotline that takes a one-way call cannot satisfy this requirement. A digital platform with two-way anonymous messaging can.

Obligation 4: Protect Reporter Confidentiality

The reporter's identity — and any information from which it could be deduced — must not be disclosed to persons other than the authorized staff handling the report, without the reporter's explicit consent. Exceptions exist only when disclosure is required by national law and the reporter is notified in advance.

Breach of confidentiality is both a legal violation and a practical undermining of the entire system. A single confidentiality breach that becomes known within the organization significantly damages the reporting channel's effectiveness, because potential reporters lose trust that their identity will be protected.

Obligation 5: Prohibit and Prevent Retaliation

Organizations must take all necessary measures to prohibit retaliation. The Directive lists specific prohibited retaliatory acts, including:

  • Suspension, dismissal, or equivalent measures
  • Demotion or denial of promotion
  • Transfer of duties, change of location, or reduction in wages
  • Negative performance assessments
  • Coercion, intimidation, or harassment
  • Discrimination or disadvantageous or unfair treatment
  • Damage to reputation, particularly in social media
  • Premature termination of contracts for goods or services

The Directive also requires that the burden of proof be reversed in retaliation claims: once a whistleblower establishes that they reported and then suffered an adverse action, the employer must demonstrate that the adverse action was taken for a reason entirely unrelated to the report.

Obligation 6: Maintain Records of Reports

Organizations must maintain records of every report received. Each report must be documented and retained in accordance with applicable data protection requirements. The records serve both to demonstrate compliance and to support any legal proceedings.

Retention periods vary by member state but are typically defined in national implementing legislation. GDPR principles apply: data must not be retained longer than necessary, and personal data in reports must be handled lawfully, fairly, and transparently.

Key Deadlines and Transposition Status

The Directive required transposition by 17 December 2021.

Member states transposed at varying speeds and with varying scope:

Member State | Transposition Status                            | Key Notes
Germany      | HinSchG in force July 2023                      | Extended to national law breaches; significant penalties for non-compliance
France       | Sapin II updated; Directive transposed 2022     | Extended scope; independent authority (AFA) role
Netherlands  | Whistleblowers Authority Act (Wbk) 2023         | New independent authority; strong worker protections
Ireland      | Protected Disclosures (Amendment) Act 2022      | Extended to private sector; broad scope
Sweden       | Transposed December 2021                        | Broad employee protection
Spain        | Law 2/2023 in force March 2023                  | Extended to all serious misconduct; mandatory compliance programs
Italy        | Transposed July 2023                            | Applies to private organizations with 50+ employees
Poland       | Transposed June 2024                            | One of the last to transpose; penalties up to €1.1M

For organizations operating across multiple EU member states, compliance requires attention to both the minimum Directive requirements and any enhancements enacted in each national implementation.

What GDPR Requires of Your Reporting Channel

Reports through a whistleblowing channel will typically contain personal data — about the reporter (unless anonymous), about the persons named in the report, and potentially about third parties. This means the reporting channel must comply with GDPR.

Key GDPR requirements for reporting channels:

  • Legal basis for processing — typically legitimate interests of the organization (investigation of misconduct) or compliance with a legal obligation
  • Data minimization — collect only what is necessary for the specific purpose
  • Retention limitation — retain data only as long as necessary; anonymous reports with no identified subject may be retained differently from reports involving named individuals
  • Subject access requests — persons named in reports may submit data subject access requests; organizations must be able to respond while protecting the reporter's identity
  • Data breach notification — if the reporting system is breached, GDPR notification obligations apply
  • Data Protection Impact Assessment (DPIA) — processing of sensitive personal data in an anonymous reporting context likely requires a DPIA

A reporting platform that is designed for GDPR compliance — not merely hosted in the EU, but built so that data minimization, retention limits, and access restrictions are enforced by the system itself — simplifies this significantly.

Penalties for Non-Compliance

Penalties vary by member state but are substantial:

  • Germany (HinSchG): Up to €50,000 for failure to establish reporting channels; up to €100,000 for retaliation against whistleblowers
  • Spain (Law 2/2023): Up to €1,000,000 for serious violations; up to €300,000 for minor violations
  • Ireland: Fines and potential personal liability for individuals who engage in retaliation
  • France: Criminal penalties for retaliation; fines for organizations
  • Poland: Up to PLN 5,000,000 (approximately €1.1M) for non-compliance

Beyond financial penalties, non-compliance creates legal exposure to civil claims by whistleblowers, regulatory investigations, and significant reputational damage.

The Practical Compliance Checklist

What HR teams need to have in place:

Reporting Channel Requirements

  • Digital reporting channel accessible 24/7 via web browser
  • No account required for submission — reporters should not need to create a login
  • Written submission capability — as a minimum; oral capability (phone or recorded meeting) may also be required under some national implementations
  • Two-way anonymous communication — mandatory to satisfy the 7-day acknowledgment and 3-month feedback requirements for anonymous reporters
  • Document upload capability — to allow reporters to submit supporting evidence
  • Secure and confidential architecture — no IP address logging, encrypted storage, access limited to authorized personnel

Process Requirements

  • Designated responsible person or department — identified and trained on handling reports
  • Documented acknowledgment process — automated or manual, within 7 days
  • Investigation workflow — defined process from receipt to resolution with accountability
  • Feedback process — mechanism to communicate outcome or status to anonymous reporter within 3 months
  • Confidentiality protocols — clear rules about who can access report contents and under what circumstances
  • Report retention policy — documented retention periods aligned with GDPR and national law
  • Anti-retaliation protocols — monitoring of employment actions involving reporters; escalation process for retaliation claims

Documentation Requirements

  • Written policy — published to all employees in all relevant languages
  • Channel communication — employees informed of the existence, accessibility, and scope of the reporting channel
  • Training records — managers and designated staff trained on receiving and handling reports
  • DPIA — completed for the reporting channel's processing of personal data

How VoxWel Meets the Directive's Requirements

VoxWel was designed with EU Directive 2019/1937 compliance as a core product requirement.

Confidentiality: VoxWel does not log IP addresses. No account is required for submission. Reports are encrypted at rest using AES-256 encryption. Access to report contents is controlled by role-based permissions.

Two-way anonymous communication: The platform includes built-in anonymous messaging, enabling the 7-day acknowledgment and 3-month feedback requirements to be met for anonymous reporters.

Audit trail: Every action in the case workflow is automatically timestamped. The organization has a complete, auditable record of when each report was received, acknowledged, investigated, and resolved.

GDPR compliance: VoxWel is designed to meet GDPR data minimization, retention, and security requirements. A DPIA template is available for customers completing their own DPIA.

Multi-language support: The platform supports multiple languages, enabling deployment across EU member states with appropriate localization.

Setup: Under 24 hours. No IT project. No enterprise contract.

Cost: $1 per employee per month. All features included.

Organizations operating in the EU cannot afford to defer this compliance. The transposition deadlines have passed. National enforcement authorities are active. The question is not whether to comply — it is how quickly the compliance gap can be closed.

Start a free 14-day trial at voxwel.com — no credit card required. Your compliant reporting channel can be live within 24 hours.


VoxWel is an anonymous employee reporting platform built for HR Directors and Compliance Officers who are serious about building speak-up workplace cultures. Start your free 14-day trial at voxwel.com.