On July 7, 2022, a new (third) version of the draft Act on the protection of persons reporting violations of the law .
In today's article, we would like to summarize for you the most important changes that this new project provides for.
It should be noted that, compared to the previous version of the act, the current modifications are not revolutionary, but merely cosmetic.
Below is a list of the most significant modifications introduced in the new draft law:
1. The deadline for establishing the procedure for internal and external reporting or the procedure for accepting external reporting has been extended from 1 month to 2 months from the date of entry into force of the Act.
2. The period of storage of personal data processed by:
• a legal entity or a public authority in connection with a report – it is 15 months after the end of the calendar year in which the follow-up actions or other proceedings initiated by these actions were completed ;
• the Commissioner for Human Rights – it is 12 months after the end of the calendar year in which the report was forwarded to the competent public authority .
3. A change has been made regarding the storage period of personal data and other information collected in :
• the register of internal reports kept by a legal entity – according to the new draft, it is 15 months after the end of the calendar year in which the follow-up action was completed or after the proceedings initiated by these actions were completed;
• the register of external reports kept by the Commissioner for Human Rights – it is 12 months after the end of the calendar year in which the external report was forwarded to the public authority competent to take follow-up action.
4. Personal data contained in a whistleblower's report that are not relevant to its consideration shall not be collected , and in the event of accidental collection, shall be deleted immediately, within 14 days of determining that they are not relevant to the case.
5. The notification registers maintained by legal entities, public entities, and the Commissioner for Human Rights will also collect personal data of the reporting party and the data of the person concerned . Interestingly, the registers also specify the collection of the reporting party's contact address in the case of the register of internal reports maintained by legal entities and the register of external reports maintained by the Commissioner for Human Rights. However, this was omitted in the case of the register of external reports maintained by public authorities (which is likely an oversight during the project and will be corrected in the future) . In the case of the register of reports maintained by the Commissioner for Human Rights, the register also includes the collection of dates on which the reporting party was informed that the case had been forwarded to the public authority responsible for taking follow-up action or that the report had not been forwarded.
6. It is not new that public authorities and the Commissioner for Human Rights are to authorize authorized individuals to receive, verify, and process external reports. What is new, however, is that such an employee is to be designated based on professional qualifications, in particular expertise in data protection law and practices, and the ability to perform the assigned tasks . It has also been clarified that authorized individuals are obligated to maintain confidentiality regarding the information and personal data they obtain in the course of receiving, verifying, and following up on reports .
7. An external report may be left unprocessed by the Commissioner for Human Rights or a public authority if the violation was previously reported by the same or another person, and the new report does not contain new, significant information about the violations compared to the previous report. The Commissioner for Human Rights may also leave a subsequent report unprocessed if it previously refrained from forwarding the report to the relevant public authority . The authority's notification to the whistleblower about the report being left unprocessed in these situations should include a justification. However, in the case of subsequent reports, the unprocessed report will be left unprocessed without notifying the reporting party .
8. The definition of "person associated with the reporting person" has been modified - for the purposes of the Act, in accordance with the new draft, this concept will mean an individual who may experience retaliation in a work-related context, including a co-worker or family member of the reporting person, however, a witness will not be considered a related person .
9. A clear provision has been introduced indicating that the burden of proof rests with the employer to prove that actions taken against a whistleblower are not retaliatory . In the previous draft of the Act, the modified provision was highly questionable, as it indicated that an attempt or threat of retaliation could also be considered retaliatory, "unless the employer proves that it was guided by objective and duly justified reasons." The unfortunate wording of the provisions suggested that the employer's burden of proof only applied to the attempt or threat of retaliation, without referring to the actual measure taken.
10. The concept of the applicant’s “contact address” has been clarified and may be either a correspondence address or an e-mail address.
11. The definition of an incentive system for using the internal reporting procedure has been moved from an optional element of the internal reporting procedure to its mandatory elements – in cases where the violation of the law can be effectively addressed within the organizational structure of the legal entity and the reporting person believes there is no risk of retaliation. Therefore, the employer will not have the discretion to decide whether to implement such an incentive system, but will be legally obligated to do so.
12. Under the new bill, attempting to obstruct the filing of a report will not be subject to criminal sanctions . Obstructing the filing of a report itself will still constitute an offense punishable by a fine or restriction of liberty. The new bill further specifies that the act of failing to implement an internal reporting procedure will be punished under the provisions of the Code of Petty Offenses.
13. The scope of the initial verification of an external report by a public authority has been clarified – this is to determine whether the report concerns information on a violation of the law and whether the report concerns violations in the area falling within the scope of that authority’s activities, and if not – to determine the public authority competent to take follow-up action.
Looking at the changes resulting from the publication of the new draft of the Whistleblower Act, one cannot help but feel that they are primarily technical in nature, streamlining the pending regulations. In particular, the most anticipated amendment by many is missing: expanding the list of reportable violations to include labor law matters.
The greater emphasis on the security of personal data protection – not only of the whistleblower himself, but of all personal data processed in connection with the report submitted – should undoubtedly be assessed as a positive change.
However, it should still be remembered that the legislative process is ongoing and we can expect further modifications to the regulations being processed.
Legal basis:
• Draft of 4 July 2022 of the Act on the protection of persons reporting violations of the law.
This article is for informational purposes only and does not constitute legal advice.
author:
