EU Whistleblower Directive: Key Takeaways for Private Companies in Bulgaria

Like the majority of EU Member States, Bulgaria missed the deadline to transpose Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the “Whistleblower Directive”) on time, i.e. by December 2021. With a delay of more than a year, the Parliament (in its second attempt, after failing to adopt the bill in December 2022) passed the bill transposing the Whistleblower Directive into Bulgarian law. The act (the “Whistleblower Act” or the “Act”) was promulgated in the State Gazette on 3 February 2023 and will enter into force after three months, i.e. at the beginning of May 2023. However, the provisions on establishing an internal whistleblower channel in private companies with 50 to 249 employees shall apply as of 17 December 2023.

Below are answers to ten questions that companies may have while preparing for the Act's entry into force:

1) Does the Whistleblower Act apply to my company?

If your company is in the private sector and has 50 or more employees, you are obliged to comply with the Act. In addition, for private entities that pursue activities listed in the Act, including (without limitation) financial services, management of UCITS, insurance and insurance intermediation, payment services, crowdfunding, and prevention of money laundering and terrorist financing, the obligation applies regardless of the number of employees.

2) What obligations does my company have under the Act?

The main obligation of your company under the Whistleblower Act is to establish a channel and procedures for internal, confidential reporting of information on breaches of laws within the scope of the Act. The channel and procedures must:

  • provide a mechanism for whistleblowers (see item 4 below) to be able to raise concerns with their employer;
  • provide for reports to be made either in writing, orally or both. Oral reporting must be possible by telephone or through other voice messaging systems, and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe;
  • provide for each report to be acknowledged in writing to the reporting person within 7 days of its receipt;
  • be secure and ensure the confidentiality of the whistleblower and anyone mentioned in the report; 
  • designate an impartial person(s) to diligently follow up on reports (see item 7 below). The designated person must maintain communication with the reporting person, ask for further information if necessary, and provide feedback to them in a reasonable period and, in any case, within 3 months. Feedback must include information on action taken or envisaged as follow-up and the grounds for such follow-up; 
  • provide information on procedures for reporting externally to competent authorities or EU entities. 

The company must maintain a non-public register for reportable concerns received. Records of every report received must be kept on a durable medium for the purpose of inspection and further investigation.

The reporting channel may be operated internally or provided externally by a third party.

Companies are required to provide clear and easily accessible information regarding the procedures that are put in place to comply with the Act. Such information should be published on the company’s webpage and in visible places in the offices and working premises.

3) What kinds of reports are caught by the Whistleblower Act?

The Act’s requirements apply to concerns related to breaches of EU law, or to breaches that affect the financial interests of the EU or relate to the internal market (including, among others, public procurement, financial services, the prevention of money laundering and terrorist financing, product safety, protection of the environment, consumer protection, data privacy, breaches of EU competition and State Aid rules, and breaches of corporate tax law).

Bulgaria has availed itself of the Member States’ discretion to extend the Directive to a broader range of reports, including reports of infringements of Bulgarian law that relate to the above sectors and, moreover, of breaches of the Bulgarian rules for payment of due public and municipal obligations and of Bulgarian employment and civil service legislation, as well as reports of a publicly prosecuted crime the whistleblower has become aware of in a working context.

4) Who could be a protected reporting person?

An important feature of the Directive and the Whistleblower Act is that the envisaged protections are not limited to employees. The protections must also be afforded to any reporting person who acquires information on a breach in a work-related context. This includes employees and self-employed persons, shareholders, third-party contractors, suppliers, volunteers, and those working under the supervision and direction of contractors, subcontractors, and suppliers. A reporting person is entitled to protection whether that work-based relationship is current, concluded, or prospective. For an individual to be able to invoke the protection granted by the Whistleblower Act, the person must have reasonable grounds to believe that the information reported was true at the time of reporting and that the information on breaches falls within the scope of the Act.

5) What duties of confidentiality do we owe to whistleblowers?

The Whistleblower Act states that the identity of the reporting person must not be disclosed to anyone beyond the authorized staff members competent to receive or follow up on reports, without the explicit consent of that person. This also applies to any information from which the reporting person’s identity may be deduced. 

6) Must the company accept anonymous reports?

In contrast to countries like Belgium, the Whistleblower Act follows the prevailing view among EU countries and explicitly provides that no investigation shall be initiated upon the submission of anonymous signals. If a worker raises a reportable concern through an anonymous report and is then identified and penalized for it, they can be protected by the Act.

7) Who should the company designate to follow up on reports?

Companies will have flexibility as to which individual(s) or corporate function to designate to follow up on reports. The Whistleblower Act suggests that such a person may be the data protection officer (if the company has one) and requires the absence of a conflict of interest. Recital 56 of the Directive provides guidance that the function could in a smaller entity “be a dual function held by a company officer well placed to report directly to the organizational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.”

Employers should put in place a whistleblowing policy and should ensure that the person(s) designated under this policy to deal with such reports are trained and understand the requirements under the Act. 

8) How does the Act protect whistleblowers?

Whistleblowers are protected against different forms of retaliation enumerated in the Act, including (without limitation) termination of employment, negative impacts on promotions or salary, unjustified negative performance assessments, transfers and changes of the workplace, and harassment or discrimination. Protection measures include compensation for damage suffered by whistleblowers (such as termination of their employment), legal aid, release from certain types of potential liability, and others.

9) Are there penalties if the obligations under the Act are not duly observed?

The Directive is silent on specific penalties but obliges member states to impose effective and proportionate sanctions on companies that do not adhere to the reporting system, including failing to maintain the confidentiality of whistleblowers and hindering attempts to report breaches. Some member states (including France, Denmark, and Cyprus) have introduced criminal liability for whistleblowing infringements; Bulgaria is not among such countries. 

According to the Whistleblower Act, failure to comply with the obligation to establish internal channels for reporting may be penalized with a fine in the range of EUR 2,500 – EUR 10,000, approximately. Breach of confidentiality obligations, obstruction of the submission of a signal, deliberate failure or delay to take the necessary follow-up actions on the signal, and failure to provide information on the follow-up to the whistleblower within three months may be sanctioned with EUR 200 to EUR 2,000, approximately. A fine in the range of EUR 1,000 – EUR 2,000, approximately, may be imposed on a person who takes an action for the purpose of retaliation against the whistleblower or against a person related to him/her. Compared to the penalties under the GDPR, these sanctions are minimal, so it remains to be seen how effective the sanctions will be.

10) Are there benefits from a strong internal reporting channel?

Having a good internal tool to facilitate the detection of possible misconduct at an early stage and to maintain internal control is therefore recommended. It will help you avoid external reporting and public disclosures, which could harm your company’s reputation and could even result in sensitive or confidential information (such as trade secrets) being leaked.

We are happy to support you with additional questions regarding the implementation of an internal whistleblower channel. If you have any questions and for more information, get in touch with your regular contact at Stoeva Tchompalov & Znepolski.