With more than two years delay, on 27 January 2023. The National Assembly finally adopted the Law on the Protection of Whistleblowers or Public Disclosers ("the Law"), promulgated in the Extraordinary Issue No. 11 of 02.02.2023 of the Official Journal. It is part of the Recovery and Sustainability Plan. The Act entered into force on 4 May 2023 and the section on "Internal Whistleblowing" applies to private sector employers with between 50 and 249 employees from 17 December 2023. With this law, the Bulgarian state fulfills its obligation to implement in national legislation Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law (the "Directive"), the so-called Whistleblower Directive.
Objectives of the new law
The reasons for adopting the Directive at the EU level are dictated by the need to protect so-called “whistleblowers”. In English, these people are called whistleblowers, which literally means “people who blow the whistle”. These are individuals who bring to the attention of the public illegal actions and data on crimes or who publicly disclose information about corruption schemes in the organizations in which they work.
The main purpose of the Act is to regulate and guarantee the protection of persons, both in the private and public sectors, who file reports or publicly disclose information. for violations of Bulgarian legislation or Union law, which became known to them during or in connection with the performance of their employment or official duties. Often, in their workplace, workers or employees witness irregularities and illegal practices, but decide to remain silent about them, for fear of adverse consequences. Namely, in order to create conditions to encourage these individuals to file reports without fear of possible reprisals, the Law regulates measures for their protection. With the implementation of the directive in the Member States, the harmonization of procedures and protection measures when filing such reports is achieved.
Obliged entities
The following groups of persons fall within the scope of the adopted law:
- public sector employers, with the exception of municipalities with a population of less than 10,000 people or fewer than 50 workers or employees;
- employers in the private sector with 50 or more workers or employees;
- employers in the private sector regardless of the number of workers or employeesif the activity they carry out falls within the scope of certain acts of European Union law (e.g. financial services, prevention of money laundering and terrorist financing).
Scope
The law outlines a fairly broad scope that applies to violations of Bulgarian legislation or of the European Union acts listed in the Act in the following areas: 1) public procurement; 2) financial services, products and markets and prevention of money laundering and terrorist financing; 3) product safety and compliance; 4) transport safety; 5) environmental protection; 6) radiation protection and nuclear safety; 7) food and feed safety, animal health and welfare; 8) public health; 9) consumer protection; 10) protection of privacy and personal data and security of networks and information systems. It also covers infringements affecting the EU's financial interests, as well as infringements relating to the Union's internal market, such as competition and state aid. In paragraph 2, Art. 2 of the Directive, Member States are given the option to extend the protection under national law to areas or actions not listed above.
Persons to whom protection is granted
Under this law, protection is provided to a whistleblower, who may be: an individual reporting or publicly disclosing information about a violation that has become known to him/her in his/her capacity as:
1. a worker, employee, civil servant or other person who performs paid work, regardless of the nature of the work, the method of payment and the source of financing;
2. a person who works without an employment relationship and/or exercises a freelance profession and/or a craft activity;
3. volunteer or intern;
4. partner, shareholder, sole owner of the capital, member of a management or control body of a commercial company, member of the audit committee of an enterprise;
5. a person who works for a natural or legal person, its subcontractors or suppliers;
6. a job applicant who participated in a competition or other form of selection for employment and received in this capacity information about a violation;
7. an employee or worker, when the information was received within the framework of an employment or service relationship that was terminated at the time of filing the report or public disclosure.
It should be noted that protection under this law is provided and to any other whistleblower who reports a violation that has become known to them in a work context.
Persons benefiting from protection may also be:
- persons who assist the reporting person in the reporting process;
- persons who are associated with the reporting person and who may be subject to retaliatory action due to the reporting;
- legal entities in which the reporting person owns a stake, works for or is otherwise connected in a work context.
Conditions for the protection of whistleblowers
A person reporting violations through an internal or external channel within the meaning of this law has the right to protection, provided that:
- had reasonable grounds to believe that the information submitted about the violation in the report was correct at the time of submission and that this information falls within the scope of the law;
- has filed a report of a violation under the terms and conditions of this law.
Where these conditions are met, the right to protection also applies to the person who reports a breach to the institutions, bodies, offices or agencies of the European Union. Such reporting shall be considered as reporting through an external channel.
Requirements for creating an internal reporting channel
The law introduces an obligation for employers to establish internal reporting channels for violations. These channels must be managed in a way that guarantees the completeness, integrity and confidentiality of the information and prevents access by unauthorized persons, as well as allowing its storage on a durable medium.
It is important to note that the law provides that obligated persons to engage one or more employees to be responsible for handling signals. Such employees may be the officials in the structure of each of the obligated entities performing functions related to the processing and protection of personal data. Based on the regulation of the issue in the legislation of member states that have previously adopted this law, we can propose the following persons to be entrusted with these duties: the so-called corporate ombudsman (if one has been appointed); members of the Ethics Committee (if there are internal codes of ethics in the relevant legal entity); a member or secretary of a collective management body (Board of Directors, Management Board), as well as an internal legal advisor (legal counsel).
When whistleblowing functions are assigned to an internal person who is already employed by an obligated entity, this could be by concluding an additional agreement to the already existing employment contract between the parties on the basis of Art. 119 of the Labor Code. It is by including these additional obligations in the employee's job description that the employee will also be engaged in the functions of a person receiving and processing the signals of violations regulated by law.
Obliged entities may assign the functions of receiving and registering reports of violations to another natural or legal person outside their structure, subject to the requirements of this law, and may use an internal reporting channel established by the economic group to which they belong, if the channel meets the requirements of this law.
Obliged persons are required to provide clear and easily accessible information regarding the conditions and procedure for submitting reports. The information could be incorporated into the Internal Labor Regulations (ILR)., but only when it is intended for workers or employees within the enterprise. We recommend that these rules be contained in a separate document, which should be placed in a prominent place in the offices and work premises, as well as on the websites of the obligated entities. There is an opportunity to bring the rules to the attention of workers or employees by conducting special instruction.
Another obligation provided for employers is the creation and maintenance of a register of reports of violations, whose purpose is to facilitate the provision of evidence for the signals received, and also to guarantee the right of the affected person to effective protection in any legal or other proceedings.
Central authority for external reporting
The new law defined Personal Data Protection Commission for Central authority for external reporting and for the protection of the persons to whom such protection is granted. Namely The Commission will organize the reception of the signals and direct them to the competent authorities. for the purpose of their verification and taking subsequent actions. It will approve forms for receiving signals, will coordinate and control the activities of considering signals by the obliged entities, as well as all bodies and organizations that receive or work with such signals. The CPDP will provide methodological instructions to the obliged entities and will conduct trainings for their employees responsible for considering signals under this law. Within 6 months from the promulgation of the Law in the State Gazette, the Commission should adopt an ordinance on the maintenance of the register under Article 18, paragraph 4 of the Act and on forwarding internal signals to it.
The material is for informational purposes only and does not constitute legal opinion or advice. If you need any advice or additional information regarding the issues discussed, please contact us.