Employment & Ethics · 10 min read · 28 May 2026

EU Whistleblower Directive 2019/1937: What SaaS Companies with 50+ Employees Must Do

EU Directive 2019/1937 requires organisations with 50+ employees to establish internal reporting channels. Here's what your whistleblower policy must cover, what penalties apply, and how to generate one for free.

The obligation most growing SaaS companies are ignoring

Ask ten SaaS founders about GDPR and they know the basics. Ask them about EU Directive 2019/1937 and you'll get blank looks. But if your company has crossed 50 employees anywhere in the EU, you are legally required to have a formal whistleblower reporting channel — and most startups don't.

The EU Whistleblower Directive was required to be transposed into national law by December 2021 (large organisations) and December 2023 (50–249 employees). Enforcement is catching up. Fines vary by member state, but reputational damage and civil liability for failing to protect reporters are the real risk.

This guide explains what the Directive requires, what your policy must cover, and what happens if someone in your organisation gets fired after blowing the whistle without proper protections in place.

Scope: who must comply

The Directive applies to:

  • Private sector organisations with 50+ employees — anywhere in the EU where you have staff
  • All public sector organisations — regardless of size
  • Private sector organisations with fewer than 50 employees — not required to have an internal channel, but national law may extend requirements further. Best practice is to implement one regardless.

The 50-employee threshold is calculated per legal entity, not group. A SaaS group with multiple EU subsidiaries, each with fewer than 50 employees, may still trigger the requirement depending on national transposition. Germany, for instance, requires all companies with 50+ employees globally that have any operations in Germany to implement a compliant system (HinSchG 2023).

Who counts as a reporter? The Directive protects:

  • Current employees (including part-time, fixed-term)
  • Contractors, freelancers, and self-employed persons
  • Shareholders and board members
  • Volunteers and trainees (paid or unpaid)
  • Former employees (for wrongdoing they learned of during employment)
  • Job applicants (protected from retaliation in the selection process)
  • Facilitators: persons who assist the reporter
  • Third parties related to the reporter (family members, colleagues)

What disclosures are protected

The Directive mandates protection for disclosures of violations of EU law in 10 policy areas:

  1. Public procurement
  2. Financial services, products, and markets (including AML)
  3. Product safety and compliance
  4. Transport safety
  5. Environmental protection
  6. Food and feed safety, animal health and welfare
  7. Public health
  8. Consumer protection
  9. Privacy and personal data protection and security of network and information systems
  10. Competition law and state aid violations

For SaaS companies, item 9 is the most relevant: GDPR violations, NIS2 incidents, and data security breaches are squarely within the mandatory scope of protection. So is competition law (item 10), which matters for B2B SaaS operating in concentrated markets.

Organisations may — and should — extend the scope of their policy beyond the mandatory EU law minimum to cover additional categories such as financial fraud, ethical misconduct, harassment, health and safety violations, and violations of company policies. This is best practice and reduces the risk of reporters going external (to regulators) because internal channels seem too narrow.

What your internal reporting channel must include

1. Written and verbal reporting (Art. 9)

The channel must accept both written and verbal reports. Written includes web forms, emails, and physical letters. Verbal includes phone hotlines and in-person meetings. If a verbal report is made, the organisation must offer to document it in a written transcript that the reporter can review and sign.

2. Acknowledgement within 7 days (Art. 11(1)(b))

You must acknowledge receipt of the report within 7 calendar days. This is an absolute requirement, not a best effort.

3. Feedback within 3 months (Art. 11(1)(d))

You must provide feedback to the reporter on the action taken or planned within 3 months of acknowledging the report. This can be extended to 6 months in duly justified cases. The feedback must be proportionate — you don't have to share investigation findings in detail, but you must tell the reporter whether an investigation was opened, closed, or referred externally.

4. Confidentiality (Art. 16)

The identity of the reporter must be kept confidential and may not be disclosed without their explicit consent, except where required by law (e.g. criminal proceedings). Importantly, even if the identity is eventually disclosed in judicial proceedings, the reporter must be notified first and given an opportunity to challenge this.

This means your internal investigation team must operate on a need-to-know basis and your reporting platform must have appropriate access controls.

5. Independence and impartiality (Art. 8)

The person or team handling reports must be designated, impartial, and competent. The Directive allows outsourcing this to a third-party provider, which is common for companies that want to demonstrate independence. This could be an external law firm, compliance service provider, or a dedicated whistleblowing platform.

6. External reporting option

Reporters have the right to bypass your internal channel and report directly to competent national authorities — this is guaranteed by the Directive (Art. 10) and cannot be contractually waived. Your policy must acknowledge this right. You should include the relevant external authority contacts for your jurisdiction.

Anti-retaliation: the most important section

The anti-retaliation provisions are the heart of the Directive. Art. 19 prohibits retaliation in any form, including:

  • Suspension, lay-off, dismissal, or equivalent measures
  • Demotion or withholding of promotion
  • Transfer of duties, change of location, reduction in wages, or change in working hours
  • Negative performance assessments or employment references
  • Imposition of any disciplinary measure, reprimand, or other penalty
  • Coercion, intimidation, harassment, or ostracism
  • Exclusion from training or development opportunities
  • Blacklisting of the reporter
  • Damage to the reporter's reputation
  • Referral of the reporter for psychiatric or medical assessment

The critical point on enforcement: under Art. 21(5), the burden of proof shifts to the employer. If a reporter is dismissed within a reasonable period of making a protected disclosure, the employer must prove that the dismissal was not connected to the disclosure. This is not a theoretical risk — employment tribunals across the EU are taking this seriously.

Protection scope

Protection applies even if:

  • The reporter reported through an external channel rather than the internal one first
  • The reported wrongdoing turns out not to be provable
  • The reported wrongdoing was not in fact illegal

Protection does NOT apply if:

  • The reporter knew the information was false when they reported (bad faith)
  • The report was made maliciously or vexatiously with no reasonable belief in the truth of the information

GDPR intersection: processing reporter data

Your whistleblower channel processes personal data — about the reporter (if they identify themselves), about the persons accused in the report, and about witnesses. GDPR applies fully.

| Processing activity | GDPR lawful basis | Key requirements |
| --- | --- | --- |
| Receiving and recording the report | Art. 6(1)(c) — legal obligation | Data minimisation: collect only what's needed for the investigation |
| Processing data about the accused | Art. 6(1)(c) — legal obligation | Must be treated with the same confidentiality as reporter data; Art. 14 transparency notice may be deferred until it no longer jeopardises the investigation |
| Special category data (health, trade union, political opinions) | Art. 9(2)(b) — employment, social security, social protection law | Strict access controls; encryption; not shared beyond the investigation team |
| Retention after investigation closure | Art. 5(1)(e) — storage limitation | Retain only as long as necessary; EU Directive Art. 18 applies (3 years minimum per some member state transpositions) |

You must include your whistleblower channel in your GDPR Records of Processing Activities (RoPA) and your privacy notices. The accused person's Art. 15 access right may be temporarily restricted to protect the investigation and the reporter — GDPR Art. 23 allows member states to restrict rights for this purpose.

Member state variations: what to watch

The Directive sets a minimum — member states can go further. Key national variations:

| Country | Law | Key additions |
| --- | --- | --- |
| Germany | HinSchG (2023) | Anonymous reporting must be technically possible; companies with 50–249 employees had until 17 December 2023; significant fines (up to €50,000 for minor violations, up to €1M for systematic non-compliance) |
| France | Sapin II (2016) + transposition (2022) | Applies to companies with 50+ employees; AFA can audit compliance; financial incentives for reporters in some cases |
| Netherlands | Wet bescherming klokkenluiders (2023) | Anonymous reporting must be possible; obligation to acknowledge within 7 days and respond within 3 months |
| Sweden | Visselblåsarlagen (2021) | Transposed early; includes protection for disclosures of imminent and serious risks even without an EU law violation |
| Ireland | Protected Disclosures (Amendment) Act 2022 | Strong protections; covers a very broad range of wrongdoing; Protected Disclosures Office established |
| Estonia | Töötajate usaldusisiku seadus + Rikkumisest teavitaja kaitse seadus (RTKS) | Whistleblower Protection Act since June 2023; covers violations of Estonian law and EU law |

UK: PIDA 1998 — the original whistleblower law

The UK Public Interest Disclosure Act 1998 (PIDA) predates the EU Directive by 21 years and remains in force post-Brexit. Key differences:

  • No minimum employee threshold — PIDA applies to all employers regardless of size
  • Broader scope — covers any criminal offence, any failure to comply with legal obligations, health and safety dangers, environmental damage, and miscarriages of justice
  • Employment Tribunal route — qualifying disclosures to employers, prescribed persons (regulators), or the wider public (in specific circumstances) are protected
  • Uncapped compensation — no cap on Tribunal compensation for automatically unfair dismissal under PIDA
  • Personal liability — individual managers can be personally liable for detriment acts under s47B ERA 1996

The UK Government has announced plans to strengthen PIDA, including extending protections to volunteers and extending the scope of prescribed persons, but as of mid-2026 the core framework remains the same.

Practical implementation: what you need to set up

  1. Designate a responsible person: Compliance Officer, General Counsel, or equivalent. They must be impartial: they cannot report to the person who might be the subject of reports.
  2. Establish at least one reporting channel: A dedicated web form or encrypted email is the minimum. A phone hotline adds verbal reporting capability. Third-party platforms (EQS Integrity Line, NAVEX, WhistleB, Speakfully) are increasingly popular for SMEs because they provide independence and professional management.
  3. Enable anonymous reporting: Not legally mandatory under the Directive in all member states, but strongly recommended. Germany (HinSchG) requires it. Anonymous reports must be treated as seriously as identified reports.
  4. Write a policy: The policy must explain what can be reported, who is protected, how the process works, what anti-retaliation measures are in place, and how confidentiality is maintained.
  5. Train your staff: All employees must understand the policy exists and how to use it. Managers need specific training on anti-retaliation obligations.
  6. Integrate with GDPR: Add whistleblower data processing to your RoPA, privacy notices, and data retention policy.

Generate your whistleblower policy now

ComplyKit's Whistleblower Policy Generator creates a comprehensive policy tailored to your jurisdiction, employee count, reporting channels, and applicable legislation (EU Directive, UK PIDA, US SOX). Free, no account required.

⚠️ This guide is for informational purposes only and does not constitute legal advice. Whistleblower protection laws vary significantly by member state. Consult a qualified employment lawyer in your jurisdiction before implementing a whistleblower reporting programme.