← All guides
Employment Law10 min read9 July 2026

EU Whistleblowing Directive Compliance for Companies: Internal Channels, GDPR Intersection, and Anti-Retaliation (2026)

EU Directive 2019/1937 requires companies with 50+ employees to establish internal whistleblowing channels with 7-day acknowledgment, 3-month follow-up, and anti-retaliation protection. Here's what's required and how GDPR applies.

Who must comply with the EU Whistleblowing Directive?

EU Directive 2019/1937 on the protection of persons who report breaches of Union law was transposed into national law across the EU between 2021 and 2024. The core obligation: organisations above a certain size must establish internal reporting channels and protect whistleblowers from retaliation.

The thresholds and deadlines by employer size:

  • 250+ employees: deadline was 17 December 2021 — you should already be compliant.
  • 50–249 employees: deadline was 17 December 2023 — you should already be compliant.
  • Fewer than 50 employees: generally not required unless you operate in financial services, aviation, environmental law, or food safety (where the Directive applies regardless of size).

Most EU member states have now transposed the Directive. Key national laws: Germany (Hinweisgeberschutzgesetz — HinSchG, June 2023), France (amended Sapin II / Loi Waserman, March 2022), Netherlands (Wet bescherming klokkenluiders — WBPP, February 2023), Estonia (Whistleblower Protection Act), Sweden (Visselblåsarlag, December 2021). Each national law adds nuances — some extend the scope to national law breaches, some require anonymous channels, some impose stricter penalties.

What the internal reporting channel must include

Article 9 is precise about channel requirements. The channel must:

  • Accept reports in writing (email, web form, post).
  • Accept reports orally by telephone or recorded voicemail — with a transcript or recording provided to the reporter for review and correction.
  • Allow reporting in person if the reporter requests a meeting.

An email-only channel does not meet the Directive's requirements. This is one of the most common compliance failures among SMEs. A dedicated telephone line or in-person meeting option must be available alongside written reporting.

The channel must be operated by someone who is independent and competent — typically a designated compliance officer, general counsel, or third-party provider. The designated person must be distinct from general HR management when the report concerns HR matters.

The 7-day and 3-month clocks

Article 11 sets two hard deadlines:

  • 7 days: written acknowledgment of receipt must be sent to the reporter within 7 days of receiving the report. The clock starts when the report enters the system, not when someone reviews it. For anonymous reporters using a platform that allows re-contact via token, the acknowledgment goes through the same channel.
  • 3 months: the organisation must carry out diligent follow-up and provide feedback to the reporter on the follow-up actions taken or envisaged within 3 months of the acknowledgment.

"Diligent follow-up" is a standard with teeth. Courts in Germany (Bundesarbeitsgericht) and France (Cour de Cassation) have interpreted this to require genuine investigation proportionate to the seriousness of the allegation — not a box-checking exercise. A follow-up log documenting each step taken, evidence reviewed, and decision made is essential both for compliance and for litigation defence.

Feedback to the reporter does not require disclosing the full investigation outcome. The Directive balances the reporter's right to information against investigation integrity — feedback can be limited to confirmation that the report was acted upon, reasons for not investigating further (if applicable), or referral to an external authority.

Anonymous reports: required in most member states

The Directive (Art. 6(2)) permits but does not mandate anonymous reporting channels. However, most EU member states have gone further in their national transpositions: Germany's HinSchG requires anonymous channels; France's amended Sapin II strongly encourages them; the Netherlands' WBPP permits but does not require. In practice, operating a channel that cannot accept anonymous reports is a reputational risk even where not legally mandatory.

Dedicated third-party platforms (EQS Integrity Line, Navex Global, AllVoices, Convercent, SpeakUp, Vault Platform) provide anonymous two-way communication between the reporter and the investigator via a secure token — enabling follow-up even when the reporter's identity is unknown. This is the gold standard for anonymous channel operation.

Confidentiality requirements — and why email channels fail

Article 16 is unambiguous: the identity of the reporter must be kept confidential and must not be disclosed to anyone other than the designated person and, where absolutely necessary for the investigation, named colleagues bound by confidentiality obligations.

A standard corporate email channel fails this requirement because:

  • Email metadata (sender, timestamp, routing headers) can identify reporters even when names are omitted.
  • IT administrators, email archiving systems, and email security products typically have access to mailbox contents.
  • Forwarding risks are high — emails are easily forwarded to unintended recipients.
  • There is no audit trail showing who accessed the report and when.

Purpose-built whistleblowing platforms strip identifying metadata, apply role-based access controls, maintain access logs, and provide a dedicated encrypted communication channel between the reporter and the investigator. For organisations that cannot afford a third-party platform, a dedicated email with full-disk encryption, strict access controls, and signed confidentiality obligations for all who can access it is the minimum viable approach.

GDPR intersection — the most complex part

Whistleblowing channels process personal data about both the reporter and the persons accused or mentioned in reports. This creates a complex GDPR overlay:

Lawful basis

The safest lawful basis for processing the reporter's data is Article 6(1)(c) — legal obligation, since the Directive mandates the channel. This avoids the balancing exercise required for legitimate interests (Art. 6(1)(f)). For accused persons' data, Art. 6(1)(c) or Art. 6(1)(f) may apply depending on the processing step.

DPIA recommendation

Whistleblowing channels almost certainly require a Data Protection Impact Assessment (DPIA) under GDPR Art. 35. The processing involves sensitive personal data, data about criminal allegations, and systematic monitoring — factors that trigger the DPIA threshold. The DPO must be consulted in the DPIA process.

Privacy notices

Two separate privacy notices are typically required:

  • Art. 13 notice for reporters: provided at the point of reporting (on the channel form or before submission). Covers the data controller, purpose, legal basis, data recipients, retention, and data subject rights.
  • Art. 14 notice for accused persons: provided when their data is first processed by the organisation. However, under Art. 14(5)(b), this notice can be deferred or withheld if it would seriously compromise the investigation. The deferral decision must be documented, and the notice must be served at the earliest opportunity that does not jeopardise the investigation.

Data retention

Reports must be deleted "no longer than necessary" per GDPR Art. 5(1)(e). Member states vary: France's Sapin II suggests 2 months after case closure (absent legal proceedings); Germany's HinSchG applies general GDPR principles; Netherlands WBPP suggests 2 years as a standard maximum. Legal proceedings (employment litigation, regulatory investigations) trigger litigation holds that extend retention. The retention schedule should be documented in the ROPA and in the channel's privacy notice.

Data subject access requests from accused persons

A common practical problem: the accused person submits a GDPR Art. 15 data subject access request (DSAR) seeking a copy of the report. The general rule is that DSARs must be honoured — but GDPR Art. 23 allows member states to restrict rights where necessary to protect others' rights and freedoms (including the reporter's identity under Art. 16 of the Directive). Most national transpositions include explicit protection for reporter identity against DSARs. Legal counsel should be engaged when a DSAR from an accused person arrives while an investigation is open.

Anti-retaliation — the Directive's teeth

Article 19 of the Directive provides a non-exhaustive list of prohibited retaliation forms: dismissal, demotion, reduction of salary or hours, withholding of promotion, negative performance appraisal, imposition of disciplinary measures, coercion, intimidation or harassment, blacklisting, referral for psychiatric evaluation, early termination of contracts for goods or services, cancellation of licences or permits, and damage to reputation.

The critical legal mechanism is in Article 21(5) — the reversed burden of proof. Where a whistleblower demonstrates they made a report and suffered a detriment, the burden shifts to the employer to prove the detriment was not connected to the report. This is a significant litigation risk. Any adverse employment decision regarding a known whistleblower — even a legitimate one — should be documented contemporaneously with independent business reasons, reviewed by employment counsel before execution, and approved through a management chain that excludes anyone connected to the report's subject matter.

Common compliance failures to avoid

Based on enforcement actions and regulatory guidance across the EU, the most common failures are:

  1. Email-only channel: no oral or in-person option available — violates Art. 9(2).
  2. No designated person: reports land in a general inbox with no defined ownership — violates Art. 8(5).
  3. 7-day acknowledgment missed: reports sit unreviewed for weeks — violates Art. 11(1)(a).
  4. No anonymous option: required in most member states; also reduces reporting rates significantly.
  5. Scope too narrow: policy covers only HR matters or only one national law — violates Art. 2 material scope.
  6. No GDPR privacy notice: reporters and accused persons not informed — GDPR Art. 13/14 violation.
  7. Manager retaliation, undetected: no training for managers on non-retaliation — leads to Art. 21(5) reversed burden claims.
  8. No retention policy: reports kept indefinitely — GDPR Art. 5(1)(e) violation.

Assess your compliance with our free tool

We've built a free EU Whistleblowing Directive Compliance Checker covering all 22 compliance checks across channel setup (Art. 8-9), acknowledgment and follow-up (Art. 11), confidentiality and GDPR (Art. 16-17), anti-retaliation (Art. 19-21), policy scope and communication (Art. 7), and record-keeping (Art. 18). Answer the checks, get a compliance score, and generate a detailed gap assessment report for your legal and HR teams.

Related tools: our GDPR Data Processing Agreement Generator (for data processing agreements with your whistleblowing platform vendor), GDPR Privacy Policy Generator, and ISO 37001 Anti-Bribery Checklist (anti-bribery management systems that typically operate alongside whistleblowing programmes).