11.10.2022

It is advisable to start preparing a whistleblowing channel now

The government proposal for the whistleblower legislation obligates large and medium-sized enterprises as well as public sector actors to establish an internal reporting channel through which, for example, the personnel can report suspected misconduct. The legislation is based on the EU Whistleblowing Directive.

As a general rule, the whistleblowing channel must be established in companies that employ at least 50 people

The new whistleblower legislation that is being drafted mainly obligates companies or public sector actors that employ at least 50 people to establish an internal reporting channel. Through the channel, the company’s employees, for example, can report suspected misconduct that concerns the violation of certain legislation, such as consumer protection, environmental protection, data protection or public procurement. When submitting a report, the whistleblower is protected in the manner required by the Act. The Act also provides a period during which the company can exclusively examine the reports.

At the moment, the Act is being discussed by Parliament, and it is to enter into force within three months from its approval. By then, companies that employ at least 250 people will have to adopt an internal whistleblowing channel. The government bill, however, includes a transitional period under which private sector organisations that regularly employ 50–249 people must adopt a whistleblowing channel by 17 December 2023 at the latest.

The whistleblower legislation is based on the EU Whistleblowing Directive, which must be implemented into national legislation by the EU Member States. In Finland, the drafting of the whistleblower legislation has been delayed from the original timetable. In some EU Member States, the Directive has already been implemented into national legislation.

Establishing an internal whistleblowing channel

The main purpose of the new regulation is to protect the whistleblower from retaliation and to give the organisation receiving the report an opportunity to appropriately investigate the suspected misconduct internally. Furthermore, the new legislation will set minimum requirements for the establishment of the whistleblowing channel and for the procedures for processing notifications, such as the processing times and confidentiality. The organisation can largely decide the technical implementation itself, and under certain boundary conditions, it is also possible to outsource the maintenance of the channel to a service provider. According to the proposal, companies that belong to the same group can under certain conditions establish a common reporting channel.

The regulation also creates new information obligations for organisations. Stakeholders that are entitled to report suspected misconduct must, among other things, be informed of the internal whistleblowing channel, of the possibility to report through an external reporting channel maintained by the authorities and of the requirements for protecting the whistleblower. In addition, the persons responsible for processing the reports must be appointed and trained in the processing.

Data protection obligations must be taken into account

Requirements based on data protection legislation and, with respect to the personnel, also on the Co-operation Act, must be taken into account so that the reports submitted through the reporting channel and the personal data included in them can be processed lawfully. Together, a whistleblowing channel that meets data protection obligations and proper data protection documentation are key tools for an organisation to demonstrate that it complies with legislation.

The processing of personal data collected through the whistleblowing channel is subject to the same privacy obligations as the processing of other personal data. For example, the legal basis and purposes for processing personal data as well as how long the data is stored must be defined in accordance with statutory requirements and any unnecessary personal data must be deleted. The individuals whose data is processed must also be informed of the processing, and the organisation must make sure that the statutory data subjects’ rights are respected. It is important to keep in mind that the new legislation sets certain exceptional limits to the rights of the data subjects. In addition, the Finnish data protection authority, the Data Protection Ombudsman, has ruled that controllers must conduct a data protection impact assessment on data processing relating to whistleblowing channels.

How to prepare for the new obligations?

A whistleblowing channel that meets the requirements of the new legislation protects the company as well as the whistleblower, because a whistleblowing channel makes it possible for the company to uncover misconduct and provides a period during which the company can exclusively process reports. Though the legislation is still being drafted, it is advisable to prepare for the adoption of a channel now. First, it is advisable to make an assessment of the necessary measures.