Legal provisions of COM(2018)218 - Protection of persons reporting on breaches of Union law

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2018)218 - Protection of persons reporting on breaches of Union law.
document COM(2018)218 EN
date October 23, 2019

Contents

CHAPTER I - SCOPE, DEFINITIONS AND CONDITIONS FOR PROTECTION

Article 1 - Purpose

The purpose of this Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.

Article 2 - Material scope

1. This Directive lays down common minimum standards for the protection of persons reporting the following breaches of Union law:

(a)breaches falling within the scope of the Union acts set out in the Annex that concern the following areas:

(i)public procurement;

(ii)financial services, products and markets, and prevention of money laundering and terrorist financing;

(iii)product safety and compliance;

(iv)transport safety;

(v)protection of the environment;

(vi)radiation protection and nuclear safety;

(vii)food and feed safety, animal health and welfare;

(viii)public health;

(ix)consumer protection;

(x)protection of privacy and personal data, and security of network and information systems;

(b)breaches affecting the financial interests of the Union as referred to in Article 325 TFEU and as further specified in relevant Union measures;

(c)breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

2. This Directive is without prejudice to the power of Member States to extend protection under national law as regards areas or acts not covered by paragraph 1.

Article 3 - Relationship with other Union acts and national provisions

1. Where specific rules on the reporting of breaches are provided for in the sector-specific Union acts listed in Part II of the Annex, those rules shall apply. The provisions of this Directive shall be applicable to the extent that a matter is not mandatorily regulated in those sector-specific Union acts.

2. This Directive shall not affect the responsibility of Member States to ensure national security or their power to protect their essential security interests. In particular, it shall not apply to reports of breaches of the procurement rules involving defence or security aspects unless they are covered by the relevant acts of the Union.

3. This Directive shall not affect the application of Union or national law relating to any of the following:

(a)the protection of classified information;

(b)the protection of legal and medical professional privilege;

(c)the secrecy of judicial deliberations;

(d)rules on criminal procedure.

4. This Directive shall not affect national rules on the exercise by workers of their rights to consult their representatives or trade unions, and on protection against any unjustified detrimental measure prompted by such consultations as well as on the autonomy of the social partners and their right to enter into collective agreements. This is without prejudice to the level of protection granted by this Directive.

Article 4 - Personal scope

1. This Directive shall apply to reporting persons working in the private or public sector who acquired information on breaches in a work-related context including, at least, the following:

(a)persons having the status of worker, within the meaning of Article 45(1) TFEU, including civil servants;

(b)persons having self-employed status, within the meaning of Article 49 TFEU;

(c)shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;

(d)any persons working under the supervision and direction of contractors, subcontractors and suppliers.

2. This Directive shall also apply to reporting persons where they report or publicly disclose information on breaches acquired in a work-based relationship which has since ended.

3. This Directive shall also apply to reporting persons whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations.

4. The measures for the protection of reporting persons set out in Chapter VI shall also apply, where relevant, to:

(a)facilitators;

(b)third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons; and

(c)legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.

Article 5 - Definitions

For the purposes of this Directive, the following definitions apply:

(1)‘breaches’ means acts or omissions that:

(i)are unlawful and relate to the Union acts and areas falling within the material scope referred to in Article 2; or

(ii)defeat the object or the purpose of the rules in the Union acts and areas falling within the material scope referred to in Article 2;

(2)‘information on breaches’ means information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation in which the reporting person works or has worked or in another organisation with which the reporting person is or was in contact through his or her work, and about attempts to conceal such breaches;

(3)‘report’ or ‘to report’ means, the oral or written communication of information on breaches;

(4)‘internal reporting’ means the oral or written communication of information on breaches within a legal entity in the private or public sector;

(5)‘external reporting’ means the oral or written communication of information on breaches to the competent authorities;

(6)‘public disclosure’ or ‘to publicly disclose’ means the making of information on breaches available in the public domain;

(7)‘reporting person’ means a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities;

(8)‘facilitator’ means a natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential;

(9)‘work-related context’ means current or past work activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information;

(10)‘person concerned’ means a natural or legal person who is referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated;

(11)‘retaliation’ means any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person;

(12)‘follow-up’ means any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure;

(13)‘feedback’ means the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up;

(14)‘competent authority’ means any national authority designated to receive reports in accordance with Chapter III and give feedback to the reporting person, and/or designated to carry out the duties provided for in this Directive, in particular as regards follow-up.

Article 6 - Conditions for protection of reporting persons

1. Reporting persons shall qualify for protection under this Directive provided that:

(a)they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of this Directive; and

(b)they reported either internally in accordance with Article 7 or externally in accordance with Article 10, or made a public disclosure in accordance with Article 15.

2. Without prejudice to existing obligations to provide for anonymous reporting by virtue of Union law, this Directive does not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches.

3. Persons who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protection provided for under Chapter VI, provided that they meet the conditions laid down in paragraph 1.

4. Persons reporting to relevant institutions, bodies, offices or agencies of the Union breaches falling within the scope of this Directive shall qualify for protection as laid down in this Directive under the same conditions as persons who report externally.

CHAPTER II - INTERNAL REPORTING AND FOLLOW-UP

Article 7 - Reporting through internal reporting channels

1. As a general principle and without prejudice to Articles 10 and 15, information on breaches may be reported through the internal reporting channels and procedures provided for in this Chapter.

2. Member States shall encourage reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation.

3. Appropriate information relating to the use of internal reporting channels referred to in paragraph 2 shall be provided in the context of the information given by legal entities in the private and public sector pursuant to point (g) of Article 9(1), and by competent authorities pursuant to point (a) of Article 12(4) and Article 13.

Article 8 - Obligation to establish internal reporting channels

1. Member States shall ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up, following consultation and in agreement with the social partners where provided for by national law.

2. The channels and procedures referred to in paragraph 1 of this Article shall enable the entity's workers to report information on breaches. They may enable other persons, referred to in points (b), (c) and (d) of Article 4(1) and Article 4(2), who are in contact with the entity in the context of their work-related activities to also report information on breaches.

3. Paragraph 1 shall apply to legal entities in the private sector with 50 or more workers.

4. The threshold laid down in paragraph 3 shall not apply to the entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex.

5. Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party. The safeguards and requirements referred to in Article 9(1) shall also apply to entrusted third parties operating the reporting channel for a legal entity in the private sector.

6. Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by this Directive to maintain confidentiality, to give feedback, and to address the reported breach.

7. Following an appropriate risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health, Member States may require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures in accordance with Chapter II.

8. Member States shall notify the Commission of any decision they take to require legal entities in the private sector to establish internal reporting channels pursuant to paragraph 7. That notification shall include the reasons for the decision and the criteria used in the risk assessment referred to in paragraph 7. The Commission shall communicate that decision to the other Member States.

9. Paragraph 1 shall apply to all legal entities in the public sector, including any entity owned or controlled by such entities.

Member States may exempt from the obligation referred to in paragraph 1 municipalities with fewer than 10 000 inhabitants or fewer than 50 workers, or other entities referred to in the first subparagraph of this paragraph with fewer than 50 workers.

Member States may provide that internal reporting channels can be shared between municipalities or operated by joint municipal authorities in accordance with national law, provided that the shared internal reporting channels are distinct from and autonomous in relation to the relevant external reporting channels.

Article 9 - Procedures for internal reporting and follow-up

1. The procedures for internal reporting and for follow-up as referred to in Article 8 shall include the following:

(a)channels for receiving the reports which are designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members;

(b)acknowledgment of receipt of the report to the reporting person within seven days of that receipt;

(c)the designation of an impartial person or department competent for following-up on the reports which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;

(d)diligent follow-up by the designated person or department referred to in point (c);

(e)diligent follow-up, where provided for in national law, as regards anonymous reporting;

(f)a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made;

(g)provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities pursuant to Article 10 and, where relevant, to institutions, bodies, offices or agencies of the Union.

2. The channels provided for in point (a) of paragraph 1 shall enable reporting in writing or orally, or both. Oral reporting shall be possible by telephone or through other voice messaging systems, and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.

CHAPTER III - EXTERNAL REPORTING AND FOLLOW-UP

Article 10 - Reporting through external reporting channels

Without prejudice to point (b) of Article 15(1), reporting persons shall report information on breaches using the channels and procedures referred to in Articles 11 and 12, after having first reported through internal reporting channels, or by directly reporting through external reporting channels.

Article 11 - Obligation to establish external reporting channels and to follow up on reports

1. Member States shall designate the authorities competent to receive, give feedback and follow up on reports, and shall provide them with adequate resources.

2. Member States shall ensure that the competent authorities:

(a)establish independent and autonomous external reporting channels, for receiving and handling information on breaches;

(b)promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of the report would jeopardise the protection of the reporting person's identity;

(c)diligently follow up on the reports;

(d)provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;

(e)communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;

(f)transmit in due time the information contained in the report to competent institutions, bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.

3. Member States may provide that competent authorities, after having duly assessed the matter, can decide that a reported breach is clearly minor and does not require further follow-up pursuant to this Directive, other than closure of the procedure. This shall not affect other obligations or other applicable procedures to address the reported breach, or the protection granted by this Directive in relation to internal or external reporting. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.

4. Member States may provide that competent authorities can decide to close procedures regarding repetitive reports which do not contain any meaningful new information on breaches compared to a past report in respect of which the relevant procedures were concluded, unless new legal or factual circumstances justify a different follow-up. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.

5. Member States may provide that, in the event of high inflows of reports, competent authorities may deal with reports of serious breaches or breaches of essential provisions falling within the scope of this Directive as a matter of priority, without prejudice to the timeframe as set out in point (d) of paragraph 2.

6. Member States shall ensure that any authority which has received a report but does not have the competence to address the breach reported transmits it to the competent authority, within a reasonable time, in a secure manner, and that the reporting person is informed, without delay, of such a transmission.

Article 12 - Design of external reporting channels

1. External reporting channels shall be considered independent and autonomous, if they meet all of the following criteria:

(a)they are designed, established and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access thereto by non-authorised staff members of the competent authority;

(b)they enable the durable storage of information in accordance with Article 18 to allow further investigations to be carried out.

2. The external reporting channels shall enable reporting in writing and orally. Oral reporting shall be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.

3. Competent authorities shall ensure that, where a report is received through channels other than the reporting channels referred to in paragraphs 1 and 2 or by staff members other than those responsible for handling reports, the staff members who receive it are prohibited from disclosing any information that might identify the reporting person or the person concerned, and that they promptly forward the report without modification to the staff members responsible for handling reports.

4. Member States shall ensure that competent authorities designate staff members responsible for handling reports, and in particular for:

(a)providing any interested person with information on the procedures for reporting;

(b)receiving and following up on reports;

(c)maintaining contact with the reporting person for the purpose of providing feedback and requesting further information where necessary.

5. The staff members referred to in paragraph 4 shall receive specific training for the purposes of handling reports.

Article 13 - Information regarding the receipt of reports and their follow-up

Member States shall ensure that competent authorities publish on their websites in a separate, easily identifiable and accessible section at least the following information:

(a)the conditions for qualifying for protection under this Directive;

(b)the contact details for the external reporting channels as provided for under Article 12, in particular the electronic and postal addresses, and the phone numbers for such channels, indicating whether the phone conversations are recorded;

(c)the procedures applicable to the reporting of breaches, including the manner in which the competent authority may request the reporting person to clarify the information reported or to provide additional information, the timeframe for providing feedback and the type and content of such feedback;

(d)the confidentiality regime applicable to reports, and in particular the information in relation to the processing of personal data in accordance with Article 17 of this Directive, Articles 5 and 13 of Regulation (EU) 2016/679, Article 13 of Directive (EU) 2016/680 and Article 15 of Regulation (EU) 2018/1725, as applicable;

(e)the nature of the follow-up to be given to reports;

(f)the remedies and procedures for protection against retaliation and the availability of confidential advice for persons contemplating reporting;

(g)a statement clearly explaining the conditions under which persons reporting to the competent authority are protected from incurring liability for a breach of confidentiality pursuant to Article 21(2); and

(h)contact details of the information centre or of the single independent administrative authority as provided for in Article 20(3) where applicable.

Article 14 - Review of the procedures by competent authorities

Member States shall ensure that competent authorities review their procedures for receiving reports, and their follow-up, regularly, and at least once every three years. In reviewing such procedures, competent authorities shall take account of their experience as well as that of other competent authorities and adapt their procedures accordingly.

CHAPTER IV - PUBLIC DISCLOSURES

Article 15 - Public disclosures

1. A person who makes a public disclosure shall qualify for protection under this Directive if any of the following conditions is fulfilled:

(a)the person first reported internally and externally, or directly externally in accordance with Chapters II and III, but no appropriate action was taken in response to the report within the timeframe referred to in point (f) of Article 9(1) or point (d) of Article 11(2); or

(b)the person has reasonable grounds to believe that:

(i)the breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage; or

(ii)in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

2. This Article shall not apply to cases where a person directly discloses information to the press pursuant to specific national provisions establishing a system of protection relating to freedom of expression and information.

CHAPTER V - PROVISIONS APPLICABLE TO INTERNAL AND EXTERNAL REPORTING

Article 16 - Duty of confidentiality

1. Member States shall ensure that the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This shall also apply to any other information from which the identity of the reporting person may be directly or indirectly deduced.

2. By way of derogation from paragraph 1, the identity of the reporting person and any other information referred to in paragraph 1 may be disclosed only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned.

3. Disclosures made pursuant to the derogation provided for in paragraph 2 shall be subject to appropriate safeguards under the applicable Union and national rules. In particular, reporting persons shall be informed before their identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings. When informing the reporting persons, the competent authority shall send them an explanation in writing of the reasons for the disclosure of the confidential data concerned.

4. Member States shall ensure that competent authorities that receive information on breaches that includes trade secrets do not use or disclose those trade secrets for purposes going beyond what is necessary for proper follow-up.

Article 17 - Processing of personal data

Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Any exchange or transmission of information by Union institutions, bodies, offices or agencies shall be undertaken in accordance with Regulation (EU) 2018/1725.

Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.

Article 18 - Record keeping of the reports

1. Member States shall ensure that legal entities in the private and public sector and competent authorities keep records of every report received, in compliance with the confidentiality requirements provided for in Article 16. Reports shall be stored for no longer than it is necessary and proportionate in order to comply with the requirements imposed by this Directive, or other requirements imposed by Union or national law.

2. Where a recorded telephone line or another recorded voice messaging system is used for reporting, subject to the consent of the reporting person, legal entities in the private and public sector and competent authorities shall have the right to document the oral reporting in one of the following ways:

(a)by making a recording of the conversation in a durable and retrievable form; or

(b)through a complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.

Legal entities in the private and public sector and competent authorities shall offer the reporting person the opportunity to check, rectify and agree the transcript of the call by signing it.

3. Where an unrecorded telephone line or another unrecorded voice messaging system is used for reporting, legal entities in the private and public sector and competent authorities shall have the right to document the oral reporting in the form of accurate minutes of the conversation written by the staff member responsible for handling the report. Legal entities in the private and public sector and competent authorities shall offer the reporting person the opportunity to check, rectify and agree the minutes of the conversation by signing them.

4. Where a person requests a meeting with the staff members of legal entities in the private and public sector or of competent authorities for reporting purposes pursuant to Articles 9(2) and 12(2), legal entities in the private and public sector and competent authorities shall ensure, subject to the consent of the reporting person, that complete and accurate records of the meeting are kept in a durable and retrievable form.

Legal entities in the private and public sector and competent authorities shall have the right to document the meeting in one of the following ways:

(a)by making a recording of the conversation in a durable and retrievable form; or

(b)through accurate minutes of the meeting prepared by the staff members responsible for handling the report.

Legal entities in the private and public sector and competent authorities shall offer the reporting person the opportunity to check, rectify and agree the minutes of the meeting by signing them.

CHAPTER VI - PROTECTION MEASURES

Article 19 - Prohibition of retaliation

Member States shall take the necessary measures to prohibit any form of retaliation against persons referred to in Article 4, including threats of retaliation and attempts of retaliation including in particular in the form of:

(a)suspension, lay-off, dismissal or equivalent measures;

(b)demotion or withholding of promotion;

(c)transfer of duties, change of location of place of work, reduction in wages, change in working hours;

(d)withholding of training;

(e)a negative performance assessment or employment reference;

(f)imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty;

(g)coercion, intimidation, harassment or ostracism;

(h)discrimination, disadvantageous or unfair treatment;

(i)failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment;

(j)failure to renew, or early termination of, a temporary employment contract;

(k)harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;

(l)blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;

(m)early termination or cancellation of a contract for goods or services;

(n)cancellation of a licence or permit;

(o)psychiatric or medical referrals.

Article 20 - Measures of support

1. Member States shall ensure that persons referred to in Article 4 have access, as appropriate, to support measures, in particular the following:

(a)comprehensive and independent information and advice, which is easily accessible to the public and free of charge, on procedures and remedies available, on protection against retaliation, and on the rights of the person concerned;

(b)effective assistance from competent authorities before any relevant authority involved in their protection against retaliation, including, where provided for under national law, certification of the fact that they qualify for protection under this Directive; and

(c)legal aid in criminal and in cross-border civil proceedings in accordance with Directive (EU) 2016/1919 and Directive 2008/52/EC of the European Parliament and of the Council (48), and, in accordance with national law, legal aid in further proceedings and legal counselling or other legal assistance.

2. Member States may provide for financial assistance and support measures, including psychological support, for reporting persons in the framework of legal proceedings.

3. The support measures referred to in this Article may be provided, as appropriate, by an information centre or a single and clearly identified independent administrative authority.

Article 21 - Measures for protection against retaliation

1. Member States shall take the necessary measures to ensure that persons referred to in Article 4 are protected against retaliation. Such measures shall include, in particular, those set out in paragraphs 2 to 8 of this Article.

2. Without prejudice to Article 3(2) and (3), where persons report information on breaches or make a public disclosure in accordance with this Directive they shall not be considered to have breached any restriction on disclosure of information and shall not incur liability of any kind in respect of such a report or public disclosure provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach pursuant to this Directive.

3. Reporting persons shall not incur liability in respect of the acquisition of or access to the information which is reported or publicly disclosed, provided that such acquisition or access did not constitute a self-standing criminal offence. In the event of the acquisition or access constituting a self-standing criminal offence, criminal liability shall continue to be governed by applicable national law.

4. Any other possible liability of reporting persons arising from acts or omissions which are unrelated to the reporting or public disclosure or which are not necessary for revealing a breach pursuant to this Directive shall continue to be governed by applicable Union or national law.

5. In proceedings before a court or other authority relating to a detriment suffered by the reporting person, and subject to that person establishing that he or she reported or made a public disclosure and suffered a detriment, it shall be presumed that the detriment was made in retaliation for the report or the public disclosure. In such cases, it shall be for the person who has taken the detrimental measure to prove that that measure was based on duly justified grounds.

6. Persons referred to in Article 4 shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with national law.

7. In legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or for compensation claims based on private, public, or on collective labour law, persons referred to in Article 4 shall not incur liability of any kind as a result of reports or public disclosures under this Directive. Those persons shall have the right to rely on that reporting or public disclosure to seek dismissal of the case, provided that they had reasonable grounds to believe that the reporting or public disclosure was necessary for revealing a breach, pursuant to this Directive.

Where a person reports or publicly discloses information on breaches falling within the scope of this Directive, and that information includes trade secrets, and where that person meets the conditions of this Directive, such reporting or public disclosure shall be considered lawful under the conditions of Article 3(2) of the Directive (EU) 2016/943.

8. Member States shall take the necessary measures to ensure that remedies and full compensation are provided for damage suffered by persons referred to in Article 4 in accordance with national law.

Article 22 - Measures for the protection of persons concerned

1. Member States shall ensure, in accordance with the Charter, that persons concerned fully enjoy the right to an effective remedy and to a fair trial, as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file.

2. Competent authorities shall ensure, in accordance with national law, that the identity of persons concerned is protected for as long as investigations triggered by the report or the public disclosure are ongoing.

3. The rules set out in Articles 12, 17 and 18 as regards the protection of the identity of reporting persons shall also apply to the protection of the identity of persons concerned.

Article 23 - Penalties

1. Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that:

(a)hinder or attempt to hinder reporting;

(b)retaliate against persons referred to in Article 4;

(c)bring vexatious proceedings against persons referred to in Article 4;

(d)breach the duty of maintaining the confidentiality of the identity of reporting persons, as referred to in Article 16.

2. Member States shall provide for effective, proportionate and dissuasive penalties applicable in respect of reporting persons where it is established that they knowingly reported or publicly disclosed false information. Member States shall also provide for measures for compensating damage resulting from such reporting or public disclosures in accordance with national law.

Article 24 - No waiver of rights and remedies

Member States shall ensure that the rights and remedies provided for under this Directive cannot be waived or limited by any agreement, policy, form or condition of employment, including a pre-dispute arbitration agreement.

CHAPTER VII - FINAL PROVISIONS

Article 25 - More favourable treatment and non-regression clause

1. Member States may introduce or retain provisions more favourable to the rights of reporting persons than those set out in this Directive, without prejudice to Article 22 and Article 23(2).

2. The implementation of this Directive shall under no circumstances constitute grounds for a reduction in the level of protection already afforded by Member States in the areas covered by this Directive.

Article 26 - Transposition and transitional period

1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 17 December 2021.

2. By way of derogation from paragraph 1, as regards legal entities in the private sector with 50 to 249 workers, Member States shall by 17 December 2023 bring into force the laws, regulations and administrative provisions necessary to comply with the obligation to establish internal reporting channels under Article 8(3).

3. When Member States adopt the provisions referred to in paragraphs 1 and 2, those provisions shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made. They shall forthwith communicate to the Commission the text of those provisions.

Article 27 - Reporting, evaluation and review

1. Member States shall provide the Commission with all relevant information regarding the implementation and application of this Directive. On the basis of the information provided, the. Commission shall, by 17 December 2023, submit a report to the European Parliament and the Council on the implementation and application of this Directive.

2. Without prejudice to reporting obligations laid down in other Union legal acts, Member States shall, on an annual basis, submit the following statistics on the reports referred to in Chapter III to the Commission, preferably in an aggregated form, if they are available at a central level in the Member State concerned:

(a)the number of reports received by the competent authorities;

(b)the number of investigations and proceedings initiated as a result of such reports and their outcome; and

(c)if ascertained, the estimated financial damage, and the amounts recovered following investigations and proceedings, related to the breaches reported.

3. The Commission shall, by 17 December 2025, taking into account its report submitted pursuant to paragraph 1 and the Member States' statistics submitted pursuant to paragraph 2, submit a report to the European Parliament and to the Council assessing the impact of national law transposing this Directive. The report shall evaluate the way in which this Directive has functioned and consider the need for additional measures, including, where appropriate, amendments with a view to extending the scope of this Directive to further Union acts or areas, in particular the improvement of the working environment to protect workers' health and safety and working conditions.

In addition to the evaluation referred to in the first subparagraph, the report shall evaluate how Member States made use of existing cooperation mechanisms as part of their obligations to follow up on reports regarding breaches falling within the scope of this Directive and more generally how they cooperate in cases of breaches with a cross-border dimension.

4. The Commission shall make the reports referred to in paragraphs 1 and 3 public and easily accessible.

Article 28 - Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 29 - Addressees

This Directive is addressed to the Member States.