Better Protection of Persons When Disclosing Breaches in the Workplace
Author: Nina Ličen
The Whistleblower Protection Act (“ZZPri”) was adopted by the National Assembly on 27 January 2023 and has been in force since 22 February 2023. It transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“Directive 2019/1937/EU”) into the Slovenian legal order.
The ZZPri sets out (i) the methods and procedures for reporting breaches of the regulations in force in the Republic of Slovenia, namely for breaches of which individuals become aware in the work environment; (ii) the manner in which a report is handled and the protection available to an individual who reports or publicly discloses information about a breach; (iii) the powers of the Commission for the Prevention of Corruption and (iv) the protective and supportive measures for preventing or eliminating retaliation.
A natural person who reports or publicly discloses information about a breach obtained in their work environment enjoys protection under the ZZPri. The report must be made either as an internal report or an external report, or as a public disclosure of a breach, and the whistleblower must have reasonable grounds to believe that the information provided is accurate. An additional condition for eligibility for protection is that the report must be made within 2 years of the cessation of the breach. In addition to the whistleblower, intermediaries or related parties are also protected if they would also face retaliation.
Below, I briefly summarise the key highlights of each of the channels for reporting breaches under the ZZPri:
The following entities are obliged to set up an internal reporting channel:
- public and private sector entities with 50 or more employees;
- entities with fewer than 50 employees but at least 10 employees if their main registered activity is in the specific fields of health, waste, water, raw materials and environmental remediation;
- certain public sector bodies, units, services, etc.; and
- private sector entities with fewer than 50 employees, where they are required to do so by Slovenian law or directly applicable European Union regulations relating to financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety and environmental protection.
The way in which an internal report is made and the procedure for handling internal reports must be laid down by the obliged entities in an internal act, which must be easily accessible and transparent. Crucially, obliged entities should specify (i) the contact details for receiving reports; (ii) the measures to prevent the identity of the whistleblower from being disclosed and (iii) a trustee. The procedure for handling the report should ensure the completeness, integrity and confidentiality of the information and prevent unauthorised persons of the obliged entity from gaining access to the content of the report, information about the whistleblower and about the persons concerned by the report.
In order to protect whistleblowers to the greatest extent possible, the obliged entity is, inter alia, required to appoint a trustee whose role is to examine and deal with the report of breaches and to provide information to the whistleblower, such as information on retaliation, protection, other procedures, etc. The trustee is obliged to complete the examination of the report within 3 months of its receipt. The trustee has to write a notification on the report and inform the whistleblower of the outcome of the procedure.
By 1 March of the current year, the obliged entity must report to the Commission for the Prevention of Corruption on the number of anonymous and substantiated reports received and the number of retaliatory measures dealt with.
Deadlines for Setting up an Internal Reporting Channel
Private sector obliged entities with 250 or more employees and public sector obliged entities must set up internal reporting channels within 90 days after the ZZPri enters into force, i.e., by 23 May 2023.
However, private sector obliged entities with up to 249 employees must have internal reporting channels in place by 17 December 2023.
The whistleblower also has the possibility to submit a report through an external channel in cases where: i) there is no internal channel for reporting; ii) the internal report could not be dealt with in an effective manner or iii) the whistleblower considers that there is a risk of retaliation in the case of an internal report.
The ZZPri lists 24 authorities to which a whistleblower may submit an external report. The whistleblower has to submit an external report to the external reporting body which is competent to deal with the reported breach in accordance with its competences and tasks, or, if there is no such body, to the Commission for the Prevention of Corruption. Even in cases where the whistleblower submits a report to a non-competent external reporting body, the latter shall refer the report to the authority competent to deal with the breach.
Key information on how to make an external report (e.g., contact details of the notifying officers, reporting procedure, etc.) should be available on the authority’s website.
The external reporting body must inform the whistleblower about the receipt of the external report and process it in accordance with the external reporting body’s competence, in the manner and according to the procedure laid down in the sectoral regulations. The whistleblower must be informed when the procedure is completed and provided with information on its outcome.
If the whistleblower is threatened with or has already been subject to retaliation, the external report officer must advise the whistleblower on the protection and legal options available to them and assist them in administrative and judicial proceedings for retaliation.
Public Disclosure of Breaches
Public disclosure means making information about a breach in the workplace available to the public. Not all public disclosures provide protection to the whistleblower under the ZZPri. In fact, a whistleblower is only entitled to protection due to a public disclosure if (i) the whistleblower has first made an internal or external report and no appropriate action has been taken to remedy the breach within 3 months or (ii) the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or apparent danger to the public interest, life, public health and safety, a risk of irreparable harm or a risk of retaliation in the case of an external report, or, due to the particularities of the case, there is little prospect of the breach being properly dealt with.
Mechanisms to Protect Whistleblowers
The ZZPri also introduces various mechanisms to protect whistleblowers.
In order to protect the whistleblower to the greatest extent possible, the ZZPri prohibits the disclosure of the whistleblower’s identity without their express consent. Such a prohibition also applies to any other information from which the identity of the whistleblower could be established, directly or indirectly. However, the whistleblower’s identity may be disclosed to a trustee, to an external reporting body, when necessary for the investigation of criminal offences, at the request of a public prosecutor or for the purposes of legal proceedings. The employer must not be allowed to inquire about the identity of the whistleblower.
The ZZPri prohibits retaliatory measures against whistleblowers, such as dismissal, demotion, reduction of work commitments, low performance rating, disciplinary action, discrimination, etc.
Other safeguards available to whistleblowers include (i) exclusion of the whistleblower’s liability; (ii) judicial protection and interim injunctions in the event of retaliation; (iii) free legal aid; (iv) unemployment benefits and (v) psychological help.
The ZZPri provides for fines in cases of breaches by either the whistleblower or the obliged entities.
A fine between EUR 400 and EUR 1,200 is imposed on any whistleblower who knowingly declares or publicly discloses false information.
Fines are imposed for systemic offences, which include the following breaches: (i) failure to establish an internal reporting channel; (ii) failure to describe the reporting channel in an internal act or (iii) failure to report to the Commission for the Prevention of Corruption within the deadline. Minor offences include (i) inquiring about the identity of a whistleblower, intermediary or related person and (ii) threatening or attempting to retaliate. The actual execution of the retaliatory measure is considered a more serious offence.
The fines for obliged entities vary according to the size of the company and the seriousness of the offence, but generally range from EUR 2,000 to EUR 60,000, and from EUR 1,000 to EUR 15,000 for sole traders or self-employed individuals. For a responsible person of a legal person, a responsible person of a sole proprietor or a self-employed individual, a responsible person of a state body or a self-governing local authority, the fine ranges from EUR 300 to EUR 2,500. A fine between EUR 300 and EUR 2,500 is imposed on an individual who discloses information about the whistleblower, related persons or an intermediary.