Menu
De Groote De Man

The new whistleblower law: what does it entail?

Blog
25 October 2023

With the new Belgian legislation, large companies must allow employees to report wrongdoing internally without being sanctioned by Dec. 17, 2023, at the latest.
Our experts can help implement a whistleblower policy and set up internal reporting channels.

Ready, set, blow! Urgent action points under the new Belgian Whistleblower Act

In an era when transparency and ethics are held in high regard, Belgium recently took an important step in protecting so-called whistleblowers or “whistleblowers” within companies. You know the term from a few employees who exposed abuses within their organizations. Think of Edward Snowden at the NSA, Christopher Wylie at Cambridge Analytica or Frances Haugen, known for raising the alarm at Facebook and leaking thousands of documents.

With the new Belgian legislation, large companies must, by Dec. 17, 2023 at the latest, allow their employees to report abuses internally without being sanctioned. In other words, another deadline to comply with a new regulation is already approaching for these companies. In this blog, we discuss the key points of this legislation, the steps you need to take and how we can help.

The new whistleblower law: what does it entail?

On Nov. 28, 2022, the Belgian legislature passed a law regarding the protection of whistleblowers who report regulatory violations within private entities. The law implements an earlier European Directive and came into force on Feb. 16, 2023. It applies to the private sector and forms the basis for the introduction of a low-threshold whistleblower system in every company with more than 50 employees in Belgium. Reporting systems previously established by companies remain valid but must be brought into compliance with the law.

Specifically, companies must set up at least one internal reporting channel through which employees in the broad sense (this includes, for example, job applicants, management, subcontractors, etc.) can report illegal or fraudulent behavior within the company. The law cites various topics for which those involved can make a report. These include breaches of cyber security, privacy, (tax) fraud, money laundering, product safety, environmental protection, and so on. Naturally, it is crucial for a whistleblower policy that such a report is made in complete confidentiality: throughout the entire procedure, the identity of the person making the report, the person to whom the report relates and others involved must be kept secret at all times. For companies with more than 250 employees, it is even compulsory to report anonymously.

In each company, someone must also be designated as the so-called “reporting manager.” This person is responsible for receiving reports confidentially and to start investigating them internally. Setting up an internal reporting channel and appointing a reporting manager should not remain a mere formality. Therefore, the law prescribes a further procedure to be followed when a report is made internally.

Furthermore, under the law, employees are also free, depending on the type of breach, to go externally to report to the competent authorities (e.g. FSMA, Data Protection Authority, etc.) or to the Federal Ombudsman. Under certain conditions under this law, an employee may even consider going to the press.

Crucially, the law expressly prohibits the company from retaliating or imposing sanctions against an employee who has made a reasonable report, as well as family members or colleagues who helped the employee do so. For example, the company may not suspend, demote or impose any other adverse action on the employee merely because of a report the employee made about a supervisor committing fraud. If a company retaliates against a whistleblower, the latter may seek damages of up to 26 weeks’ wages.

For companies with 250 employees or more, the law’s provisions on internal reporting and follow-up have already applied since the law went into effect Feb. 16, 2023. Companies with 50 to 249 employees still have until Dec. 17, 2023, to establish internal channels that are in line with the law. That makes for a tight deadline for companies to set up their whistleblower systems.

The five steps every company should take:

  1. Set up an internal reporting channel: Companies with more than 50 employees are required to set up internal reporting channels through which a whistleblower can confidentially make a report. This can be by mail, via a secure email address, for example, but also by phone, in a confidential meeting or even via an online portal on the company’s website. The law also allows internal reporting channels to be outsourced to external parties, so they may be more inclined to make a report confidentially. However, it does require that before setting up channels, employers consult with social partners (if there are any within the company, such as the works council) on the matter.
  2. Designate an independent hotline: Companies should internally designate a reporting manager responsible for receiving and confidentially following up on reports. This hotline should be independent and should be adequately resourced. This can be an individual or sector (e.g. HR). To ensure complete independence, the law also allows this to be outsourced to an external partner.
  3. Establish a whistleblower policy: Companies must establish and distribute a clear and accessible whistleblower policy to their employees. This policy should describe the procedure for reporting wrongdoing through the customary internal channels and ensure that whistleblowers are treated confidentially. This can take the form of a policy but does not have to be included in the labor regulations. That way, the same policy immediately applies to independent employees, for example.
  4. Keep a report register: The law requires every company to keep a record of every report received. Reports must be kept throughout the entire contractual relationship with the employee-reporter in question.
  5. Comply with data protection legislation: When dealing with reports, the hotline will process personal data of the person making the report, persons who have helped the person making the report and persons who may be affected by the report. Companies should therefore protect this data adequately and keep it confidential, given the sensitive nature of the matter. If necessary, the privacy policy and the processing register will have to be updated and it may even be advisable to check whether or not a DPIA is required

Better blown hard than burned mouth: don’t wait to act!

As a company in Belgium, it is crucial to take the new whistleblower legislation seriously and take appropriate and timely measures to comply. Those who fail to set up the necessary internal channels or appoint a reporting manager in a timely manner risk, among other things, heavy fines.

Moreover, the new legislation is an important step toward creating a healthier business environment. Compliance with this whistleblower legislation is not only required by law, but it can also contribute to a positive corporate culture and enhance the company’s reputation.

Implementation of a whistleblower policy.

  • Our experts can help implement a whistleblower policy and set up internal reporting channels.
  • De Groote – De Man itself also acts as an internal reporting channel and/or reporting manager for various companies.
  • In addition, we provide internal training to make employees aware of their rights and obligations under the new legislation.
  • Finally, in the event of a report, we can assist you in conducting an internal investigation and managing any disputes that may arise.

Contact our experts.

Written by

Lars Vandecasteele

Mr. Lars Vandecasteele is advocaat Data, Tech & Entertainment.