In this blog post, Legal Business Partner Salha Hanna will share with you the need-to-know essentials of the Finnish national implementation of the EU Whistleblower Protection Directive and explain the action required of Finnish companies in practice.

You may have heard about the upcoming obligation for companies within the EU to establish an internal whistleblowing channel. This is due to the EU Whistleblower Protection Directive (Directive 2019/1937/EU), which is to be implemented into national law by 17 December 2021. On 2 July, a draft legislative proposal for implementing the Directive was published by the Ministry of Justice in Finland. The new Finnish Whistleblower Protection Act will immediately upon its enactment be applicable to organizations with at least 250 workers. Smaller organizations with 50-249 workers will benefit from a transitional period of two years.

Choosing the right solution for implementing the internal reporting channel is one thing, but another important consideration for ensuring cost-efficient compliance with legal obligations is understanding what the actual underlying requirements are. In this blog post, we will take a closer look at the proposed Act and explain the action that Finnish organizations will need to take in practice.

What is the Whistleblower Protection Act all about?

In short, the Whistleblower Protection Act provides for a three-layered system for reporting breaches of EU law and policies and protecting reporters of such breaches. On the first level, there is a general obligation for organizations with 50+ workers to establish internal reporting channels. A corporate group may also organize the channel on the group level, as long as the channel is available to all individual group companies’ stakeholders. On the second level, if internal reporting is impossible or impracticable (e.g. for fear of retaliation), the breach may be reported to an external channel upheld by a competent authority, which is proposed to be the Chancellor of Justice in Finland. On the third level, as a last resort, the reporter may finally report the breach in question publicly.

The reporting channel is intended for reporting serious breaches that are either unlawful (and can lead to sanctions) or may otherwise severely jeopardize the attainment of public interest objectives. The scope of reporting is, perhaps a little surprisingly, restricted to certain topics, such as breaches in the fields of financial services, protection of the environment, consumer protection, data protection and cybersecurity, competition law and tax evasion. Employment-related matters, occupational health and safety issues, as well as personal grievances in the workplace, have been excluded from the scope and are to be handled in other internal and authority processes.

Organizations must protect the whistleblowers against all direct and indirect retaliation. Firstly, the confidentiality of the whistleblower’s identity must be guaranteed throughout the process, and secondly, certain protective measures are offered by the Act to guarantee the adequate protection of whistleblowers. The proposed Whistleblower Protection Act, however, only protects persons who report violations in good faith, meaning persons who have reasonable grounds to believe that the matters reported by them are true.

Of course, despite the abovementioned limitations of scope, an organization may nevertheless encourage stakeholders to report other types of breaches as well, such as breaches against corporate policies or discriminatory practices at the workplace. A private organization may also choose to provide appropriate protection for the whistleblowers under their own internal policies. This allows the company to also maximize its own benefits from the implementation of the reporting obligations.

Who can report breaches?

The expression used in the Directive is “worker”, rather than “employee”. The expression includes not only employees, but also e.g. agency workers, interns, freelancers, contractors and consultants working for the benefit of the organization. However, the Finnish legislator has taken the standpoint that a private organization is only obligated to allow internal reporting for persons with formal employee status (or civil servants in the case of public authorities).

In the end, it is up to each organization to decide on who to open the channel for. If internal reporting is not available to a worker, they will nevertheless have the possibility to report breaches to authorities via the external channel. Therefore, to ensure it receives meaningful reports and is the first to receive reports of possible breaches, it may be more beneficial for the company to make the channel more broadly available to different stakeholders than absolutely required by law.

What needs to be done to reach compliance?

As always in compliance matters, there are several ways to reach the desired outcome. Organizations should choose the way that best suits their culture, regulatory environment, and budget. Here are some things to consider when establishing an internal whistleblower channel:

    1. Choose a suitable channel. The proposed Act does not specify the means of reporting to be used. Legally speaking, a physical (locked!) letterbox, a secured email or a telephone hotline to a nominated manager may be as compliant as a special SaaS solution designed for the purpose (there are quite a few on the market). In addition to the cost, you should also consider the message you wish to convey to your employees and other stakeholders, as well as the security and confidentiality of the reporting. For the whistleblowing channel to be efficient, the stakeholders must feel comfortable and secure in using the channel.
    2. Adapt your existing channel to meet the new requirements. If a whistleblower channel already exists in your organization, you should map out the new requirements introduced by the Act and adapt the channel to meet the new regulatory requirements. If you rely on a service provider, they may even offer an update for your existing channel on their own initiative. Since the reporting does not only consist of the technical solution, but also of the processes around it, it is advisable to perform a gap analysis between the existing solution and the desired outcome to identify the compliance gaps. The analysis can be carried out either internally or with the assistance of external consultants.
    3. Determine where the channel is to be available and who can report. As explained above, the proposed Whistleblower Protection Act only requires the channel to be provided to formal employees, so access to the channel or the contact details of the person responsible for receiving reports may well be made available in the organization’s intranet or similar platform accessible to the entire personnel. Some organizations have also chosen to make the channel available on their public website, giving other stakeholders, such as former employees, customers, or job seekers, the opportunity to report potential breaches as well.
    4. Design the processes around the channel. While setting up the channel is a good start, the work doesn’t end there. An organization must design and implement processes for deploying and maintaining the channel, as well as handling the reports in a confidential, yet effective manner. The allocation of responsibilities and the management’s access to meaningful information must be ensured. Who receives the reports? How is the reporter able to follow the progress of their report? How is the investigation conducted and when is the matter resolved?
    5. Conduct a Data Protection Impact Assessment (DPIA). As per the Data Protection Ombudsman’s decision, a data protection impact assessment (DPIA) must be performed before introducing a channel, as the whistleblowing channel is considered to inherently “include high risks to the rights and freedoms of natural persons” (GDPR Art. 35). A DPIA is a process for systematically identifying and managing data protection risks, in connection with which risks to the reporters, risks to the subjects of the reported violations, and risks to other persons (e.g. impacts on the family members of the “suspects”) should all be considered.
    6. Inform, consult and train your personnel. The successful implementation of a whistleblowing channel requires the personnel to be appropriately informed and trained. Prior to implementing an internal whistleblowing channel, it must also be discussed in the co-operation procedure, where the personnel’s views can be taken into consideration. Involving the personnel in the process and genuinely addressing their potential concerns is crucial for building trust and promoting the use of the channel.

All in all, compliance with the Whistleblower Protection Act requires developing the corporate culture towards transparency and openness. Establishing and upholding the channel also requires multi-disciplinary co-operation within the organization, as the reporting channel is linked to compliance, information security and data protection, employment law, and (impartial) investigation of reported breaches.


Should you wish to discuss these topics further or need help with the implementation of an internal whistleblower channel, please don’t hesitate to contact us. The CVs and contact details of our lawyers are available here.