At Machas & Partners we proudly introduce our new Information Guide on the Protection of Persons reporting Violations of EU Law, according to Law 4990/2022.
Our holistic approach to the issue is aimed at protecting individuals who act as “whistleblowers of public interest” by reporting violations of EU law. We understand that reporting such violations can be a scary prospect, especially when it involves one’s workplace, and that is why we have created this guide. Maria Antoniadou, Managing Partner, Anastasia Karantana, Senior Associate and Sofia Chrysakopoulou, Associate from our firm’s Civil law team, author this Information Guide presenting all aspects of the law and furthermore what can be done as to prevent and deter violations of EU law that harm the public interest and consolidate trust in the system.
Read the full Information Guide on the Protection of Persons reporting Violations of EU Law, as follows.
By law 4990/2022 (Government Gazette A’ 210/11.11.2022), which incorporated EU Directive 1937/2019, the issue of protecting persons reporting violations of EU law is addressed. These individuals act as “whistleblowers of public interest”. Specifically, individuals who work for a public or private organization or who are in a professional relationship with such an organization within the scope of their work activities are often the ones who identify existing or imminent breaches of legal obligations by the organization itself or its personnel, detrimental to public interest. However, due to fear of retaliation, reporting such violations is not a common occurrence.
The contribution to compliance with Law 4808/2021 for the elimination of violence and harassment in the workplace, as well as the promotion of the independence, impartiality, and transparency of the relevant Authority, is by no means negligible, enhancing its compliance with the established legislative framework.
The desired goals of implementing the evaluated regulation are:
→ To encourage individuals who have become aware of an event or information that constitutes or may constitute a violation of EU law to report it to the competent authorities.
→ To establish an effective framework for protecting individuals who report violations of EU law, so that these individuals can safely report violations of the legislation.
→ To strengthen the framework for protecting employees who report violations of the law by prohibiting the imposition of possible sanctions.
→ To prevent and deter violations of EU law that distort free competition or harm the public interest.
→ To consolidate the sense of trust of those who wish to report violations of EU law.
What is the scope of application in substance?
The provisions of the Law apply for the protection of persons who report or disclose:
● violations of Union law, as specifically defined in Part I of the Annex to the Law, in the areas of:
1. public contracts,
2. financial services, products and markets, as well as the prevention of money laundering and terrorist financing,
3. safety and conformity of products,
4. transport safety,
5. environmental protection,
6. protection against radiation and nuclear safety,
7. food and feed safety, as well as animal health and welfare,
8. public health,
9. consumer protection,
10. protection of privacy and personal data, as well as the security of network and information systems,
● violations affecting the financial interests of the Union under Article 325 of the Treaty on the Functioning of the European Union (TFEU),
● violations relating to the internal market, as referred to in Article 26(2) TFEU, including violations of Union rules on competition and State aid, violations concerning the internal market relating to acts that infringe the rules on corporate taxation or settlements, the purpose of which is to secure a tax advantage that defeats the object or purpose of the applicable legislation on corporate taxation.
Note: the scope does not include violations relating to defense or security issues.
Which individuals are covered by the protection mechanism introduced by the evaluated regulation?
In order to increase the provided protection, it is observed that the personal scope of application is particularly wide. The evaluated regulation applies to whistleblowers who are employed in both the public and private sectors and have obtained information about violations in the course of their work. The law adopts a broad definition of the term “worker,” including every worker, regardless of whether their employment is full-time or part-time, permanent or seasonal, or if they are seconded from another entity, every non-employee, self-employed person or consultant, every worker working from home, every shareholder and person belonging to the administrative, managerial or supervisory body of a company, including non-executive members, volunteers, paid or unpaid trainees, and any person working under the supervision and instructions of contractors, subcontractors and suppliers.
Additionally, in the personal scope of application of the law, any person who, without having the status of “employee”, is likely to acquire information about violations during the exercise of their activities, becomes vulnerable and exposed to various forms of retaliation if they report or disclose such violations. By analogy, the protection provided extends to cases where individuals report or disclose public information about violations that have been acquired within the framework of an employment relationship that is either inactive, expired, or has not yet started.
Finally, protection is provided against retaliation, which is not only exercised directly against the reporting individuals themselves but also indirectly against intermediaries, third parties such as colleagues or relatives of the reporting individuals, and legal entities that belong to the reporting individuals, such as personal businesses or legal entities of their interests or legal entities with which the reporting individuals are connected through an employment relationship.
Under what conditions is protection provided to those reporting violations?
Reporters are entitled to protection if at the time of the report they had reasonable grounds, which create a justified belief, that the information they acquired was true at the time of the report and fell within the scope of the Law.
In addition, reporters should have transmitted the information through one of the channels provided for in Directive (EU) 2019/1937, as incorporated into national law.
What categories of reports are provided for in the Law?
A) The procedure for internal reporting is determined, which involves the internal submission, receipt, monitoring either in writing or orally – via telephone or other voice messaging systems, and through personal meetings with the Reporting and Monitoring Officer (RMO) of a legal entity in the public or private sector.
The obligation of both public and private sector entities, which employ personnel from fifty (50) employees, to appoint RMOs regarding violations falling within the scope of the Law is legislatively regulated. For the private sector, the number of personnel is determined independently of the nature of their activities and the duration of each employee’s employment within the year.
For public sector entities that employ up to forty-nine (49) employees, the Integrity Advisor under Article 23 of Law 4795/2021 or the supervising Ministry’s Integrity Advisor exercises the responsibilities of the Ministry of Administrative Reconstruction. In contrast, private sector entities that employ less than fifty (50) employees do not have a corresponding obligation, but they can appoint an Integrity Advisor. If the latter do not appoint someone as an Integrity Advisor, the report can be submitted to the National Transparency Authority (NTA).
As an exception, regarding private sector entities that operate in the financial services, products and markets, transportation, and environment sectors, entities that operate based on an environmental terms approval decision, or whose activities can by their nature pose a risk to the environment and public health, are obliged to appoint an Integrity Advisor regardless of the number of employees they employ.
Therefore, a plethora of legal entities and organizations must comply with the requirements of the above-mentioned law, including Local Government Authorities, insurance companies, hospitals, pharmaceutical companies, banks and financial service providers, telecommunications providers, associations and institutions, non-governmental organizations (NGOs), and others.
Regarding the Receiver and Monitor of Reports, it is stipulated that their term lasts at least one calendar year, while there is the possibility of early termination for an important reason. As for the private sector, the Receiver and Monitor of Reports can be either an employee of the entity or a third party. The “impartial person” who handles the report must be a person with a role and training relevant to legal compliance. However, the company should carefully examine the identity, experience, and duties of this person in order to avoid possible conflicts of interest or potential impediments to their appointment (such as pending criminal prosecution or conviction for crimes and other offenses, disciplinary misconduct, being on leave or availability).
B) The process of external reporting is established, which consists of providing information about violations to the National Transparency Authority through oral means – via telephone or other voice messaging systems and through personal meetings – or in writing, or through an electronic platform. In other words, the NTA is established as an external reporting channel, which functions as the competent authority for receiving, managing, and monitoring reports submitted to it directly.
-> In how much time should a report be examined?
After receiving a report, confirmation of receipt must be provided within 7 working days. Then, the Ministry of Environment and Energy or the Independent Authority for Public Revenue (IAPR) is obliged to monitor the report, provide the reporter with updates on the actions being taken, and respond within a reasonable period of time, which shall not exceed 3 months from the confirmation of receipt. If no confirmation has been sent to the reporter, the three-month period begins after the end of the 7 working days from the submission of the report.
Note: Failure to meet these deadlines gives the person who submitted the complaint the opportunity to benefit from protection as a whistleblower, even if they disclose their complaint. Therefore, strict compliance with the deadlines is important.
C) Refers to the law and the case of Public Disclosure, where it concerns the direct dissemination of information to the public regarding violations, especially through mass media and online platforms.
Individuals who make public disclosures are entitled to protection in the following cases:
1. The person first reported internally to the Ministry of Public Administration and Governance or the Ombudsman, or directly to the Independent Authority for Public Revenue (IAPR), but no appropriate action was taken within the prescribed time limits.
2. The person has reasonable grounds to believe that the violation constitutes a danger to the public interest, or there is a state of emergency or a risk of irreparable harm, or in the case of reporting to the IAPR, a risk of reprisals, or a low prospect of effective redress of the violation due to the particular circumstances of the case.
Are regulations foreseen concerning the obligation of confidentiality and the lawful processing of personal data?
As a rule, the identity of the reporter shall not be disclosed unless consent is provided by the reporter (obligation of confidentiality). The identity of the reporter is disclosed only in exceptional cases when it constitutes a necessary and proportionate obligation imposed by legislation, in the context of investigations or judicial proceedings, after written notification to the reporter, who has the opportunity to submit written comments.
In addition, regulations are foreseen regarding the lawful processing of personal data in accordance with Regulation 2016/679 of the European Parliament and of the Council and Law 4624/2019. In any case, the data controller is obliged, before the start of the processing, to provide general information to the data subjects regarding the processing of their personal data. Any processing of personal data, including the exchange or transmission of personal data by the competent authorities, must take into account the General Data Protection Regulation (GDPR). Finally, there is a special obligation based on the principles of “data minimization” and “limited storage”. The obligation to keep a file of reports by the competent authorities is provided for, for a reasonable period of time, in order to be retrievable, and in any case until the completion of each investigation or judicial process.
What are the measures for the protection of the reporting individuals?
1. Prohibition of retaliation: all forms of retaliation, retaliatory actions, and harmful actions against the reporter, whether they come from the employer or third parties, are prohibited. The prohibited retaliatory actions include but are not limited to termination, dismissal, denial of promotion, salary reduction, change of working hours, negative evaluation, harassment, intentional harm, defamation, etc.
2. Protection measures against retaliation: the responsibility of the reporter regarding the acquisition or access to information is lifted, provided that the acquisition or access does not constitute a separate criminal offense. The responsibility of the reporter for violating criminal, administrative, or civil law provisions that prevent reporting is also lifted if they had reasonable grounds to believe that the report/public disclosure was necessary to expose the violation. Procedural safeguards are provided for the protection of the reporter until the completion of the investigation of their report.
3. Support measures: the individuals referred to are expected to be included in the forecasts for the provision of legal aid and psychological support.
4. Remedial measures: the individuals referred to have the right to compensation for any kind of retaliation, while it is considered that the harm they suffered was in retaliation for their report/public disclosure, with a reversal of the burden of proof. Legally recognized measures that are considered retaliation are null and void, and the right to restoration to the previous situation is provided, provided that this is objectively possible and does not become disproportionately burdensome for the obligor (e.g. in case of suspension of business operations).
Can legal action be taken against the persons referred to in the report?
These persons have the ability to use all legal means of defense to protect their rights. There are provisions for protective measures similar to those for protecting the identity of the persons making the report, and for the persons against whom the report is directed. Criminal sanctions provided for by the violation of the provisions of this law are combined with offenses under the Penal Code, such as defamation, false accusation, perjury, etc.
What are the deadlines for compliance with the obligation to establish an internal reporting channel and what are the consequences of non-compliance?
Private sector businesses with 50-249 employees must comply by 17.12.2023 and within two (2) months of compliance, inform the Labour Inspection or the competent supervisory authority, while private sector businesses with more than 249 employees must do so within six (6) months from the entry into force of the Law. Public sector entities are required to comply within six (6) months from the entry into force of the Law.
By joint ministerial decision, the Activity Code Numbers (K.A.D.) of businesses falling within the scope of the Law will be determined.
The obligation to appoint a D.P.P.A. (Data Protection Officer) is determined by the competent Labour Inspection, which informs the S.A.D. for statistical purposes.
Violation of this obligation entails the imposition of a fine by the Labour Inspection or the competent supervisory authority.
What steps should each organization follow immediately?
→ Harmonization with the applicable legislation, consistency in following procedures and monitoring deadlines.
→ Selection of an appropriate internal reporting system, creation of a link to the internal reporting systems on each organization’s website and referral to an external reporting channel with the corresponding link displayed on the website.
→ Updating and training of staff on the new legislation, procedures, and platform capabilities.
→ Ensuring confidentiality and incorporating guarantees for the protection of personal data and access to it.
- For any related questions, you can always contact our specialized Civil law team -> Managing Partner Maria Antoniadou, Senior Associate Anastasia Karantana and Associate Sofia Chrysakopoulou.
- You can also find the full Information Guide in Greek here.
- You can download the full Information Guide in English below.
