Short summary
Directive 2019/1937 is now fully in force. Here is what your organisation must have in place — secure reporting channels, record-keeping, anti-retaliation protections, and a response procedure that holds up under regulatory scrutiny.
- What the compliance workflow needs to prove.
- Which controls and evidence buyers should check.
- How HubSecure fits without replacing legal advice.
EU Whistleblowing Directive: A Compliance Guide for Regulated Businesses
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
The EU Whistleblowing Directive (Directive (EU) 2019/1937) requires any organisation with 50 or more employees to operate a confidential internal reporting channel. Smaller regulated businesses — particularly in financial services, healthcare, and legal — face the same obligation regardless of headcount. National transposition deadlines have now passed in all EU member states. If you are not yet compliant, you are already at risk.
This guide covers the directive's core requirements, common implementation mistakes, and a practical 12-step compliance checklist.
Scope: Who Must Comply?
The directive has a broad scope. Mandatory internal reporting channels apply to:
Private-sector organisations
- 50+ employees — full obligations including written procedures, response timelines, and record retention
- 10–49 employees — may share channels with other SMEs under national law, but core protections apply
- Under 50 employees in regulated sectors (AML, financial services, aviation, nuclear) — full obligations regardless of size
- All legal entities in financial services subject to the acts listed in Part II of the Annex
For most law firms, fintechs, accountancies, and healthcare organisations, the "regulated sector" carve-out means the employee threshold is irrelevant — you are in scope from day one.
The Seven Core Requirements
Secure, confidential reporting channel
The channel must allow reporting in writing (electronic or paper) and, if requested, verbally. Channels must protect the identity of the reporter and any third parties mentioned. Telephone lines must be non-recordable unless the reporter consents; recorded calls must be transcribed and made available for review.
Designated, impartial handler
An impartial person or department must be designated to receive, follow up, and communicate with the reporter. The handler may be internal (e.g. Compliance Officer, Head of Legal) or an external third party — but must be independent from operational management.
Acknowledgement within 7 days
Reporters must receive written acknowledgement within 7 calendar days. This is a hard deadline. Most organisations fail here simply because they lack a workflow to trigger the acknowledgement automatically.
Diligent follow-up and feedback within 3 months
A diligent follow-up must occur, and feedback on what action was taken (or why none was taken) must be provided within 3 months of the acknowledgement. The feedback must be as detailed as confidentiality allows.
Clear information on external channels
Reporters must be informed about external reporting channels — national competent authorities, EU institutions, and in appropriate cases, public disclosure. Providing this information does not undermine the internal channel; the directive requires it.
Anti-retaliation protections
Any form of retaliation against a reporter — dismissal, demotion, harassment, negative performance review, disciplinary action — is prohibited and must be reversed. The burden of proof shifts to the employer: you must show any adverse action was not linked to the report.
Record-keeping for 5 years
All reports, follow-up actions, and communications must be retained for at least 5 years. Records must be stored securely, access-controlled, and available for audit. They must not be retained longer than necessary — striking a balance between minimum retention and data minimisation under GDPR.
The GDPR Intersection
Running a whistleblowing channel means processing personal data — often sensitive data about suspected misconduct. This creates a direct conflict between your obligation to investigate thoroughly and your obligation to minimise personal data processing.
Key GDPR obligations for whistleblowing channels
- Lawful basis: Article 6(1)(c) — legal obligation — covers both the mandatory establishment and operation of the channel
- Special category data: If reports involve criminal allegations, health, or union activity, Article 9(2)(b) or (g) applies
- Data subject rights: Suspects (reported individuals) have limited — not zero — rights. You may delay disclosure of information if it would jeopardise the investigation
- Retention: 5-year minimum under the directive; GDPR requires you do not retain longer than necessary. Document your retention rationale explicitly
- DPA notification: Several national DPAs (including the Dutch AP and the French CNIL) have issued specific guidance requiring a DPIA for whistleblowing systems
Penalties for Non-Compliance
| Violation | Penalty exposure | Who enforces |
|---|---|---|
| Failure to establish a channel | National law — typically $10K–$1M+ | National competent authority |
| Retaliation against a reporter | Civil liability, reinstatement, damages | Labour courts + competent authority |
| Breach of confidentiality | Criminal liability in some member states | Prosecution service |
| Hindering a report (obstruction) | Criminal / administrative fines | Competent authority |
| GDPR breach (channel mishandling) | Up to $20M / 4% global turnover | Data Protection Authority |
Common Implementation Mistakes
1. Using email as the reporting channel. Email does not guarantee confidentiality, creates mixed retention issues, and cannot enforce access controls. Most national DPAs have flagged generic email inboxes as non-compliant.
2. Naming only the CEO or HR director as handler. Reporters will not use a channel if they believe it feeds back to management. The handler must be genuinely impartial — ideally the Compliance Officer or an external provider.
3. No written policy published to staff. Employees must be informed of the channel's existence, how to use it, and the protections available to them. A policy buried in the employee handbook does not satisfy this. It must be actively communicated.
4. Missing the 7-day acknowledgement. This deadline is often missed because there is no automated workflow triggering an acknowledgement. A single missed deadline is a provable directive breach.
5. Failing to document "no action" outcomes. If a report is assessed as unfounded and no action taken, this must be documented with reasoning. A blank record implies the report was ignored.
Anonymous Reporting: Do You Have to Accept It?
The directive does not require organisations to accept anonymous reports. However, national law varies:
- France: The Sapin II tradition means anonymous reports must be accepted and handled
- Germany (HinSchG): Anonymous channels recommended but not mandatory
- Netherlands: Anonymous reports should be handled "as far as possible"
- Ireland, UK (post-Brexit PIDA): Anonymous disclosures accepted but reduced protections
Best practice is to accept anonymous reports, treat them with the same follow-up diligence, and document that the reporter chose to remain anonymous. If a report cannot be meaningfully investigated without more information, document why.
12-Step Compliance Checklist
Built-in whistleblowing module
HubSecure includes a GDPR-compliant whistleblowing channel with encrypted submissions, automated 7-day acknowledgement, 3-month tracking, and 5-year audit-ready retention — no bolt-on tool required.