Click on video below
Law transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law
This law extends the material scope of the directive to all national law. It guarantees effective and balanced protection for whistleblowers by granting them genuine whistleblower status, with clearly defined rights and obligations. As a result, it reduces the legal uncertainty to which whistleblowers are currently exposed. It helps to increase respect for the rule of law and generates general interest effects.
Scope of application
Although the directive only covers certain European Union legislation and policy areas, the Luxembourg government has decided, in accordance with the coalition programme, to extend the material scope of the directive to all national law. The government’s decision was motivated by the desire to guarantee a comprehensive and coherent framework that is easily understandable and accessible. Article 1 specifies that whistleblowers shall be protected against any form of retaliation when they report acts or omissions that are unlawful or defeat the object or purpose of directly applicable provisions of national or European law.
Where conditions for the application of a specific mechanism for reporting breaches and protecting the whistleblower provided for by law or by sector-specific European Union legislation are met, and provided that said mechanism is no less favourable, these provisions shall apply.
- The amended law of 5 April 1993 on the financial sector, for example, already contains its own tried and tested whistleblowing procedures, offering similar guarantees to whistleblowers (Articles 58-1).
- The same applies to the fight against money laundering and the financing of terrorism (Article 8-3 of the amended law of 12 November 2004)
The law’s objectives
The key aim of the new law is to guarantee effective and balanced protection for whistleblowers through clearly defined rights and obligations, to reduce the current legal insecurities to which whistleblowers are exposed and, in so doing, to help increase respect for the rule of law.
The target audience
The law applies to whistleblowers working in the private or public sector who have obtained information on breaches in a professional setting. This includes, for example, self-employed or employed workers, shareholders and members of administrative bodies, paid or unpaid volunteers and interns, persons working under the supervision and direction of contractors, subcontractors and suppliers, whistleblowers whose employment relationship has not yet begun in cases where information on breaches has been obtained during the recruitment process or other pre-contractual negotiations, as well as third parties who are related to whistleblowers, such as colleagues or relatives.
Internal and external reporting channels
Public and private-sector legal entities are required to set up channels and procedures for internal reporting and follow-up. Public-sector legal entities include any entity belonging to, or controlled by, them including local authorities with 10,000 or more inhabitants. Private-sector legal entities are only subject to the requirement if they have at least 50 employees.
Where specific rules concerning the establishment of internal reporting channels are laid down in the provisions referred to in Part II of the Annex to Directive 2019/1937 (on financial services, money laundering and terrorism financing, transport security or environmental protection), the provisions of the law shall apply only to matters not regulated by said provisions.
Private-sector legal entities employing between 50 and 249 workers are required to set up internal channels by 17 December 2023.
For private-sector legal entities with 250 or more employees, the requirement is immediate.
Reporting channels may be managed internally by a designated person or department or provided externally by a third party.
Competent authorities shall check that private-sector legal entities falling within their respective spheres of competence have set up internal reporting channels correctly. To this end, they may ask private-sector legal entities to provide them with all the necessary information.
Procedure, follow-up and sanctions
Whistleblowing channels shall be designed, set up and managed so as to guarantee the confidentiality of the whistleblower’s identity and that of any third party mentioned in the report and to prevent access to said channels by unauthorised personnel.
Once a report has been made, an acknowledgement of receipt is sent to the whistleblower within seven days.
The person responsible for receiving reports shall be an impartial person or department competent to ensure follow-up (legal department, data protection officer, specially designated person, etc.).
The whistleblower shall be guaranteed feedback within three months.
Reports via internal channels can be made in writing, or verbally, or both, in one of the three administrative languages, in accordance with the amended law of 24 February 1984 on the Luxembourg language regime, or in any other language agreed by the legal entity. Verbal reports can be made by telephone or via other voice messaging systems and, at the whistleblower’s request, by means of a face-to-face meeting within a reasonable period of time.
In the event of failure to comply with these provisions, the competent authorities may impose an administrative fine of between €1,500 and €250,000 on private-sector legal entities, the maximum fine being doubled in the event of a repeat offence within 5 years.
External channels, procedure and follow-up
Whistleblowers are free to choose whether to report internally or externally, i.e. to a competent authority.
The law lists the competent authorities in article 18:
- The Luxembourg Financial Services Authority - CSSF
- The Luxembourg Insurance Commission - CAA
- The Luxembourg competition authority
- The Luxembourg Registration Duties, Estates and VAT Authority - AED
- The Luxembourg Inspectorate of Labour and Mines - ITM
- The Luxembourg Data Protection Commission - CNPD
- The Luxembourg Equal Opportunities Centre - CET
- The Mediator, as part of his mission to carry out external checks on places where people are deprived of their liberty
- The Ombudsman for children and youth
- Luxembourg Regulatory Institute - ILR
- Luxembourg Independent Regulator for Audiovisual Media Services - ALIA
- Luxembourg and Diekirch Bar Association
- Luxembourg Chamber of Notaries
- Luxembourg Medical Board
- Nature and Forest Administration - ANF
- Water Management Administration - AGE
- Air Navigation Administration - ANA
- National Consumer Ombudsman Service
- Order of Architects and Consulting Engineers - OAI
- Luxembourg Association of Chartered Accountants - OEC
- Luxembourg Institute of Auditors - IRE
- Luxembourg Direct Tax Administration – ACD
The procedure and follow-up for reports made to a competent authority are much the same as for internal reports, with a few exceptions:
- The competent authorities may decide that a reported breach is clearly minor and requires no further action other than closure.
- The competent authorities may not act on a repeat report containing no new information.
Internal and external channels shall strictly guarantee the confidentiality of the whistleblower’s identity, except in the event of a necessary and proportionate obligation imposed by directly applicable national, or European, law during investigations, in particular, with a view to safeguarding the rights of defence of the person concerned.
Internal and external channels shall comply with legislation on personal data processing. Reports are only kept for as long as is legally necessary and proportionate.
Any person making a public disclosure is protected by law if one of the following conditions is met:
The person first made an internal and external report, or made a direct external report, but no appropriate action has been taken in response to the report within the specified timeframe.
The person has reasonable grounds to believe that:
- the breach may represent an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible harm
- in the case of external reporting, there is a risk of retaliation or there is little likelihood that the breach will actually be remedied, due to the particular circumstances of the case, such as where evidence may be concealed or destroyed or where an authority may be colluding with the perpetrator of the breach or may be involved in the breach
The whistleblowing office and its mission
A whistleblowing office has been set up by authority of the Minister of Justice, charged with the following tasks:
- Informing and assisting anyone wishing to make a report, in particular, by explaining the procedures to be followed
- Raising public awareness of whistleblower protection legislation
- Informing the respective competent authorities of any breaches of obligations to set up internal channels of which the office is aware
- Collect, in collaboration with the competent authorities and the judicial authorities, the information needed to draw up the annual report
- Drawing up recommendations on any matter relating to the application of this law
- Carrying out the tasks assigned to it under the external reporting procedure
Whistleblower status – conditions for protection
The law establishes the status of the “whistleblower”, who enjoys protection under the following conditions:
- the whistleblower shall have reasonable grounds for believing that information on breaches was true at the time of reporting and that this information falls within the scope of application of this law, and
- the report has already been made internally or externally via the channels provided for this purpose or a public disclosure has been made in accordance with the applicable provisions.
Persons who have reported or disclosed information on breaches anonymously but who are subsequently identified and subjected to retaliation shall enjoy the protection provided by this law. The same applies to persons reporting breaches to competent European Union institutions, bodies, offices or agencies.
Terms of protection
All forms of retaliation, including threats and attempted reprisals, are prohibited for reports made under the terms of this law.
Examples include dismissal or equivalent measures, demotion, transfer of duties, change of workplace, disciplinary measures, disadvantageous or unfair treatment, negative performance appraisal or certificate of employment, or early termination or cancellation of a contract for goods or services.
Retaliatory measures are automatically null and void.
Persons suffering retaliation may ask the competent court to declare the retaliation null and void and to order it to cease.
Persons not invoking the nullity of the retaliatory measure may still take legal action for compensation for the damage suffered.
Retaliatory measures taken are presumed to be retaliatory. It is, therefore, up to the person taking the prejudicial action to establish the grounds for such action à Reversal of the burden of proof in favour of the whistleblower.
Whistleblowers shall not be deemed to have breached any restrictions on the disclosure of information and shall not incur any liability as a result of said disclosure, provided that they had reasonable grounds for believing that the reporting or public disclosure of such information was necessary to reveal a breach under this law.
Whistleblowers shall not be liable for obtaining or gaining access to information that is reported or publicly disclosed, provided that obtaining or gaining access to such information does not constitute a separate criminal offence.
In legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules or disclosure of business secrets, or for claims for compensation based on private law, public law or collective labour law, the persons referred to in Article 2 shall not incur any liability as a result of reports or public disclosures made under this law. Such persons shall be entitled to rely on said report or public disclosure to request that the proceedings be discontinued, provided that they had reasonable grounds for believing that the report or public disclosure was necessary to reveal a breach under this law.
Penalties for malicious reporting
Anyone who knowingly reports or publicly discloses false information may be subject to a prison sentence of between 8 days and 3 months and a fine of between €1,500 and €50,000.
Those making false reports will be held civilly liable. The entity suffering the damage may claim compensation before the competent court for the loss suffered.
This provision is necessary to prevent abusive reporting, the sole purpose of which may be to “take revenge” or to try to benefit from protection even in the event of dismissal or a legitimate sanction.
The Whistleblowing Office (“office des signalements”) will be operational from 1 September 2023. If you have any questions, please contact: email@example.com