The EU Directive 2019/1937, also known as the "EU Whistleblower Directive," should have been implemented into national law by the Member States of the European Union by December 17, 2021.
With a delay of more than a year, the National Council has now passed the Whistleblower Protection Act ("HSchG") on February 1, 2023. The next step will be for the Federal Council to deal with it.
The following article summarizes the most important key points of the HSchG.

Who is a whistleblower?

A whistleblower is a person who, due to a professional connection, has obtained information about legal violations and provides or publishes a tip about it. This includes not only traditional employees, but also self-employed individuals, applicants, interns and former employees.

Which violations can be reported?

The protection for whistleblowers applies only to reports related to legal violations in areas of special public interest. Thus, the Whistleblower Protection Act applies to violations of regulations in various areas, including public procurement, money laundering, product safety, traffic safety, environmental protection, animal welfare, food safety, consumer protection and data protection.

Who is affected? What are the deadlines?

Companies (and legal entities in the public sector) and public institutions with more than 250 employees must implement the whistleblowing system within six months after the law enters into force (this deadline is expected to end in August 2023). Starting from December 17, 2023, legal entities in the private and public sectors with more than 50 employees will also be required to implement the system.

What is meant by "internal" and "external" channels?

The law provides for both internal and external channels for reporting whistleblowing cases. External reporting channels include not only the Federal Bureau of Anti-Corruption, but also other institutions such as the Financial Market Authority (FMA), the Money Laundering Reporting Office, the Austrian Audit Oversight Authority and the whistleblowing systems of the Federal Competition Authority and the Accounting Authority. Since reporting to an external authority can have far-reaching consequences for the whistleblower's employer, the Austrian legislature prefers that the whistleblower reports to an internal channel at first instance. An internal channel is a natural person or organizational unit within a company or a legal entity in the public sector that receives, investigates and further handles reports. Therefore, external reporting channels should only be involved after an unsuccessful intervention by the internal channel.

The identity of the whistleblower must also be kept confidential internally. Only individuals who are necessary for the handling of the report may be involved in the process.

Which measures need to be implemented?

The Whistleblower Protection Act obliges affected companies and legal entities of the public sector to establish an internal reporting system where reports can be submitted in writing or orally. At the request of the whistleblower, the report can also be able to be made in person. The system should enable whistleblowers to give priority to reporting to the internal channel over reporting through an external channel. The design of the system must be technically and organizationally compliant with the GDPR. The law also provides for the possibility of anonymous reporting.

After receiving a report, it must be documented and a confirmation must be sent to the whistleblower immediately (within a maximum of 7 days). Following the reporting, follow-up measures (such as internal investigations and inquiries) must be taken. At the latest three months after receipt of the report, the internal department must inform the whistleblower of the follow-up measures. If no follow-up measures are taken, the informant must be informed why the report is not being pursued further. The internal department or a responsible body may be entrusted with taking follow-up measures.

What sanctions can be expected?

Violations of the Whistleblower Protection Act may result in administrative fines of up to EUR 20.000,- and in case of repeated violations, up to EUR 40,000,-. Punishable actions include impeding a report or taking retaliatory measures against whistleblowers.