(1)

Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.

(2)

At Union level, reports and public disclosures by whistleblowers are one upstream component of enforcement of Union law and policies. They feed national and Union enforcement systems with information, leading to effective detection, investigation and prosecution of breaches of Union law, thus enhancing transparency and accountability.

(3)

In certain policy areas, breaches of Union law, regardless of whether they are categorised under national law as administrative, criminal or other types of breaches, may cause serious harm to the public interest, in that they create significant risks for the welfare of society. Where weaknesses of enforcement have been identified in those areas, and whistleblowers are usually in a privileged position to disclose breaches, it is necessary to enhance enforcement by introducing effective, confidential and secure reporting channels and by ensuring that whistleblowers are protected effectively against retaliation.

(4)

Whistleblower protection currently provided in the Union is fragmented across Member States and uneven across policy areas. The consequences of breaches of Union law with a cross-border dimension reported by whistleblowers illustrate how insufficient protection in one Member State negatively impacts the functioning of Union policies not only in that Member State, but also in other Member States and in the Union as a whole.

(5)

Common minimum standards ensuring that whistleblowers are protected effectively should apply as regards acts and policy areas where there is a need to strengthen enforcement, under-reporting by whistleblowers is a key factor affecting enforcement, and breaches of Union law can cause serious harm to the public interest. Member States could decide to extend the application of national provisions to other areas with a view to ensuring that there is a comprehensive and coherent whistleblower protection framework at national level.

(6)

Whistleblower protection is necessary to enhance the enforcement of Union law on public procurement. It is necessary, not only to prevent and detect procurement-related fraud and corruption in the context of the implementation of the Union budget, but also to tackle insufficient enforcement of rules on public procurement by national contracting authorities and contracting entities in relation to the execution of works, the supply of products or the provision of services. Breaches of such rules create distortions of competition, increase costs for doing business, undermine the interests of investors and shareholders and, in general, lower attractiveness for investment and create an uneven playing field for all businesses across the Union, thus affecting the proper functioning of the internal market.

(7)

In the area of financial services, the added value of whistleblower protection has already been acknowledged by the Union legislator. In the aftermath of the financial crisis, which exposed serious shortcomings in the enforcement of the relevant rules, measures for the protection of whistleblowers, including internal and external reporting channels, as well as an explicit prohibition of retaliation, were introduced in a significant number of legislative acts in the area of financial services as indicated by the Commission in its communication of 8 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’. In particular, in the context of the prudential framework applicable to credit institutions and investment firms, Directive 2013/36/EU of the European Parliament and of the Council (4) provides for whistleblower protection which applies in the context of Regulation (EU) No 575/2013 of the European Parliament and of the Council (5).

(8)

As regards the safety of products placed on the internal market, businesses involved in the manufacturing and distribution chain are the primary source of evidence, with the result that reporting by whistleblowers in such businesses has a high added value, since they are much closer to information about possible unfair and illicit manufacturing, import or distribution practices regarding unsafe products. Accordingly, there is a need to introduce whistleblower protection in relation to the safety requirements applicable to products regulated by the Union harmonisation legislation as set out in Annexes I and II to Regulation (EU) 2019/1020 of the European Parliament and of the Council (6), and in relation to the general product safety requirements as set out in Directive 2001/95/EC of the European Parliament and of the Council (7). Whistleblower protection as provided for in this Directive would also be instrumental in avoiding diversion of firearms, their parts and components and ammunition, as well as of defence-related products, since it would encourage the reporting of breaches of Union law, such as document fraud, altered marking and fraudulent acquisition of firearms within the Union where breaches often imply a diversion from the legal to the illegal market. Whistleblower protection as provided for in this Directive would also help prevent the illicit manufacture of homemade explosives by contributing to the correct application of restrictions and controls regarding explosives precursors.

(9)

The importance of whistleblower protection in terms of preventing and deterring breaches of Union rules on transport safety, which can endanger human lives, has already been acknowledged in sectorial Union acts on aviation safety, namely in Regulation (EU) No 376/2014 of the European Parliament and of the Council (8), and maritime transport safety, namely in Directives 2013/54/EU (9) and 2009/16/EC (10) of the European Parliament and of the Council, which provide for tailored measures of protection for whistleblowers as well as specific reporting channels. Those acts also provide for the protection of workers who report their own honest mistakes against retaliation, so-called ‘just culture’. It is necessary to complement the existing elements of whistleblower protection in those two sectors, as well as to provide protection in other transport modes, namely inland waterway, road and railway transport, to enhance the enforcement of safety standards as regards those transport modes.

(10)

As regards the area of protection of the environment, evidence-gathering, preventing, detecting and addressing environmental crimes and unlawful conduct remain a challenge and actions in that regard need to be reinforced, as acknowledged by the Commission in its communication of 18 January 2018 entitled ‘EU actions to improve environmental compliance and governance’. Given that before the entry into force of this Directive, the only existing whistleblower protection rules related to environmental protection are provided for in one sectorial act, namely Directive 2013/30/EU of the European Parliament and of the Council (11), the introduction of such protection is necessary to ensure effective enforcement of the Union environmental acquis, the breaches of which can cause harm to the public interest with possible spillover impacts across national borders. The introduction of such protection is also relevant in cases where unsafe products can cause environmental harm.

(11)

Enhancing whistleblower protection would also contribute to preventing and deterring breaches of European Atomic Energy Community rules on nuclear safety, radiation protection and responsible and safe management of spent fuel and radioactive waste. It would also strengthen the enforcement of the relevant provisions of Council Directive 2009/71/Euratom (12), concerning promotion and enhancement of an effective nuclear safety culture and, in particular, point (a) of Article 8b(2) of that Directive, which requires, inter alia, that the competent regulatory authority establishes management systems which give due priority to nuclear safety and promote, at all levels of staff and management, the ability to question the effective delivery of relevant safety principles and practices and to report in a timely manner on safety issues.

(12)

The introduction of a whistleblower protection framework would also contribute to strengthening the enforcement of existing provisions, and to preventing breaches of Union rules, in the area of the food chain and, in particular, on food and feed safety, as well as on animal health, protection and welfare. The different Union rules laid down in those areas are closely interlinked. Regulation (EC) No 178/2002 of the European Parliament and of the Council (13) sets out the general principles and requirements which underpin all Union and national measures relating to food and feed, with a particular focus on food safety, in order to ensure a high level of protection of human health and consumers' interests in relation to food, as well as the effective functioning of the internal market. That Regulation provides, inter alia, that food and feed business operators are prevented from discouraging their employees and others from cooperating with competent authorities where such cooperation could prevent, reduce or eliminate a risk arising from food. The Union legislator has taken a similar approach in the area of animal health through Regulation (EU) 2016/429 of the European Parliament and of the Council (14) establishing the rules for the prevention and control of animal diseases which are transmissible to animals or to humans and in the area of the protection and well-being of animals kept for farming purposes, of animals used for scientific purposes, of animals during transport and of animals at the time of killing, through Council Directive 98/58/EC (15) and Directive 2010/63/EU of the European Parliament and of the Council (16), as well as Council Regulations (EC) No 1/2005 (17) and (EC) No 1099/2009 (18), respectively.

(13)

The reporting of breaches by whistleblowers can be key to detecting and preventing, reducing or eliminating risks to public health and to consumer protection resulting from breaches of Union rules, which might otherwise remain hidden. In particular, consumer protection is also strongly linked to cases where unsafe products can cause considerable harm to consumers.

(14)

Respect for privacy and protection of personal data, which are enshrined as fundamental rights in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the ‘Charter’), are other areas in which whistleblowers can help to disclose breaches, which can harm the public interest. Whistleblowers can also help disclose breaches of Directive (EU) 2016/1148 of the European Parliament and of the Council (19) on the security of network and information systems, which introduces a requirement to provide notification of incidents, including those that do not compromise personal data, and security requirements for entities providing essential services across many sectors, for example energy, health, transport and banking, for providers of key digital services, for example cloud computing services, and for suppliers of basic utilities, such as water, electricity and gas. Whistleblowers' reporting in this area is particularly valuable for the prevention of security incidents that would affect key economic and social activities and widely used digital services, as well as for the prevention of any infringement of Union data protection rules. Such reporting helps ensure the continuity of services that are essential for the functioning of the internal market and the wellbeing of society.

(15)

Furthermore, the protection of the financial interests of the Union, which is related to the fight against fraud, corruption and any other illegal activity affecting Union expenditure, the collection of Union revenues and funds or Union assets, is a core area in which enforcement of Union law needs to be strengthened. The strengthening of the protection of the financial interests of the Union is relevant also for the implementation of the Union budget as regards expenditure that is incurred on the basis of the Treaty establishing the European Atomic Energy Community (Euratom Treaty). Lack of effective enforcement in the area of protection of the financial interests of the Union, including as regards prevention of fraud and corruption at national level, leads to a decrease of Union revenues and a misuse of Union funds, which can distort public investments, hinder growth and undermine citizens' trust in Union action. Article 325 of the Treaty on the Functioning of the European Union (TFEU) requires the Union and the Member States to counter fraud and any other illegal activities affecting the financial interests of the Union. Relevant Union measures in this respect include, in particular, Council Regulation (EC, Euratom) No 2988/95 (20) and Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (21). Regulation (EC, Euratom) No 2988/95 is complemented, for the most serious types of fraud-related conduct, by Directive (EU) 2017/1371 of the European Parliament and of the Council (22) and by the Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on the protection of the European Communities' financial interests of 26 July 1995 (23), including the Protocols thereto of 27 September 1996 (24), of 29 November 1996 (25) and of 19 June 1997 (26). That Convention and those Protocols remain in force for the Member States not bound by Directive (EU) 2017/1371.

(16)

Common minimum standards for the protection of whistleblowers should also be laid down for breaches relating to the internal market as referred to in Article 26(2) TFEU. In addition, in accordance with the case law of the Court of Justice of the European Union (the ‘Court’), Union measures aimed at establishing or ensuring the functioning of the internal market are intended to contribute to the elimination of existing or emerging obstacles to the free movement of goods or to the freedom to provide services, and to contribute to the removal of distortions of competition.

(17)

Specifically, the protection of whistleblowers to enhance the enforcement of Union competition law, including concerning State aid, would serve to safeguard the efficient functioning of markets in the Union, allow a level playing field for business and deliver benefits to consumers. As regards competition rules applying to undertakings, the importance of insider reporting in detecting competition law infringements has already been recognised in the leniency policy pursued by the Commission under Article 4a of Commission Regulation (EC) No 773/2004 (27) as well as with the recent introduction of an anonymous whistleblower tool by the Commission. Breaches relating to competition law and State aid rules concern Articles 101, 102, 106, 107 and 108 TFEU and rules of secondary law adopted for their application.

(18)

Breaches of corporate tax law and arrangements of which the purpose is to obtain a tax advantage and to evade legal obligations, thereby defeating the object or purpose of the applicable corporate tax law, negatively affect the proper functioning of the internal market. Such breaches and arrangements can give rise to unfair tax competition and extensive tax evasion, distorting the level playing field for businesses and resulting in a loss of tax revenues for Member States and for the Union budget as a whole. This Directive should provide for protection against retaliation for persons who report evasive and/or abusive arrangements that could otherwise go undetected, with a view to strengthening the ability of competent authorities to safeguard the proper functioning of the internal market and remove distortions and barriers to trade that affect the competitiveness of businesses in the internal market, and that are directly linked to the free movement rules and are also relevant for the application of the State aid rules. Whistleblower protection as provided for in this Directive would add to recent Commission initiatives aimed at improving transparency and the exchange of information in the field of taxation, and creating a fairer corporate tax environment within the Union with a view to increasing Member States' effectiveness in identifying evasive and/or abusive arrangements, and would help deter such arrangements. However, this Directive does not harmonise provisions relating to taxes, whether substantive or procedural, and does not seek to strengthen the enforcement of national corporate tax rules, without prejudice to the possibility of Member States to use reported information for that purpose.

(19)

Point (a) of Article 2(1) defines the material scope of this Directive by means of a reference to a list of Union acts set out in the Annex. This implies that where those Union acts, in turn, define their material scope by reference to Union acts listed in their annexes, the latter acts also form part of the material scope of this Directive. In addition, the reference to the acts in the Annex should be understood as including all national and Union implementing or delegated measures adopted pursuant to those acts. Moreover, the reference to the Union acts in the Annex is to be understood as a dynamic reference, in accordance with the standard referencing system for legal acts of the Union. Thus, if a Union act in the Annex has been or is amended, the reference relates to the act as amended; if a Union act in the Annex has been or is replaced, the reference relates to the new act.

(20)

Certain Union acts, in particular in the area of financial services, such as Regulation (EU) No 596/2014 of the European Parliament and of the Council (28), and Commission Implementing Directive (EU) 2015/2392 (29), adopted on the basis of that Regulation, already contain detailed rules on whistleblower protection. Any specific rules in that regard provided for in such existing Union legislation, including the Union acts listed in Part II of the Annex to this Directive, which are tailored to the relevant sectors, should be maintained. This is of particular importance for ascertaining which legal entities in the area of financial services, the prevention of money laundering and terrorist financing are currently obliged to establish internal reporting channels. At the same time, in order to ensure consistency and legal certainty across Member States, this Directive should be applicable in respect of all matters not regulated under the sector-specific acts, and thereby should complement such acts, so that they are fully aligned with minimum standards. In particular, this Directive should provide further detail as to the design of the internal and external reporting channels, the obligations of competent authorities, and the specific forms of protection to be provided at national level against retaliation. In that regard, Article 28(4) of Regulation (EU) No 1286/2014 of the European Parliament and of the Council (30) provides for Member States to be able to provide for an internal reporting channel in the area covered by that Regulation. For reasons of consistency with the minimum standards laid down by this Directive, the obligation to establish internal reporting channels provided for in this Directive should also apply in respect of Regulation (EU) No 1286/2014.

(21)

This Directive should be without prejudice to the protection granted to workers when reporting breaches of Union employment law. In particular, in the area of occupational safety and health, Article 11 of Council Directive 89/391/EEC (31) already requires Member States to ensure that workers or workers' representatives are not placed at a disadvantage because of requests or proposals they make to employers to take appropriate measures to mitigate hazards for workers and/or to remove sources of danger. Workers and their representatives are entitled, under that Directive, to raise issues with the competent authority if they consider that the measures taken, and the means employed, by the employer are inadequate for the purposes of ensuring safety and health.

(22)

Member States could decide to provide that reports concerning interpersonal grievances exclusively affecting the reporting person, namely grievances about interpersonal conflicts between the reporting person and another worker, can be channelled to other procedures.

(23)

This Directive should be without prejudice to the protection granted by the procedures for reporting possible illegal activities, including fraud or corruption, that are detrimental to the interests of the Union, or for reporting conduct relating to the discharge of professional duties, which could constitute a serious failure to comply with the obligations of officials and other servants of the European Union established under Articles 22a, 22b and 22c of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (32). This Directive should apply where officials and other servants of the Union report breaches that occur in a work-related context outside their employment relationship with the Union institutions, bodies, offices or agencies.

(24)

National security remains the sole responsibility of each Member State. This Directive should not apply to reports of breaches related to procurement involving defence or security aspects where those are covered by Article 346 TFEU, in accordance with the case law of the Court. If Member States decide to extend the protection provided under this Directive to further areas or acts, which are not within its material scope, it should be possible for them to adopt specific provisions to protect essential interests of national security in that regard.

(25)

This Directive should also be without prejudice to the protection of classified information which Union law or the laws, regulations or administrative provisions in force in the Member State concerned require, for security reasons, to be protected from unauthorised access. Moreover, this Directive should not affect the obligations arising from Council Decision 2013/488/EU (33) or Commission Decision (EU, Euratom) 2015/444 (34).

(26)

This Directive should not affect the protection of confidentiality of communications between lawyers and their clients (‘legal professional privilege’) as provided for under national and, where applicable, Union law, in accordance with the case law of the Court. Moreover, this Directive should not affect the obligation of maintaining the confidential nature of communications of health care providers, including therapists, with their patients and of patient records (‘medical privacy’) as provided for under national and Union law.

(27)

Members of professions other than lawyers and health care providers should be able to qualify for protection under this Directive when they report information protected by the applicable professional rules, provided that reporting that information is necessary for the purposes of revealing a breach falling within the scope of this Directive.

(28)

While this Directive should provide, under certain conditions, for a limited exemption from liability, including criminal liability, in the event of a breach of confidentiality, it should not affect national rules on criminal procedure, particularly those aiming at safeguarding the integrity of the investigations and proceedings or the rights of defence of persons concerned. This should be without prejudice to the introduction of measures of protection into other types of national procedural law, in particular, the reversal of the burden of proof in national administrative, civil or labour proceedings.

(29)

This Directive should not affect national rules on the exercise of the rights of employees' representatives to information, consultation, and participation in collective bargaining and their defence of workers' employment rights. This should be without prejudice to the level of protection granted under this Directive.

(30)

This Directive should not apply to cases in which persons who, having given their informed consent, have been identified as informants or registered as such in databases managed by authorities appointed at national level, such as customs authorities, and report breaches to enforcement authorities, in return for reward or compensation. Such reports are made pursuant to specific procedures that aim to guarantee the anonymity of such persons in order to protect their physical integrity, and that are distinct from the reporting channels provided for under this Directive.

(31)

Persons who report information about threats or harm to the public interest obtained in the context of their work-related activities make use of their right to freedom of expression. The right to freedom of expression and information, enshrined in Article 11 of the Charter and in Article 10 of the Convention for the Protection of Human Rights and Fundamental Freedoms, encompasses the right to receive and impart information as well as the freedom and pluralism of the media. Accordingly, this Directive draws upon the case law of the European Court of Human Rights (ECHR) on the right to freedom of expression, and the principles developed on this basis by the Council of Europe in its Recommendation on the Protection of Whistleblowers adopted by its Committee of Ministers on 30 April 2014.

(32)

To enjoy protection under this Directive, reporting persons should have reasonable grounds to believe, in light of the circumstances and the information available to them at the time of reporting, that the matters reported by them are true. That requirement is an essential safeguard against malicious and frivolous or abusive reports as it ensures that those who, at the time of the reporting, deliberately and knowingly reported wrong or misleading information do not enjoy protection. At the same time, the requirement ensures that protection is not lost where the reporting person reported inaccurate information on breaches by honest mistake. Similarly, reporting persons should be entitled to protection under this Directive if they have reasonable grounds to believe that the information reported falls within its scope. The motives of the reporting persons in reporting should be irrelevant in deciding whether they should receive protection.

(33)

Reporting persons normally feel more at ease reporting internally, unless they have reasons to report externally. Empirical studies show that the majority of whistleblowers tend to report internally, within the organisation in which they work. Internal reporting is also the best way to get information to the persons who can contribute to the early and effective resolution of risks to the public interest. At the same time, the reporting person should be able to choose the most appropriate reporting channel depending on the individual circumstances of the case. Moreover, it is necessary to protect public disclosures, taking into account democratic principles such as transparency and accountability, and fundamental rights such as freedom of expression and the freedom and pluralism of the media, whilst balancing the interest of employers to manage their organisations and to protect their interests, on the one hand, with the interest of the public to be protected from harm, on the other, in line with the criteria developed in the case law of the ECHR.

(34)

Without prejudice to existing obligations to provide for anonymous reporting by virtue of Union law, it should be possible for Member States to decide whether legal entities in the private and public sector and competent authorities are required to accept and follow up on anonymous reports of breaches which fall within the scope of this Directive. However, persons who anonymously reported or who made anonymous public disclosures falling within the scope of this Directive and meet its conditions should enjoy protection under this Directive if they are subsequently identified and suffer retaliation.

(35)

This Directive should provide for protection to be granted in cases where persons report, pursuant to Union legislation, to institutions, bodies, offices or agencies of the Union, for example in the context of fraud concerning the Union budget.

(36)

Persons need specific legal protection where they acquire the information they report through their work-related activities and therefore run the risk of work-related retaliation, for instance, for breaching the duty of confidentiality or loyalty. The underlying reason for providing such persons with protection is their position of economic vulnerability vis-à-vis the person on whom de facto they depend for work. Where there is no such work-related power imbalance, for instance in the case of ordinary complainants or citizen bystanders, there is no need for protection against retaliation.

(37)

Effective enforcement of Union law requires that protection should be granted to the broadest possible range of categories of persons, who, irrespective of whether they are Union citizens or third-country nationals, by virtue of their work-related activities, irrespective of the nature of those activities and of whether they are paid or not, have privileged access to information on breaches that it would be in the public interest to report and who may suffer retaliation if they report them. Member States should ensure that the need for protection is determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship, so as to cover the whole range of persons connected in a broad sense to the organisation where the breach has occurred.

(38)

Protection should, firstly, apply to persons having the status of ‘workers’, within the meaning of Article 45(1) TFEU, as interpreted by the Court, namely persons who, for a certain period of time, perform services for and under the direction of another person, in return for which they receive remuneration. Protection should, thus, also be granted to workers in non-standard employment relationships, including part-time workers and fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency, precarious types of relationships where standard forms of protection against unfair treatment are often difficult to apply. The concept of ‘worker’ also includes civil servants, public service employees, as well as any other persons working in the public sector.

(39)

Protection should also extend to categories of natural persons, who, whilst not being ‘workers’ within the meaning of Article 45(1) TFEU, can play a key role in exposing breaches of Union law and may find themselves in a position of economic vulnerability in the context of their work-related activities. For instance, as regards product safety, suppliers are much closer to the source of information about possible unfair and illicit manufacturing, import or distribution practices concerning unsafe products; and as regards the implementation of Union funds, consultants providing their services are in a privileged position to draw attention to breaches they witness. Such categories of persons, which include self-employed persons providing services, freelance workers, contractors, subcontractors and suppliers, are typically subject to retaliation, which can take the form, for instance, of early termination or cancellation of a contract for services, a licence or permit, loss of business, loss of income, coercion, intimidation or harassment, blacklisting or business boycotting or damage to their reputation. Shareholders and persons in managerial bodies can also suffer retaliation, for instance in financial terms or in the form of intimidation or harassment, blacklisting or damage to their reputation. Protection should also be granted to persons whose work-based relationship has ended, and to candidates for employment or persons seeking to provide services to an organisation, who acquire information on breaches during the recruitment process or another pre-contractual negotiation stage, and who could suffer retaliation, for instance in the form of negative employment references, blacklisting or business boycotting.

(40)

Effective whistleblower protection implies protecting also categories of persons who, whilst not relying on their work-related activities economically, can nevertheless suffer retaliation for reporting breaches. Retaliation against volunteers and paid or unpaid trainees could take the form of no longer making use of their services, or of giving them a negative employment reference or otherwise damaging their reputation or career prospects.

(41)

Protection should be provided against retaliatory measures taken not only directly vis-à-vis reporting persons themselves, but also those that can be taken indirectly, including vis-à-vis facilitators, colleagues or relatives of the reporting person who are also in a work-related connection with the reporting person's employer or customer or recipient of services. Without prejudice to the protection that trade union representatives or employees' representatives enjoy in their capacity as such representatives under other Union and national rules, they should enjoy the protection provided for under this Directive both where they report in their capacity as workers and where they have provided advice and support to the reporting person. Indirect retaliation also includes actions taken against the legal entity that the reporting person owns, works for or is otherwise connected with in a work-related context, such as denial of provision of services, blacklisting or business boycotting.

(42)

Effective detection and prevention of serious harm to the public interest requires that the notion of breach also includes abusive practices, as defined by the case law of the Court, namely acts or omissions which do not appear to be unlawful in formal terms but defeat the object or the purpose of the law.

(43)

Effective prevention of breaches of Union law requires that protection is granted to persons who provide information necessary to reveal breaches which have already taken place, breaches which have not yet materialised, but are very likely to take place, acts or omissions which the reporting person has reasonable grounds to consider as breaches, as well as attempts to conceal breaches. For the same reasons, protection is justified also for persons who do not provide positive evidence but raise reasonable concerns or suspicions. At the same time, protection should not apply to persons who report information which is already fully available in the public domain or unsubstantiated rumours and hearsay.

(44)

There should be a close link between reporting and the adverse treatment suffered, directly or indirectly, by the reporting person, for that adverse treatment to be considered to be retaliation and consequently for the reporting person to be able to enjoy legal protection in that respect. Effective protection of reporting persons as a means of enhancing the enforcement of Union law requires a broad definition of retaliation, encompassing any act or omission occurring in a work-related context and which causes them detriment. This Directive should not, however, prevent employers from taking employment-related decisions which are not prompted by the reporting or public disclosure.

(45)

Protection against retaliation as a means of safeguarding freedom of expression and the freedom and pluralism of the media should be provided both to persons who report information about acts or omissions within an organisation (‘internal reporting’) or to an outside authority (‘external reporting’) and to persons who make such information available in the public domain, for instance, directly to the public through online platforms or social media, or to the media, elected officials, civil society organisations, trade unions, or professional and business organisations.

(46)

Whistleblowers are, in particular, important sources for investigative journalists. Providing effective protection to whistleblowers from retaliation increases legal certainty for potential whistleblowers and thereby encourages whistleblowing also through the media. In this respect, protection of whistleblowers as journalistic sources is crucial for safeguarding the ‘watchdog’ role of investigative journalism in democratic societies.

(47)

For the effective detection and prevention of breaches of Union law, it is vital that the relevant information reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible. As a principle, therefore, reporting persons should be encouraged to first use internal reporting channels and report to their employer, if such channels are available to them and can reasonably be expected to work. That is the case, in particular, where reporting persons believe that the breach can be effectively addressed within the relevant organisation, and that there is no risk of retaliation. As a consequence, legal entities in the private and public sector should establish appropriate internal procedures for receiving and following up on reports. Such encouragement also concerns cases where such channels were established without it being required by Union or national law. This principle should help foster a culture of good communication and corporate social responsibility in organisations, whereby reporting persons are considered to significantly contribute to self-correction and excellence within the organisation.

(48)

For legal entities in the private sector, the obligation to establish internal reporting channels should be commensurate with their size and the level of risk their activities pose to the public interest. All enterprises having 50 or more workers should be subject to the obligation to establish internal reporting channels, irrespective of the nature of their activities, based on their obligation to collect VAT. Following an appropriate risk assessment, Member States could also require other enterprises to establish internal reporting channels in specific cases, for instance due to the significant risks that may result from their activities.

(49)

This Directive should be without prejudice to Member States being able to encourage legal entities in the private sector with fewer than 50 workers to establish internal channels for reporting and follow-up, including by laying down less prescriptive requirements for those channels than those laid down under this Directive, provided that those requirements guarantee confidentiality and diligent follow-up.

(50)

The exemption of small and micro enterprises from the obligation to establish internal reporting channels should not apply to private enterprises which are obliged to establish internal reporting channels by virtue of Union acts referred to in Parts I.B and II of the Annex.

(51)

It should be clear that, in the case of legal entities in the private sector that do not provide for internal reporting channels, reporting persons should be able to report externally to the competent authorities and such persons should enjoy the protection against retaliation provided by this Directive.

(52)

In order to ensure, in particular, that the public procurement rules in the public sector are respected, the obligation to put in place internal reporting channels should apply to all contracting authorities and contracting entities, at local, regional and national level, whilst being commensurate with their size.

(53)

Provided the confidentiality of the identity of the reporting person is ensured, it is up to each individual legal entity in the private and public sector to define the kind of reporting channels to establish. More specifically, the reporting channels should enable persons to report in writing and submit reports by post, by physical complaint box(es), or through an online platform, whether it be on an intranet or internet platform, or to report orally, by telephone hotline or other voice messaging system, or both. Upon request by the reporting person, such channels should also enable reporting by means of physical meetings, within a reasonable timeframe.

(54)

Third parties could also be authorised to receive reports of breaches on behalf of legal entities in the private and public sector, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. Such third parties could be external reporting platform providers, external counsel, auditors, trade union representatives or employees' representatives.

(55)

Internal reporting procedures should enable legal entities in the private sector to receive and investigate in full confidentiality reports by the workers of the entity and of its subsidiaries or affiliates (‘the group’), but also, to any extent possible, by any of the group's agents and suppliers and by any persons who acquire information through their work-related activities with the entity and the group.

(56)

The choice of the most appropriate persons or departments within a legal entity in the private sector to be designated as competent to receive and follow up on reports depends on the structure of the entity, but, in any case, their function should be such as to ensure independence and absence of conflict of interest. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.

(57)

In the context of internal reporting, informing, as far as legally possible and in the most comprehensive way possible, the reporting person about the follow-up to the report is crucial for building trust in the effectiveness of the overall system of whistleblower protection and reduces the likelihood of further unnecessary reports or public disclosures. The reporting person should be informed within a reasonable timeframe about the action envisaged or taken as follow-up to the report and the grounds for the choice of that follow-up. Follow-up could include, for instance, referral to other channels or procedures in the case of reports exclusively affecting individual rights of the reporting person, closure of the procedure based on lack of sufficient evidence or other grounds, launch of an internal enquiry and, possibly, its findings and any measures taken to address the issue raised, referral to a competent authority for further investigation, insofar as such information would not prejudice the internal enquiry or the investigation or affect the rights of the person concerned. In all cases, the reporting person should be informed of the investigation's progress and outcome. It should be possible to ask the reporting person to provide further information, during the course of the investigation, albeit without there being an obligation to provide such information.

(58)

A reasonable timeframe for informing a reporting person should not exceed three months. Where the appropriate follow-up is still being determined, the reporting person should be informed about this and about any further feedback to expect.

(59)

Persons who are considering reporting breaches of Union law should be able to make an informed decision on whether, how and when to report. Legal entities in the private and public sector that have internal reporting procedures in place should be required to provide information on those procedures as well as on external reporting procedures to relevant competent authorities. It is essential that such information be clear and easily accessible, including, to any extent possible, also to persons other than workers, who come in contact with the entity through their work-related activities, such as service-providers, distributors, suppliers and business partners. For instance, such information could be posted at a visible location accessible to all such persons and on the website of the entity, and could also be included in courses and training seminars on ethics and integrity.

(60)

Effective detection and prevention of breaches of Union law require ensuring that potential whistleblowers can easily and in full confidentiality bring the information they possess to the attention of the relevant competent authorities that are able to investigate and to remedy the problem, where possible.

(61)

It may be the case that internal channels do not exist or that they were used but did not function properly, for instance because the report was not dealt with diligently or within a reasonable timeframe, or no appropriate action was taken to address the breach despite the results of the related internal enquiry confirming the existence of a breach.

(62)

In other cases, the use of internal channels cannot reasonably be expected to function properly. This is most notably the case where reporting persons have valid reasons to believe that they would suffer retaliation in connection with the reporting, including as a result of a breach of confidentiality, or that competent authorities would be better placed to take effective action to address the breach. Competent authorities would be better placed, for example, where the ultimate responsibility holder within the work-related context is involved in the breach, or there is a risk that the breach or related evidence could be concealed or destroyed; or, more generally, the effectiveness of investigative actions by competent authorities might otherwise be jeopardised, such as in the case of reported cartel arrangements and other breaches of competition rules; or the breach requires urgent action, for instance to safeguard the health and safety of persons or to protect the environment. In all cases, persons reporting externally to the competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union should be protected. This Directive should also grant protection where Union or national law requires the reporting persons to report to the competent national authorities, for instance as part of their job duties and responsibilities or because the breach is a criminal offence.

(63)

Lack of confidence in the effectiveness of reporting is one of the main factors discouraging potential whistleblowers. Accordingly, there is a need to impose a clear obligation on competent authorities to establish appropriate external reporting channels, to diligently follow up on the reports received, and, within a reasonable timeframe, give feedback to reporting persons.

(64)

It should be for the Member States to designate the authorities competent to receive information on breaches falling within the scope of this Directive and give appropriate follow-up to the reports. Such competent authorities could be judicial authorities, regulatory or supervisory bodies competent in the specific areas concerned, or authorities of a more general competence at a central level within a Member State, law enforcement agencies, anticorruption bodies or ombudsmen.

(65)

As recipients of reports, the authorities designated as competent should have the necessary capacities and powers to ensure appropriate follow-up, including assessing the accuracy of the allegations made in the report and addressing the breaches reported by launching an internal enquiry, investigation, prosecution or action for recovery of funds, or other appropriate remedial action, in accordance with their mandate. Alternatively, those authorities should have the necessary powers to refer the report to another authority that should investigate the breach reported, while ensuring that there is appropriate follow-up by such authority. In particular, where Member States wish to establish external reporting channels at a central level, for instance in the area of State aid, Member States should put in place adequate safeguards in order to ensure that the requirements of independence and autonomy laid down in this Directive are respected. The establishment of such external reporting channels should not affect the powers of the Member States or of the Commission concerning supervision in the field of State aid, nor should this Directive affect the exclusive power of the Commission as regards the declaration of compatibility of State aid measures in particular pursuant to Article 107(3) TFEU. With regard to breaches of Articles 101 and 102 TFEU, Member States should designate as competent authorities those referred to in Article 35 of Council Regulation (EC) No 1/2003 (35) without prejudice to the powers of the Commission in this area.

(66)

Competent authorities should also give feedback to the reporting persons about the action envisaged or taken as follow-up, for instance, referral to another authority, closure of the procedure based on lack of sufficient evidence or other grounds, or launch of an investigation, and possibly its findings and any measures taken to address the issue raised, as well as about the grounds for the choice of that follow-up. Communications on the final outcome of the investigations should not affect the applicable Union rules, which include possible restrictions on the publication of decisions in the area of financial regulation. This should apply mutatis mutandis in the field of corporate taxation, if similar restrictions are provided for by the applicable national law.

(67)

Follow-up and feedback should take place within a reasonable timeframe, given the need to promptly address the problem that is the subject of the report, as well as the need to avoid unnecessary public disclosures. Such timeframe should not exceed three months, but could be extended to six months where necessary due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation.

(68)

Union law in specific areas, such as market abuse, namely Regulation (EU) No 596/2014 and Implementing Directive (EU) 2015/2392, civil aviation, namely Regulation (EU) No 376/2014, or safety of offshore oil and gas operations, namely Directive 2013/30/EU, already provides for the establishment of internal and external reporting channels. The obligations to establish such channels laid down in this Directive should build as far as possible on the existing channels provided by specific Union acts.

(69)

The Commission, as well as some bodies, offices and agencies of the Union, such as the European Anti-Fraud Office (OLAF), the European Maritime Safety Agency (EMSA), the European Aviation Safety Agency (EASA), the European Security and Markets Authority (ESMA) and the European Medicines Agency (EMA), have in place external reporting channels and procedures for receiving reports of breaches falling within the scope of this Directive, which mainly provide for confidentiality of the identity of the reporting persons. This Directive should not affect such external reporting channels and procedures, where they exist, but should ensure that persons reporting to institutions, bodies, offices or agencies of the Union benefit from common minimum standards of protection throughout the Union.

(70)

To ensure the effectiveness of the procedures for following up on reports and addressing breaches of the Union rules concerned, Member States should be able to take measures to alleviate burdens for competent authorities resulting from reports of minor breaches of provisions falling within the scope of this Directive, repetitive reports or reports of breaches of ancillary provisions, for instance provisions on documentation or notification obligations. Such measures could consist in allowing competent authorities, after due assessment of the matter, to decide that a reported breach is clearly minor and does not require further follow-up pursuant to this Directive, other than closure of the procedure. It should also be possible for Member States to allow competent authorities to close the procedure regarding repetitive reports which do not contain any meaningful new information adding to a past report in respect of which the relevant procedures were concluded, unless new legal or factual circumstances justify a different form of follow-up. Furthermore, Member States should be able to allow competent authorities to prioritise the treatment of reports of serious breaches or breaches of essential provisions falling within the scope of this Directive in the event of high inflows of reports.

(71)

Where provided for under Union or national law, the competent authorities should refer cases or relevant information on breaches to institutions, bodies, offices or agencies of the Union, including, for the purposes of this Directive, OLAF and the European Public Prosecutor Office (EPPO), without prejudice to the possibility for the reporting person to refer directly to such bodies, offices or agencies of the Union.

(72)

In many policy areas falling within the material scope of this Directive, there are cooperation mechanisms through which national competent authorities exchange information and carry out follow-up activities in relation to breaches of Union rules with a cross-border dimension. Examples range from the Administrative Assistance and Cooperation System established by Commission Implementing Decision (EU) 2015/1918 (36), in cases of cross-border breaches of the Union agri-food chain legislation, and the Food Fraud Network under Regulation (EC) No 882/2004 of the European Parliament and of the Council (37), the rapid alert system for dangerous non-food products established by Regulation (EC) No 178/2002 of the European Parliament and of the Council (38), the Consumer Protection Cooperation Network under Regulation (EC) No 2006/2004 of the European Parliament and of the Council (39), to the Environmental Compliance and Governance Forum set up by the Commission Decision of 18 January 2018 (40), the European Competition Network established pursuant to Regulation (EC) No 1/2003, and the administrative cooperation in the field of taxation under Council Directive 2011/16/EU (41). Member States' competent authorities should make full use of such existing cooperation mechanisms where relevant as part of their obligation to follow up on reports regarding breaches falling within the scope of this Directive. In addition, Member States' authorities could also cooperate beyond the existing cooperation mechanisms in cases of breaches with a cross-border dimension in areas where such cooperation mechanisms do not exist.

(73)

In order to enable effective communication with staff members who are responsible for handling reports, it is necessary that the competent authorities have in place channels that are user-friendly, secure, ensure confidentiality for receiving and handling information provided by the reporting person on breaches, and that enable the durable storage of information to allow for further investigations. This could require that such channels are separated from the general channels through which the competent authorities communicate with the public, such as normal public complaints systems or channels through which the competent authority communicates internally and with third parties in its ordinary course of business.

(74)

Staff members of the competent authorities who are responsible for handling reports should be professionally trained, including on applicable data protection rules, in order to handle reports and to ensure communication with the reporting person, as well as to follow up on the report in a suitable manner.

(75)

Persons intending to report should be able to make an informed decision on whether, how and when to report. Competent authorities should therefore provide clear and easily accessible information about the available reporting channels with competent authorities, about the applicable procedures and about the staff members responsible for handling reports within those authorities. All information regarding reports should be transparent, easily understandable and reliable in order to promote and not deter reporting.

(76)

Member States should ensure that competent authorities have in place adequate protection procedures for the processing of reports and for the protection of the personal data of the persons referred to in the report. Such procedures should ensure that the identity of every reporting person, person concerned, and third persons referred to in the report, for example witnesses or colleagues, is protected at all stages of the procedure.

(77)

It is necessary that staff members of the competent authority who are responsible for handling reports and staff members of the competent authority who have the right of access to the information provided by a reporting person comply with the duty of professional secrecy and confidentiality when transmitting the data both inside and outside the competent authority, including where a competent authority opens an investigation or an internal enquiry or engages in enforcement activities in connection with the report.

(78)

The regular review of the procedures of competent authorities and the exchange of good practices between them should guarantee that those procedures are adequate and thus serving their purpose.

(79)

Persons making a public disclosure should qualify for protection in cases where, despite internal and external reporting, the breach remains unaddressed, for instance in cases where the breach was not appropriately assessed or investigated, or no appropriate remedial action was taken. The appropriateness of the follow-up should be assessed according to objective criteria, linked to the obligation of the competent authorities to assess the accuracy of the allegations and to put an end to any possible breach of Union law. The appropriateness of the follow-up will thus depend on the circumstances of each case and of the nature of the rules that have been breached. In particular, a decision by the authorities that a breach was clearly minor and no further follow-up, other than closure of the procedure, was required could constitute appropriate follow-up pursuant to this Directive.

(80)

Persons making a public disclosure directly should also qualify for protection in cases where they have reasonable grounds to believe that there is an imminent or manifest danger to the public interest, or a risk of irreversible damage, including harm to a person's physical integrity.

(81)

Persons making a public disclosure directly should also qualify for protection where they have reasonable grounds to believe that in the case of external reporting there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence could be concealed or destroyed or where an authority could be in collusion with the perpetrator of the breach or involved in the breach.

(82)

Safeguarding the confidentiality of the identity of the reporting person during the reporting process and investigations triggered by the report is an essential ex-ante measure to prevent retaliation. It should only be possible to disclose the identity of the reporting person where that is a necessary and proportionate obligation under Union or national law in the context of investigations by authorities or judicial proceedings, in particular to safeguard the rights of defence of persons concerned. Such an obligation could derive, in particular, from Directive 2012/13/EU of the European Parliament and of the Council (42). The protection of confidentiality should not apply where the reporting person has intentionally revealed his or her identity in the context of a public disclosure.

(83)

Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, should be undertaken in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (43) and with Directive (EU) 2016/680 of the European Parliament and of the Council (44). Any exchange or transmission of information by Union institutions, bodies, offices or agencies should be undertaken in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council (45). Particular regard should be had to the principles relating to processing of personal data set out in Article 5 of Regulation (EU) 2016/679, Article 4 of Directive (EU) 2016/680 and Article 4 of Regulation (EU) 2018/1725, and to the principle of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679, Article 20 of Directive (EU) 2016/680 and Articles 27 and 85 of Regulation (EU) 2018/1725.

(84)

The procedures provided for in this Directive and related to follow-up on reports of breaches of Union law in the areas falling within its scope serve an important objective of general public interest of the Union and of the Member States, within the meaning of point (e) of Article 23(1) of Regulation (EU) 2016/679, as they aim to enhance the enforcement of Union law and policies in specific areas where breaches can cause serious harm to the public interest. The effective protection of the confidentiality of the identity of reporting persons is necessary for the protection of the rights and freedoms of others, in particular those of the reporting persons, provided for under point (i) of Article 23(1) of Regulation (EU) 2016/679. Member States should ensure that this Directive is effective, including, where necessary, by restricting, by legislative measures, the exercise of certain data protection rights of persons concerned in line with points (e) and (i) of Article 23(1) and Article 23(2) of Regulation (EU) 2016/679 to the extent, and as long as, necessary to prevent and address attempts to hinder reporting or to impede, frustrate or slow down follow-up, in particular investigations, or attempts to find out the identity of the reporting persons.

(85)

The effective protection of the confidentiality of the identity of reporting persons is equally necessary for the protection of the rights and freedoms of others, in particular those of the reporting persons, where reports are handled by authorities as defined in point (7) of Article 3 of Directive (EU) 2016/680. Member States should ensure that this Directive is effective, including, where necessary, by restricting, by legislative measures, the exercise of certain data protection rights of persons concerned in line with points (a) and (e) of Article 13(3), points (a) and (e) of Article 15(1), points (a) and (e) of Article 16(4) and Article 31(5) of Directive (EU) 2016/680 to the extent, and as long as, necessary to prevent and address attempts to hinder reporting or to impede, frustrate or slow down follow-up, in particular investigations, or attempts to find out the identity of the reporting persons.

(86)

Member States should ensure that there is adequate record-keeping as regards all reports of breaches, that every report is retrievable and that information received through reports can be used as evidence in enforcement actions where appropriate.

(87)

Reporting persons should be protected against any form of retaliation, whether direct or indirect, taken, encouraged or tolerated by their employer or customer or recipient of services and by persons working for or acting on behalf of the latter, including colleagues and managers in the same organisation or in other organisations with which the reporting person is in contact in the context of his or her work-related activities

(88)

Where retaliation occurs undeterred and unpunished, it has a chilling effect on potential whistleblowers. A clear legal prohibition of retaliation would have an important dissuasive effect, and would be further strengthened by provisions for personal liability and penalties for the perpetrators of retaliation.

(89)

Potential whistleblowers who are not sure about how to report or whether they will be protected in the end may be discouraged from reporting. Member States should ensure that relevant and accurate information in that regard is provided in a way that is clear and easily accessible to the general public. Individual, impartial and confidential advice, free of charge, should be available on, for example, whether the information in question is covered by the applicable rules on whistleblower protection, which reporting channel might best be used and which alternative procedures are available in the event that the information is not covered by the applicable rules, so-called ‘signposting’. Access to such advice can help to ensure that reports are made through the appropriate channels, in a responsible manner, and that breaches are detected in a timely manner or even prevented. Such advice and information could be provided by an information centre or a single and independent administrative authority. Member States could choose to extend such advice to legal counselling. Where such advice is given to reporting persons by civil society organisations which are bound by a duty of maintaining the confidential nature of the information received, Member States should ensure that such organisations do not suffer retaliation, for instance in the form of economic prejudice through a restriction on their access to funding or blacklisting that could impede the proper functioning of the organisation.

(90)

Competent authorities should provide reporting persons with the support necessary for them to access protection effectively. In particular, they should provide proof or other documentation required to confirm to other authorities or courts that external reporting has taken place. Under certain national frameworks and in certain cases, reporting persons may benefit from forms of certification of the fact that they meet the conditions of the applicable rules. Notwithstanding such possibilities, they should have effective access to judicial review, whereby it is for the courts to decide, based on all the individual circumstances of the case, whether they meet the conditions of the applicable rules.

(91)

It should not be possible to rely on individuals' legal or contractual obligations, such as loyalty clauses in contracts or confidentiality or non-disclosure agreements, so as to preclude reporting, to deny protection or to penalise reporting persons for having reported information on breaches or made a public disclosure where providing the information falling within the scope of such clauses and agreements is necessary for revealing the breach. Where those conditions are met, reporting persons should not incur any kind of liability, be it civil, criminal, administrative or employment-related. It is appropriate that there be protection from liability for the reporting or public disclosure under this Directive of information in respect of which the reporting person had reasonable grounds to believe that reporting or public disclosure was necessary to reveal a breach pursuant to this Directive. Such protection should not extend to superfluous information that the person revealed without having such reasonable grounds.

(92)

Where reporting persons lawfully acquire or obtain access to the information on breaches reported or the documents containing that information, they should enjoy immunity from liability. This should apply both in cases where reporting persons reveal the content of documents to which they have lawful access as well as in cases where they make copies of such documents or remove them from the premises of the organisation where they are employed, in breach of contractual or other clauses stipulating that the relevant documents are the property of the organisation. The reporting persons should also enjoy immunity from liability in cases where the acquisition of or access to the relevant information or documents raises an issue of civil, administrative or labour-related liability. Examples would be cases where the reporting persons acquired the information by accessing the emails of a co-worker or files which they normally do not use within the scope of their work, by taking pictures of the premises of the organisation or by accessing locations they do not usually have access to. Where the reporting persons acquired or obtained access to the relevant information or documents by committing a criminal offence, such as physical trespassing or hacking, their criminal liability should remain governed by the applicable national law, without prejudice to the protection granted under Article 21(7) of this Directive. Similarly, any other possible liability of the reporting persons arising from acts or omissions which are unrelated to the reporting or are not necessary for revealing a breach pursuant to this Directive should remain governed by the applicable Union or national law. In those cases, it should be for the national courts to assess the liability of the reporting persons in the light of all relevant factual information and taking into account the individual circumstances of the case, including the necessity and proportionality of the act or omission in relation to the report or public disclosure.

(93)

Retaliation is likely to be presented as being justified on grounds other than the reporting and it can be very difficult for reporting persons to prove the link between the reporting and the retaliation, whilst the perpetrators of retaliation may have greater power and resources to document the action taken and the reasoning. Therefore, once the reporting person demonstrates prima facie that he or she reported breaches or made a public disclosure in accordance with this Directive and suffered a detriment, the burden of proof should shift to the person who took the detrimental action, who should then be required to demonstrate that the action taken was not linked in any way to the reporting or the public disclosure.

(94)

Beyond an explicit prohibition of retaliation provided in law, it is crucial that reporting persons who do suffer retaliation have access to legal remedies and compensation. The appropriate remedy in each case should be determined by the kind of retaliation suffered, and the damage caused in such cases should be compensated in full in accordance with national law. The appropriate remedy could take the form of actions for reinstatement, for instance, in the event of dismissal, transfer or demotion, or of withholding of training or promotion, or for restoration of a cancelled permit, licence or contract; compensation for actual and future financial losses, for example for lost past wages, but also for future loss of income, costs linked to a change of occupation; and compensation for other economic damage, such as legal expenses and costs of medical treatment, and for intangible damage such as pain and suffering.

(95)

While the types of legal action may vary between legal systems, they should ensure that compensation or reparation is real and effective, in a way which is proportionate to the detriment suffered and is dissuasive. Of relevance in this context are the Principles of the European Pillar of Social Rights, in particular Principle 7 according to which ‘Prior to any dismissal, workers have the right to be informed of the reasons and be granted a reasonable period of notice. They have the right to access to effective and impartial dispute resolution and, in case of unjustified dismissal, a right to redress, including adequate compensation.’. The remedies established at national level should not discourage potential future whistleblowers. For instance, providing for compensation as an alternative to reinstatement in the event of dismissal might give rise to a systematic practice, in particular by larger organisations, thus having a dissuasive effect on future whistleblowers.

(96)

Of particular importance for reporting persons are interim remedies pending the resolution of legal proceedings that can be protracted. Particularly, actions of interim relief, as provided for under national law, should also be available to reporting persons in order to stop threats, attempts or continuing acts of retaliation, such as harassment or to prevent forms of retaliation, such as dismissal, which might be difficult to reverse after the lapse of lengthy periods and which can ruin the individual financially, a perspective which can seriously discourage potential whistleblowers.

(97)

Action taken against reporting persons outside the work-related context, through proceedings, for instance, related to defamation, breach of copyright, trade secrets, confidentiality and personal data protection, can also pose a serious deterrent to whistleblowing. In such proceedings, reporting persons should be able to rely on having reported breaches or made a public disclosure in accordance with this Directive as a defence, provided that the information reported or publicly disclosed was necessary to reveal the breach. In such cases, the person initiating the proceedings should carry the burden of proving that the reporting person does not meet the conditions laid down by this Directive.

(98)

Directive (EU) 2016/943 of the European Parliament and of the Council (46) lays down rules to ensure a sufficient and consistent level of civil redress in the event of unlawful acquisition, use or disclosure of a trade secret. However, it also provides that the acquisition, use or disclosure of a trade secret is to be considered lawful to the extent that it is allowed by Union law. Persons who disclose trade secrets acquired in a work-related context should only benefit from the protection granted by this Directive, including in terms of not incurring civil liability, provided that they meet the conditions laid down by this Directive, including that the disclosure was necessary to reveal a breach falling within the material scope of this Directive. Where those conditions are met, disclosures of trade secrets are to be considered allowed by Union law within the meaning of Article 3(2) of Directive (EU) 2016/943. Moreover, both Directives should be considered as being complementary and the civil redress measures, procedures and remedies as well as exemptions provided for in Directive (EU) 2016/943 should remain applicable for all disclosures of trade secrets falling outside the scope of this Directive. Competent authorities that receive information on breaches that includes trade secrets should ensure that they are not used or disclosed for purposes going beyond what is necessary for proper follow-up of the reports.

(99)

A significant cost for reporting persons contesting retaliation measures taken against them in legal proceedings can be the relevant legal fees. Although they could recover such fees at the end of the proceedings, they might not be able to pay those fees if charged at the outset of proceedings, especially if they are unemployed and blacklisted. Assistance for criminal legal proceedings, particularly where the reporting persons meet the conditions of Directive (EU) 2016/1919 of the European Parliament and of the Council (47), and, more generally, support to those who are in serious financial need might be key, in certain cases, for the effective enforcement of their rights to protection.

(100)

The rights of the person concerned should be protected in order to avoid reputational damage or other negative consequences. Furthermore, the rights of defence and access to remedies of the person concerned should be fully respected at every stage of the procedure following the report, in accordance with Articles 47 and 48 of the Charter. Member States should protect the confidentiality of the identity of the person concerned and ensure the rights of defence including the right of access to the file, the right to be heard and the right to seek effective remedy against a decision concerning the person concerned under the applicable procedures set out in national law in the context of investigations or subsequent judicial proceedings.

(101)

Any person who suffers prejudice, whether directly or indirectly, as a consequence of the reporting or public disclosure of inaccurate or misleading information should retain the protection and the remedies available to him or her under the rules of general national law. Where such inaccurate or misleading information was reported or publicly disclosed deliberately and knowingly, the persons concerned should be entitled to compensation in accordance with national law.

(102)

Criminal, civil or administrative penalties are necessary to ensure the effectiveness of the rules on whistleblower protection. Penalties against those who take retaliatory or other adverse actions against reporting persons can discourage further such actions. Penalties against persons who report or publicly disclose information on breaches which is demonstrated to be knowingly false are also necessary to deter further malicious reporting and preserve the credibility of the system. The proportionality of such penalties should ensure that they do not have a dissuasive effect on potential whistleblowers.

(103)

Any decision taken by authorities adversely affecting the rights granted by this Directive, in particular decisions by which competent authorities decide to close the procedure regarding a reported breach on account of it being clearly minor or on account of the report being repetitive, or decide that a particular report does not deserve priority treatment, is subject to judicial review in accordance with Article 47 of the Charter.

(104)

This Directive introduces minimum standards and it should be possible for Member States to introduce or maintain provisions which are more favourable to the reporting person, provided that such provisions do not interfere with the measures for the protection of persons concerned. The transposition of this Directive should, under no circumstances, provide grounds for reducing the level of protection already granted to reporting persons under national law in the areas to which it applies.

(105)

In accordance with Article 26(2) TFEU, the internal market needs to comprise an area without internal frontiers in which the free movement of goods and services is ensured. The internal market should provide Union citizens with added value in the form of better quality and safety of goods and services, ensuring high standards of public health and environmental protection as well as free movement of personal data. Thus, Article 114 TFEU is the appropriate legal basis to adopt the measures necessary for the establishment and functioning of the internal market. In addition to Article 114 TFEU, this Directive should have additional specific legal bases in order to cover the fields that rely on Article 16, Article 43(2), Article 50, Article 53(1), Articles 91 and 100, Article 168(4), Article 169, Article 192(1) and Article 325(4) TFEU and Article 31 of the Euratom Treaty for the adoption of Union measures.

(106)

The material scope of this Directive is based on the identification of areas where the introduction of whistleblower protection appears justified and necessary on the basis of currently available evidence. Such material scope could be extended to further areas or Union acts, if that proves necessary as a means of strengthening their enforcement in the light of evidence that may come to the fore in the future, or on the basis of the evaluation of the way in which this Directive has functioned.

(107)

Where future legislative acts relevant to the policy areas covered by this Directive are adopted, they should specify, where appropriate, that this Directive applies. Where necessary, the material scope of this Directive should be adapted and the Annex should be amended accordingly.

(108)

Since the objective of this Directive, namely to strengthen enforcement in certain policy areas and as regards acts where breaches of Union law can cause serious harm to the public interest, through effective whistleblower protection, cannot be sufficiently achieved by the Member States acting alone or in an uncoordinated manner, but can rather be better achieved at Union level by laying down common minimum standards for whistleblower protection, and given that only Union action can provide coherence and align the existing Union rules on whistleblower protection, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(109)

This Directive respects fundamental rights and the principles recognised in particular by the Charter, in particular Article 11 thereof. Accordingly, it is essential that this Directive be implemented in accordance with those rights and principles by ensuring full respect for, inter alia, freedom of expression and information, the right to protection of personal data, the freedom to conduct a business, the right to a high level of consumer protection, the right to a high level of human health protection, the right to a high level of environmental protection, the right to good administration, the right to an effective remedy and the rights of defence.

(110)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001,