Reports of breaches are submitted by the whistleblower through internal or external reporting channels (managed by competent authorities), or through public disclosure. It should be noted that the whistleblower may only use external reporting channels when:
There is no internal reporting channel;
The internal reporting channel only accepts the submission of reports by employees, and the whistleblower is not;
You have reasonable grounds to believe that the breach cannot be effectively known or resolved internally, or that there is a risk of retaliation;
Has initially lodged an internal report without having been notified of the measures envisaged or taken within a maximum period of three months from the date of receipt of the report.
The infraction constitutes a crime or misdemeanor punishable by a fine of up to €50,000.00.
However, all legal persons, including the State and other legal persons under public law, employing 50 or more employees are required to establish internal reporting channels. This obligation also applies to all legal persons active in the fields of financial services, products and markets and the prevention of money laundering and terrorist financing.
This obligation must be fulfilled by June 18, 2022, the date on which Law 93/2021 comes into force, failing which a number of administrative offenses may be committed (see points 9 and 10 of this article).
Local authorities which, despite employing 50 or more workers, have less than 10,0000 inhabitants been excluded from this obligation, and it should be noted that, as regards obliged entities which are not governed by public law and which employ between 50 and 249 workers, they may share resources as regards the receipt of reports and their follow-up.
Purpose of The Report Channels
Allow secure submission and tracking of reports to ensure completeness, integrity and preservation of the report, confidentiality of the identity or anonymity of the reports and confidentiality of the identity of third parties mentioned in the reports, and to prevent access by unauthorized persons.
Independence, impartiality, confidentiality, data protection, secrecy, and absence of conflicts of interest must be guaranteed in the performance of duties.
Who Can Report
Employees in the private, social or public sector.
Service providers, contractors, subcontractors and suppliers, as well as any persons acting under their supervision and direction.
Shareholders and persons belonging to administrative or management bodies or supervisory bodies of legal entities, including non-executive members.
Volunteers and interns paid or unpaid.
Important note: the fact that the information was obtained during a professional relationship that has ended, as well as during the recruitment process or during another pre-contractual negotiation phase of an existing or unformed professional relationship, does not preclude reporting or public disclosure of an infringement.
Subject and Conten of the Report
The report or public disclosure may concern breaches committed, in the process of being committed or which can be reasonably foreseen, as well as attempts to conceal such violations, namely in the scope of.
Financial services, products and markets and prevention of money laundering and financing of terrorism.
Security and conformity of products.
Radiation protection and nuclear safety.
Food and feed safety, animal health, and animal welfare.
Privacy and personal data protection and network and information systems security.
Violent crime, especially violent and highly organized crime.
Thus, this type of report is not foreseen for harassment situations, as there are already proper and legally required channels for this purpose.
Form and Admissibility of Internal Reporting
Written and/or verbal reports are admitted, with the identification of the whistleblower or in anonymity. Verbal report implies its presentation by telephone or other voice message systems and, at the request of the whistleblower, in a face-to-face meeting. It may also be submitted by means of electronic authentication with a citizen card or through the digital mobile key.
Procedures to be Adopted in Case of Report Reception
Notify the whistleblower within seven days of report reception, informing him/her in a clear and accessible manner, of the requirements, competent authorities and form and admissibility of the external report.
Carry out the appropriate internal acts to verify the allegations contained therein (establishing credibility, gathering evidence and making inquiries) and, where appropriate, terminating the reported breaches, including by opening an internal investigation or communicating to the competent authority to investigate the breaches (such as the Public Prosecutor’s Office, criminal police body, among others)
Communicate to the whistleblower the measures envisaged or adopted to follow up on the report and the respective grounds, within a maximum period of three days from the date of receipt of the report.
Communicate the results and determination of the consequences: there must be complete documentation of the results obtained, grounds and conclusions drawn.
We emphasize that there must be a worker/employee (who in this case is a third party to the situation reported) responsible for handling reports, having received appropriate training for this purpose.
Provisions Applicable to Internal and External Reports
Confidentiality and restricted access to data: regarding the identity of the whistleblower, as well as all information from which it is possible to deduce the identity. It should be noted that the identity of the whistleblower may only be disclosed during a legal obligation or a court order.
Processing of personal data: in compliance with the provisions of the General Data Protection Regulation, particularly regarding the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences or the enforcement of criminal sanctions, except that personal data that is clearly not relevant to the processing of the report shall not be stored and shall be deleted immediately.
Keeping reports: keeping a record of reports received and retaining them for at least five years and, irrespective of that period, while judicial or administrative proceedings relating to the report are pending.
Whistleblower Protection Measures
Prohibition of retaliation against the whistleblower: any act or omission that directly or indirectly, occurring in a professional context and motivated by an internal or external whistleblower or public disclosure, causes or may cause the whistleblower, unjustifiably, material or non-material damage.
Important Note: the following acts, when practiced up to two years after the report or public disclosure, are presumed to be motivated by a report, until proven otherwise
a) Changes in working conditions, such as duties, hours, place of work or remuneration, non-promotion of the employee or breach of work duties;
b) Suspension of employment contract;
c) Negative performance evaluation or negative reference for employment purposes;
d) Failure to convert a fixed-term employment contract into an indefinite-term contract, whenever the employee had legitimate expectations of such conversion;
e) Non-renewal of a fixed-term employment contract;
g) Inclusion on a list, based on an industry-wide agreement, which may lead to the whistleblower not being able to find employment in the sector or industry in question in the future;
h) Termination of a supply or service contract;
i) Revocation of an administrative act or termination of an administrative contract, as defined under the terms of the Administrative Procedure Code.
The disciplinary sanction applied to the whistleblower up to two years after the whistleblowing or public disclosure is presumed to be abusive.
Recall that the Labor Code, following Law No. 73/2017 of August 16, enshrined, in paragraph 6 of its Article 29, the prohibition of disciplinary sanctions against the employee reporting harassment, or the witnesses he or she has called, based on statements or facts contained in the records of judicial or administrative proceedings motivated by the report, before the respective final decision.
On the other hand, it is common understanding in case-law that when the employee makes a report he is not violating his duty of loyalty to his employer. However, once the report has been made, it is up to the employee to prove the veracity of the facts reported, failing which he will be in breach of his duties of loyalty, respect and protection of the employer’s good name.
Legal Protection: you may benefit from witness protection measures in criminal proceedings;
Guarantees of access to the courts to defend legally protected rights and interests;
Non-application of disciplinary, civil, misdemeanor or criminal liability in cases of report or public disclosure of infractions made in accordance with the requirements imposed by law.
Penalties and Fines Forseen
It is a very serious administrative infraction, punishable with fines of between 1.000,00€ and 25.000,00€ or 10.000,00€ to 250.000,00€ depending on whether the agent is a natural or legal person.
Impeding the lodging or follow-up of a report.
Engaging in retaliatory acts.
Failure to comply with the duty of confidentiality.
Communicating or publicly disclosing false information.
It is a serious administrative offence, punishable with fines from €500.00 to 12.500,00€ or from 1.000,00€ to 125.000,00€, depending on whether the offender is an individual or a company.
Not having an internal whistleblowing channel.
Having an internal reporting channel without guarantees of completeness, integrity or preservation of reports or confidentiality of the identity or anonymity of advertisers or the identity of third parties mentioned in the report, or without rules to prevent access by unauthorized persons.
Receiving or following up on a report in violation of the requirements of independence, impartiality and absence of conflicts of interest.
Having an internal whistleblowing channel that does not guarantee the possibility of whistleblowing to all employees, does not guarantee the possibility of submitting a report with the identification of the whistleblower or anonymously, or does not guarantee the submission of the report in writing, orally, or both.
Refuse to meet face-to-face with the whistleblower in case of admissibility of verbal whistleblowing.
Failure to notify the whistleblower of receipt of the report or of the requirements for filing an external report within seven days.
Failure to communicate or incomplete or inaccurate communication to the whistleblower of the procedures for submitting external report to the competent authorities.
Failure to inform the whistleblower of the outcome of the review of the report, if the whistleblower has requested it.
Not having an external whistleblowing channel.
Having an external whistleblowing channel that is not independent and autonomous, or that does not ensure the completeness, integrity, confidentiality or preservation of the report, or that does not prevent access to unauthorized persons.
Does not designate employees responsible for handling reports.
Failing to provide training to the employees responsible for handling beaches.
Not reviewing, every three years, the procedures for receiving and following up on beaches in order to verify whether corrections are needed or improvements can be made.
Not having an external reporting channel that allows, simultaneously, the submission of denunciations in writing, verbally, with identification of the whistleblower or anonymously.
Refuse a face-to-face meeting with the whistleblower.
Fail to publish the elements referred to in points a) to h) of article 16 in a separate, easily identifiable and accessible section of the respective websites.
Fail to register or retain the breaches report for at least five years or during the pendency of judicial or administrative proceedings relevant to the reports received.
Record report through the means in Article 20(3) and (5) without the whistleblower’s consent.
Not allow the whistleblower to view, rectify or approve the transcript or minutes of the communication or meeting.