Greece passes long-awaited Law on the protection of whistleblowers

Law 4990/2022 transposed into Greek law EU Directive 2019/1937 on the protection of persons who report breaches of EU law.

Law 4990/2022 introduces provisions for the protection of whistleblowers who report breaches of EU law, an obligation to appoint an Officer responsible to receive and manage reports, and an obligation to implement appropriate technical and organisational measures to ensure confidentiality; importantly, criminal sanctions and monetary fines are provided for non-compliance with provisions of Law 4990/2022.

1. Private companies that are affected

Law 4990/2022 (the “Law”) primarily affects companies with 50 or more employees, also companies operating in financial sector services, products and markets, transport sector and environment sector regardless of the number of employees; such companies are obliged to put in place appropriate internal reporting channels to enable reporting of EU law violations, protect the confidentiality of the whistleblowers’ identity and ensure that whistleblowers are protected against retaliation.

2. What can be reported

Under the Law whistleblowers are granted protection when reporting or disclosing:

1. breaches falling within the scope of EU law that concern the following areas: (i) public procurement; (ii) financial services, products and markets, and prevention of money laundering and terrorist financing; (iii) product safety and compliance; (iv) transport safety; (v) protection of the environment; (vi) radiation protection and nuclear safety; (vii) food and feed safety, animal health and welfare; (viii) public health; (ix) consumer protection; and (x) protection of privacy and personal data, and security of network and information systems can be reported;
2. breaches relating to fraud or any other illegal activities affecting the financial interests of the EU; and
3. breaches relating to the internal market, as referred to in Art. 26 (2) TFEU (free movement of goods, persons, services and capital), including infringements competition law rules, state aid rules and corporate tax rules.

3. Who can be a whistleblower

Reports can be submitted by persons working in the private (or public) sector, who acquired information on or observed violations of EU law in their work-related activities. That said, whistleblowers can be:

• employees (full or part-time, indefinite or fixed term, posted, etc.);
• self-employed persons, consultants and home workers;
• shareholders and persons belonging in the administrative, management or supervisory bodies of the company, including non-executive members, as well as volunteers and paid or unpaid trainees;
• any person working under the supervision and direction of contractors, subcontractors and suppliers.

Furthermore, the Law applies to any person who reports or publicly discloses information on EU law violations, which they acquired in the context of a work-based relationship which has ended (in any way, including retirement) or is yet to begin (e.g., during the recruitment process or other pre-contractual negotiations).

4. Are anonymous reports allowed?

It seems that the Law allows anonymous reports, as it provides that anonymous reporting persons will enjoy protection, if they are identified at a later stage and if retaliation measures would apply. The Law does not specify any particulars as to when or how they shall be identified, and in its current form it does not provide any other clarifications as to anonymous reporting.

5. Obligations for private sector companies

• Private sector companies within scope must establish an internal reporting channel ensuring the confidentiality of the identity of whistleblowers by appointing an Officer for Receipt and Follow Up on Reports (the “Officer”). In particular, companies with 50 or more employees (under any kind of employment relationship, except trainees), must appoint an Officer. Companies operating in financial sector services, products and markets, transport sector and environmental sector must appoint an Officer irrespective of the number of their employees.
• The Officer can be either an employee of the company or a third party; the Law sets outs their specific competencies and responsibilities.
• Internal reporting must be available in writing or verbally, or through an electronic platform, which should be accessible to persons with disabilities as well. Verbal reporting is possible by telephone or through other voice messaging systems, and, upon request by the whistleblower, by means of a physical meeting within a reasonable timeframe. 
• Companies must ensure the confidentiality of the personal data and any information that may lead to the identification of the whistleblower, the person concerned, and any third party mentioned in such report, by implementing appropriate technical and organisational measures, such pseudonymisation measures, during both report follow-ups and communication with the competent authorities. Generally, any processing activity in the context of the internal reporting channel, must be in compliance with General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Law 4624/2019, which supplements the GDPR in the Greek legal framework. In this regard, the Law sets out certain exemptions regarding transparency obligations, responding to data subject requests and notifying breach incidents.
• Companies must maintain a record for each report; specific provisions regulate how reports made verbally (e.g., by telephone or physical meeting) can be recorded.

6. Protection offered to whistleblowers

The Law prohibits any form of retaliation against whistleblowers, including threats of retaliation and attempts of retaliation including, indicatively, in the form of suspension, dismissal, demotion or withholding of promotion, change of location of place of work, reduction in wages, change in working hours, withholding of training, discrimination, disadvantageous or unfair treatment, failure to renew, or early termination of, a temporary employment contract, etc. Moreover, whistleblowers who do suffer retaliation may be entitled to compensation. Also, any termination of employment in the form of retaliation is invalid. Last but not least, whistleblowers are entitled to free legal advice and respresentation from lawyers included a relevant legal aid catalogue.

7. Sanctions

The Law provides for both criminal sanctions and monetary fines for persons who (a) obstruct or attempt to obstruct reporting, (b) retaliate or bring vexatious proceedings against reporting persons, and (c) infringe the obligation to maintain the confidentiality of the identity of whistleblowers, persons concerned and any other person mentioned in a report.

On the other hand, the Law includes criminal sanctions and monetary fines for whistleblowers who knowingly report or publicly disclose false information.

If any of the abovementioned infringements has been committed to the benefit or on the behalf of a company, that may lead to the imposition of a fine in the range of 10,000 – 500,000 euros against the said company.

The breach of the obligation to designate an Officer may lead to the imposition of a fine by the Labour Inspectorate or other competent supervisory authority. 

8. Deadline for appointment of an Officer

• Companies with 50 to 249 employees must appoint an Officer until 17 December 2023 and notify the Labour Inspectorate or the competent supervisory authority within 2 months as of the appointment.
• Companies with more than 249 employees must appoint an Officer latest by 11 May 2023, and notify the Labour Inspectorate or the competent supervisory authority within 2 months as of the appointment.

9. How to comply (in a nutshell)

Private sector companies with more than 50 employees or which operate in financial sector services, products and markets, transport sector and environmental sector must:

1. appoint an Officer who will receive and manage the reports (internal reporting channel);
2. ensure compliance of whistleblowing procedures with data protection and privacy laws, e.g., carry out a data protection impact assessment (DPIA);
3. draft and implement a whistleblowing policy; and
4. inform employees and other concerned persons about the existence of a whistleblowing scheme and processing of personal data in this context.