Bozhikov & Vatev Law Firm

Bozhikov Vatev law firm Sofia


of 23 October 2019

on the protection of persons who report breaches of Union law

Executive Summary

  1. Introduction

Currently, there is a large discrepancy between the whistleblower protections each Member State provides. On 23.10.2019, the European Parliament and the Council of the European Union published a directive for the protection of whistleblowers within the Member States, with the aim of breaching the gap. It sets out common minimum standards and requires the states to adopt laws that offer protection, as outlined in the Directive, within their respective national laws.

  1. Implementation Deadline

The deadline set for the transposition of the Directive into national law was 17.12.2021.

As of the date of writing this article, the Republic of Bulgaria has not adopted a law in compliance with the requirements of the Directive. The legislative process has started, however, and on October 18th 2021 the procedure for public discussion of the structure of the bill (not the bill itself) and the consultation document on the bill on the Protection of Persons who submit signals or publicly disclose information about violations1. There is no publicly announced bill on the part of the competent state bodies, hence such a bill has not been submitted before the National Assembly.

With regards to legal entities in the private sector with 50 to 249 workers, and the setting up of internal reporting channels, the deadline for transposition of the Directive into national law is 17.12.2023.2 Member States have the discretion to introduce or retain provisions which are more favourable to the rights of whistleblowers than the ones set out the Directive.3

By 17.12.2023, the Commission must submit a report to the European Parliament and the Council on the implementation and application of the Directive.4

According to Article 288 of the Treaty on the Functioning of the European Union (TFEU), if a Member State fails to transpose a directive, the Commission may initiate infringement proceedings and bring proceedings against the state before the Court of Justice of the EU.

  1. Who does the Directive apply to?

The Directive applies to reporting persons working in the private or public sector. These include, as outlined in Article 4, at least:

  • persons having the status of worker, within the meaning of Article 45(1) TFEU, including civil servants;

  • persons having self-employed status, within the meaning of Article 49 TFEU;

  • shareholders, persons belonging to the administrative, management or supervisory body of an undertaking, and non-executive members;

  • volunteers and paid or unpaid trainees;

  • persons working under the supervision and direction of contractors, subcontractors and suppliers

  • reporting persons whose work-based relationship has ended;

  • reporting persons whose work-based relationship is yet to begin;

  • facilitators, who assist the reporting person in the reporting process in a work-related context;5

  • third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context;

  • legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context;

  • reporting persons who reported anonymously but are subsequently identified and suffer retaliation.6

As outlined in Article 6, reporting persons shall qualify for protection provided that:

  • they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting;

  • the information fell within the scope of the Directive;

  • they reported either internally, externally, or made a public disclosure, in accordance with Article 7, 10 or 15.

Protected is the reporting of the following breaches, as outlined in Article 2 of the Directive:

  • breaches in the areas of public procurement; financial services, products and market, prevention of money laundering and terrorist financing; product safety and compliance; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data, and security of network and information systems;

  • breaches affecting the financial interests of the Union;

  • breaches relating to the internal market;

  • breaches of Union competition and State aid rules;

  • breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law;

  • breaches acquired in a work-based relationship which has since ended;7

  • breaches acquired during the recruitment process or other pre-contractual negotiations.8

Member States can extend the protection to areas and acts which are not covered by Article 1. Therefore, it remains interesting to see if there will be any additional protections provided by the Bulgarian law transposing this Directive.

  1. Liability

As per Article 24, Member States must ensure that the rights and remedies provided by the Directive cannot be waived or limited by any agreement, policy, form or condition of employment, including a pre-dispute arbitration agreement.

According to Article 21, persons who have reported breaches or made public disclosures in accordance with the Directive will not be liable for:

  • breaching any restrictions on disclosure of information, provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach pursuant to the Directive;

  • the acquisition of or access to the information that was reported or publicly disclosed, provided that such acquisition or access did not constitute a self-standing criminal offence;

  • defamation, breach of copyright, breach of secrecy, breach of data protection, rules, disclosure of trade secrets, or for compensation claims based on private, public, or on collective labour law, provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach pursuant to the Directive.

  1. Retaliation

Article 5 (11) defines retaliation as ‘any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person’.

Member States must prohibit any form of retaliation against reporting persons, including threats of retaliation and attempts of retaliation in the form of:9

  • suspension, lay-off, dismissal or equivalent measures;

  • demotion or withholding of promotion;

  • transfer of duties, change of location of place of work, reduction of wages, change in working hours;

  • withholding of training;

  • a negative performance assessment or employment reference;

  • imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty;

  • coercion, intimidation, harassment or ostracism;

  • discrimination, disadvantageous or unfair treatment;

  • failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment;

  • failure to renew, or early termination of, a temporary employment contract;

  • harm, including to the person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income;

  • blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;

  • early termination or cancellation of a contract for goods or services;

  • cancellation of a licence or permit;

  • psychiatric or medical referrals.

According to Article 21(5), if a reporting person suffers a detriment, it will be presumed that the detriment was made in retaliation for the report or the public disclosure. The person who has taken the detrimental measure will have to prove that the measure was duly justified.

Reporting persons will have access to remedial measures against retaliation in accordance with national law.10

  1. Reporting channels

  1. Internal channels

As per Article 5 (4), internal reporting covers the oral or written reporting of breaches within a legal entity within the private or public sector. All legal entities in the public sector must establish internal reporting channels. Exempt from establishing internal reporting channels may be:11

  • municipalities with fewer than 10,000 inhabitants;

  • municipalities with fewer than 50 workers;

  • legal entities with fewer than 50 workers.

Member States may require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures if, after an appropriate risk assessment, it has been established that the nature of the entities’ activities pose a risk to the environment and public health12. Member States must notify the Commission if such a decision has been made13. As mentioned above, it would be interesting and indicative to follow the Bulgarian parliament’s reaction to this and see if it decides to expand the scope of the obligated legal entities under national law.

Articles 8 and 9 outline the obligations for establishing internal reporting channels, and their procedures for reporting and follow-up. Pursuant to Article 8, Member States should ensure that:

  • private legal entities with 50 or more workers (with the exception of entities that fall within the scope of Union acts referred to in Parts I.B and II of the Annex of the Directive) establish channels and procedures for internal reporting and follow-up;14

  • public sector legal entities establish channels and procedures for internal reporting and follow-up;15

  • where provided for by national law, the channels are established after consultation and in agreement with the social partners;16

  • the channels enable the persons outlined in Article 4 to report breaches;17

  • reporting channels may be operated internally by a person or department designed for that purpose, or externally by a third party.18

The reporting channels must:19

  • be securely designed, established and operated;

  • ensure the confidentiality of the identity of the reporting persons and any third party mentioned in the report;

  • prevent access by non-authorised staff members to the information;

  • acknowledge the receipt of the report to the reporting person within seven days of its receipt;

  • designate an impartial person or department competent to follow-up on the reports (it could be the same person or department that received the report);

  • maintain communication with the reporting person;

  • ask for further information from and provide feedback to the reporting person when necessary;

  • diligently follow-up;

  • provide feedback within three months from the acknowledgement of receipt of the report;

  • provide feedback within three months from the expiry of the seven-day period after the report was made, if no acknowledgement of receipt was sent to the reporting person;

  • provide clear and easily accessible information about the procedures for external reporting to competent public authorities;

  • enable reporting in writing or orally, or both;

  • if reporting orally, allow for reporting via telephone or other voice messaging systems and;

  • enable physical meetings within a reasonable timeframe, if requested by the reporting person.

Internal reporting channels may be shared between municipalities or operated by joint municipal authorities, provided that they are distinct from and autonomous in relation to the relevant external reporting channels.20

Legal entities in the private sector with 50 to 249 workers may share resources as to the receipt of reports and the carrying out of investigations, as long as confidentiality is maintained, feedback is provided and the reported breaches are addressed.21

Member States should encourage reporting persons to go through the available internal channels, as long as they feel safe doing so, before turning to external channels.22 Appropriate information about the available internal reporting channels and how they operate should be provided.23

  1. External channels

As per Articles 5 (5) and 5 (14), external reporting covers the oral or written reporting of breaches to the competent authorities, where competent authorities are any national authorities designed:

  • to receive reports of breaches and provide feedback to the reporting person;

  • to carry out the duties provided for in the Directive, in particular as regards to follow-up.

Article 5 (12) defines ‘follow-up’ as any action taken by the recipient of a report or any competent authority to:

  • assess the accuracy of the allegations;

  • to address the reported breach through internal enquiries, investigations, prosecutions, actions for recovery of funds, closures of procedures, or other such actions.

Articles 11 and 12 outline the obligations to establishing external reporting channels and to follow-up, as well as to provide the design of said channels. Pursuant to Article 11, Member States should designate competent authorities to receive reports, give feedback and follow up; and must provide them with adequate resources. Member States should also ensure that any report made to an authority that does not have the capacity to address the breach, is transmitted securely to the competent authority within a reasonable time, and the reporting person is informed of the transmission without delay.24

The competent authorities must:

  • establish independent and autonomous external reporting channels, for receiving and handling reports on breaches;25

  • ensure that the channels are designed, established and operated in a manner that ensures completeness, integrity and confidentiality, and prevents access to the information by non-authorised staff members;26

  • ensure that the channels enable the durable storage of information in accordance with Article 18 to allow further investigations to be carried out;27

  • acknowledge the receipt of reports within seven days, unless the reporting person specifically requests otherwise, or the authority reasonably believes that acknowledgement of the receipt will jeopardise the protection of the reporting person’s identity;28

  • diligently follow up on reports;

  • within three months, or sixth months in duly justified cases, provide feedback to the reporting person;

  • in accordance with national law, communicate the final outcome of the investigation to the reporting person;

  • where provided for under Union or national law, transmit in due time for further investigation the information in the report to competent institutions, bodies, offices, or agencies of the Union;

  • enable reporting in writing and orally;29

  • if reporting orally, allow for reporting via telephone or other voice messaging systems or enable physical meetings within a reasonable timeframe, if requested by the reporting person;

  • designate staff members responsible for handling reports, in particular for providing any interested person with information on the reporting procedures, receiving and following up on reports, maintaining contact with the reporting person to provide feedback and request further information if necessary;30

  • ensure that the designated staff members shall receive specific training for the purpose of handling reports;31

  • review their procedures for receiving reports and their follow-up at least once every three years;32

  • ensure that the identity of the reporting persons is protected for as long as the report or public disclosure are under ongoing investigation.33

As per Articles 11(3) and 11(4), Member States may allow competent authorities to decide that a reported breach is minor, does not require further follow-up pursuant to the Directive and the procedure can be closed, as long as the authorities have duly assessed the matter and can clearly show the breach is minor. Competent authorities may also be allowed to close procedures in the cases of repetitive reports which do not provide meaningful new information on breaches. In the above-mentioned cases, the competent authorities must inform the reporting person of their decision and provide their reasoning.

Pursuant to Article 11(5), if there is a high inflow of reports, Member States may allow competent authorities to prioritise reports of serious breaches or breaches of essential provisions falling within the scope of the Directive, without prejudice to the three and six-month timeframe.

Pursuant to Article 12(3), if the report is received through channels other than the external channels provided for in the Directive, or by staff members other than those responsible for handling the reports, then the competent authorities must make sure that the staff members who have received the reports are prohibited from disclosing any information that might identify the reporting person or the person concerned, and that they promptly forward the report without modification to the staff members responsible for handling reports.

As per Article 13, competent authorities must publish on their websites in a separate, easily identifiable and accessible section at least:

  • the conditions for qualifying for protection under this Directive;

  • the contract details for the external reporting channels (the electronic and postal addresses, and the phone numbers for such channels, indicating whether the phone conversations are recorded);

  • the procedures applicable to the reporting of breaches;

  • the time frame for providing feedback and what that feedback could include, as well as the nature of the follow-ups to the reports;

  • the confidentiality regime applicable to the reports;

  • information relation to the processing of personal data;

  • the nature of the follow-up to be given to reports;

  • the remedies and procedures for protection against retaliation;

  • the availability of confidential advice for reporting persons;

  • a statement clearly explaining the conditions under which persons reporting to the competent authority are protected from liability for a breach of confidentiality;

  • contact details of the information centre or of the single independent administrative authority.

  1. Public disclosures

Public disclosure, as defined in Article 5(6), is the action of making the information on breaches publicly available.

Pursuant to Article 15, persons making reports through public disclosures can qualify for protection if:

  • the person first reported internally and externally, or directly externally, but no appropriate action was taken in response to the report within the specified time frame;

  • the person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest;

  • in the case of external reporting, there is a risk of retaliation, or there is a low prospect of the breach being effectively addressed (for example, when evidence can be concealed or destroyed, or where they may be collusion between the authority and the perpetrator).

  1. Supportive measures

Pursuant to Article 20, Member States must provide the following supportive measures to reporting persons:

  • easily accessible to the public and free of charge comprehensive and independent information and advice on the available protections against retaliation, and on the rights of the reporting persons;

  • effective assistance from competent authorities before any relevant authority involved in their protection against retaliation;

  • certification that they qualify for protection under the Directive where provided under national law;

  • legal aid in criminal and in cross-border civil proceedings;

  • legal aid in further proceedings and legal counselling or other legal assistance in accordance with national law.

Member States may also provide financial assistance and support measures, including psychological support for the reporting persons. The above-mentioned support measures may be provided by an information centre or a single and clearly identified independent administrative authority.

  1. Penalties

As outlined in Article 23, Member States must penalise natural or legal persons that:

  • hinder or attempt to hinder reporting;

  • retaliate against reporting persons;

  • bring vexatious proceedings against reporting persons;

  • breach the duty of maintaining the confidentiality of the identity of reporting persons;

  • knowingly report or publicly disclose false information.

In accordance with national law, Member States must provide remedies and full compensation for damage suffered by reporting persons.34

January 31st, 2022

Martha Deneva

Bozhikov & Vatev Law Firm

If after having read this article you find that the Directive (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons who report breaches of Union law applies to your company or to you as a reporting person, Bozhikov & Vatev Law firm is fully prepared and ready to assist you in implementing the high demands of the Directive and the relevant Bulgarian national legislation or to aid you in exercising your rights as a reporting person under the Directive.

If you have any further questions or would like to enquire about our services, please feel free to contact us at

Please note that this article is of a solely informative nature and aims only to outline the topic presented therein and does not constitute legal advice, nor is it a substitute for such.