Rules on the protection of whistleblowers

The draft Law on the protection of whistleblowers in public interest (the “Project”) initiated to transpose the Whistleblowing Directive (EU Directive 1.937/2019) sets the general framework for the protection of persons who report violations of the law, which have occurred or are likely to occur within certain legal entities, while regulating issues such as the content of the reports or the procedure for their submission and management.

The provisions of this Project are not currently in force, but it is expected that they will be applicable soon, so there is the need for certain categories of legal entities to already initiate steps in this regard.

We present below some issues of the Project which are significant to the relevant private entities.

Entities that must set up internal reporting channels

The obligation to implement or identify internal reporting channels and to regulate the preparation and management of the reports through specific internal procedures is incumbent on

  • entities that have at least 50 employees
  • entities that have less than 50 employees and are included in the scope of the normative deeds listed in Annex 3 to the Project.

The obligation of private entities having between 50 and 249 employees to identify or establish internal reporting channels takes effect on December 17, 2023. For the rest of the entities, in the absence of a derogation period, these obligations come into force along with the law.

The whistleblower

The whistleblower in public interest is the natural person who reports or publicly discloses information regarding violations of the law, obtained within a professional context. This category includes workers, candidates, former employees, persons involved in pre-contractual negotiations, self-employed persons, shareholders, persons who are members of the administrative, management or supervisory body, non-executive members of the board of directors, volunteers and trainees, remunerated or unpaid, as well as any person working under the direction and supervision of the natural or legal person with whom the agreement was concluded, its subcontractors and suppliers.

The professional context in which breaches can be identified is any professional activity, current or previous, remunerated or unpaid, based on which persons may obtain information on breaches of the law and may be retaliated against if they are reported. The professional context may include the recruitment process, the pre-contractual negotiation, the performance of the employment agreement or another type of agreement, the exercise of the competences within the corporate law bodies or the exercise of the capacity of shareholder.

Subject of the reporting

For the purposes of the Project, breaches of the law refer to virtually any breach of the legal provisions, including breaches of European Union rules, which represent disciplinary violations, contraventions or offenses, or which are contrary to the subject or purpose of the law. As can be seen, the definition of breaches of the law is very broad. Although some areas where infringements may occur are listed, they are given by way of example, and the list is not exhaustive.

Thus, it will be possible to report any fact that represents a violation of the law or even a reasonable suspicion of actual or potential violations of the law, including information regarding attempts to conceal such violations, which have occurred or are likely to occur within the entities to which the future law applies.

Ways of reporting

Reporting can be done both through internal and external reporting channels. It is important to note that the whistleblower can choose between the two, considering the risk of retaliation, the inability to remedy the breach effectively through the reporting channels or the lack of an internal reporting channel.

In-house reporting will be the main way of reporting and will be possible through the means provided by the entities included in the scope of the law. External reporting will be possible through external channels provided by the competent authorities to receive such reports, such as the National Integrity Agency.

Reporting can be done in one of the following ways:

  • in writing, on paper or in electronic format
  • by communicating on the telephone lines or by other voice messaging systems
  • by face-to-face meeting.

In addition, there is the possibility of publicly disclosing information about the violation of the law. In this case, the whistleblower is protected only under certain conditions, such as, for example, the situation in which he/she first reported internally and externally or directly externally, but considers that no appropriate measures have been taken within the legal deadline. This can be done through the press, professional, trade union or employer organizations, non-governmental organizations, parliamentary committees or by making available the information regarding violations of the law, in any way, in the public space.

Content of the reports

The report must include at least the following information:

  • name, surname and contact details of the whistleblower
  • professional context in which the information was obtained
  • designated person, if known
  • description of the deed likely to represent a violation of the law
  • evidence in support of the reporting
  • date and signature

As an exception, anonymous reporting is also allowed. Thus, the report which does not include the name, surname, contact details or signature of the whistleblower in the public interest is examined and resolved, insofar as it contains sufficient information regarding violations of the law.

It is important to note that the maximum retention period for the reports is 5 years, after which they are destroyed, regardless of the medium on which they are kept.

The private entities having between 50 and 249 employees have the possibility to group together and use or share resources in terms of receiving reports and subsequent actions.

Obligation to keep confidentiality

There are express rules on the protection of the identity of the whistleblower, the designated person and the third parties referred to in the report. For example, with regard to the whistleblower, as a rule, from which certain exceptions are provided, the person designated to resolve the reporting has an obligation not to disclose the identity of the whistleblower or the information that would lead to his/her identification.

Exceptions include the situation where the disclosure of the identity is required by law or when there is the express consent of the whistleblower regarding the disclosure of his identity. Although not expressly provided, we deem that such consent should be obtained in writing.

The identity of the designated person shall be protected for as long as the actions subsequent to the reporting or public disclosure are ongoing, unless the innocence of the data subject is found as a result of the settlement of the reporting or disclosure. The designated person has the right to defense, including the right to be heard and the right to access their file.

Internal reporting procedure

We briefly mention the elements that companies need to consider when it comes to the internal reporting procedure:

  • How to manage the reports, so as to ensure the confidentiality of the identity of the whistleblower and of any third party involved
  • The obligation to confirm to the whistleblower the receipt of the report within maximum 7 days from the receipt
  • Designation of a person/compartment/third party responsible for the reporting procedure
  • The obligation to inform the whistleblower of the status of actions subsequent to reporting within 3 months from confirmation of receipt or from expiry of the confirmation period, if this has not been delivered, as well as whenever the actions progress and there is no risk of endangering their development
  • The obligation to inform the company’s management and the whistleblower about the method to resolve the reporting
  • The obligation to provide clear and easily accessible information on external reporting procedures to competent authorities
  • The designated person, as well as the means of reporting must be communicated to the employees, by posting on the website and by posting at the headquarters, in a visible and accessible place
  • The obligation to ensure that at least one means of reporting is accessible
  • The obligation to have records of reports in a register that can be kept on paper or electronically and that is kept confidential
  • Any form of retaliation against whistleblowers for such reporting such as suspension of the employment agreement, dismissal, demotion, disciplinary action, discrimination, refusal to convert a fixed-term employment agreement into an indefinite one, etc. is prohibited

If, for example, the reporting channel is an un-recorded telephone line, the conversation shall be documented by the designated person in a complete and accurate transcript report, with the possibility for the whistleblower to check, rectify and express his/her consent about to the content by signing it.

If a recorded telephone line is used, the obligation to document the reporting may be accomplished by recording the conversation with the consent of the whistleblower. In the absence of the consent of the whistleblower to transcribe or record the conversation, he/she may be instructed to report in writing.

If the whistleblower requests that the report take place in the presence of the designated person, the latter shall be required to draw up a record minutes, the contents of which shall be certified by the whistleblower by his/her signature.

If the whistleblower does not consent to the transcript or recording of the conversation, he/she is instructed to report it in writing, on paper or in electronic format, to a dedicated mailing address.

The way in which the reported issues may be resolved may also include dismissal when not enough information has been provided to resolve the claim or closing the proceedings if it is found that it is a minor infringement that does not require further action.


The subject treated in the Project is not a novelty in the Romanian legislative framework, since there are already some similar regulations, especially regarding public authorities. However, the Project brings important changes, inter alia, to certain categories of private entities, as it sets several obligations regarding the implementation and keeping a reporting channel and some procedures regarding the internal reporting performed by a whistleblower.

A relevant issue for the private entities is the implementation and enforcement of applicable personal data protection requirements in the process of setting up and managing reporting channels. Thus, given that the Project provides in general the obligation to comply with the requirements on personal data protection in relation to reporting, the actual manner of meeting these requirements will be determined by each entity, taking into consideration the applicable legal provisions.

The issues addressed in the Project are already in practice in the field of personal data protection, with some guidance at European level on so-called internal whistleblowing mechanisms since 2006. Although those guidelines specifically targeted certain areas, such as banking or the fight against corruption, whistleblowing mechanisms were also implemented for private companies with other objects of activity, which could justify a legitimate interest in carrying out such processing operations. However, with the adoption of the Project, for certain legal entities the implementation of such reporting mechanisms will no longer be done voluntarily, becoming mandatory regardless of their object of activity.

It is important to note that the new law will not apply to warnings issued and not resolved before its entry into force.

Particular attention will also need to be paid by employers to the way in which the procedure provided by this new law will interfere with potential disciplinary investigation proceedings following the reporting.

Ileana Lucian – Partner          

Maria Dosan – Managing Associate          

Adela Rusu – Associate

Leave a Reply

Your email address will not be published. Required fields are marked *