On the 2nd of February 2023 in the State Gazette vol. 11 was promulgated the Protection Of Persons Reporting Or Publicly Disclosing Information On Breaches Act (the “Whistleblowing Act”), which establishes a regulation of the relations regarding the provision of protection to persons in the public and private sectors who report breaches or publicly disclose information about breaches of the Bulgarian legislation or acts of the European Union (“EU”), as well as the terms and conditions for submitting and considering such reports or publicly disclosed information.
The Whistleblowing Act transposes into the Bulgarian legal order Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
The main points in the legal act have been examined by Georgiev, Todorov & Co and in particular by Dobrina Pavlova and Dimitar Stefanov.
I. KEY PROVISIONS
- Field of application
The Whistleblowing Act applies to reports or public disclosure of information about a wide range of breaches of both Bulgarian legislation and acts of the EU, which are expressly stated in an appendix to the Act.
More specifically, some of the breaches to which the Whistleblowing Act applies are in the field of: (i) public procurement; (ii) financial services, products and markets; (iii) the prevention of money laundering and terrorist financing; (iv) consumer protection; (v) the protection of privacy and personal data; (vi) labor law, etc.
It is important to highlight the applicability of the newly adopted legal act to breaches of the rules of the EU internal market, breaches related to cross-border tax schemes, the purpose of which is to obtain a tax advantage that is contrary to the object or purpose of the applicable law in the field of corporate taxation, as well as a committed crime which is prosecuted by public prosecution, about which a person who is granted protection has learned in connection with the performance of his work or in the performance of his official duties.
Specific exceptions from the scope of the act, to which it does not apply, have also been established. Thus, for example, its application is excluded regarding breaches of the protection of classified information within the meaning of the Protection of Classified Information Act, as well as breaches that have become known to persons exercising a legal profession and for which there is an obligation under the law to protect professional secrecy.
- Persons granted protection
The Whistleblowing Act lists a wide range of persons to whom protection is granted. All the mentioned categories include persons who in some forms are in a legal relationship with the obliged person – employees or other persons who perform hired work, partner, shareholder, sole owner of the capital, member of the management or control body of a commercial company, member of the audit a committee of an enterprise, a person who works for a natural or legal person, its subcontractors or suppliers, etc.
The list cannot be considered exhaustive, as there is an express statutory provision under which protection is also provided to any other whistleblower who reports a breach that has become known to him in a work context.
The Whistleblowing Act provides protection to three categories of persons who do not perform the actual reporting of a breach. These are: (a) persons who assist the whistleblower in the whistleblowing process; (b) persons who are associated with the whistleblower and who may be subject to repressive retaliation due to the whistleblowing, and (c) legal persons in which the whistleblower owns shares, works for, or is otherwise associated with in work context.
- Obliged persons
The obliged persons under the Whistleblowing act are divided into three categories:
- employers in the public sector, with the exception of municipalities with a population of less than 10,000 people or less than 50 employees;
- employers in the private sector with 50 or more employees;
- employers in the private sector, regardless of the number of employees, if their activity falls within the scope of the European Union acts specified in the annex to the Whistleblowing act.
It is important to note that although the Whistleblowing act will enter into force three months after its promulgation, the provisions governing internal whistleblowing will apply to private sector employers who have between 50 and 249 employees from 17 December 2023.
- Central body for external whistleblowing
The central body for external whistleblowing and for the protection of persons to whom such protection is granted is the Personal Data Protection Commission (the “Commission”). Part of the Commission’s competences include: organizing the receiving of reports and directing them to the competent authorities for the purpose of their inspection and taking follow-up actions, coordinating and controlling the activities of consideration of reports by the obliged persons, as well as all authorities and organizations, who receive or work with such reports, ensuring the protection of the persons submitting reports or publicly disclosing information about breaches, including through the application of the administrative measures provided for in the Act.
II. SUBMITTING A REPORT
- Internal Whistleblowing
According to the Whistleblowing act, “internal whistleblowing” is a verbal or a written communication of information about breaches within a given legal entity in the private or public sector.
Obliged persons shall create an internal whistleblowing channel that meets the requirements specified in the Act. They are also required to prepare rules for internal whistleblowing and follow-up actions, which rules shall be reviewed and updated at least once every three years.
Obliged persons designate one or more employees who are responsible for handling reports for breach. Obliged persons from the private sector may assign the functions of receiving and registering reports of breaches to another natural or legal person outside their structure, complying with the requirements of the law.
If the entities are part of an economic group, they may use an internal whistleblowing channel established by the economic group to which they belong, if the channel meets the requirements of the Bulgarian Whistleblowing act.
The report shall be submitted to the employee in charge of handling reports, in writing, including by e-mail, or orally. For the registration of reports are used forms according to a model approved by the Commission, the minimum content of which is specified in the Whistleblowing act.
Obliged persons are shall create and maintain a register of reports of breaches, which is not public. The information entered in the register is stored in a way that guarantees its confidentiality and security.
- External Whistleblowing
According to the Whistleblowing act “external whistleblowing” is a verbal or a written communication of information about breaches to the competent authorities.
The Commission shall create an external whistleblowing channel. The channel for external whistleblowing is an independent structural unit of the Commission, provided with a sufficient number of employees specially trained for the work of processing reports.
The Commission’s employees review the received reports and forward them for inspection to the relevant competent authority in view of the subject of the report. They maintain continuous contact with the whistleblower and with the competent authority responsible for carrying out the inspection, assisting in the exchange of information between the two parties. In certain cases, these employees also carry out independent inspections based on reports of breaches.
The commission adopts an ordinance for keeping the register of reports of breaches and for forwarding internal reports to it.
III. PROTECTION MEASURES
The Whistleblowing act prohibits any form of retaliatory action against protected persons that is reprisal and puts them in a disadvantageous position, as well as threats or attempts for such actions.
In the event of a breach of the prohibition, the whistleblower has the right to compensation for the material and non-material damages suffered. Damages caused to the whistleblower in connection with the whistleblower’s report or publicly disclosed information are considered to be caused intentionally until proven otherwise.
For the protection of whistleblowers, it is provided that they shall not be liable for the acquisition of, or access to, the information about which the report has been filed or publicly disclosed, provided that such acquisition or such access does not constitute a separate crime.
It is essential that the protected person can request the ceasing of proceedings (criminal, civil or administrative) initiated against him/her in connection with a report submitted by him/her or publicly disclosed information, when there was a reasonable cause to assume that the submission of the report or public disclosure of the information was necessary to detect a breach.
IV. ADMINISTRATIVE SANCTIONS
The newly adopted act provides for many types of administrative breaches, which are punishable by a fine or a pecuniary sanction.
A person who has not fulfilled his/her obligation to create a channel for internal whistleblowing or to prepare and update rules for internal whistleblowing shall be punished with a fine in the amount of BGN 1,000 to 5,000. When the same breach is committed by a legal person or sole trader, the penalty is a pecuniary sanction in the amount of BGN 5,000 to BGN 20,000.
A person who knowingly filed a report or publicly disclosed false information is also penalized. The punishment in this case is a fine in the amount of BGN 3,000 to BGN 7,000.
* This text does not constitute a legal advice and should not be taken into account in resolving legal disputes, but only to inform readers.
The team of Georgiev, Todorov & Co. Law Offices remains available for assistance and additional information related to the implementation of the new Protection of Persons Reporting or Publicly Disclosing Information on Breaches Act.
Whistleblower Protection Act_GTCo