Whistleblowing

Whistleblowing is the reporting of legal violations, serious irregularities or other reprehensible matters in a workplace. Since 2023, organisations with 50 or more employees in Denmark have been required to have an internal whistleblowing scheme that protects the reporter against retaliation.

Back to Dictionary

What is whistleblowing?

Whistleblowing is when a person reports serious legal violations or irregularities that they have become aware of in a work-related context. It could be an employee who discovers fraud, a breach of GDPR, bribery or serious safety issues.

The purpose of whistleblowing schemes is to detect problems early, before they grow. Experience shows that many serious cases could have been discovered and handled far earlier if there had been a secure channel for reporting.

The EU Whistleblower Directive (2019/1937) was implemented in Danish law through the Act on the Protection of Whistleblowers, which entered into force in December 2021. Since December 2023, all organisations with 50 or more employees have been required to have an internal scheme in place.

The Danish Whistleblower Act

The Danish Whistleblower Act sets requirements in three main areas:

Who is covered? All private organisations with 50 or more employees and all public authorities and municipalities with 50 or more employees. Organisations in the financial sector have requirements regardless of size.

What can be reported? Violations of EU law in a wide range of areas: public procurement, financial services, anti-money laundering, product safety, transport safety, environmental protection, food safety, public health, consumer protection, data protection and network and information security. In addition, serious violations of Danish law and other serious matters.

Protection: The reporter is protected against retaliation. It is prohibited to dismiss, demote, harass, discriminate against or otherwise penalise a person for making a report in good faith. The reporter's identity is confidential.

Requirements for the whistleblowing scheme

The Act sets a number of specific requirements for the scheme:

Internal reporting channel: You must establish a channel where employees can report in writing, orally or both. The channel must ensure confidentiality regarding the reporter's identity.
Impartial whistleblowing unit: A person or department must be designated to receive and follow up on reports. This function must be independent and impartial.
Follow-up deadline: The reporter must receive an acknowledgement within 7 days and feedback on follow-up within 3 months.
Documentation: All reports must be documented in accordance with confidentiality requirements. Personal data in reports must be processed in accordance with GDPR.
Information: Employees must be informed of the scheme's existence, what can be reported and how.

You can choose to administer the scheme internally or use an external service provider. Many organisations choose an external solution to ensure independence and specialist expertise.

Implementation in practice

Start by drafting a whistleblowing policy that describes the scheme's purpose, what can be reported, who handles reports and how the reporter is protected. The policy should form part of your policies and procedures.

Choose a reporting channel that is accessible and easy to use. It could be a digital platform, a dedicated email address, a telephone line or a combination. Consider allowing anonymous reports to lower the threshold.

Designate and train your whistleblowing unit. The people who receive and handle reports must understand the Act's requirements, handle confidential information correctly and be able to assess whether a report falls within the scheme's scope.

Communicate the scheme to all employees. A whistleblowing scheme that nobody knows about has no value. Include information in the onboarding process and refresh it regularly as part of your security awareness training.

Remember that the whistleblowing scheme processes personal data. You must have a legal basis, a data protection impact assessment and appropriate security measures. The scheme must appear in your record of processing activities.

Frequently Asked Questions about Whistleblowing

Who is covered by the Whistleblower Act?

All organisations with 50 or more employees must have an internal whistleblowing scheme. Public authorities and municipalities with 50 or more employees are also covered. The financial sector has requirements regardless of size.

What can be reported through a whistleblowing scheme?

Violations of EU law in a range of areas, as well as serious legal violations and other serious matters. Everyday complaints about collaboration issues or dissatisfaction with salary are not covered by the scheme.

How is the whistleblower protected?

The Act prohibits retaliation against reporters, including dismissal, demotion, harassment and discrimination. The reporter's identity is confidential and may only be shared with the persons handling the report.

Must the scheme allow anonymous reports?

The Act does not require it but recommends it. Many organisations choose to allow anonymous reports to lower the threshold and increase trust in the scheme.