On May 4th 2023, the Whistleblower Protection Act adopted by the Bulgarian National Assembly will enter into force. The provisions relating to employers in the private sector with 50 to 249 employees shall come into force on 17.12.2023.
The law transposes Directive (EU) 2019/1937 of the European Parliament and the Council of 23 October 2019 on the protection of whistleblowers, which we wrote about earlier in 2021.
A total of 17 of the 27 EU Member States have adopted transposing laws, and only Hungary has not yet taken action to transpose the Directive into national law.
Scope of the Law
The broad scope of the Act is conditioned by its purpose – to ensure the protection of persons in the public and private sector who report or publicly disclose information about violations of Bulgarian legislation or acts of the European Union that have become known to them in the course of or in connection with the performance of their work or official duties or in another work context.
The Act applies to whistleblowing or public disclosure of information about violations of both Bulgarian law and European Union acts in any of the following areas:
(a) public procurement;
(b) financial services, products and markets and the prevention of money laundering and terrorist financing;
(c) product safety and compliance;
(d) transport safety;
(e) environmental protection;
(f) radiation protection and nuclear safety;
(g) food and feed safety, animal health and animal welfare;
(h) public health;
(i) consumer protection;
(k) protection of privacy and personal data;
(l) the security of networks and information systems;
The Bulgarian transposing act has also provided protection against infringements affecting the financial interests of the European Union, to infringements affecting the functioning of internal markets, and also to infringements relating to cross-border tax schemes the purpose of which is to obtain a tax advantage that is contrary to the object or purpose of the applicable corporate tax law.
The term “infringements” within the context of the Act
“Infringements” within the meaning of the Act are both acts and omissions that are unlawful and are related to Bulgarian law or EU acts or are contrary to the object or purpose of the rules in the EU acts and areas described above. This means that infringements can also take the form of acts or omissions which, on the face of it, are not formally unlawful, but in reality, circumvent the law and lead to the achievement of an unlawful objective.
The circle of persons eligible for protection shall be as wide as possible. The legislator has provided that protection shall be granted from the moment the alert is lodged or the information about the infringement is made public.
In the first place, these are workers, employees, civil servants, or any person who performs wage labour. Whistleblowers can also be persons who work without an employment relationship and/or who exercise a freelance profession and/or craft, volunteers, or trainees. In general, these are all persons who could, in one way or another, obtain information about the infringement committed.
The persons to whom protection is granted need not have a direct relationship with the organisation. On the contrary, the legislator has expressly provided that persons who assist the whistleblower in the whistleblowing process, or who are in any way related to the whistleblower and who may be subject to retaliation for whistleblowing – colleagues and relatives, as well as legal entities in which the whistleblower has a shareholding, works for, or is otherwise associated with in a work context – are also protected.
The only condition that the reporting person shall meet in order to benefit from the protection of the law is that they should have had a reasonable cause to believe that the violation was actual at the time of reporting. The idea is to avoid possible abuses by not giving protection to persons who deliberately report false information.
Protection is also granted to those who publicly disclose information about infringements – for example, via media or social networks. The explanatory memorandum to the draft law points out that this Act is the first to regulate public disclosure of information with special rules.
Generally speaking, protection consists of prohibition on retaliation against persons who have reported or made public information about an infringement. For purposes of the Act, “retaliation” is any direct or indirect act or omission that occurs in a work – related context, is prompted by an internal or external whistleblowing or public disclosure, and that causes or is likely to cause unjustified detriment to the reporting person.
In other words, all forms of “retaliation” by the employer are prohibited. For instance, these include such acts as dismissal, suspension, demotion, negative performance appraisal, termination of a licence or permit, and if the person is a supplier – early termination or cancellation of a contract for the supply of goods or services, or even referring the reporting person for a medical examination.
Subjects to obligation within the Act
These are public sector employers and private sector employers having more than 50 employees/workers. Municipalities with fewer than 10,000 inhabitants or fewer than 50 employees are not covered by the law – they can share resources to receive and follow up on whistleblower reports.
Their main duty is to establish internal reporting channels. What does this mean? The employer designates for that purpose one or more employees within the legal entity in the private or public sector who are responsible for dealing with whistleblowing. They may also carry out other activities assigned by the employer, if their coordination does not lead to a conflict of interest.
The Whistleblower Protection Act’s reasoning states that it is intended to encourage individuals to report internally in the first instance, thereby limiting both the negative reputational consequences for the organisation. In addition, the legislator has also stated that “this strengthens the employee-employer relationship on the basis of trust and an internal belief that any issue can be effectively and efficiently resolved with the maximum degree of confidentiality”.
However, shall the person determine that an internal channel alert would be unsuccessful or that retaliation would follow, they may use an external channel to report.
One should bear in mind that the organisation can outsource this activity, i.e., this person may be provided externally by a third party.
Pursuant to the requirements of Directive (EU) 2019/1937 of the European Parliament and of the Council, the Bulgarian legislator has designated the Commission for Personal Data Protection (CPDP) a general competence authority at a central level for external whistleblowing.
Reports shall be submitted to the person responsible for handling reports within the organisation concerned. It may be submitted in writing, by e-mail, or orally. The legislator has provided for the possibility of making an oral report via telephone hotline, via other voice messaging systems. At the request of the reporting person, a physical meeting within a reasonable timeframe agreed between the parties has also been provided.
The written whistleblowing shall be submitted by filling in a form approved by the CPDP. The report may be accompanied by any sources of information supporting the allegations made and/or by reference to documents, including details of people who could corroborate the reported data or provide additional information.
Persons Concerned and Measures for their Protection
A “person concerned” within the meaning of the Act is any natural or legal person who is named in the submission of the alert or in the public disclosure of information as the person to whom the breach is attributed or with whom that person is associated, i.e. the person against whom the report is directed.
If they wish, the person concerned shall be provided with all the evidence collected and shall be given the opportunity to object to it and to submit new evidence to be collected in the course of the inspection. The person concerned shall enjoy the full rights of defense and to a fair trial, as well as the presumption of innocence, including the right to be heard, and the right of access to their file.
The general idea of the Act is to protect whistleblowers’ rights and their anonymity to the fullest extent at each and every stage of the procedure.
Obliged entities and the CPDP must take all necessary measures to protect whistleblower information and to protect the identity of whistleblowers.
Last but not least, the overall collection and processing of personal data under the law must be carried out in accordance with the GDPR, as well as the Bulgarian Data Protection Act.
The impact in the private sector is expected to be mainly on small and medium-sized enterprises, which should establish internal reporting channels. For this reason, the legislator has provided for a period of time within which all obliged entities have the opportunity to bring their activities into compliance with the legal requirements – to establish the appropriate organisation for the examination of the signals and to take measures to ensure the highest degree of protection for the whistleblowers and the persons concerned.
The specific assessment of whether a company/organisation should take action to implement the law, and to what extent and at what level the necessary organisation should be built, is made after further analysis of the number of employees it employs, as well as its structural and functional organisation.
Author: Ivana Manginova, trainee at Stankov, Todorov, Hinkov & Spasov, Attorneys-at-Law