Free whistleblower policy template for EU Directive 2019/1937 #

Every organization with 50 or more employees in the EU needs a written whistleblower policy. This is not optional — it is required under EU Directive 2019/1937, and most member states have transposed it into national law with penalties for non-compliance.

A whistleblower policy does two things: it tells employees how to report wrongdoing, and it tells your organization how to handle those reports. Without a clear policy, reports fall through the cracks, handlers improvise, and your organization risks both legal exposure and reputational damage.

Below is a complete policy template you can copy and adapt. Replace the bracketed placeholders with your organization’s details. The template covers every element the Directive requires.

Whistleblower policy template #

[ORGANIZATION NAME]

Whistleblower protection policy

Effective date: [DATE]

Approved by: [NAME / TITLE]

Version: 1.0

1. Purpose and scope #

This policy establishes a framework for reporting suspected breaches of law, regulation, or internal rules within [ORGANIZATION NAME]. It implements the requirements of EU Directive 2019/1937 on the protection of persons who report breaches of Union law, as transposed into [MEMBER STATE] national law.

This policy applies to all operations, subsidiaries, and business units of [ORGANIZATION NAME] within the European Union.

2. Who can report #

In accordance with Article 4 of the Directive, the following persons may submit a report through the channels described in this policy:

• Current and former employees, including those on probation or notice periods
• Job applicants who obtained information during the recruitment process
• Contractors, subcontractors, and suppliers
• Shareholders and members of the administrative, management, or supervisory body
• Volunteers and trainees, whether paid or unpaid
• Any person working under the supervision and direction of contractors, subcontractors, or suppliers
• Persons whose work-based relationship has not yet begun, where information on breaches was acquired during the recruitment process or pre-contractual negotiations

Protection also extends to facilitators, third persons connected with the reporting person (such as colleagues or relatives), and legal entities that the reporting person owns, works for, or is otherwise connected with in a work-related context (Article 4(4)).

3. What can be reported #

Reports may concern breaches of Union law in the areas covered by the Directive (Article 2), including but not limited to:

• Public procurement irregularities
• Financial services, anti-money laundering, and counter-terrorist financing violations
• Product safety and compliance breaches
• Transport safety violations
• Environmental protection breaches
• Radiation protection and nuclear safety issues
• Food and feed safety, animal health and welfare concerns
• Public health violations
• Consumer protection breaches
• Privacy and personal data protection violations
• Security of network and information systems
• Competition and state aid rule breaches
• Corporate tax arrangements that undermine the object or purpose of applicable tax law
• Fraud, corruption, or other criminal offenses affecting the financial interests of the EU

Reports may also concern breaches of internal company policies, codes of conduct, and applicable national law, provided [MEMBER STATE] national transposition law extends protection to such reports.

4. How to report #

Internal reporting channel #

[ORGANIZATION NAME] provides a secure, confidential internal reporting channel:

• Online portal: [URL OF REPORTING PORTAL]
• Designated person: [NAME / TITLE OF DESIGNATED PERSON OR DEPARTMENT]
• Alternative methods: [POSTAL ADDRESS / EMAIL / IN-PERSON MEETING REQUEST PROCESS, as applicable]

Reports can be submitted anonymously. Reporters who choose to remain anonymous will receive an access code to check the status of their report and communicate securely with the case handler.

[ORGANIZATION NAME] encourages the use of the internal reporting channel as a first step, as this allows the organization to investigate and address breaches promptly.

External reporting to competent authorities #

Reporting persons have the right to report externally to the relevant competent authority at any time, as provided under Article 10 of the Directive. Reporting persons are not required to use the internal channel before reporting externally.

The competent authority in [MEMBER STATE] is: [NAME AND CONTACT DETAILS OF NATIONAL AUTHORITY].

Public disclosure #

In exceptional circumstances defined in Article 15 of the Directive, reporting persons may make a public disclosure and still receive protection — for example, where they have reasonable grounds to believe that the breach constitutes an imminent or manifest danger to the public interest, or where there is a risk of retaliation.

5. Confidentiality #

The identity of the reporting person will not be disclosed to anyone beyond the authorized staff members competent to receive or follow up on reports, without the explicit consent of the reporting person (Article 16).

This confidentiality obligation applies to all information from which the identity of the reporting person may be directly or indirectly deduced.

The identity of the reporting person may only be disclosed where this is a necessary and proportionate obligation imposed under Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defense of the person concerned.

Any person who discloses the identity of a reporting person in violation of this policy will be subject to disciplinary action.

6. Prohibition of retaliation #

[ORGANIZATION NAME] strictly prohibits any form of retaliation against reporting persons, in accordance with Articles 19 to 21 of the Directive. Retaliation includes, but is not limited to:

• Suspension, dismissal, or equivalent measures
• Demotion, withholding of promotion, or change of duties or work location
• Reduction of wages or changes to working hours
• Withholding of training
• Negative performance assessment or employment reference
• Coercion, intimidation, harassment, or ostracism
• Discrimination or unfavorable treatment
• Failure to convert a temporary employment contract into a permanent one
• Non-renewal or early termination of a temporary employment contract
• Harm, including to reputation or financial loss
• Blacklisting
• Early termination or cancellation of a contract for goods or services
• Cancellation of a license or permit
• Psychiatric or medical referrals

The burden of proof in retaliation proceedings is reversed: where a reporting person establishes that they made a report and subsequently suffered a detriment, it is presumed that the detriment was made in retaliation. The person who took the detrimental action must prove it was based on duly justified grounds unrelated to the report (Article 21(5)).

Any employee found to have engaged in retaliation will be subject to disciplinary action, up to and including termination.

7. Investigation process #

Upon receipt of a report, [ORGANIZATION NAME] will:

1. Acknowledge receipt within seven calendar days of receiving the report (Article 9(1)(b)).
2. Assess the report to determine whether it falls within the scope of this policy and warrants investigation.
3. Investigate diligently by gathering relevant information, interviewing witnesses as necessary, and reviewing documents, while maintaining confidentiality throughout.
4. Provide feedback to the reporting person within three months of acknowledgment. Feedback will include information on the status of the investigation and, where possible, the outcome and any measures taken or envisaged (Article 9(1)(f)).
5. Close the case with documented findings and, where appropriate, recommend corrective actions, disciplinary measures, or referral to competent authorities.

Where a report is assessed as falling outside the scope of this policy, the reporting person will be informed and, where appropriate, redirected to the relevant procedure.

8. Data protection #

Reports and all related data will be processed in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law.

Personal data that is manifestly not relevant to the handling of a specific report will not be collected or, if accidentally collected, will be deleted without undue delay (Article 17(3)).

Report data will be retained for no longer than is necessary and proportionate to comply with the requirements of this policy and applicable law. [ORGANIZATION NAME] will define and document specific retention periods in accordance with national transposition law.

9. Training and awareness #

[ORGANIZATION NAME] will:

• Train all designated case handlers on their obligations under this policy and applicable law
• Inform all employees and other persons covered by Section 2 about the availability and use of the internal reporting channel
• Make this policy easily accessible, including on the company intranet and as part of the onboarding process for new employees

10. Review #

This policy will be reviewed at least annually and updated as necessary to reflect changes in applicable law, organizational structure, or best practices.

11. Contact #

For questions about this policy or the reporting channel:

• Designated person: [NAME / TITLE]
• Email: [EMAIL ADDRESS]
• Reporting portal: [URL]

End of policy document.

Using this template #

Copy the text above into your company’s document format, replace every bracketed placeholder, and have it reviewed by your legal team. The template covers the requirements of Directive 2019/1937, but national transposition laws in your member state may impose additional obligations — check with local counsel.

Once your policy is in place, you need a technical channel to receive reports. EthicsPortal provides a secure, anonymous reporting portal that meets the Directive’s requirements for internal channels — set up in minutes, starting at €49/month.