# EU Whistleblower Directive compliance
EthicsPortal is built to keep your organization compliant with EU Directive 2019/1937 and GDPR. Every feature maps directly to a legal requirement — no feature bloat, no upsells.
## Directive 2019/1937 — Article-by-article coverage
### Reporting channels (Art. 8)
Organizations with 50 or more employees must establish secure internal reporting channels.
| Requirement | How EthicsPortal handles it |
|---|---|
| Secure channel for reporting | Encrypted web portal with unique URL per organization |
| Confidentiality of reporter identity | End-to-end encryption of all personal data, no IP logging, automatic metadata stripping from uploaded files |
| Accessible to all workers | Web-based portal works on any device, no app install or account required |
| Customizable to the organization | Configurable categories, brand color, and welcome message |
### Reporting procedures (Art. 9)
| Requirement | Article | How EthicsPortal handles it |
|---|---|---|
| Designate impartial person or department | Art. 9(1)(a) | Case assignment system with role-based access — only authorized handlers see reports |
| Acknowledge receipt within 7 days | Art. 9(1)(b) | Automatic deadline tracking with email notifications to handlers when the 7-day deadline approaches or is missed |
| Diligent follow-up | Art. 9(1)(c) | Case management with status workflow (received, acknowledged, investigating, closed), internal notes for handler collaboration, and full audit trail |
| Communicate feedback timeframe to reporter | Art. 9(1)(d) | Portal displays the 3-month feedback timeline; reporters can check status at any time via their access code |
| Offer oral reporting (telephone or in-person) | Art. 9(1)(e) | Configurable phone number displayed on portal; handlers can log phone, in-person, and letter reports directly in the system |
| Provide feedback within 3 months | Art. 9(1)(f) | Automatic 3-month deadline tracking with overdue alerts to all organization admins |
| Inform about external reporting options | Art. 9(1)(g) | Portal displays information about the reporter’s right to contact national competent authorities, citing Directive 2019/1937 |
### Scope of protection (Art. 4)
The directive protects not just employees but also contractors, suppliers, shareholders, and other third parties.
EthicsPortal displays clear guidance on the portal that reporting is open to employees, contractors, suppliers, and any other third parties.
### Anti-retaliation (Art. 6, 19–21)
Reporters must be informed that retaliation is prohibited by law.
EthicsPortal displays an anti-retaliation notice on every portal page, citing Directive 2019/1937, before the reporter submits.
### Confidentiality of identity (Art. 16)
| Requirement | How EthicsPortal handles it |
|---|---|
| Identity not disclosed beyond authorized staff | Role-based access control — only admins and the assigned handler can view a report. Non-admin handlers only see cases assigned to them |
| Handler anonymity toward reporter | Whistleblowers see “Case handler” in messages, never the handler’s real name or email |
| Sensitive data encrypted | Reporter names, contact details, report descriptions, and message bodies are encrypted at rest using non-deterministic encryption |
### Record-keeping (Art. 17–18)
| Requirement | How EthicsPortal handles it |
|---|---|
| Maintain records of every report | Complete audit log of all actions: submissions, status changes, messages, assignments, and report views |
| Records stored securely | All sensitive fields encrypted at rest |
| Records retrievable | Full case export to PDF including metadata, message thread, attachments list, and audit trail. Organization-level compliance report PDF available for auditors — includes directive checklist, SLA metrics, and data protection summary without exposing sensitive report data |
| Delete records when no longer necessary | Configurable data retention period (12, 24, 36, or 60 months) with automatic deletion of expired closed reports |
## GDPR compliance
| Requirement | Article | How EthicsPortal handles it |
|---|---|---|
| Lawful basis for processing | Art. 6(1)(c) | Processing is necessary for compliance with EU Directive 2019/1937 |
| Data processing disclosure | Art. 13/14 | Privacy notice displayed on the report submission form before the reporter submits |
| Data minimization | Art. 5(1)(c) | Only essential fields collected; reporter name and contact are optional |
| Storage limitation | Art. 5(1)(e) | Configurable retention period per organization with automatic deletion |
| Integrity and confidentiality | Art. 5(1)(f) | Encryption at rest for all sensitive data; no IP logging on portal routes; file metadata automatically stripped |
| Right to erasure | Art. 17 | Automatic retention-based deletion; manual deletion available to admins |
## Security measures
| Measure | Detail |
|---|---|
| Encryption at rest | All report descriptions, reporter names, contact details, and message bodies are encrypted using non-deterministic encryption |
| No IP logging | Reporter IP addresses are never stored — rate limiting uses irreversible one-way hashes |
| File metadata stripping | EXIF data (GPS coordinates, camera model, author info) is automatically removed from uploaded images before storage |
| Anonymous handler identity | Whistleblowers never see the handler’s real name — messages display “Case handler” |
| Rate limiting | Public portal endpoints are rate-limited to prevent abuse |
| Access control | Role-based permissions ensure only authorized handlers can view reports; non-admin handlers only see cases assigned to them |
| Audit trail | Every action is logged with timestamp, actor, and action type — immutable and always available for regulatory review |
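The "No IP logging" row above says rate limiting works from one-way hashes rather than stored addresses. The following is an added illustration of that pattern, not EthicsPortal's own code, and it makes one design choice the page does not spell out: the hash is keyed (HMAC-SHA256 with a server-side secret) and the key is rotated on a fixed epoch. A plain unkeyed SHA-256 of an IPv4 address is not a useful privacy control, because anyone holding the bucket store can hash all 2^32 possible addresses and match them; a secret key removes that option, and rotating the key means buckets from different epochs cannot be linked to the same client. The window, limit and epoch values, the `PEPPER` secret, and the sample addresses are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed for this example. In a deployment the secret comes from a
# secrets manager or environment, never from source code.
PEPPER = secrets.token_bytes(32)

WINDOW_SECONDS = 60     # sliding window over which requests are counted (assumed)
MAX_REQUESTS = 5        # requests allowed per client per window (assumed)
EPOCH_SECONDS = 3600    # how often the derived key, and thus the bucket id, rotates (assumed)


def epoch_key(now: float) -> bytes:
    """Derive a per-epoch key from the secret, so the same client maps to a
    different bucket id in each epoch and old buckets cannot be linked to new ones."""
    epoch = int(now // EPOCH_SECONDS).to_bytes(8, "big")
    return hmac.new(PEPPER, b"rate-limit:" + epoch, hashlib.sha256).digest()


def client_bucket(ip: str, now: float) -> str:
    """Keyed one-way mapping from a client address to an opaque bucket id.
    Without the secret, the bucket id cannot be matched back to an address
    by enumerating the IPv4 space."""
    return hmac.new(epoch_key(now), ip.encode("ascii"), hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding-window limiter whose store holds only bucket ids and timestamps."""

    def __init__(self) -> None:
        self._hits: Dict[str, List[float]] = defaultdict(list)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Return True if the request is within the limit and record it; the
        address itself is used only to derive the bucket id and is not kept."""
        now = time.time() if now is None else now
        bucket = client_bucket(ip, now)
        recent = [t for t in self._hits[bucket] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            self._hits[bucket] = recent
            return False
        recent.append(now)
        self._hits[bucket] = recent
        return True

    def purge(self, now: float) -> int:
        """Drop buckets with no request inside the window (stale buckets from
        earlier epochs would otherwise accumulate). Returns the number removed."""
        stale = [b for b, ts in self._hits.items() if all(now - t >= WINDOW_SECONDS for t in ts)]
        for b in stale:
            del self._hits[b]
        return len(stale)

    def contains_plaintext_ip(self, ip: str) -> bool:
        """Sanity check for the 'no IP logging' property: the address must not
        appear anywhere in the limiter's stored state."""
        return any(ip in bucket for bucket in self._hits)


if __name__ == "__main__":
    limiter = RateLimiter()
    t0 = time.time()
    for i in range(MAX_REQUESTS + 1):
        print(f"request {i + 1}: {'allowed' if limiter.allow('203.0.113.7', t0 + i) else 'limited'}")
    print("address stored in limiter state:", limiter.contains_plaintext_ip("203.0.113.7"))
```

The store never receives the address: `allow()` derives the bucket id and discards the input, so a dump of the limiter state (or of the cache backing it in a real service) yields only HMAC outputs and timestamps. The cost of the epoch rotation is that a client's count resets at each epoch boundary, which is acceptable for abuse control on a public submission form; shorten `EPOCH_SECONDS` if closer unlinkability matters more than continuity of the count.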
## What your organization still needs to do
EthicsPortal handles the technical requirements. Your organization is responsible for:
- Designating a reporting officer — assign at least one person responsible for handling reports
- Internal policy — adopt a whistleblower protection policy and communicate it to employees
- Training — ensure designated handlers understand confidentiality obligations
- Non-retaliation enforcement — ensure management understands that retaliation is a legal violation
- Identity disclosure consent — if a reporter’s identity must be shared beyond authorized handlers (e.g., with law enforcement), obtain the reporter’s explicit consent first (Art. 16(2))
- Informing workers — share the portal URL with employees (EthicsPortal provides a shareable link and QR code)
## Questions?
Admins can download a compliance report PDF directly from the portal settings page. It includes a full EU Directive 2019/1937 checklist, SLA metrics, data protection measures, and audit trail summary — ready to hand to an auditor without exposing any sensitive report data.
If you need help demonstrating compliance to your legal team or regulator, contact us at [email protected].