Directive 2019/1937 coverage map
EthicsPortal is built to keep your organization compliant with EU Directive 2019/1937, its national transposition in your country, and GDPR. Every feature maps directly to a legal requirement — no feature bloat, no upsells.
This page is the feature-to-requirement map: each article of the Directive is matched to the specific EthicsPortal capability that addresses it. For how EthicsPortal interprets the ambiguous provisions of those articles — the 50-worker threshold, what counts as “diligent follow-up”, retention justifications, GDPR lawful basis, national-law supremacy — see the separate interpretations.
All 27 EU member states have transposed the Directive into national law. Your organization must comply with the national law in your country of operation — see our whistleblower laws by country reference for specific law names, penalties, and enforcement authorities. Key national laws include Loi Waserman (France), HinSchG (Germany), D.Lgs. 24/2023 (Italy), Ley 2/2023 (Spain), and the Act of 14 June 2024 (Poland).
Last updated: 2026-05-17.
§1. Reporting channels (Art. 8)
Organizations with 50 or more employees must establish secure internal reporting channels.
| Requirement | How EthicsPortal handles it |
|---|---|
| Secure channel for reporting | Encrypted web portal with unique URL per organization |
| Confidentiality of reporter identity | End-to-end encryption of all personal data, no IP logging, automatic metadata stripping from uploaded files |
| Accessible to all workers | Web-based portal works on any device, no app install or account required |
| Customizable to the organization | Configurable categories, logo, and welcome message |
§2. Reporting procedures (Art. 9)
| Requirement | Article | How EthicsPortal handles it |
|---|---|---|
| Designate impartial person or department | Art. 9(1)(c) | Case assignment system with role-based access — only authorized handlers see reports |
| Acknowledge receipt within 7 days | Art. 9(1)(b) | Automatic deadline tracking with email notifications to handlers when the 7-day deadline approaches or is missed |
| Diligent follow-up by the designated person | Art. 9(1)(d) | Case management with status workflow (received, acknowledged, investigating, closed), internal notes for handler collaboration, and full audit trail |
| Provide feedback within three months | Art. 9(1)(f) | Automatic 3-month deadline tracking with overdue alerts to all organization admins. Reporters see the timeline on the portal and can check status at any time using their Case ID and passcode |
| Enable oral reporting (telephone, voice messaging, or physical meeting on request) | Art. 9(2) | Configurable phone number displayed on portal; handlers can log phone, in-person, and letter reports directly in the system |
| Inform about external reporting options | Art. 9(1)(g) | Portal displays information about the reporter’s right to contact national competent authorities, citing Directive 2019/1937 |
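The two deadlines in the table above are simple to state but easy to get wrong in code, so here is an added example (not EthicsPortal's own implementation) of computing them from case timestamps. The names ReportTimeline, AckDeadline, FeedbackDeadline, Check and the 48-hour warning lead time are assumptions; the rules are the Directive's own: acknowledge within seven days of receipt, and give feedback within three months of the acknowledgement or, if no acknowledgement was sent, three months from the end of the seven-day window. The example also handles the calendar edge case where naive month arithmetic pushes a deadline into the next month.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not EthicsPortal's own code: the Art. 9(1)(b) and 9(1)(f)
// deadlines that the §2 table says the portal tracks, computed from case
// timestamps. ReportTimeline, AckDeadline, FeedbackDeadline, Check and the
// 48-hour warning lead time are hypothetical names and values.

const (
	AckWindowDays   = 7
	FeedbackMonths  = 3
	WarningLeadTime = 48 * time.Hour
)

type ReportTimeline struct {
	Received     time.Time
	Acknowledged *time.Time // nil until a handler acknowledges receipt
}

// AckDeadline is the last moment an acknowledgement can still be sent in time.
func AckDeadline(r ReportTimeline) time.Time {
	return r.Received.AddDate(0, 0, AckWindowDays)
}

// FeedbackDeadline applies the Art. 9(1)(f) fallback: with no acknowledgement
// on record the three months run from the end of the seven-day window, so a
// handler cannot postpone the feedback clock by never acknowledging.
func FeedbackDeadline(r ReportTimeline) time.Time {
	start := AckDeadline(r)
	if r.Acknowledged != nil {
		start = *r.Acknowledged
	}
	return addMonthsClamped(start, FeedbackMonths)
}

// addMonthsClamped avoids time.AddDate's normalisation (30 November plus three
// months would become 2 March) by clamping to the last day of the target
// month, so a deadline never silently slips into the following month.
func addMonthsClamped(t time.Time, months int) time.Time {
	y, m, d := t.Date()
	hh, mm, ss := t.Clock()
	first := time.Date(y, m+time.Month(months), 1, hh, mm, ss, t.Nanosecond(), t.Location())
	if last := first.AddDate(0, 1, -1).Day(); d > last {
		d = last
	}
	return time.Date(first.Year(), first.Month(), d, hh, mm, ss, t.Nanosecond(), t.Location())
}

type Status string

const (
	OnTrack     Status = "on-track"
	Approaching Status = "approaching"
	Overdue     Status = "overdue"
)

// Check classifies a deadline relative to now, which is passed in rather than
// read from the clock so the logic is testable and replayable from the audit log.
func Check(deadline, now time.Time) Status {
	switch {
	case now.After(deadline):
		return Overdue
	case deadline.Sub(now) <= WarningLeadTime:
		return Approaching
	default:
		return OnTrack
	}
}

func main() {
	received := time.Date(2026, time.January, 31, 10, 0, 0, 0, time.UTC) // constructed sample
	r := ReportTimeline{Received: received}
	fmt.Println("acknowledge by:", AckDeadline(r).Format(time.RFC3339))
	fmt.Println("feedback by (no ack yet):", FeedbackDeadline(r).Format(time.RFC3339))
	now := time.Date(2026, time.February, 6, 12, 0, 0, 0, time.UTC)
	fmt.Println("acknowledgement status:", Check(AckDeadline(r), now))
}
```

Passing `now` in explicitly, rather than reading the wall clock inside Check, is deliberate: an auditor can re-run the same classification against the timestamps in the audit trail and get the same answer the system gave at the time.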
§3. Scope of protection (Art. 4)
The Directive protects not just employees but also contractors, suppliers, shareholders, and other third parties.
EthicsPortal displays clear guidance on the portal that reporting is open to employees, contractors, suppliers, and any other third parties.
§4. Anti-retaliation (Art. 6, 19–21)
Reporters must be informed that retaliation is prohibited by law.
EthicsPortal displays an anti-retaliation notice on every portal page, citing Directive 2019/1937, before the reporter submits.
§5. Confidentiality of identity (Art. 16)
| Requirement | How EthicsPortal handles it |
|---|---|
| Identity not disclosed beyond authorized staff | Role-based access control — only admins, the primary assignee, and explicitly added participants (e.g. legal, HR) can view a report. Non-admin handlers only see cases they are assigned to or added to as a participant |
| Handler anonymity toward reporter | Whistleblowers see “Case handler” in messages, never the handler’s real name or email |
| Sensitive data encrypted | Reporter names, contact details, report descriptions, and message bodies are encrypted at rest using non-deterministic encryption |
No AI processing of report content. Confidentiality under Art. 16 extends to which third parties see the report. EthicsPortal does not transmit report content, reporter identity, or case communications to any large language model or AI inference service — not for categorisation, not for summarisation, not for translation. No AI provider (OpenAI, Anthropic, Google, Mistral, or other) is a sub-processor. This removes a class of sub-processor disclosure from your DPA and removes Art. 22 (automated decision-making) considerations from your DPIA. See the sub-processor list for the corresponding entry.
Two additional reasons this is a confidentiality-grade decision, not a feature preference:
- No hallucination in the compliance evidence chain. Large language models produce probabilistic output. A summary that says “this report does not appear urgent” is a probability, not a fact, and cannot be reproduced or audited. EthicsPortal records actor, action, and timestamp deterministically — the audit log is evidence, not a guess.
- No prompt-injection attack surface on reporter submissions. Reporter input is untrusted by definition. Routing it through an LLM creates a class of attack where instructions embedded in report text can manipulate handler-facing output (suggested replies, summaries, categorisation). EthicsPortal removes the surface entirely by not performing inference on report content.
§6. Record-keeping (Art. 18)
| Requirement | How EthicsPortal handles it |
|---|---|
| Maintain records of every report | Complete audit log of all actions: submissions, status changes, messages, assignments, and report views |
| Records stored securely | All sensitive fields encrypted at rest |
| Records retrievable | Full case export to PDF including metadata, message thread, attachments list, and audit trail. Organization-level compliance report PDF available for auditors — includes directive checklist, SLA metrics, and data protection summary without exposing sensitive report data |
| Delete records when no longer necessary | Configurable data retention period (12, 24, 36, or 60 months) with automatic deletion of expired closed reports |
§7. GDPR compliance
| Requirement | Article | How EthicsPortal handles it |
|---|---|---|
| Lawful basis for processing | Art. 6(1)(c) | Processing is necessary for compliance with EU Directive 2019/1937 |
| Data processing disclosure | Art. 13/14 | Privacy notice displayed on the report submission form before the reporter submits |
| Data minimization | Art. 5(1)(c) | Only essential fields collected; reporter name and contact are optional |
| Storage limitation | Art. 5(1)(e) | Configurable retention period per organization with automatic deletion |
| Integrity and confidentiality | Art. 5(1)(f) | Encryption at rest for all sensitive data; no IP logging on portal routes; file metadata automatically stripped |
| Right to erasure | Art. 17 | Automatic retention-based deletion; manual deletion available to admins |
§8. Security measures
| Measure | Detail |
|---|---|
| Encryption at rest | All report descriptions, reporter names, contact details, and message bodies are encrypted using non-deterministic encryption |
| No IP logging | Reporter IP addresses are never stored — rate limiting uses irreversible one-way hashes |
| File metadata stripping | EXIF data (GPS coordinates, camera model, author info) is automatically removed from uploaded images before storage |
| Anonymous handler identity | Whistleblowers never see the handler’s real name — messages display “Case handler” |
| Rate limiting | Public portal endpoints are rate-limited to prevent abuse |
| Access control | Role-based permissions ensure only authorized handlers can view reports; non-admin handlers only see cases they are assigned to or added to as a participant |
| Audit trail | Every action is logged with timestamp, actor, and action type — append-only and always available for regulatory review |
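The "non-deterministic encryption" rows in the §5 and §8 tables describe a property rather than a mechanism. The following added example (not EthicsPortal's own code) shows what that property buys and how it is typically obtained: AES-256-GCM with a fresh random nonce for every value, so two reports naming the same person produce different ciphertexts and a copy of the database reveals no equalities, plus the case ID bound in as associated data so a ciphertext cannot be moved between cases. FieldCipher, Seal and Open are assumed names; the sample reporter name and case IDs are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Added example, not EthicsPortal's implementation. Assumptions: AES-256-GCM,
// a random 96-bit nonce per stored value, and the case ID as associated data.

type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher takes a 32-byte key. In a real deployment the key comes from
// a KMS or secret store, never from source code or the database itself.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. The random nonce is what makes the
// scheme non-deterministic; binding caseID as associated data means the value
// only decrypts in the context it was written for.
func (f *FieldCipher) Seal(caseID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, []byte(caseID)), nil
}

// Open reverses Seal and fails closed if the blob was modified or is presented
// under a different caseID.
func (f *FieldCipher) Open(caseID string, blob []byte) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(blob) < n+f.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, blob[:n], blob[n:], []byte(caseID))
}

// SameCiphertext reports whether two stored blobs are byte-identical; with a
// random nonce this is false even when the plaintexts are identical.
func SameCiphertext(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	name := []byte("Jane Doe") // constructed sample reporter name
	c1, _ := fc.Seal("case-0001", name)
	c2, _ := fc.Seal("case-0002", name)
	fmt.Println("same plaintext, different ciphertexts:", !SameCiphertext(c1, c2))
	fmt.Println("c1:", hex.EncodeToString(c1))
	p, err := fc.Open("case-0001", c1)
	fmt.Printf("open under own case: %q err=%v\n", p, err)
	_, err = fc.Open("case-0002", c1)
	fmt.Println("open under another case fails:", err != nil)
}
```

The trade-off to be aware of: because equal plaintexts no longer produce equal ciphertexts, the encrypted column cannot be searched by equality. If a deployment needs to look reports up by reporter contact, the usual answer is a separate keyed blind index, not a switch to deterministic encryption.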
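The "No IP logging" row says rate limiting works on irreversible one-way hashes of the client address. The check a practitioner should make on any such design is that the hash is keyed: a plain SHA-256 over the IPv4 space is not irreversible in practice, because all 2^32 addresses can be hashed and matched in minutes. The added example below (not EthicsPortal's own code) therefore assumes an HMAC with a secret pepper held only in memory, and mixes the current hour into the input so that bucket labels from different windows cannot be joined into a per-client history. Limiter, Key, Allow, the 20-per-hour budget and the /64 grouping for IPv6 are assumptions; the addresses are documentation ranges.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
	"time"
)

// Added example, not EthicsPortal's own code. Rate limiting on a keyed,
// window-bound digest of the client address so that no address is stored.

const (
	Window   = time.Hour
	MaxHits  = 20 // hypothetical per-window submission budget
	KeyBytes = 16 // a truncated digest is enough for a bucket label
)

type Limiter struct {
	pepper []byte
	hits   map[string]int
	window time.Time
}

func NewLimiter(pepper []byte) *Limiter {
	return &Limiter{pepper: pepper, hits: map[string]int{}}
}

// Key derives the bucket label for addr in the window containing now.
// IPv6 clients are grouped by /64 so one host cannot dodge the limit by
// rotating interface identifiers within its own prefix.
func (l *Limiter) Key(addr netip.Addr, now time.Time) string {
	addr = addr.Unmap()
	if addr.Is6() {
		addr = netip.PrefixFrom(addr, 64).Masked().Addr()
	}
	mac := hmac.New(sha256.New, l.pepper)
	mac.Write([]byte(now.UTC().Truncate(Window).Format(time.RFC3339)))
	mac.Write([]byte{0}) // domain separator between window and address
	mac.Write(addr.AsSlice())
	return hex.EncodeToString(mac.Sum(nil)[:KeyBytes])
}

// Allow records one hit and reports whether the client is still within budget.
// When the window rolls over every counter is discarded, so nothing about past
// clients survives: that is the property the "No IP logging" row promises.
func (l *Limiter) Allow(addr netip.Addr, now time.Time) bool {
	w := now.UTC().Truncate(Window)
	if !w.Equal(l.window) {
		l.hits = map[string]int{}
		l.window = w
	}
	k := l.Key(addr, now)
	l.hits[k]++
	return l.hits[k] <= MaxHits
}

func main() {
	lim := NewLimiter([]byte("example-pepper-replace-with-a-random-32-byte-secret"))
	now := time.Date(2026, time.May, 17, 12, 30, 0, 0, time.UTC)
	client := netip.MustParseAddr("203.0.113.7") // TEST-NET-3 documentation address
	for i := 0; i < MaxHits; i++ {
		lim.Allow(client, now)
	}
	fmt.Println("request beyond the budget allowed:", lim.Allow(client, now))
	fmt.Println("bucket label stored instead of the address:", lim.Key(client, now))
	fmt.Println("same client, next hour, different label:",
		lim.Key(client, now.Add(Window)) != lim.Key(client, now))
}
```

Two operational points follow from the design: the pepper must never be written to the same store as the counters, or the labels become reversible by anyone who reads both; and because labels are only comparable within one window, the limiter cannot be used to build longer-term reputation, which is the intended restriction.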
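The "File metadata stripping" row removes EXIF data from uploaded images before storage. The added example below (not EthicsPortal's own code) shows one way to do that for JPEG without recompressing the pixels: walk the segment structure and drop the application segments that carry metadata (APP1 holds EXIF and XMP; APP2 to APP13 and APP15 hold ICC profiles, Photoshop resources and vendor data) and COM comments, keeping only APP0 (JFIF) and APP14 (the Adobe colour-transform flag, which decoders need and which carries no personal data). StripJPEGMetadata, SampleJPEGWithEXIF, HasEXIF and Decodes are assumed names; the fixture is a 4x4 image with a constructed, non-real EXIF payload spliced in.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
)

// Added example, not EthicsPortal's own code: segment-level metadata stripping
// for JPEG uploads. Pixel data is copied verbatim, so there is no quality loss.

// StripJPEGMetadata drops APP1..APP13, APP15 and COM segments, keeps APP0 and
// APP14, and copies everything from Start Of Scan onwards unchanged.
func StripJPEGMetadata(in []byte) ([]byte, error) {
	if len(in) < 4 || in[0] != 0xFF || in[1] != 0xD8 {
		return nil, errors.New("not a JPEG (missing SOI)")
	}
	out := make([]byte, 0, len(in))
	out = append(out, 0xFF, 0xD8)
	i := 2
	for i < len(in) {
		if in[i] != 0xFF {
			return nil, fmt.Errorf("expected marker at offset %d", i)
		}
		for i < len(in) && in[i] == 0xFF { // skip 0xFF fill bytes
			i++
		}
		if i >= len(in) {
			return nil, errors.New("truncated marker")
		}
		marker := in[i]
		i++
		switch {
		case marker == 0xD9: // EOI
			return append(out, 0xFF, 0xD9), nil
		case marker == 0xDA: // SOS: entropy-coded data follows, copy the rest as-is
			out = append(out, 0xFF, 0xDA)
			return append(out, in[i:]...), nil
		case marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7): // standalone markers
			out = append(out, 0xFF, marker)
			continue
		}
		if i+2 > len(in) {
			return nil, errors.New("truncated segment length")
		}
		segLen := int(binary.BigEndian.Uint16(in[i:]))
		if segLen < 2 || i+segLen > len(in) {
			return nil, errors.New("bad segment length")
		}
		seg := in[i : i+segLen]
		i += segLen
		if marker == 0xFE || (marker >= 0xE1 && marker <= 0xEF && marker != 0xEE) {
			continue // metadata-bearing segment: drop it
		}
		out = append(out, 0xFF, marker)
		out = append(out, seg...)
	}
	return nil, errors.New("unexpected end of file before SOS/EOI")
}

// SampleJPEGWithEXIF is a constructed fixture: a 4x4 image encoded with
// image/jpeg, plus a fake APP1 "Exif" segment spliced in after SOI. It returns
// both the tagged bytes and the clean encoding for comparison.
func SampleJPEGWithEXIF() (withExif, clean []byte, err error) {
	img := image.NewRGBA(image.Rect(0, 0, 4, 4))
	for y := 0; y < 4; y++ {
		for x := 0; x < 4; x++ {
			img.Set(x, y, color.RGBA{R: uint8(60 * x), G: uint8(60 * y), B: 128, A: 255})
		}
	}
	var buf bytes.Buffer
	if err := jpeg.Encode(&buf, img, nil); err != nil {
		return nil, nil, err
	}
	clean = buf.Bytes()
	payload := []byte("Exif\x00\x00CONSTRUCTED-GPS-AND-CAMERA-TAGS") // not a real TIFF block
	n := len(payload) + 2
	app1 := append([]byte{0xFF, 0xE1, byte(n >> 8), byte(n)}, payload...)
	withExif = append(append(append([]byte{}, clean[:2]...), app1...), clean[2:]...)
	return withExif, clean, nil
}

func HasEXIF(b []byte) bool { return bytes.Contains(b, []byte("Exif\x00\x00")) }

func Decodes(b []byte) bool {
	_, err := jpeg.Decode(bytes.NewReader(b))
	return err == nil
}

func main() {
	in, clean, err := SampleJPEGWithEXIF()
	if err != nil {
		panic(err)
	}
	out, err := StripJPEGMetadata(in)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before: %d bytes, EXIF present=%v\n", len(in), HasEXIF(in))
	fmt.Printf("after:  %d bytes, EXIF present=%v, decodes=%v, identical to clean encode=%v\n",
		len(out), HasEXIF(out), Decodes(out), bytes.Equal(out, clean))
}
```

Segment stripping is format-specific: PNG carries text and EXIF in tEXt/iTXt/eXIf chunks, HEIC and PDF and Office documents each have their own containers, so an upload pipeline needs one stripper per accepted format, and uploads whose structure does not parse should be rejected rather than stored as-is. Decoding and re-encoding is the simpler fallback when exact byte preservation does not matter.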
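The "Audit trail" row above, and the "Maintain records of every report" row in §6, describe an append-only log of actor, action and timestamp. The added example below (not EthicsPortal's own code) shows how "append-only" can be made verifiable rather than a matter of policy: each entry carries the hash of the previous one, so an edited or deleted record breaks the chain when it is replayed. AuditLog, Append, Verify and Entries are assumed names, and the entries are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not EthicsPortal's own code: a hash-chained audit log whose
// integrity can be re-checked by replaying it from the first entry.

type Entry struct {
	Seq      int
	At       time.Time
	Actor    string // handler account or "reporter", never the reporter's name
	Action   string
	CaseID   string
	PrevHash string
	Hash     string
}

type AuditLog struct{ entries []Entry }

// entryHash covers every field in a fixed order, using a separator byte that
// Append refuses in field values, so two different entries cannot collide.
func entryHash(e Entry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s",
		e.Seq, e.At.UTC().Format(time.RFC3339Nano), e.Actor, e.Action, e.CaseID, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

func (l *AuditLog) Append(at time.Time, actor, action, caseID string) (Entry, error) {
	for _, f := range []string{actor, action, caseID} {
		if strings.ContainsRune(f, '\x1f') {
			return Entry{}, errors.New("field contains the separator byte")
		}
	}
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), At: at, Actor: actor, Action: action, CaseID: caseID, PrevHash: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e, nil
}

// Entries returns a copy so callers cannot modify the log in place.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Verify replays the chain from the first entry. It returns the index of the
// first entry that does not fit (edited, reordered, or following a deleted
// one), or -1 when the log is intact.
func Verify(entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	var al AuditLog
	t0 := time.Date(2026, time.May, 17, 9, 0, 0, 0, time.UTC) // constructed timestamps
	al.Append(t0, "reporter", "report.submitted", "case-0001")
	al.Append(t0.Add(time.Hour), "handler:42", "status.acknowledged", "case-0001")
	al.Append(t0.Add(2*time.Hour), "handler:42", "report.viewed", "case-0001")
	entries := al.Entries()
	fmt.Println("intact log, first bad index:", Verify(entries))
	entries[1].Action = "status.closed" // simulate an after-the-fact edit
	fmt.Println("after an edit, first bad index:", Verify(entries))
}
```

One limitation worth stating: a chain detects edits, reordering and deletions in the middle, but not truncation of the most recent entries, since a shortened chain is still internally consistent. Recording the latest head hash somewhere the log's own writers cannot reach (for example in the exported compliance report) closes that gap.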
§9. What your organization still needs to do
EthicsPortal handles the technical requirements. Your organization is responsible for:
- Designating a reporting officer — assign at least one person responsible for handling reports
- Internal policy — adopt a whistleblower protection policy and communicate it to employees
- Training — ensure designated handlers understand confidentiality obligations
- Non-retaliation enforcement — ensure management understands that retaliation is a legal violation
- Identity disclosure consent — if a reporter’s identity must be shared beyond authorized handlers (e.g., with law enforcement), obtain the reporter’s explicit consent first (Art. 16(2))
- Informing workers — share the portal URL with employees (EthicsPortal provides a shareable link and QR code)
Questions?
Admins can download a compliance report PDF directly from the portal settings page. It includes a full EU Directive 2019/1937 checklist, SLA metrics, data protection measures, and audit trail summary — ready to hand to an auditor without exposing any sensitive report data.
For country-specific requirements (penalties, retention periods, enforcement authorities), see our whistleblower laws by country reference.
For how EthicsPortal interprets the ambiguous provisions of the Directive (the 50-worker threshold, what counts as “diligent follow-up”, retention justifications, GDPR lawful basis), see the Directive 2019/1937 interpretations.
If you need help demonstrating compliance to your legal team or regulator, contact us at legal@ethicsportal.eu.