https://ethicsportal.eu/EthicsPortal is a secure, anonymous whistleblower reporting platform that helps organizations comply with EU Directive 2019/1937.enMon, 25 May 2026 01:23:15 +0000https://ethicsportal.eu/images/logo.svghttps://ethicsportal.eu/https://ethicsportal.eu/blog/whistleblower-reports-do-not-belong-inside-an-llm/Sun, 24 May 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-reports-do-not-belong-inside-an-llm/Seven whistleblower platforms sold into the EU now process report content through large language models. Six of them won't tell you whose. EthicsPortal does neither. Screenshots and sources inside.<h1 id="whistleblower-reports-do-not-belong-inside-an-llm"> Whistleblower reports do not belong inside an LLM <a href="#whistleblower-reports-do-not-belong-inside-an-llm" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Seven whistleblower platforms sold into the EU run report content through large language models. They summarise reports, transcribe voice intake, run AI agents that talk to whistleblowers, and produce “insights” across case archives. Only one of the seven names which AI provider does the work.</p> <p>EthicsPortal does none of this. Our <a href="/dpa/#610-no-ai-or-llm-processing-of-report-content">DPA §6.10</a> and our <a href="/subprocessors/">sub-processor list</a> say so.</p> <p>Every claim below is quoted from the vendor’s own live page or public DPA, captured 24 May 2026. Translation and categorisation can run on-prem, so we did not include vendors whose only AI claim is “AI translation” or “AI categorisation”. The seven below claim more than that.</p> <h2 id="navex--ai-supported-case-briefs-and-suggested-rewrites"> NAVEX — “AI-supported case briefs and suggested rewrites” <a href="#navex--ai-supported-case-briefs-and-suggested-rewrites" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>NAVEX is the largest enterprise whistleblowing vendor in the world. EthicsPoint sits inside most Fortune 500 compliance programs.</p> <p>From the <a href="https://www.navex.com/en-us/platform/whistleblowing-software-solutions/" rel="nofollow">whistleblowing platform page</a> :</p> <blockquote> <p>“Summarize complex cases with <strong>AI-supported case briefs and suggested rewrites</strong>”</p> <p>“Spot recurring themes earlier through higher-level insights and analytics”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/navex-ai-case-briefs-rewrites.png" alt="NAVEX whistleblowing platform — “Summarize complex cases with AI-supported case briefs and suggested rewrites”"></p> <p>To suggest a rewrite, the model has to read the original report. NAVEX does not name the model on any public page.</p> <h2 id="eqs-integrity-line--ai-powered-summaries-and-transcription-in-80-languages"> EQS Integrity Line — “AI-powered summaries and transcription” in 80+ languages <a href="#eqs-integrity-line--ai-powered-summaries-and-transcription-in-80-languages" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EQS Group (Munich-listed) runs the largest whistleblower platform in continental Europe. From their <a href="https://www.eqs.com/en-us/platform-compliance-ethics/integrity-line-whistleblower-software/" rel="nofollow">Integrity Line page</a> :</p> <blockquote> <p>“<strong>AI that works for you.</strong> Handle reports in over 80 languages with AI-powered summaries and transcription, and transform voice recordings into searchable texts. Get helpful insights from past cases for faster resolution including suggestions for case categories and priorities.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/eqs-integrity-line-ai-summaries-transcription.png" alt="EQS Integrity Line — “AI that works for you”: AI-powered summaries, transcription of voice recordings, case-category suggestions"></p> <p>Summaries, voice transcription, and cross-case insights. 4,000+ organisations on the platform. Provider not named.</p> <h2 id="speakup--sienna-ai-a-whole-ai-product-line"> SpeakUp — “Sienna AI”: a whole AI product line <a href="#speakup--sienna-ai-a-whole-ai-product-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>SpeakUp’s <a href="https://www.speakup.com/sienna-ai" rel="nofollow">Sienna AI</a> is not a feature, it is a sub-brand:</p> <blockquote> <p>“<strong>Sienna AI. Compliance reimagined.</strong> The intelligence layer behind the future of compliance and ethics.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/speakup-sienna-ai-compliance-reimagined.png" alt="SpeakUp Sienna AI hero — “Compliance reimagined. The intelligence layer behind the future of compliance and ethics.”"></p> <p>The page markets an <strong>AI Voice Agent</strong> that has reporters “speak freely and safely” through a “guided, conversational intake”, <strong>Sienna Insights</strong> (“AI does the digging. You get the insight.”), and AI translation, transcription, and routing of submissions into the case management system. Reporters in SpeakUp’s flow are talking to a model. Provider not named.</p> <h2 id="whispli--use-ai-to-capture-clearer-more-complete-hotline-reports"> Whispli — “Use AI to capture clearer, more complete hotline reports” <a href="#whispli--use-ai-to-capture-clearer-more-complete-hotline-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>From Whispli’s <a href="https://www.whispli.com/whistleblowing-hotline" rel="nofollow">Voice AI hotline page</a> (the page title is literally “AI Whistleblowing Hotline”):</p> <blockquote> <p>“<strong>Use AI to capture clearer, more complete hotline reports.</strong> Manage global whistleblowing hotline reporting with an AI-powered voice intake agent that captures, structures and routes cases securely across jurisdictions.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/whispli-voice-ai-hotline.png" alt="Whispli hotline hero — “Use AI to capture clearer, more complete hotline reports” with a Voice transcribed / Case created flow"></p> <p>The flow diagram on the page shows it plainly: Incoming Voice Report → Voice transcribed → Case created. The most exposed reporter, the one who picked up a phone, is talking to an AI agent. Provider not named.</p> <h2 id="faceup--voice-based-ai-conducts-natural-conversations-with-whistleblowers"> FaceUp — “Voice-based AI conducts natural conversations” with whistleblowers <a href="#faceup--voice-based-ai-conducts-natural-conversations-with-whistleblowers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>FaceUp is a Czech-EU platform with 3,500+ organisations across 70+ countries. Their <a href="https://www.faceup.com/en/whistleblowing/hotline" rel="nofollow">whistleblower hotline page</a> offers three tiers: a Live Hotline staffed by human agents, an Automated Hotline with a scripted flow, and the new AI-Powered Hotline in the middle:</p> <blockquote> <p>“<strong>Voice-based AI conducts natural conversations, asks follow-ups, and converts calls into structured, actionable reports.</strong> Multilingual, 24/7.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/faceup-ai-powered-hotline.png" alt="FaceUp three-tier hotline comparison — “AI-Powered Hotline” (centre, marked “new”) with “Voice-based AI conducts natural conversations, asks follow-ups, and converts calls into structured, actionable reports”"></p> <blockquote> <p>“The AI agent guides the reporter and follows up where needed to capture complete and accurate information.”</p> </blockquote> <p>FaceUp’s three-card layout is the clearest framing of the choice in the category: a human handles the call, a scripted flow handles the call, or an AI handles the call. They sell all three and mark the AI option “new”. Provider not named.</p> <h2 id="whistlelink--mistral-ai-france-and-deepl-germany-named-in-the-public-dpa"> Whistlelink — Mistral AI (France) and DeepL (Germany) named in the public DPA <a href="#whistlelink--mistral-ai-france-and-deepl-germany-named-in-the-public-dpa" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Whistlelink is the only vendor of the seven that publicly names its AI providers. Their <a href="https://www.whistlelink.com/ro/contract-de-prelucrare-a-datelor/" rel="nofollow">Romanian DPA</a> , Section 5.5:</p> <blockquote> <p>“Sub-Imputerniciți: Swerolab AB (Suedia), SMSAPI (Polonia), Brevo (Franța), OPSWAT (Germania), Glesys (Suedia), T-Systems International (Germania), Friendly Captcha (Germania), <strong>DeepL (Germania), Mistral AI (Franța)</strong>.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/whistlelink-dpa-mistral-deepl.png" alt="Whistlelink DPA Section 5.5 — sub-processor list naming DeepL (Germany) and Mistral AI (France)"></p> <p>The <a href="https://www.whistlelink.com/product/" rel="nofollow">product page</a> explains what the AI Assistant does: “AI Assistant automatically generates concise case summaries.” Mistral is the only LLM provider on the sub-processor list above.</p> <p>The Article 16 confidentiality concern still applies. But an operator signing this DPA knows what they are signing. Operators signing the other six don’t.</p> <h2 id="ethicontrol--ai-intake-agent-on-the-pricing-page"> Ethicontrol — “ai intake agent” on the pricing page <a href="#ethicontrol--ai-intake-agent-on-the-pricing-page" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Ethicontrol’s <a href="https://ethicontrol.com/en/pricing" rel="nofollow">pricing page</a> lists <code>+ ai intake agent for web portal and WhatsApp</code> as a paid feature starting at the Standard tier (€174/month):</p> <p><img src="/images/blog/no-ai-commitment/ethicontrol-pricing-ai-intake-agent.png" alt="Ethicontrol pricing — Standard tier includes “+ ai intake agent for web portal and WhatsApp”"></p> <p>In 2026, an “intake agent” for whistleblower reports is a conversational LLM. The privacy policy and Trust Center do not name the provider.</p> <h2 id="six-of-the-seven-wont-tell-you-whose-ai"> Six of the seven won’t tell you whose AI <a href="#six-of-the-seven-wont-tell-you-whose-ai" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Of the seven above, only Whistlelink names the AI providers (Mistral, DeepL). The other six say “AI”, “AI-powered”, “Sienna AI”, or “Voice-based AI” without naming the model, the provider, the jurisdiction, or whether the inference call leaves the operator’s encryption boundary.</p> <p>We searched every vendor’s privacy policy, DPA, sub-processor page, and trust center we could reach on 24 May 2026. For six, the provider is not disclosed. The feature is in the marketing copy. The disclosure is not in the legal pages.</p> <p>That is the harder problem. An operator running a Data Protection Impact Assessment cannot disclose a sub-processor they cannot name, cannot assess GDPR Chapter V transfer mechanisms for a provider that has not been disclosed to them, and cannot offer the reporter a meaningful privacy notice when the architecture has a box labelled “AI” and no further detail.</p> <h2 id="why-a-whistleblower-reporting-channel-is-the-wrong-place-for-ai"> Why a whistleblower reporting channel is the wrong place for AI <a href="#why-a-whistleblower-reporting-channel-is-the-wrong-place-for-ai" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Article 16 of Directive 2019/1937 says the identity of the reporting person, and information from which it can be deduced, must not be disclosed to anyone beyond authorised case-handling staff. Member-state laws (HinSchG, Sapin II / Loi Waserman, Law 361/2022, the 2024 Polish Act) lift that into criminal or administrative penalties. An LLM API provider is not authorised case-handling staff. Their engineers can read prompts. Their abuse-detection systems are designed to read prompts. The Directive has no “but it was just for a summary” carve-out.</p> <p><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 22</a> of the GDPR sits on top of that. AI categorisation, “suggested rewrites” of a report body, AI case briefs that an investigator reads instead of the original, and “insights” that decide investigative priority are exactly the automated decision-making the article is written about. Disclosure, DPIA, sub-processor listing with notice and objection rights, and reporter-facing transparency all attach.</p> <p>A no-AI commitment removes the entire disclosure tree. The privacy notice is shorter, the DPIA is shorter, the sub-processor list is shorter, and the reporter’s expectation matches the architecture.</p> <h2 id="our-commitment"> Our commitment <a href="#our-commitment" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="/dpa/#610-no-ai-or-llm-processing-of-report-content">DPA §6.10</a> : report content, reporter identity, handler messages, attachments, and audit logs are not transmitted to any large language model, generative AI service, or AI-based classifier, whether operated by us or by a third party. OpenAI, Anthropic, Google, and Mistral are named in the DPA as examples of providers we do not transmit to. A change to this would be a material change to the service, notified 30 days in advance with an objection right.</p> <p>Our <a href="/subprocessors/">sub-processor list</a> has six entries: Hetzner (EU hosting), Cloudflare (marketing-site CDN only), Mailjet (email), Stripe (billing), AppSignal (handler-side error monitoring), Crisp (handler-side chat). No AI sub-processor appears.</p> <h2 id="if-you-are-evaluating-a-vendor"> If you are evaluating a vendor <a href="#if-you-are-evaluating-a-vendor" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Ask in writing: is any large language model, generative AI service, or AI-based classifier — operated by you or by a third party — a sub-processor of report content, reporter identity, handler messages, attachments, or audit logs? Name the provider, the jurisdiction, the function, and whether it is on by default. And will you contractually commit that this answer cannot change without 30 days’ notice and an objection right?</p> <p>We answered both in our DPA before anyone had to ask.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/austria/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/austria/Austria's HinweisgeberInnenschutzgesetz (HSchG): the 50-worker trigger, Austria's designated external reporting offices, and the official BAK and DSB sources.<h1 id="whistleblower-law-in-austria"> Whistleblower law in Austria <a href="#whistleblower-law-in-austria" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Austria implemented Directive (EU) 2019/1937 through the <strong>HinweisgeberInnenschutzgesetz (HSchG)</strong>, promulgated on <strong>24 February 2023</strong> and in force since <strong>25 February 2023</strong>. The Austrian regime is more statute-bound than some broader national systems because the act ties protection and reporting channels to the material scope defined in the HSchG.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20012541" rel="nofollow">HinweisgeberInnenschutzgesetz (HSchG) — official RIS text</a> </li> <li><a href="https://www.bak.gv.at/701/start.aspx" rel="nofollow">BAK overview of Austrian reporting offices</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Many private legal entities with <strong>at least 50 employees</strong> must establish an internal reporting channel. Public legal entities and certain specially regulated bodies are also covered under the act’s own rules.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Austria uses <strong>several designated external reporting offices</strong> rather than one universal national authority. The <a href="https://www.bak.gv.at/701/start.aspx" rel="nofollow">Federal Bureau of Anti-Corruption (BAK)</a> operates an official external reporting office under the HSchG and is the clearest federal reference point for general guidance.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For data-protection complaints relating to the handling of whistleblower reports, the relevant authority is the <a href="https://dsb.gv.at/sites/site0344/media/downloads/beschwerde_an_die_datenschutzbehoerde_complaint_to_the_austrian_data_protection_authority_art15-18_20-22_dsgvo_gdpr.pdf" rel="nofollow">Austrian Data Protection Authority (DSB)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Austria’s whistleblower regime follows the material scope listed in the HSchG, so employers should not market a channel as covering everything unless their own internal policy clearly says so.</li> <li>The official BAK materials stress confidential handling, secure communication and the possibility of anonymous reporting through the external system.</li> <li>In practice, Austrian organisations should point reporters to the correct external office for the relevant subject matter rather than assuming one central state inbox.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20012541" rel="nofollow">HSchG — official RIS text</a> </li> <li><a href="https://www.bak.gv.at/701/start.aspx" rel="nofollow">BAK — reporting offices under the HSchG</a> </li> <li><a href="https://bak.gv.at/en/news.aspx?id=576273413155337839546B3D" rel="nofollow">BAK — newly established reporting offices</a> </li> <li><a href="https://www.bak.gv.at/601/FAQ.aspx" rel="nofollow">BAK — HSchG FAQ</a> </li> <li><a href="https://dsb.gv.at/sites/site0344/media/downloads/beschwerde_an_die_datenschutzbehoerde_complaint_to_the_austrian_data_protection_authority_art15-18_20-22_dsgvo_gdpr.pdf" rel="nofollow">DSB — complaint form</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/belgium/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/belgium/Belgium's whistleblower framework: the private-sector 50-worker rule, the federal ombudsman route, and the official sources that matter.<h1 id="whistleblower-law-in-belgium"> Whistleblower law in Belgium <a href="#whistleblower-law-in-belgium" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Belgium implemented Directive (EU) 2019/1937 through the <strong>Act of 28 November 2022</strong> for the private sector, alongside parallel public-sector and regional arrangements. For private companies, the main business trigger remains <strong>50 workers</strong>, but Belgium’s structure is more fragmented than in unitary systems.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ejustice.just.fgov.be/cgi/article_body.pl?language=nl&pub_date=2022-12-15&caller=summary&numac=2022042980" rel="nofollow">Act of 28 November 2022 — official text on eJustice</a> </li> <li><a href="https://www.federalombudsman.be/en/leitfaden-fur-hinweisgeber" rel="nofollow">Federal Ombudsman guide for whistleblowers</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private legal entities with <strong>at least 50 workers</strong> must establish an internal reporting channel. Belgium also has public-sector and regional whistleblowing frameworks, so public bodies should check the regime that applies to their level of government.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Belgium does not operate with one single whistleblowing authority for every case. The <a href="https://www.federalombudsman.be/en/contact-us" rel="nofollow">Federal Ombudsman</a> is a key federal external route, while sectoral and regional channels can also be relevant depending on the entity and the subject matter of the report.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about unlawful processing of whistleblower data, the relevant authority is the <a href="https://www.dataprotectionauthority.be/citizen" rel="nofollow">Belgian Data Protection Authority</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Belgium’s whistleblowing framework is legally fragmented across private-sector, federal public-sector and regional layers, so organisations should be explicit about which regime they are following.</li> <li>The Federal Ombudsman explicitly accepts direct whistleblower reports and retaliation complaints.</li> <li>Internal policies should make clear which external authority is appropriate for the organisation’s sector and constitutional level.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ejustice.just.fgov.be/cgi/article_body.pl?language=nl&pub_date=2022-12-15&caller=summary&numac=2022042980" rel="nofollow">Act of 28 November 2022 — official private-sector law text</a> </li> <li><a href="https://www.federalombudsman.be/en/contact-us" rel="nofollow">Federal Ombudsman — contact and whistleblower reporting</a> </li> <li><a href="https://www.federalombudsman.be/en/leitfaden-fur-hinweisgeber" rel="nofollow">Federal Ombudsman — guide for whistleblowers</a> </li> <li><a href="https://www.federalombudsman.be/en/should-i-have-reported-the-facts-in-house-first" rel="nofollow">Federal Ombudsman — direct external reporting is possible</a> </li> <li><a href="https://www.dataprotectionauthority.be/citizen" rel="nofollow">Belgian Data Protection Authority — citizen complaints</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/bulgaria/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/bulgaria/Bulgaria's whistleblowing act: the 50-worker rule, CPDP's dual role, and the official implementation guidance for obliged entities.<h1 id="whistleblower-law-in-bulgaria"> Whistleblower law in Bulgaria <a href="#whistleblower-law-in-bulgaria" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Bulgaria implemented Directive (EU) 2019/1937 through the <strong>Act on the Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches</strong>, in force since <strong>4 May 2023</strong>. The Bulgarian system is notable because the CPDP acts both as the central external authority and as the data protection authority.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://cpdp.bg/%D0%BF%D1%80%D0%B0%D0%B2%D0%BD%D0%B0-%D1%80%D0%B0%D0%BC%D0%BA%D0%B0-%D0%BD%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%B0%D0%BB%D0%BD%D0%B0/%D0%B7%D0%B0%D0%BA%D0%BE%D0%BD-%D0%B7%D0%B0-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BD%D0%B0-%D0%BB%D0%B8%D1%86%D0%B0%D1%82%D0%B0-%D0%BF%D0%BE%D0%B4%D0%B0%D0%B2%D0%B0%D1%89%D0%B8-%D1%81%D0%B8%D0%B3/?hilite=%D0%B7%D0%B0%D0%BF%D0%BE%D0%B2%D0%B5%D0%B4+%E2%84%960496+04.05.2023" rel="nofollow">Bulgarian whistleblowing act — official CPDP law page</a> </li> <li><a href="https://cpdp.bg/en/whistleblowers-protection/implementation-of-the-system-for-protection-of-persons-reporting-or-publicly-disclosing-information-about-breaches/" rel="nofollow">CPDP implementation guidance</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>50 or more workers</strong> are in scope. The <strong>50-249</strong> band became subject to the internal-channel rules from <strong>17 December 2023</strong>. Public-sector obliged entities were generally in scope from 4 May 2023.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The central external channel is the <a href="https://cpdp.bg/en/whistleblowers-protection/implementation-of-the-system-for-protection-of-persons-reporting-or-publicly-disclosing-information-about-breaches/" rel="nofollow">Commission for Personal Data Protection (CPDP)</a> , which also publishes forms, register guidance and FAQs for obliged entities.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The same <a href="https://cpdp.bg/%D0%BF%D0%BE%D0%B4%D0%B0%D0%B2%D0%B0%D0%BD%D0%B5-%D0%BD%D0%B0-%D0%B6%D0%B0%D0%BB%D0%B1%D0%B8-%D0%B8-%D1%81%D0%B8%D0%B3%D0%BD%D0%B0%D0%BB%D0%B8-%D0%B4%D0%BE-%D0%BA%D0%B7%D0%BB%D0%B4/" rel="nofollow">CPDP</a> is Bulgaria’s GDPR supervisory authority.</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Municipalities with fewer than 10,000 inhabitants or fewer than 50 workers may share resources for intake and follow-up.</li> <li>Private entities with 50-249 workers may also share resources for receiving and handling reports.</li> <li>CPDP’s official materials expect a non-public register of reports and clear public information about how to use the channel.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://cpdp.bg/%D0%BF%D1%80%D0%B0%D0%B2%D0%BD%D0%B0-%D1%80%D0%B0%D0%BC%D0%BA%D0%B0-%D0%BD%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%B0%D0%BB%D0%BD%D0%B0/%D0%B7%D0%B0%D0%BA%D0%BE%D0%BD-%D0%B7%D0%B0-%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BD%D0%B0-%D0%BB%D0%B8%D1%86%D0%B0%D1%82%D0%B0-%D0%BF%D0%BE%D0%B4%D0%B0%D0%B2%D0%B0%D1%89%D0%B8-%D1%81%D0%B8%D0%B3/?hilite=%D0%B7%D0%B0%D0%BF%D0%BE%D0%B2%D0%B5%D0%B4+%E2%84%960496+04.05.2023" rel="nofollow">Bulgarian whistleblowing act — official CPDP law page</a> </li> <li><a href="https://cpdp.bg/en/whistleblowers-protection/implementation-of-the-system-for-protection-of-persons-reporting-or-publicly-disclosing-information-about-breaches/" rel="nofollow">CPDP — implementation of the protection system</a> </li> <li><a href="https://cpdp.bg/en/frequently-asked-questions-on-the-wpa/" rel="nofollow">CPDP — frequently asked questions</a> </li> <li><a href="https://cpdp.bg/%D0%BF%D0%BE%D0%B4%D0%B0%D0%B2%D0%B0%D0%BD%D0%B5-%D0%BD%D0%B0-%D0%B6%D0%B0%D0%BB%D0%B1%D0%B8-%D0%B8-%D1%81%D0%B8%D0%B3%D0%BD%D0%B0%D0%BB%D0%B8-%D0%B4%D0%BE-%D0%BA%D0%B7%D0%BB%D0%B4/" rel="nofollow">CPDP — complaints and signals</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/croatia/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/croatia/Croatia's Whistleblower Protection Act: the 50-worker rule, the Ombudswoman's role as external authority, and the official Croatian sources.<h1 id="whistleblower-law-in-croatia"> Whistleblower law in Croatia <a href="#whistleblower-law-in-croatia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Croatia implemented Directive (EU) 2019/1937 through the <strong>Whistleblower Protection Act</strong> published in <strong>Narodne novine 46/2022</strong>. The Croatian framework combines the standard <strong>50-worker</strong> employer trigger with a strong coordinating role for the Ombudswoman.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://narodne-novine.nn.hr/eli/sluzbeni/2022/46/572" rel="nofollow">Whistleblower Protection Act — official text in Narodne novine</a> </li> <li><a href="https://www.ombudsman.hr/en/the-new-act-for-the-protection-of-persons-reporting-irregularities-whistleblowers-key-information-for-reporting-persons-and-confidential-persons/" rel="nofollow">Croatian Ombudswoman key implementation guidance</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 workers</strong> must establish an internal reporting channel. Croatian public authorities are also covered by the act’s internal-reporting rules.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The <a href="https://www.ombudsman.hr/en/the-new-act-for-the-protection-of-persons-reporting-irregularities-whistleblowers-key-information-for-reporting-persons-and-confidential-persons/" rel="nofollow">Croatian Ombudswoman</a> is the external reporting authority. The Ombudswoman receives reports, protects the reporting person’s position and forwards the substance of the case to the competent authority where needed.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about the processing of personal data in the whistleblowing process, the relevant authority is the <a href="https://azop.hr/zahtjev-za-utvrdivanje-povrede-prava-2/" rel="nofollow">Croatian Personal Data Protection Agency (AZOP)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Croatian law requires the employer to appoint a confidential person and a deputy for internal handling.</li> <li>Anonymous reporters can still obtain protection if their identity is later established and retaliation follows.</li> <li>The Ombudswoman’s official guidance emphasizes identity protection, emotional support and timely communication with the reporting person.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://narodne-novine.nn.hr/eli/sluzbeni/2022/46/572" rel="nofollow">Whistleblower Protection Act — official law text</a> </li> <li><a href="https://www.ombudsman.hr/en/the-new-act-for-the-protection-of-persons-reporting-irregularities-whistleblowers-key-information-for-reporting-persons-and-confidential-persons/" rel="nofollow">Ombudswoman — key information for reporting persons and confidential persons</a> </li> <li><a href="https://www.ombudsman.hr/en/public-disclosure-what-it-is-when-it-is-used-and-how-it-supports-the-fight-against-corruption/" rel="nofollow">Ombudswoman — public disclosure guidance</a> </li> <li><a href="https://azop.hr/zahtjev-za-utvrdivanje-povrede-prava-2/" rel="nofollow">AZOP — request to determine infringement of rights</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/cyprus/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/cyprus/Cyprus's Law 6(I)/2022: the 50-worker rule, Cyprus's competent-authority structure, and the official implementation sources.<h1 id="whistleblower-law-in-cyprus"> Whistleblower law in Cyprus <a href="#whistleblower-law-in-cyprus" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Cyprus implemented Directive (EU) 2019/1937 through <strong>Law 6(I)/2022</strong>, published on <strong>4 February 2022</strong>. The basic private-sector trigger is <strong>50 employees</strong>, but Cyprus organises external reporting through a <strong>competent-authority structure</strong> rather than one universal state inbox.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.cylaw.org/nomoi/arith/2022_1_006.pdf" rel="nofollow">Law 6(I)/2022 — official text PDF</a> </li> <li><a href="https://www.gov.cy/moh/en/whistleblowers/" rel="nofollow">Ministry of Health whistleblower explainer</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 employees</strong> must establish an internal reporting channel. Public-sector bodies are also covered by the law and usually publish their own internal-channel instructions.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Cyprus uses a list of <strong>competent authorities</strong> for external reporting, depending on the subject matter and sector. The official central guidance is the <a href="https://www.gov.cy/moh/en/whistleblowers/" rel="nofollow">government whistleblower explainer</a> , which points to guides for competent authorities rather than one single cross-sector authority.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For data-protection complaints relating to report handling, the relevant authority is the <a href="https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en%3Fopendocument" rel="nofollow">Office of the Commissioner for Personal Data Protection</a> . The office has also issued a <a href="https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/All/D174BEEE706A7B67C2258BB1003C4C8B" rel="nofollow">whistleblower-specific announcement</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Cyprus expects obliged entities to publish both worker-facing guidance and internal handling rules.</li> <li>The law also covers anonymous reports where the whistleblower is later identified and suffers retaliation.</li> <li>In practice, Cypriot organisations should tell reporters which external authority fits the topic instead of treating “external reporting” as one generic route.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.cylaw.org/nomoi/arith/2022_1_006.pdf" rel="nofollow">Law 6(I)/2022 — official text PDF</a> </li> <li><a href="https://www.cylaw.org/nomoi/enop/non-ind/2022_1_6/full.html" rel="nofollow">Law 6(I)/2022 — consolidated text</a> </li> <li><a href="https://www.gov.cy/moh/en/whistleblowers/" rel="nofollow">Government whistleblower explainer</a> </li> <li><a href="https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en%3Fopendocument" rel="nofollow">Office of the Commissioner for Personal Data Protection — home page</a> </li> <li><a href="https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/All/D174BEEE706A7B67C2258BB1003C4C8B" rel="nofollow">Office of the Commissioner for Personal Data Protection — whistleblower announcement</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/czech-republic/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/czech-republic/Czech whistleblower law under Act No. 171/2023: the 50-worker threshold, the Ministry of Justice external system, and the official Czech sources.<h1 id="whistleblower-law-in-czech-republic"> Whistleblower law in Czech Republic <a href="#whistleblower-law-in-czech-republic" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>The Czech Republic implemented Directive (EU) 2019/1937 through <strong>Act No. 171/2023 Coll. on the protection of whistleblowers</strong>, effective from <strong>1 August 2023</strong>. The Czech model gives the Ministry of Justice a visible role through its public <code>Oznamovatel</code> portal and external reporting system.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://oznamovatel.justice.cz/" rel="nofollow">Ministry of Justice whistleblower portal</a> </li> <li><a href="https://oznamovatel.justice.cz/zakon-o-ochrane-oznamovatelu-a-souvisejici-zmenovy-zakon-nabyvaji-ucinnosti/" rel="nofollow">Ministry note on Act No. 171/2023 entering into force</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 employees</strong> must establish an internal reporting channel. Public authorities, municipalities with <strong>at least 10,000 inhabitants</strong>, and a range of other public bodies are also covered.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external reporting system is operated by the <a href="https://oznamovatel.justice.cz/informace-pro-oznamovatele/" rel="nofollow">Ministry of Justice</a> . Czech official guidance also notes that a whistleblower may report directly to the public authority that is substantively competent to address the unlawful conduct.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For data-protection complaints connected to whistleblower handling, the relevant authority is the <a href="https://www.uoou.cz/" rel="nofollow">Office for Personal Data Protection (UOOU)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Czech law is narrower than a generic ethics hotline because the official ministry guidance ties protection to defined types of unlawful conduct.</li> <li>The Ministry of Justice publishes model forms, methodology and sample internal rules, which makes the Czech market relatively documentation-heavy.</li> <li>Internal systems should clearly explain when a reporter may prefer the ministry’s external route instead of the employer’s own channel.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://oznamovatel.justice.cz/" rel="nofollow">Oznamovatel — Ministry of Justice portal</a> </li> <li><a href="https://oznamovatel.justice.cz/informace-pro-oznamovatele/" rel="nofollow">Ministry of Justice — information for whistleblowers</a> </li> <li><a href="https://oznamovatel.justice.cz/zakon-o-ochrane-oznamovatelu-a-souvisejici-zmenovy-zakon-nabyvaji-ucinnosti/" rel="nofollow">Ministry of Justice — Act No. 171/2023 enters into force</a> </li> <li><a href="https://oznamovatel.justice.cz/vyrocni-zpravy/" rel="nofollow">Ministry of Justice — annual reports and methodology section</a> </li> <li><a href="https://www.uoou.cz/" rel="nofollow">UOOU — Office for Personal Data Protection</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/denmark/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/denmark/Denmark's whistleblower act: the 50-worker rule, the National Whistleblower Scheme, and the official Danish guidance.<h1 id="whistleblower-law-in-denmark"> Whistleblower law in Denmark <a href="#whistleblower-law-in-denmark" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Denmark implemented Directive (EU) 2019/1937 through <strong>Act No. 1436 of 29 June 2021 on the protection of whistleblowers</strong>, in force since <strong>17 December 2021</strong>. Denmark is one of the clearer markets from an implementation perspective because it combines the standard <strong>50-worker</strong> threshold with a well-defined <strong>National Whistleblower Scheme</strong>.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.retsinformation.dk/eli/lta/2021/1436" rel="nofollow">Act No. 1436 of 29 June 2021 — official text</a> </li> <li><a href="https://whistleblower.dk/english" rel="nofollow">National Whistleblower Scheme — English overview</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Public authorities and private employers with <strong>at least 50 workers</strong> must establish an internal whistleblower scheme.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external route is the <a href="https://whistleblower.dk/english" rel="nofollow">National Whistleblower Scheme</a> , which is established within Datatilsynet but operates as a separate national external channel.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The GDPR supervisory authority is <a href="https://www.datatilsynet.dk/om-datatilsynet/den-nationale-whistleblowerordning" rel="nofollow">Datatilsynet</a> , which also hosts the National Whistleblower Scheme institutionally.</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Denmark’s national scheme accepts written, oral and in-person reports and explicitly allows anonymous reporting.</li> <li>The national scheme is not limited to GDPR issues; official Danish materials say it also covers serious legal breaches and other serious matters within the law’s scope.</li> <li>Internal procedures should make clear when a worker should use the employer’s channel and when the national external route is more appropriate.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.retsinformation.dk/eli/lta/2021/1436" rel="nofollow">Act No. 1436 of 29 June 2021 — official text</a> </li> <li><a href="https://whistleblower.dk/english" rel="nofollow">National Whistleblower Scheme — English overview</a> </li> <li><a href="https://www.datatilsynet.dk/om-datatilsynet/den-nationale-whistleblowerordning" rel="nofollow">Datatilsynet — National Whistleblower Scheme</a> </li> <li><a href="https://www.justitsministeriet.dk/wp-content/uploads/2021/12/Vejledning-for-whistleblowerordninger-paa-private-arbejdspladser.pdf" rel="nofollow">Justitsministeriet — guidance for private workplaces</a> </li> <li><a href="https://www.justitsministeriet.dk/wp-content/uploads/2022/02/Vejledning-for-whistleblowerordninger-paa-offentlige-arbejdspladser.pdf" rel="nofollow">Justitsministeriet — guidance for public workplaces</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/estonia/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/estonia/Estonia's Rikkumisest teavitaja kaitse seadus (RTKS): the 50-worker rule, Estonia's still-young reporting framework, and the official state sources.<h1 id="whistleblower-law-in-estonia"> Whistleblower law in Estonia <a href="#whistleblower-law-in-estonia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Estonia implemented Directive (EU) 2019/1937 through the <strong>Rikkumisest teavitaja kaitse seadus (RTKS)</strong>, which entered into force on <strong>1 September 2024</strong>. Estonia’s framework is still relatively new, so the official law text matters more than mature administrative guidance pages.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.riigiteataja.ee/akt/108052024001" rel="nofollow">Rikkumisest teavitaja kaitse seadus (RTKS) — official text</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 workers</strong> are the main business group required to establish an internal reporting channel. Public-sector coverage is broader under the act.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Estonia’s act works through <strong>competent authorities</strong> that handle the underlying subject matter of the breach rather than through one highly visible universal whistleblowing portal. In practice, organisations should therefore explain which authority is competent for the issues they cover instead of treating external reporting as a single generic route.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about the handling of report data, the relevant authority is the <a href="https://www.aki.ee/en" rel="nofollow">Estonian Data Protection Inspectorate (AKI)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Estonia’s law protects work-related reporting of breaches within the statutory scope, so companies should distinguish the legal whistleblowing process from any broader speak-up or HR intake.</li> <li>Because the regime is new, clear published instructions on scope, intake format and follow-up matter more than in older whistleblowing markets.</li> <li>Organisations handling sensitive reports should also pay attention to AKI guidance and breach-reporting expectations.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.riigiteataja.ee/akt/108052024001" rel="nofollow">RTKS — official text</a> </li> <li><a href="https://www.oiguskantsler.ee/en/contacts/application-chancellor-justice" rel="nofollow">Chancellor of Justice — application page</a> </li> <li><a href="https://www.aki.ee/en" rel="nofollow">AKI — Estonian Data Protection Inspectorate</a> </li> <li><a href="https://www.aki.ee/vota-uhendust" rel="nofollow">AKI — contact page</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/finland/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/finland/Finland's Whistleblower Protection Act: the 50-worker rule, the centralised external reporting channel, and the official Finnish sources.<h1 id="whistleblower-law-in-finland"> Whistleblower law in Finland <a href="#whistleblower-law-in-finland" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Finland implemented Directive (EU) 2019/1937 through <strong>Act 1171/2022 on the protection of persons reporting breaches of European Union and national law</strong>, in force since <strong>1 January 2023</strong>. Finland combines the standard <strong>50-worker</strong> threshold with a clearly identified <strong>centralised external reporting channel</strong> at the Office of the Chancellor of Justice.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.finlex.fi/en/legislation/2022/1171" rel="nofollow">Act 1171/2022 — official text on Finlex</a> </li> <li><a href="https://oikeuskansleri.fi/en/whistleblower-protection" rel="nofollow">Office of the Chancellor of Justice — whistleblower protection</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 employees</strong> must establish an internal reporting channel. Public authorities and certain specifically regulated entities are also covered under the act.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external route is the <a href="https://oikeuskansleri.fi/en/centralised-external-reporting-channel" rel="nofollow">centralised external reporting channel of the Office of the Chancellor of Justice</a> . The Chancellor of Justice receives the report and forwards it to the competent authority for follow-up.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about how whistleblower data are processed, the relevant authority is the <a href="https://tietosuoja.fi/en/home" rel="nofollow">Office of the Data Protection Ombudsman</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Finnish organisations must inform potential reporters not only about the internal process, but also about the external reporting procedure and the conditions for obtaining statutory protection.</li> <li>Finland’s law is narrower than a generic ethics line, so companies should separate statutory whistleblowing from broader misconduct intake if they choose to cover both.</li> <li>The Chancellor of Justice model makes Finland one of the clearer countries for explaining the external route to reporters.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.finlex.fi/en/legislation/2022/1171" rel="nofollow">Act 1171/2022 — official Finlex text</a> </li> <li><a href="https://oikeuskansleri.fi/en/whistleblower-protection" rel="nofollow">Office of the Chancellor of Justice — whistleblower protection</a> </li> <li><a href="https://oikeuskansleri.fi/en/centralised-external-reporting-channel" rel="nofollow">Office of the Chancellor of Justice — centralised external reporting channel</a> </li> <li><a href="https://tietosuoja.fi/en/home" rel="nofollow">Office of the Data Protection Ombudsman</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/france/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/france/France's whistleblower framework under Loi Waserman: who needs an internal channel, how external reporting works, and which official authorities matter.<h1 id="whistleblower-law-in-france"> Whistleblower law in France <a href="#whistleblower-law-in-france" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>France implemented Directive (EU) 2019/1937 through <strong>Loi n° 2022-401 du 21 mars 2022</strong> (“Loi Waserman”), with the October 2022 decree setting the practical framework for internal and external reporting procedures. For most employers, the central threshold remains <strong>50 employees</strong>.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi n° 2022-401 du 21 mars 2022 (Loi Waserman)</a> </li> <li><a href="https://www.service-public.gouv.fr/particuliers/vosdroits/F32031" rel="nofollow">Service Public explainer for whistleblowers</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>50 or more employees</strong> must establish an internal reporting procedure. The French public-service guidance also notes that public employers with at least 50 agents are in scope, and that some entities with fewer than 250 workers may pool the collection and processing arrangement.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>France does not rely on one universal whistleblowing authority. The <a href="https://www.defenseurdesdroits.fr/orienter-et-proteger-les-lanceurs-dalerte-180" rel="nofollow">Défenseur des droits</a> helps orient and protect whistleblowers, while competent sectoral authorities may receive external reports in their own remit.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For concerns about unlawful processing of personal data or confidentiality failures in the reporting process, the relevant authority is the <a href="https://www.cnil.fr/fr/saisir-la-cnil/lanceurs-dalerte-adresser-une-alerte-la-cnil" rel="nofollow">CNIL</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>France no longer requires whistleblowers to report internally before using an external channel.</li> <li>The procedure must keep the identity of the reporting person, the person concerned, and named third parties confidential.</li> <li>French official guidance points to acknowledgment within 7 working days and feedback within 3 months as the standard operating timeline.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman — official text</a> </li> <li><a href="https://www.service-public.gouv.fr/particuliers/vosdroits/F32031" rel="nofollow">Service Public — lancer une alerte</a> </li> <li><a href="https://www.defenseurdesdroits.fr/orienter-et-proteger-les-lanceurs-dalerte-180" rel="nofollow">Défenseur des droits — orienter et protéger les lanceurs d’alerte</a> </li> <li><a href="https://www.cnil.fr/fr/saisir-la-cnil/lanceurs-dalerte-adresser-une-alerte-la-cnil" rel="nofollow">CNIL — adresser une alerte</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/germany/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/germany/Germany's Hinweisgeberschutzgesetz (HinSchG): private-sector threshold, shared internal offices, and the official external and data protection authorities.<h1 id="whistleblower-law-in-germany"> Whistleblower law in Germany <a href="#whistleblower-law-in-germany" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Germany implemented Directive (EU) 2019/1937 through the <strong>Hinweisgeberschutzgesetz (HinSchG)</strong>, in force since 2 July 2023. For most private employers, the decisive trigger is <strong>50 employees</strong>, with a specific allowance for shared internal offices in the 50-249 band.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.gesetze-im-internet.de/hinschg/BJNR08C0B0023.html" rel="nofollow">Hinweisgeberschutzgesetz (HinSchG)</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>50 or more employees</strong> must establish at least one internal reporting office. The act also allows private employers with <strong>50 to 249 employees</strong> to establish and operate a joint internal reporting office.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The federal external channel is the <a href="https://formulare.bfj.bund.de/ffw/action/invoke.do?id=externeMeldestelle" rel="nofollow">external reporting office of the Federal Office of Justice</a> . Germany also maintains specialised external channels in regulated sectors such as financial services and competition law.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For private-sector GDPR complaints, the competent authority is usually the state-level data protection authority of the relevant Bundesland. The federal <a href="https://www.bfdi.bund.de/DE/Buerger/Inhalte/Allgemein/Datenschutz/BeschwerdeBeiDatenschutzbehoereden.html" rel="nofollow">BfDI complaints guidance</a> explains this split.</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Internal offices must provide clear information about external reporting procedures and competent authorities.</li> <li>Germany requires written and oral intake and an in-person meeting option on request.</li> <li>Anonymous reports are not uniformly mandatory across all regimes, but the federal law strongly encourages handlers to process them.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.gesetze-im-internet.de/hinschg/BJNR08C0B0023.html" rel="nofollow">HinSchG — official text</a> </li> <li><a href="https://formulare.bfj.bund.de/ffw/action/invoke.do?id=externeMeldestelle" rel="nofollow">Federal Office of Justice — external reporting office</a> </li> <li><a href="https://www.bfdi.bund.de/DE/Buerger/Inhalte/Allgemein/Datenschutz/BeschwerdeBeiDatenschutzbehoereden.html" rel="nofollow">BfDI — complaints about data protection authorities</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/greece/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/greece/Greece's Law 4990/2022: who needs an internal channel, the role of the National Transparency Authority, and the official Greek compliance framework.<h1 id="whistleblower-law-in-greece"> Whistleblower law in Greece <a href="#whistleblower-law-in-greece" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Greece implemented Directive (EU) 2019/1937 through <strong>Law 4990/2022</strong>. The Greek framework combines the standard private-sector threshold with a named internal reporting officer and an external channel operated by the National Transparency Authority.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.et.gr/api/DownloadFeksApi/?fek_pdf=20220100206" rel="nofollow">Law 4990/2022 — official gazette PDF</a> </li> <li><a href="https://aead.gr/images/imerides/2023/87TIF_10-9-23/Karapidakis_87TIF_1.pdf" rel="nofollow">National Transparency Authority presentation on Law 4990/2022</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private-sector entities with <strong>more than 50 workers</strong> must establish an internal channel and appoint a reporting officer. Public bodies are also in scope under the Greek framework.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external channel is the <a href="https://aead.gr/submit-complaint" rel="nofollow">National Transparency Authority</a> , which receives reports under Law 4990/2022 and publishes implementation material for obliged entities.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about unlawful handling of personal data or confidentiality issues, the relevant authority is the <a href="https://www.dpa.gr/el/syndesi/polites/kataggelia/general" rel="nofollow">Hellenic Data Protection Authority</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Greek implementation material expects written, oral and meeting-based intake options.</li> <li>The reporting officer is a named compliance role, not just a generic mailbox.</li> <li>Official Greek guidance states that private entities in the 50-249 band may use shared reporting officers for intake.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.et.gr/api/DownloadFeksApi/?fek_pdf=20220100206" rel="nofollow">Law 4990/2022 — official gazette PDF</a> </li> <li><a href="https://aead.gr/submit-complaint" rel="nofollow">National Transparency Authority — submit a complaint</a> </li> <li><a href="https://aead.gr/images/imerides/2023/87TIF_10-9-23/Karapidakis_87TIF_1.pdf" rel="nofollow">National Transparency Authority — implementation material</a> </li> <li><a href="https://www.dpa.gr/el/syndesi/polites/kataggelia/general" rel="nofollow">Hellenic Data Protection Authority — complaints</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/hungary/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/hungary/Hungary's whistleblowing framework under Act XXV of 2023: the 50-worker rule, the Commissioner for Fundamental Rights system, and the official sources.<h1 id="whistleblower-law-in-hungary"> Whistleblower law in Hungary <a href="#whistleblower-law-in-hungary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Hungary implemented Directive (EU) 2019/1937 through <strong>Act XXV of 2023</strong> on complaints, public interest disclosures and rules related to reporting abuses, in force since <strong>24 July 2023</strong>. The Hungarian framework places the official external channel with the <strong>Commissioner for Fundamental Rights</strong>.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://njt.hu/jogszabaly/2023-25-00-00" rel="nofollow">Act XXV of 2023 — official text</a> </li> <li><a href="https://www.ajbh.hu/en/web/ajbh-en/public-interest-disclosure-whistleblower-report" rel="nofollow">Commissioner for Fundamental Rights — public interest disclosure / whistleblower report</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 employees</strong> must establish an internal reporting system. Public-sector bodies and certain specifically regulated entities also follow the act’s whistleblowing rules.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external reporting system is operated by the <a href="https://www.ajbh.hu/web/ajbh-en/submitting-public-interest-disclosure-whistleblower-report" rel="nofollow">Commissioner for Fundamental Rights</a> , which accepts public interest disclosures and whistleblower reports through its dedicated system.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints relating to the handling of report data, the relevant authority is the <a href="https://www.naih.hu/" rel="nofollow">Hungarian National Authority for Data Protection and Freedom of Information (NAIH)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Hungary’s official terminology still strongly links whistleblowing to the public-interest disclosure framework.</li> <li>The official external system accepts reports with or without identification, but the handling consequences differ depending on whether the reporter identifies themselves.</li> <li>Organisations entering Hungary should be careful to separate statutory whistleblower handling from any broader ethics or grievance channel.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://njt.hu/jogszabaly/2023-25-00-00" rel="nofollow">Act XXV of 2023 — official text</a> </li> <li><a href="https://www.ajbh.hu/en/web/ajbh-en/public-interest-disclosure-whistleblower-report" rel="nofollow">Commissioner for Fundamental Rights — public interest disclosure / whistleblower report</a> </li> <li><a href="https://www.ajbh.hu/web/ajbh-en/submitting-public-interest-disclosure-whistleblower-report" rel="nofollow">Commissioner for Fundamental Rights — submitting a report</a> </li> <li><a href="https://www.naih.hu/" rel="nofollow">NAIH — Hungarian data protection authority</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/ireland/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/ireland/Ireland's protected disclosures framework: the 50-worker rule, the Protected Disclosures Commissioner, and the official Irish sources.<h1 id="whistleblower-law-in-ireland"> Whistleblower law in Ireland <a href="#whistleblower-law-in-ireland" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Ireland implemented Directive (EU) 2019/1937 through the <strong>Protected Disclosures (Amendment) Act 2022</strong>, building on the older Irish protected disclosures regime. For most private organisations, the main trigger is <strong>50 workers</strong>, while Ireland’s external reporting structure combines a <strong>Protected Disclosures Commissioner</strong> with a long list of sectoral <strong>prescribed persons</strong>.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.irishstatutebook.ie/eli/2022/act/27/enacted/en/html" rel="nofollow">Protected Disclosures (Amendment) Act 2022 — official Irish Statute Book text</a> </li> <li><a href="https://www.gov.ie/en/department-of-justice-home-affairs-and-migration/organisation-information/department-of-justice-protected-disclosures/" rel="nofollow">Department of Justice — protected disclosures guidance</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private organisations with <strong>at least 50 workers</strong> must establish an internal reporting channel. Public bodies are also covered under the Irish protected disclosures framework.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Ireland does not rely on a single universal subject-matter authority. The <a href="https://www.gov.ie/en/department-of-justice-home-affairs-and-migration/organisation-information/department-of-justice-protected-disclosures/" rel="nofollow">Office of the Protected Disclosures Commissioner</a> acts as a routing channel when the worker is unsure of the correct recipient, while many sectoral <strong>prescribed persons</strong> also receive external disclosures directly.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about the processing of whistleblower data, the relevant authority is the <a href="https://www.dataprotection.ie/en/faqs/initial-contact-dpc/making-complaint-dpc" rel="nofollow">Data Protection Commission</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Irish law still uses the “protected disclosures” terminology rather than “whistleblowing” as the primary legal label.</li> <li>The external-reporting map is broad, so internal procedures should tell workers whether they should go to a prescribed person, the Commissioner, or another route set out in the Act.</li> <li>The Data Protection Commission expects complainants to first raise the data issue with the organisation where appropriate before escalating.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.irishstatutebook.ie/eli/2022/act/27/enacted/en/html" rel="nofollow">Protected Disclosures (Amendment) Act 2022 — official law text</a> </li> <li><a href="https://www.gov.ie/en/department-of-justice-home-affairs-and-migration/organisation-information/department-of-justice-protected-disclosures/" rel="nofollow">Department of Justice — protected disclosures</a> </li> <li><a href="https://www.gov.ie/en/department-of-public-expenditure-infrastructure-public-service-reform-and-digitalisation/collections/protected-disclosures-whistleblowing-list-of-prescribed-persons/" rel="nofollow">Government list of prescribed persons</a> </li> <li><a href="https://www.dataprotection.ie/en/faqs/initial-contact-dpc/making-complaint-dpc" rel="nofollow">Data Protection Commission — making a complaint</a> </li> <li><a href="https://www.dataprotection.ie/en/individuals/exercising-your-rights/complaints-handling-investigations-and-enforcement-individuals" rel="nofollow">Data Protection Commission — complaint handling</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/italy/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/italy/Italy's whistleblower framework under Legislative Decree 24/2023: the 50-worker rule, the Model 231 carve-in, and the official ANAC sources.<h1 id="whistleblower-law-in-italy"> Whistleblower law in Italy <a href="#whistleblower-law-in-italy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Italy implemented Directive (EU) 2019/1937 through <strong>Legislative Decree No. 24 of 10 March 2023</strong>. Italy’s framework is commercially important because it combines the standard <strong>50-worker</strong> threshold with a separate rule for organisations that have adopted a <strong>Model 231</strong> compliance model.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">Legislative Decree No. 24 of 10 March 2023 — official text</a> </li> <li><a href="https://www.anticorruzione.it/en/-/whistleblowing" rel="nofollow">ANAC whistleblowing page</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private entities with <strong>at least 50 workers</strong> must establish an internal reporting channel. Italy also requires channels for entities that have adopted a <strong>Model 231</strong> organisational and management model, even where they are smaller.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external authority is <a href="https://www.anticorruzione.it/en/-/whistleblowing" rel="nofollow">ANAC</a> , which provides external reporting procedures and public guidance on the Italian whistleblowing regime.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints relating to the handling of whistleblower data, the relevant authority is the <a href="https://www.garanteprivacy.it/" rel="nofollow">Garante per la protezione dei dati personali</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Italy’s Model 231 overlap means the market expects precise legal positioning rather than a generic “50-plus employees” message.</li> <li>The Italian regime is documentation-heavy: companies need a clear internal procedure, a designated handler setup and compliant privacy information.</li> <li>ANAC remains the central official reference point even when the report concerns a private entity.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">Legislative Decree No. 24 of 10 March 2023 — official text</a> </li> <li><a href="https://www.normattiva.it/" rel="nofollow">Normattiva — Italian legal text database</a> </li> <li><a href="https://www.anticorruzione.it/en/-/whistleblowing" rel="nofollow">ANAC — whistleblowing</a> </li> <li><a href="https://www.garanteprivacy.it/" rel="nofollow">Garante privacy</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/latvia/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/latvia/Latvia's Whistleblowing Law: the 50-worker rule, KNAB's contact-point role, and the official Latvian sources.<h1 id="whistleblower-law-in-latvia"> Whistleblower law in Latvia <a href="#whistleblower-law-in-latvia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Latvia implemented Directive (EU) 2019/1937 through the <strong>Trauksmes celšanas likums</strong> (Whistleblowing Law), effective from <strong>4 February 2022</strong>. The Latvian framework combines the familiar <strong>50-worker</strong> trigger with a visible anti-corruption and public-guidance role for KNAB.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://likumi.lv/ta/id/329680-trauksmes-celsanas-likums" rel="nofollow">Trauksmes celšanas likums — official text</a> </li> <li><a href="https://www.knab.gov.lv/en/whistleblowing" rel="nofollow">KNAB whistleblowing overview</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private legal entities with <strong>at least 50 employees</strong> are the main business group required to establish an internal reporting channel. Public-sector entities are also covered by the law.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Latvia’s official whistleblowing landscape is coordinated through <a href="https://www.knab.gov.lv/en/whistleblowing" rel="nofollow">KNAB</a> . Official Latvian materials also describe KNAB as the <strong>contact point</strong> for whistleblowers and a training / guidance body for the system.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about the processing of whistleblower data, the relevant authority is the <a href="https://www.dvi.gov.lv/en/services/complaint-concerning-processing-personal-data" rel="nofollow">State Data Inspectorate (DVI)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Latvian official materials emphasise the public-interest nature of whistleblowing and the need to submit reports in the work-related context.</li> <li>KNAB and DVI both publish whistleblowing-related guidance, so Latvian implementation often has a visibly anti-corruption as well as privacy angle.</li> <li>Internal policies should explain when a report belongs in the statutory whistleblowing process and when it should go through another grievance route.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://likumi.lv/ta/id/329680-trauksmes-celsanas-likums" rel="nofollow">Trauksmes celšanas likums — official text</a> </li> <li><a href="https://www.knab.gov.lv/en/whistleblowing" rel="nofollow">KNAB — whistleblowing</a> </li> <li><a href="https://www.dvi.gov.lv/en/whistleblowing" rel="nofollow">DVI — whistleblowing</a> </li> <li><a href="https://www.dvi.gov.lv/en/services/complaint-concerning-processing-personal-data" rel="nofollow">DVI — complaint concerning processing of personal data</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/lithuania/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/lithuania/Lithuania's whistleblower law: the 50-worker rule, the central role of the Public Prosecutor's Office, and the official Lithuanian sources.<h1 id="whistleblower-law-in-lithuania"> Whistleblower law in Lithuania <a href="#whistleblower-law-in-lithuania" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Lithuania adopted whistleblower legislation before many other EU states and later aligned it with Directive (EU) 2019/1937. The framework is built around the <strong>Pranešėjų apsaugos įstatymas</strong> and gives the <strong>Public Prosecutor’s Office of the Republic of Lithuania</strong> a central role.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/3832a712149511eab9d9cd0c85e0b745" rel="nofollow">Law on the Protection of Whistleblowers — official text</a> </li> <li><a href="https://www.prokuraturos.lt/data/public/uploads/2020/02/1.9-225-praneseju-apsaugos-istatymas-eng.pdf" rel="nofollow">Official English translation of the law</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private organisations with <strong>at least 50 workers</strong> are the main business group expected to maintain an internal reporting channel. Public-sector bodies are also part of the statutory framework.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Lithuania’s whistleblower system gives a central role to the <strong>Public Prosecutor’s Office of the Republic of Lithuania</strong>, as reflected in the official English translation of the law.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about the handling of report data, the relevant authority is the <a href="https://vdai.lrv.lt/en/services/" rel="nofollow">State Data Protection Inspectorate (VDAI)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Lithuania’s legal framework is older and more institutionally embedded than the late-transposition countries, which makes legal terminology and scope especially important.</li> <li>The official English translation of the law remains one of the clearest primary sources for understanding Lithuania’s whistleblower framework.</li> <li>Organisations operating in Lithuania should not blur statutory whistleblowing with wider ethics intake unless the policy clearly separates them.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/3832a712149511eab9d9cd0c85e0b745" rel="nofollow">Pranešėjų apsaugos įstatymas — official law text</a> </li> <li><a href="https://www.prokuraturos.lt/data/public/uploads/2020/02/1.9-225-praneseju-apsaugos-istatymas-eng.pdf" rel="nofollow">Official English translation of the law</a> </li> <li><a href="https://vdai.lrv.lt/en/services/" rel="nofollow">State Data Protection Inspectorate — services</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/luxembourg/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/luxembourg/Luxembourg's whistleblower law: the 50-worker rule, the 22-authority structure, and the official CNPD and reporting-office sources.<h1 id="whistleblower-law-in-luxembourg"> Whistleblower law in Luxembourg <a href="#whistleblower-law-in-luxembourg" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Luxembourg implemented Directive (EU) 2019/1937 through the <strong>Loi du 16 mai 2023 relative aux lanceurs d’alerte</strong>. The Luxembourg system is notable because it uses <strong>22 competent authorities</strong> plus a central <strong>Reporting Office</strong> that helps identify the correct authority.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://legilux.public.lu/eli/etat/leg/loi/2023/05/16/a243/jo" rel="nofollow">Loi du 16 mai 2023 — official text on Legilux</a> </li> <li><a href="https://cnpd.public.lu/en/support/lanceurs-alerte.html" rel="nofollow">CNPD whistleblower guidance</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private and public legal entities with <strong>at least 50 workers</strong> must establish an internal reporting channel, subject to the law’s own structure and exceptions.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Luxembourg does not rely on one universal authority. The <a href="https://cnpd.public.lu/en/support/lanceurs-alerte.html" rel="nofollow">CNPD guidance</a> explains that there are <strong>22 competent authorities</strong> and that anyone can contact the <strong>Reporting Office</strong> of the Ministry of Justice to identify the correct authority for a given type of report.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For data-protection matters, the relevant authority is the <a href="https://cnpd.public.lu/en.html/" rel="nofollow">CNPD</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Luxembourg is one of the clearest examples of why country-law pages matter: there is no single obvious external authority unless the organisation explains the competent-authority model.</li> <li>The CNPD itself is one of the competent whistleblowing authorities for data-protection matters, which makes the privacy angle unusually visible.</li> <li>Internal policies should make it easy for reporters to identify the correct external authority or the ministry reporting office.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://legilux.public.lu/eli/etat/leg/loi/2023/05/16/a243/jo" rel="nofollow">Loi du 16 mai 2023 — official law text</a> </li> <li><a href="https://cnpd.public.lu/en/support/lanceurs-alerte.html" rel="nofollow">CNPD — whistleblowers</a> </li> <li><a href="https://cnpd.public.lu/en/support/lanceurs-alerte/signalements-externes.html" rel="nofollow">CNPD — external reporting</a> </li> <li><a href="https://cnpd.public.lu/en.html/" rel="nofollow">CNPD — home page</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/malta/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/malta/Malta's Protection of the Whistleblower Act: the 50-worker rule, Malta's reporting-officer model, and the official sources.<h1 id="whistleblower-law-in-malta"> Whistleblower law in Malta <a href="#whistleblower-law-in-malta" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Malta implemented Directive (EU) 2019/1937 by amending the <strong>Protection of the Whistleblower Act (Cap. 527)</strong>. Malta’s framework combines the usual <strong>50-worker</strong> private-sector trigger with a visible public-service reporting-officer model.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://legislation.mt/eli/cap/527/eng/pdf" rel="nofollow">Protection of the Whistleblower Act (Cap. 527) — official text</a> </li> <li><a href="https://whistleblower.gov.mt/" rel="nofollow">Government whistleblower portal</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private employers with <strong>at least 50 workers</strong> must establish an internal reporting procedure. Malta’s public-service framework also requires whistleblowing reporting officers across ministries and public entities.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Malta uses <strong>competent authorities</strong> and reporting officers rather than one single universal external authority. The official <a href="https://whistleblower.gov.mt/" rel="nofollow">whistleblower.gov.mt</a> portal and its guidance pages explain the Maltese reporting-officer model for the public service.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For complaints about the handling of whistleblower data, the relevant authority is the <a href="https://idpc.org.mt/file-a-complaint/" rel="nofollow">Information and Data Protection Commissioner (IDPC)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Malta’s public-service model is operationally visible: each ministry has a whistleblowing reporting officer and public-facing procedures.</li> <li>The public guidance stresses that identified reporting is important to obtain formal whistleblower status and protection, even though anonymous submissions may still surface concerns.</li> <li>Organisations operating in Malta should explain clearly whether they are describing the statutory whistleblowing process or a broader grievance / speak-up workflow.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://legislation.mt/eli/cap/527/eng/pdf" rel="nofollow">Protection of the Whistleblower Act (Cap. 527) — official text</a> </li> <li><a href="https://whistleblower.gov.mt/" rel="nofollow">Government whistleblower portal</a> </li> <li><a href="https://whistleblower.gov.mt/about-us/" rel="nofollow">Government whistleblower guidance</a> </li> <li><a href="https://whistleblower.gov.mt/questions-and-answers/" rel="nofollow">Government whistleblower questions and answers</a> </li> <li><a href="https://idpc.org.mt/file-a-complaint/" rel="nofollow">IDPC — file a complaint</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/poland/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/poland/Poland's 2024 whistleblower act: the broader 50-person threshold, the Ombudsman's external channel, and the official Polish rollout dates.<h1 id="whistleblower-law-in-poland"> Whistleblower law in Poland <a href="#whistleblower-law-in-poland" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Poland implemented Directive (EU) 2019/1937 through the <strong>Act of 14 June 2024 on the Protection of Whistleblowers</strong>. The Polish regime uses a broader <strong>50-person</strong> threshold based on gainful work, not just standard employees.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20240000928/O/D20240928.pdf" rel="nofollow">Act of 14 June 2024 on the Protection of Whistleblowers — official text PDF</a> </li> <li><a href="https://bip.brpo.gov.pl/pl/sygnalisci" rel="nofollow">Ombudsman information for external reports</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Internal reporting procedures are mandatory for legal entities for which gainful work is performed by <strong>at least 50 persons</strong>. This threshold is broader than a simple employee headcount. Internal obligations started on <strong>25 September 2024</strong>.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The <a href="https://bip.brpo.gov.pl/pl/sygnalisci" rel="nofollow">Rzecznik Praw Obywatelskich (Ombudsman)</a> receives external reports and routes them to the competent public authority where required. External reporting started on <strong>25 December 2024</strong>.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about how whistleblowing data is processed, the relevant authority is the <a href="https://uodo.gov.pl/pl/501/3485" rel="nofollow">Urząd Ochrony Danych Osobowych (UODO)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Poland’s threshold counts persons performing gainful work, not only standard employees.</li> <li>Local governments may organise joint internal procedures through shared-service arrangements.</li> <li>The rollout is split: internal reporting from 25 September 2024, external reporting from 25 December 2024.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20240000928/O/D20240928.pdf" rel="nofollow">Act of 14 June 2024 on the Protection of Whistleblowers — official text PDF</a> </li> <li><a href="https://bip.brpo.gov.pl/pl/sygnalisci" rel="nofollow">Ombudsman — whistleblowers page</a> </li> <li><a href="https://bip.brpo.gov.pl/pl/content/ustawa-o-ochronie-sygnalistow-wchodzi-w-zycie" rel="nofollow">Ombudsman — act enters into force notice</a> </li> <li><a href="https://uodo.gov.pl/pl/501/3485" rel="nofollow">UODO — whistleblowing and data protection</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/portugal/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/portugal/Portugal's Lei 93/2021: the 50-worker trigger, authority-specific external reporting, and the official Portuguese sources that matter.<h1 id="whistleblower-law-in-portugal"> Whistleblower law in Portugal <a href="#whistleblower-law-in-portugal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Portugal implemented Directive (EU) 2019/1937 through <strong>Lei n.º 93/2021, de 20 de dezembro</strong>. The core private-sector trigger follows the familiar <strong>50-worker</strong> line, but external reporting remains authority-specific rather than centralized around one universal whistleblowing office.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://files.diariodarepublica.pt/gratuitos/1s/2021/12/24400.pdf" rel="nofollow">Lei n.º 93/2021 — official text</a> </li> <li><a href="https://justica.gov.pt/Regime-Geral-de-Protecao-de-Denunciantes-de-Infracoes" rel="nofollow">Ministry of Justice explainer</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Legal entities with <strong>50 or more workers</strong> must establish internal reporting channels. Certain EU-regulated sectors remain in scope regardless of size. The Portuguese State and other public legal persons are also in scope.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Portugal does not use one single catch-all external whistleblowing authority. The <a href="https://justica.gov.pt/Regime-Geral-de-Protecao-de-Denunciantes-de-Infracoes" rel="nofollow">Ministry of Justice guidance</a> directs reporters to the competent authority for the subject matter.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR and confidentiality complaints, the relevant authority is the <a href="https://www.cnpd.pt/cidadaos/participacoes/" rel="nofollow">Comissão Nacional de Proteção de Dados (CNPD)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Portuguese official guidance treats external reporting as authority-specific, so the correct regulator depends on the subject matter.</li> <li>The law is framed around secure, confidential intake and protection against retaliation.</li> <li>For most private employers, the practical deployment question is still whether the organization has reached the 50-worker threshold.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://files.diariodarepublica.pt/gratuitos/1s/2021/12/24400.pdf" rel="nofollow">Lei 93/2021 — official text</a> </li> <li><a href="https://justica.gov.pt/Regime-Geral-de-Protecao-de-Denunciantes-de-Infracoes" rel="nofollow">Ministry of Justice — general regime for whistleblower protection</a> </li> <li><a href="https://www.cnpd.pt/cidadaos/participacoes/" rel="nofollow">CNPD — complaints and participations</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/romania/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/romania/Romania's Legea 361/2022: who needs an internal channel, ANI's role as the external authority, and the official Romanian compliance sources.<h1 id="whistleblower-law-in-romania"> Whistleblower law in Romania <a href="#whistleblower-law-in-romania" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Romania implemented Directive (EU) 2019/1937 through <strong>Legea nr. 361/2022 privind protecția avertizorilor în interes public</strong>. The Romanian framework pairs the standard <strong>50-employee</strong> private-sector trigger with a visible role for ANI as both external authority and practical guidance body.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ancpi.ro/ocpi/if/wp-content/uploads/2023/05/Lege361_2022_ProtectiaAvertizorilor_Interes_Public.pdf" rel="nofollow">Legea nr. 361/2022 — official text PDF</a> </li> <li><a href="https://avertizori.integritate.eu/intrebari-frecvente/" rel="nofollow">ANI FAQ for whistleblowers</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private legal entities with <strong>at least 50 employees</strong> must establish an internal reporting channel. Public authorities and institutions with at least 50 employees are also in scope, and Romanian official guidance goes further for certain public legal entities.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The official external channel is the <a href="https://integritate.eu/competente/avertizori-in-interes-public/" rel="nofollow">Agenția Națională de Integritate (ANI)</a> . ANI receives reports, can redirect them to the competent authority where needed, and publishes practical guidance for both reporters and employers.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about the handling of report data, the relevant authority is the <a href="https://www.dataprotection.ro/?lang=ro&page=Transmiterea_plangerilor_catre_ANSPDCP" rel="nofollow">ANSPDCP</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>If a private entity has fewer than 50 workers and no internal channel, the practical route is often the external channel.</li> <li>Anonymous reports may be examined if they contain sufficient indications of a breach, but identified reporters have fuller procedural rights.</li> <li>ANI explicitly positions itself as both an intake authority and a guidance body for implementation questions.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.ancpi.ro/ocpi/if/wp-content/uploads/2023/05/Lege361_2022_ProtectiaAvertizorilor_Interes_Public.pdf" rel="nofollow">Legea nr. 361/2022 — official text PDF</a> </li> <li><a href="https://integritate.eu/competente/avertizori-in-interes-public/" rel="nofollow">ANI — whistleblower competence page</a> </li> <li><a href="https://avertizori.integritate.eu/intrebari-frecvente/" rel="nofollow">ANI — frequently asked questions</a> </li> <li><a href="https://www.dataprotection.ro/?lang=ro&page=Transmiterea_plangerilor_catre_ANSPDCP" rel="nofollow">ANSPDCP — complaints submission</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/slovakia/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/slovakia/Slovakia's whistleblower law: the 50-worker rule, the Whistleblower Protection Office, and the official Slovak sources.<h1 id="whistleblower-law-in-slovakia"> Whistleblower law in Slovakia <a href="#whistleblower-law-in-slovakia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Slovakia implemented Directive (EU) 2019/1937 by amending <strong>Act No. 54/2019 Coll. on the Protection of Whistleblowers of Anti-Social Activities</strong>. Slovakia stands out because it has a visible and specialised <strong>Whistleblower Protection Office</strong> rather than a low-profile distributed model.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2019/54/" rel="nofollow">Act No. 54/2019 Coll. — official text on Slov-Lex</a> </li> <li><a href="https://www.oznamovatelia.sk/en/" rel="nofollow">Whistleblower Protection Office</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Employers with <strong>at least 50 workers</strong> must establish an internal reporting channel under the Slovak whistleblower framework.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The specialised external authority is the <a href="https://www.oznamovatelia.sk/en/" rel="nofollow">Whistleblower Protection Office</a> , which protects whistleblowers, supervises the law’s application and provides guidance to both workers and employers.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints relating to report handling, the relevant authority is the <a href="https://www.dataprotection.gov.sk/en/rights-data-subjects/proceedings-on-protection-personal-data/" rel="nofollow">Office for Personal Data Protection of the Slovak Republic</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Slovakia has one of the more visible dedicated whistleblowing institutions in CEE, which means buyers often expect a more formal legal framing.</li> <li>The Whistleblower Protection Office can intervene in retaliation-related employment measures, which gives the Slovak regime a strong protection profile.</li> <li>Slovak official materials distinguish between the employer’s internal process and the office’s own protection and reporting functions, so product copy should do the same.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2019/54/" rel="nofollow">Act No. 54/2019 Coll. — official text</a> </li> <li><a href="https://www.oznamovatelia.sk/en/" rel="nofollow">Whistleblower Protection Office</a> </li> <li><a href="https://www.oznamovatelia.sk/en/nase-cinnosti/ochrana-oznamovatelov/" rel="nofollow">Whistleblower Protection Office — protection activity</a> </li> <li><a href="https://www.oznamovatelia.sk/en/povinne-zverejnovane-informacie/" rel="nofollow">Whistleblower Protection Office — compulsory information</a> </li> <li><a href="https://www.dataprotection.gov.sk/en/rights-data-subjects/proceedings-on-protection-personal-data/" rel="nofollow">Office for Personal Data Protection — proceedings</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/slovenia/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/slovenia/Slovenia's Reporting Persons Protection Act (ZZPri): the 50-worker rule, the KPK protection role, and the official Slovenian sources.<h1 id="whistleblower-law-in-slovenia"> Whistleblower law in Slovenia <a href="#whistleblower-law-in-slovenia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Slovenia implemented Directive (EU) 2019/1937 through the <strong>Zakon o zaščiti prijaviteljev (ZZPri)</strong>, in force since <strong>22 February 2023</strong>. Slovenia gives a visible role to the <strong>Commission for the Prevention of Corruption (KPK)</strong> for protection and reporting oversight.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2023-01-0471" rel="nofollow">ZZPri — official text in Uradni list</a> </li> <li><a href="https://www.kpk-rs.si/en/commissions-activities/protection-of-reporting-persons" rel="nofollow">KPK — protection of reporting persons</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Employers with <strong>at least 50 workers</strong> must establish an internal reporting channel under the Slovenian act.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The central official institution in the Slovenian system is the <a href="https://www.kpk-rs.si/en/commissions-activities/protection-of-reporting-persons" rel="nofollow">Commission for the Prevention of Corruption (KPK)</a> , which provides guidance on protection measures and reporting-person status.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints about whistleblower data handling, the relevant authority is the <a href="https://www.ip-rs.si/en/" rel="nofollow">Information Commissioner of the Republic of Slovenia</a> and its <a href="https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlo%C5%BEitev-prijave" rel="nofollow">complaint filing page</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>The KPK can issue a certificate of eligibility for protection, which makes the Slovenian framework more institutionally concrete than a generic hotline model.</li> <li>Slovenia also expects annual reporting statistics from obliged persons and external reporting authorities to the KPK.</li> <li>Internal procedures should make clear that the statutory system is for legally defined reporting-person protection, not just any workplace complaint.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2023-01-0471" rel="nofollow">ZZPri — official law text</a> </li> <li><a href="https://www.kpk-rs.si/en/commissions-activities/protection-of-reporting-persons" rel="nofollow">KPK — protection of reporting persons</a> </li> <li><a href="https://www.kpk-rs.si/en/kpk-applications/reporting-on-whistleblowing" rel="nofollow">KPK — reporting on whistleblowing</a> </li> <li><a href="https://www.ip-rs.si/en/" rel="nofollow">Information Commissioner of the Republic of Slovenia</a> </li> <li><a href="https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlo%C5%BEitev-prijave" rel="nofollow">Information Commissioner — complaint filing</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/spain/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/spain/Spain's Ley 2/2023: the private-sector threshold, public-sector scope, regional authority nuance, and the official Spanish reporting authorities.<h1 id="whistleblower-law-in-spain"> Whistleblower law in Spain <a href="#whistleblower-law-in-spain" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Spain implemented Directive (EU) 2019/1937 through <strong>Ley 2/2023, de 20 de febrero</strong>. The Spanish framework combines the standard <strong>50-worker</strong> private-sector trigger with a broad public-sector obligation and a meaningful regional-authority layer.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Ley 2/2023 — official BOE text</a> </li> <li><a href="https://www.proteccioninformante.gob.es/sistema-de-informacion-canal-externo" rel="nofollow">AIPI — external information channel</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Private-sector entities with <strong>50 or more workers</strong> must maintain an internal information system. All public-sector entities are in scope. Municipalities below 10,000 inhabitants may share means, and private entities with 50-249 workers may share resources for the system.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The national external channel is run by the <a href="https://www.proteccioninformante.gob.es/sistema-de-informacion-canal-externo" rel="nofollow">Autoridad Independiente de Protección del Informante</a> . Autonomous community authorities may handle regional and local matters within their territory unless a convention assigns them to the national authority.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints and privacy guidance, the competent authority is the <a href="https://www.aepd.es/" rel="nofollow">Agencia Española de Protección de Datos (AEPD)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Spain’s public-sector obligation is broader than the simple private-sector 50-worker rule.</li> <li>The national external system expressly supports written and verbal submissions.</li> <li>The regional-authority layer matters in practice, especially for local or single-region cases.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Ley 2/2023 — official BOE text</a> </li> <li><a href="https://www.proteccioninformante.gob.es/sistema-de-informacion-canal-externo" rel="nofollow">AIPI — external information channel</a> </li> <li><a href="https://www.proteccioninformante.gob.es/quienes-somos" rel="nofollow">AIPI — who we are</a> </li> <li><a href="https://www.aepd.es/" rel="nofollow">AEPD</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/sweden/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/sweden/Sweden's whistleblower act: the 50-worker rule, Sweden's sectoral external-authority model, and the official Swedish sources.<h1 id="whistleblower-law-in-sweden"> Whistleblower law in Sweden <a href="#whistleblower-law-in-sweden" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Sweden implemented Directive (EU) 2019/1937 through <strong>Lag (2021:890) om skydd för personer som rapporterar om missförhållanden</strong>, in force since <strong>17 December 2021</strong>. Sweden combines the standard <strong>50-worker</strong> trigger with a <strong>sectoral external-authority model</strong> and supervision of internal-channel obligations by the Swedish Work Environment Authority.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/lag-2021890-om-skydd-for-personer-som_sfs-2021-890/" rel="nofollow">Lag (2021:890) om skydd för personer som rapporterar om missförhållanden — official Riksdag text</a> </li> <li><a href="https://www.government.se/government-policy/labour-law-and-work-environment/2021890-act-on-the-protection-of-persons-reporting-irregularities-2021890/" rel="nofollow">Government English translation of the Act</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Public and private organisations with <strong>at least 50 workers</strong> must establish internal reporting channels under the Swedish act.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Sweden does not rely on one universal whistleblowing authority. The <a href="https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-2021949-om-skydd-for-personer-som_sfs-2021-949/" rel="nofollow">Ordinance (2021:949)</a> designates multiple competent external authorities depending on the sector. The <a href="https://www.av.se/en/about-us/contact-us/" rel="nofollow">Swedish Work Environment Authority</a> also receives reports that an employer has failed to maintain internal channels and procedures.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints relating to whistleblower data handling, the relevant authority is the <a href="https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/" rel="nofollow">Swedish Authority for Privacy Protection (IMY)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Swedish law is structurally clear but operationally decentralised, so country-specific legal content matters more than generic “EU-compliant” messaging.</li> <li>Employers should tell users which external authority is relevant for the kind of breach being reported, not just that an “external authority” exists.</li> <li>The Work Environment Authority is the clearest official supervisory body if the issue is the employer’s failure to operate a compliant internal channel.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/lag-2021890-om-skydd-for-personer-som_sfs-2021-890/" rel="nofollow">Lag (2021:890) — official Riksdag text</a> </li> <li><a href="https://www.government.se/government-policy/labour-law-and-work-environment/2021890-act-on-the-protection-of-persons-reporting-irregularities-2021890/" rel="nofollow">Government — English translation of the Act</a> </li> <li><a href="https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/forordning-2021949-om-skydd-for-personer-som_sfs-2021-949/" rel="nofollow">Ordinance (2021:949) — designated competent authorities</a> </li> <li><a href="https://www.av.se/en/about-us/contact-us/" rel="nofollow">Swedish Work Environment Authority — contact and internal-channel supervision</a> </li> <li><a href="https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/" rel="nofollow">IMY — file a GDPR complaint</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/whistleblower-laws/netherlands/Fri, 24 Apr 2026 00:00:00 +0000https://ethicsportal.eu/whistleblower-laws/netherlands/The Dutch Whistleblower Protection Act: the 50-worker rule, the Dutch Whistleblowers Authority, and the official Dutch sources.<h1 id="whistleblower-law-in-the-netherlands"> Whistleblower law in the Netherlands <a href="#whistleblower-law-in-the-netherlands" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>The Netherlands implemented Directive (EU) 2019/1937 through the <strong>Wet bescherming klokkenluiders (Wbk)</strong>, in force since <strong>18 February 2023</strong>. The Dutch regime is institutionally visible because it sits alongside the <strong>Dutch Whistleblowers Authority</strong> and a dedicated government information site for employers.</p> <h2 id="applicable-law"> Applicable law <a href="#applicable-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://wetten.overheid.nl/BWBR0033585/2023-02-18" rel="nofollow">Wet bescherming klokkenluiders — official text</a> </li> <li><a href="https://www.wetbeschermingklokkenluiders.nl/service/english" rel="nofollow">Official English version of the Dutch Whistleblower Protection Act</a> </li> </ul> <h2 id="who-must-establish-an-internal-channel"> Who must establish an internal channel <a href="#who-must-establish-an-internal-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Employers with <strong>at least 50 workers</strong> must establish an internal reporting channel. This applies across the Dutch public and private sectors, subject to the statutory framework.</p> <h2 id="external-reporting-authority"> External reporting authority <a href="#external-reporting-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The key official body is the <a href="https://www.huisvoorklokkenluiders.nl/english" rel="nofollow">Dutch Whistleblowers Authority</a> . The government employer-facing site also points organisations to the authority as the core institutional reference point.</p> <h2 id="data-protection-authority"> Data protection authority <a href="#data-protection-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For GDPR complaints relating to whistleblower data handling, the relevant authority is the <a href="https://autoriteitpersoonsgegevens.nl/en/submitting-a-tip-off-or-a-complaint-to-the-dutch-dpa" rel="nofollow">Autoriteit Persoonsgegevens (AP)</a> .</p> <h2 id="key-compliance-points"> Key compliance points <a href="#key-compliance-points" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>The Dutch government maintains a dedicated site explaining the act to employers, which makes the market relatively transparent on basic legal positioning.</li> <li>Internal procedures should clearly explain when workers can use the Dutch Whistleblowers Authority and when another competent authority is more appropriate.</li> <li>The AP expects complainants to first raise the matter with the organisation where possible before escalating a data-protection complaint.</li> </ul> <h2 id="official-sources"> Official sources <a href="#official-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://wetten.overheid.nl/BWBR0033585/2023-02-18" rel="nofollow">Wet bescherming klokkenluiders — official text</a> </li> <li><a href="https://www.wetbeschermingklokkenluiders.nl/service/english" rel="nofollow">Government site — official English version of the Act</a> </li> <li><a href="https://www.wetbeschermingklokkenluiders.nl/service/contact" rel="nofollow">Government site — contact / service page</a> </li> <li><a href="https://www.huisvoorklokkenluiders.nl/english" rel="nofollow">Dutch Whistleblowers Authority</a> </li> <li><a href="https://autoriteitpersoonsgegevens.nl/en/submitting-a-tip-off-or-a-complaint-to-the-dutch-dpa" rel="nofollow">Autoriteit Persoonsgegevens — submitting a complaint</a> </li> </ul> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/best-whistleblower-software/Tue, 14 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/best-whistleblower-software/An independent comparison of the top whistleblower reporting platforms in 2026, including pricing, features, and who each tool is best for.<h1 id="best-whistleblower-software-in-2026-an-honest-comparison"> Best whistleblower software in 2026: an honest comparison <a href="#best-whistleblower-software-in-2026-an-honest-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>If you are looking for whistleblower software to comply with EU Directive 2019/1937, you have probably noticed that every vendor publishes a “best whistleblower software” article — and ranks themselves first. We are not going to do that. This is an honest, side-by-side comparison of the platforms we evaluated before building EthicsPortal, plus EthicsPortal itself.</p> <p>We looked at pricing transparency, setup speed, EU hosting, feature depth, and how well each tool serves small-to-mid-sized companies versus enterprises.</p> <hr> <h2 id="quick-comparison-table"> Quick comparison table <a href="#quick-comparison-table" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Platform</th> <th>Starting price</th> <th>Free trial</th> <th>EU hosting</th> <th>Setup time</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td>EthicsPortal</td> <td>€49/mo flat</td> <td>No</td> <td>Yes (Germany)</td> <td>Minutes</td> <td>SMEs, fast compliance</td> </tr> <tr> <td>Hintbox</td> <td>€49–€149+/mo (+VAT)</td> <td>Yes</td> <td>Yes (Germany)</td> <td>Days</td> <td>German-speaking markets</td> </tr> <tr> <td>LegalTegrity</td> <td>€49–€166/mo</td> <td>No</td> <td>Yes (Germany)</td> <td>Days</td> <td>German SMEs, phone included</td> </tr> <tr> <td>Vispato</td> <td>€79/mo flat</td> <td>No</td> <td>Yes (Germany)</td> <td>Days</td> <td>DACH flat-rate alternative</td> </tr> <tr> <td>DigitalPA (Legality Whistleblowing)</td> <td>From €29/mo</td> <td>No</td> <td>Yes (Italy)</td> <td>Days</td> <td>Italian market, ISO 37001/37002</td> </tr> <tr> <td>ithikios</td> <td>From €29/mo</td> <td>Yes</td> <td>Yes (Spain)</td> <td>Hours</td> <td>Spanish SMEs, modular compliance</td> </tr> <tr> <td>Canal Etico App</td> <td>€96/mo flat</td> <td>No</td> <td>Yes (Spain)</td> <td>Days</td> <td>Spanish Ley 2/2023 compliance</td> </tr> <tr> <td>Whistlelink</td> <td>€79–€299/mo</td> <td>Yes (30 days)</td> <td>Yes (Sweden)</td> <td>Days</td> <td>Nordic companies, mid-market</td> </tr> <tr> <td>Sygnanet</td> <td>4,000–10,000 zł/yr</td> <td>Yes</td> <td>Yes (Poland)</td> <td>Hours</td> <td>Polish market</td> </tr> <tr> <td>Trusty Compliance</td> <td>Credit-based</td> <td>Yes (7 days)</td> <td>Yes (Switzerland)</td> <td>Hours</td> <td>Swiss/DACH, broader compliance</td> </tr> <tr> <td>Formalize (whistleblowersoftware.com)</td> <td>Custom (request quote)</td> <td>Yes (14 days)</td> <td>Yes (Denmark)</td> <td>Days</td> <td>Mid-market EU companies</td> </tr> <tr> <td>FaceUp</td> <td>Custom (request quote)</td> <td>No</td> <td>Yes (Czech Republic)</td> <td>Hours</td> <td>Schools, multilingual orgs</td> </tr> <tr> <td>Whispli</td> <td>Custom (~€3,000+/yr)</td> <td>No</td> <td>Yes (optional)</td> <td>Weeks</td> <td>Enterprises, complex workflows</td> </tr> <tr> <td>SpeakUp (People Intouch)</td> <td>~€3,000/yr</td> <td>No</td> <td>Yes (Netherlands)</td> <td>Days</td> <td>Mid-to-large EU companies</td> </tr> <tr> <td>EQS Integrity Line</td> <td>Custom (~€3,000+/yr)</td> <td>Yes (Essential)</td> <td>Yes</td> <td>Weeks</td> <td>Large enterprises</td> </tr> <tr> <td>NAVEX Global</td> <td>Custom (€5,000+/yr)</td> <td>No</td> <td>Yes (optional)</td> <td>Weeks</td> <td>Large US/EU enterprises</td> </tr> </tbody> </table> <hr> <h2 id="detailed-reviews"> Detailed reviews <a href="#detailed-reviews" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="eqs-integrity-line"> EQS Integrity Line <a href="#eqs-integrity-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EQS is the heavyweight of European compliance software. Their Integrity Line is used by banks, insurers, and listed companies across the EU.</p> <p><strong>Strengths:</strong> Deep integration with broader GRC (governance, risk, compliance) suites. Excellent audit trails. Strong brand recognition among enterprise compliance teams. Supports 70+ languages.</p> <p><strong>Weaknesses:</strong> Pricing is opaque — you will not find a number on their website. Expect to spend several thousand euros per year, and you will need to go through a sales process. Implementation typically takes weeks with dedicated onboarding. Overkill for a 50-person company.</p> <p><strong>Best for:</strong> Large enterprises (500+ employees) in heavily regulated sectors that need a full GRC ecosystem.</p> <h3 id="formalize-whistleblowersoftwarecom"> Formalize (whistleblowersoftware.com) <a href="#formalize-whistleblowersoftwarecom" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Formalize, marketed as WhistleblowerSoftware.com, is a Danish platform backed by a €15M Series A with 500+ consultancy partners including PwC and Baker McKenzie. They have rebranded and expanded into broader compliance (NIS2, DORA, ISO 27001).</p> <p><strong>Strengths:</strong> 80+ languages. ISO 27001 and ISAE 3000 certified. Strong partner ecosystem. 14-day free trial.</p> <p><strong>Weaknesses:</strong> No longer publishes pricing — requires requesting a custom quote. Expanding beyond whistleblowing into NIS2/DORA compliance may dilute focus. Setup involves a demo/sales process, not instant self-serve.</p> <p><strong>Best for:</strong> Mid-sized EU companies (50–500 employees) that want a polished product and do not mind per-employee pricing.</p> <h3 id="whistlelink"> Whistlelink <a href="#whistlelink" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Swedish platform with a strong presence in the Nordics. Whistlelink positions itself as easy to use and EU-compliant.</p> <p><strong>Strengths:</strong> Available in 50+ languages. Good case management. Hosted in Sweden. Straightforward UI for reporters. All pricing tiers include the same feature set. 30-day free trial.</p> <p><strong>Weaknesses:</strong> Starting at €79/month (billed annually) is reasonable but still above the flat-rate options. Per-employee pricing scales to €299/month for larger organizations. Scaling past 1,000 employees requires contacting sales.</p> <p><strong>Best for:</strong> Nordic and Northern European companies looking for a regional vendor with solid language support.</p> <h3 id="faceup"> FaceUp <a href="#faceup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>FaceUp is a Czech-founded whistleblower platform that has expanded from its original focus on schools into corporate compliance, now serving organizations across 70+ countries. They support 113 languages and offer a mobile app for reporters.</p> <p><strong>Strengths:</strong> Available in 113 languages — among the highest in the market. Mobile app for reporters. ISO 27001 certified. Strong presence in the education sector alongside corporate compliance.</p> <p><strong>Weaknesses:</strong> Pricing is not published — all plans show “Get a Quote” buttons despite listing tier names (Starter, Professional, Enterprise). Pricing is in US dollars, which adds currency risk for European companies. The school-oriented origin shows in some of the UX.</p> <p><strong>Best for:</strong> Organizations that need 113 languages, want a mobile reporting app, or operate in both education and corporate sectors.</p> <h3 id="navex-global"> NAVEX Global <a href="#navex-global" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>NAVEX is the 800-pound gorilla of ethics and compliance, primarily in North America but increasingly in Europe. Their EthicsPoint product has been around for decades.</p> <p><strong>Strengths:</strong> Massive feature set. Benchmarking data from thousands of clients. Hotline services (phone-based reporting). Strong analytics.</p> <p><strong>Weaknesses:</strong> Enterprise pricing — expect custom quotes well above €5,000/year. Long implementation cycles. The platform can feel dated compared to newer entrants. North American DNA means EU-specific requirements sometimes feel bolted on rather than native.</p> <p><strong>Best for:</strong> Large multinationals (1,000+ employees) that want a single vendor for their entire ethics and compliance program, including hotlines.</p> <h3 id="whispli"> Whispli <a href="#whispli" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An Australian-founded company that has expanded into Europe. Whispli emphasizes anonymous two-way communication.</p> <p><strong>Strengths:</strong> Strong anonymous messaging system. Good mobile experience. Supports voice and video reporting. Flexible workflow builder.</p> <p><strong>Weaknesses:</strong> Custom pricing with no public numbers — reports suggest starting around €3,000/year. Implementation involves onboarding calls and configuration. Smaller European presence compared to EU-native vendors.</p> <p><strong>Best for:</strong> Organizations that prioritize anonymous two-way communication and need multimedia reporting (voice, video).</p> <h3 id="speakup-people-intouch"> SpeakUp (People Intouch) <a href="#speakup-people-intouch" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Dutch platform that has been in the whistleblower space since before the EU Directive made it mandatory. SpeakUp offers both software and managed services (outsourced case handling).</p> <p><strong>Strengths:</strong> Long track record. Option to outsource case handling entirely. Hosted in the Netherlands. Phone reporting included.</p> <p><strong>Weaknesses:</strong> Pricing starts at €3,000/year for companies under 1,000 employees, custom for larger. The managed services model means you are paying for humans, not just software. Interface is functional but not modern.</p> <p><strong>Best for:</strong> Mid-to-large EU companies that want the option to outsource report handling to a third party.</p> <h3 id="hintbox"> Hintbox <a href="#hintbox" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A German platform (part of lawcode Suite) with 1,000+ customers including Rewe, s.Oliver, and FC Bayern. ISO 27001 certified, hosted on Hetzner in Germany. Expanding into LkSG (Supply Chain Act) and CSRD compliance beyond whistleblowing.</p> <p><strong>Strengths:</strong> Mature product with large customer base. ISO 27001 certified. 30+ languages with AI translation. 2FA, metadata stripping, virus scanning all included. Starting at €49/month — the cheapest tier alongside EthicsPortal. Free trial available.</p> <p><strong>Weaknesses:</strong> Per-employee pricing scales to €149+/month for larger companies. Add-on costs pile up: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo). DACH-centric — limited presence outside German-speaking markets. Expanding into multiple compliance frameworks may dilute whistleblower focus.</p> <p><strong>Best for:</strong> German, Austrian, and Swiss companies that want a local vendor with ISO 27001, deep HinSchG expertise, and a proven track record.</p> <h3 id="legaltegrity"> LegalTegrity <a href="#legaltegrity" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Frankfurt-based platform founded by Dr. Thomas Altenbach, hosted on Deutsche Telekom’s Open Telekom Cloud. Positioned for German SMEs with transparent tiered pricing.</p> <p><strong>Strengths:</strong> Phone reporting channel included on every plan — even the €49/month Essential tier. 40+ languages available. Hosted on Deutsche Telekom Open Telekom Cloud (ISO 27001-certified infrastructure). 3-month money-back guarantee. OmbuTegrity add-on offers an external ombudsperson service for companies that need an independent reporting office.</p> <p><strong>Weaknesses:</strong> Essential tier limits customization (standard form, LegalTegrity branding, 2 admin accounts). Additional languages cost €29/month each beyond the 2 included. No public API. Primarily German-market focused.</p> <p><strong>Best for:</strong> German and DACH-region SMEs (under 1,000 employees) that want phone reporting included at a competitive price.</p> <h3 id="vispato"> Vispato <a href="#vispato" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A German whistleblowing platform from the HR WORKS group, hosted on DATEV-managed servers. Vispato is notable for its flat-rate pricing regardless of company size.</p> <p><strong>Strengths:</strong> Flat €79/month with unlimited users, cases, and storage — no per-employee scaling. 18 languages. ISO 27001-certified hosting (DATEV). WCAG 2.1 AA accessibility compliance. No setup costs, no consulting upsells. 12-month minimum term.</p> <p><strong>Weaknesses:</strong> No free trial — demo required before signup. No public API. 18 languages is fewer than most mid-market competitors. Enterprise features (SSO, custom domain, custom branding) require a custom-quote Enterprise plan.</p> <p><strong>Best for:</strong> DACH-region companies of any size that want predictable flat pricing without employee-count tiers or add-on fees.</p> <h3 id="digitalpa-legality-whistleblowing"> DigitalPA (Legality Whistleblowing) <a href="#digitalpa-legality-whistleblowing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An Italian platform operated by DigitalPA with offices in Cagliari, Milan, Rome, and Barcelona. Holds four ISO certifications (27001, 37001, 37002, 37301) — more than any other platform in this comparison.</p> <p><strong>Strengths:</strong> Starting at €29/month — the cheapest published price in this comparison. ISO 27001, 37001 (anti-bribery), 37002 (whistleblowing management), and 37301 (compliance management) certified. Multi-channel intake including phone reports and in-person meeting requests. Mobile app. AI translation between handler and reporter. 1,000+ customers.</p> <p><strong>Weaknesses:</strong> Pricing beyond the €29 small-business tier requires a custom quote. Annual billing only. Italian-market focused. No public API.</p> <p><strong>Best for:</strong> Italian companies and organizations that need a locally certified platform, especially public sector entities required to comply with D.Lgs. 24/2023.</p> <h3 id="ithikios"> ithikios <a href="#ithikios" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Spanish modular compliance suite from Digital Products Development SL. Whistleblowing is one of six modules alongside policy, incident, rights, third-party, and trust-center management.</p> <p><strong>Strengths:</strong> Starting at €29/month. ISO 27001 certified. 1,000+ companies across 10 countries. Free trial available. 7 interface languages (ES, EN, FR, DE, IT, PT, CA). Modular: buy the whistleblowing channel, add NIS2/DORA/policy modules later. Partner program for lawyers and consultants.</p> <p><strong>Weaknesses:</strong> Primarily Spanish-market focused. Limited to 7 languages — the fewest among multi-market vendors. No public API.</p> <p><strong>Best for:</strong> Spanish SMEs that need Ley 2/2023 compliance and may want to add policy management, incident management, or third-party risk modules over time.</p> <h3 id="canal-etico-app"> Canal Etico App <a href="#canal-etico-app" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Spanish platform from Smart Dev Technology with flat €96/month pricing.</p> <p><strong>Strengths:</strong> Flat pricing regardless of company size. Unlimited reports. Written and voice reporting channels. Anonymous bidirectional communication. No IP storage, encrypted content. Implementation in 1–2 business days.</p> <p><strong>Weaknesses:</strong> No ISO 27001 certification published. Spanish-language support only. No public API. Higher price point than ithikios and DigitalPA for the same Spanish market.</p> <p><strong>Best for:</strong> Spanish companies that want simple flat pricing for Ley 2/2023 compliance without per-employee scaling.</p> <h3 id="sygnanet"> Sygnanet <a href="#sygnanet" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Polish platform from SpecFile Project Sp. z o.o. Built specifically for the Polish Act on Protection of Whistleblowers (in force 25 September 2024).</p> <p><strong>Strengths:</strong> End-to-end encryption with zero vendor access to report content. 12-language reporting form. Free trial. Pricing in Polish zloty (4,000–10,000 zł/year). Public bodies buying the internal-reporting licence get an external-reporting channel bundled free. Periodic penetration testing.</p> <p><strong>Weaknesses:</strong> Polish-market focused. Pricing in PLN only. No ISO 27001 certification published. No public API. Admin panel limited to 4 languages (PL, EN, DE, FR).</p> <p><strong>Best for:</strong> Polish organizations that need a local vendor compliant with the Act of 14 June 2024.</p> <h3 id="trusty-compliance"> Trusty Compliance <a href="#trusty-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Swiss platform (Trusty AG, Hünenberg, Zug) offering whistleblowing as one module in a broader compliance suite covering risk screening, EUDR, policy management, and training.</p> <p><strong>Strengths:</strong> 4,000+ companies. 7-day free trial. Credit-based pricing — buy credits and allocate them across any Trusty product. Quick setup (vendor claims under 5 minutes). 6 interface languages. Broader compliance coverage (EUDR, NIS2, third-party risk, training) in addition to whistleblowing.</p> <p><strong>Weaknesses:</strong> No ISO 27001 certification published. Credit-based pricing makes cost comparison difficult. Whistleblowing is one module of many — breadth may come at the expense of depth. No public API.</p> <p><strong>Best for:</strong> Swiss and DACH companies that want a single platform covering whistleblowing, risk screening, EUDR, and compliance training.</p> <h3 id="ethicsportal"> EthicsPortal <a href="#ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal is our product. We designed it to deliver full EU Directive 2019/1937 compliance with transparent pricing and immediate deployment.</p> <p><strong>Strengths:</strong> Flat €49/month pricing regardless of employee count. No sales calls — sign up and configure your portal in minutes. EU-hosted. Covers the core Directive requirements: encrypted anonymous reporting, two-way messaging via access codes, case management, 7-day acknowledgment and 3-month feedback tracking, QR code generation, and multilingual portals. Open, transparent pricing.</p> <p><strong>Weaknesses:</strong> No phone hotline. No outsourced case handling. Limited integrations (no HRIS connectors yet). Not suitable for organizations that need a full GRC suite.</p> <p><strong>Best for:</strong> SMEs, startups, and mid-sized companies (50–1,000 employees) that need Directive compliance without enterprise complexity or pricing.</p> <hr> <h2 id="how-we-chose"> How we chose <a href="#how-we-chose" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We evaluated each platform across five criteria:</p> <ol> <li><strong>Pricing transparency.</strong> Can you find the price on the website without requesting a demo? Bonus points for flat-rate pricing.</li> <li><strong>Setup speed.</strong> How quickly can a non-technical compliance officer get from sign-up to a working reporting channel?</li> <li><strong>EU Directive coverage.</strong> Does the platform natively support the key requirements of Directive 2019/1937 — anonymous reporting, two-way communication, acknowledgment deadlines, confidentiality?</li> <li><strong>Data residency.</strong> Is data hosted in the EU by default, or is it an add-on?</li> <li><strong>Target audience fit.</strong> Is the platform designed for your company size, or are you paying for features built for organizations ten times larger?</li> </ol> <p>We used publicly available pricing where possible and contacted sales teams where pricing was not published. Prices cited are as of Q1 2026 and may vary by region, contract length, and negotiation.</p> <p>No affiliate links. No sponsorships. We built EthicsPortal because we saw a gap — this article explains where that gap is, and where other tools may be the better choice for your situation.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/top-whistleblower-software-eu-directive-2019-1937/Tue, 14 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/top-whistleblower-software-eu-directive-2019-1937/A ranked comparison of whistleblower platforms that meet the requirements of EU Directive 2019/1937. Evaluated on Article 8–16 coverage, pricing, EU hosting, and setup speed.<h1 id="top-whistleblower-software-for-eu-directive-20191937-compliance"> Top whistleblower software for EU Directive 2019/1937 compliance <a href="#top-whistleblower-software-for-eu-directive-20191937-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EU Directive 2019/1937, now transposed into national law in all 27 member states (e.g., <a href="/whistleblower-laws/france/">Loi Waserman</a> in France, <a href="/whistleblower-laws/germany/">HinSchG</a> in Germany, <a href="/whistleblower-laws/spain/">Ley 2/2023</a> in Spain), requires every organization with 50 or more employees to operate a secure internal reporting channel. The law is specific about what that channel must do: accept written and oral reports, protect reporter confidentiality, acknowledge receipt within 7 days, provide feedback within 3 months, and maintain records without exposing the reporter’s identity.</p> <p>Here is what is strange about this market: whistleblower reporting is a simple tool. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and keeps an audit trail. That is the entire product.</p> <p>Yet most vendors hide their pricing behind “contact us for a demo” forms, require weeks-long sales processes, and pad their feature lists with AI-powered analytics, sentiment analysis, and other additions that have nothing to do with what the Directive actually requires. The result is that a compliance officer at a 100-person company ends up on a sales call for a tool that should take ten minutes to set up.</p> <p>This article ranks the top whistleblower software specifically by how well each platform meets the Directive’s legal requirements — not by brand recognition, AI feature count, or how impressive the sales deck looks.</p> <hr> <h2 id="how-we-scored"> How we scored <a href="#how-we-scored" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every platform was evaluated against the six core requirements of Directive 2019/1937:</p> <table> <thead> <tr> <th>Requirement</th> <th>Directive articles</th> <th>What the law demands</th> </tr> </thead> <tbody> <tr> <td>Secure reporting channel</td> <td>Art. 8</td> <td>Encrypted, accessible to all workers, no account required</td> </tr> <tr> <td>Reporter confidentiality</td> <td>Art. 16</td> <td>Identity not disclosed without consent, access restricted to authorized staff</td> </tr> <tr> <td>Receipt acknowledgment</td> <td>Art. 9(1)(b)</td> <td>Written confirmation within 7 days</td> </tr> <tr> <td>Feedback deadline</td> <td>Art. 9(1)(f)</td> <td>Substantive feedback within 3 months</td> </tr> <tr> <td>Two-way communication</td> <td>Art. 9(1)(b)</td> <td>Ability to communicate with the reporter, including anonymous reporters</td> </tr> <tr> <td>Record-keeping</td> <td>Art. 18</td> <td>Reports stored securely, retained per legal requirements, deletable when no longer needed</td> </tr> </tbody> </table> <p>We also considered practical factors: pricing transparency, EU data residency, setup speed, and whether the platform requires a sales call to get started.</p> <hr> <h2 id="the-ranking"> The ranking <a href="#the-ranking" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="1-ethicsportal--best-for-smes-that-need-fast-affordable-compliance"> 1. EthicsPortal — best for SMEs that need fast, affordable compliance <a href="#1-ethicsportal--best-for-smes-that-need-fast-affordable-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> EthicsPortal was built specifically for EU Directive 2019/1937. Every feature maps to an article.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Encrypted web portal, unique URL per organization, no app required</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>No IP logging, file metadata stripping (EXIF, GPS, author), encrypted data at rest</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Automatic deadline tracking with handler notifications</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Automatic deadline tracking with overdue alerts</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Anonymous message thread via access code — handler names never revealed</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Append-only audit trail, PDF export for auditors</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> €49/month flat. No per-employee fees, no add-ons. <strong>EU hosting:</strong> Yes — Hetzner, Nuremberg, Germany. <strong>Setup time:</strong> Minutes. Self-serve signup, no sales call.</p> <p><strong>Why it ranks first:</strong> Whistleblower reporting is not a complex problem. The Directive tells you exactly what the tool needs to do, and EthicsPortal does exactly that — nothing more, nothing less. No AI sentiment analysis, no “risk scoring,” no features that exist to justify a higher price tag. Full Art. 8–18 compliance at €49/month, visible on the website, no sales call required.</p> <p>The trade-off is that EthicsPortal is newer and does not yet have ISO 27001 certification or phone hotline services.</p> <p>EthicsPortal is our product. We designed it to deliver full Directive compliance with transparent pricing and immediate deployment.</p> <hr> <h3 id="2-formalize-whistleblowersoftwarecom--best-for-mid-market-companies-wanting-a-polished-product"> 2. Formalize (WhistleblowerSoftware.com) — best for mid-market companies wanting a polished product <a href="#2-formalize-whistleblowersoftwarecom--best-for-mid-market-companies-wanting-a-polished-product" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Built in Denmark with the EU Directive as the primary design driver.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web portal with encryption</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — access controls, data encryption</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — automated tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — automated tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Custom quote required. Previously published per-employee pricing; no longer public. <strong>EU hosting:</strong> Yes — Denmark. <strong>Setup time:</strong> Days — involves a demo/sales process.</p> <p><strong>Why it ranks here:</strong> Strong Directive compliance, ISO 27001 and ISAE 3000 certified, and 80+ languages. Formalize used to publish pricing on their website — they no longer do, which tells you something about the direction they are heading. You now need to request a quote and go through a sales process to learn what it costs. If you need certifications and a partner ecosystem (PwC, Baker McKenzie), Formalize is a strong choice — but be prepared to negotiate pricing you cannot see upfront.</p> <hr> <h3 id="3-hintbox--best-for-german-speaking-markets"> 3. Hintbox — best for German-speaking markets <a href="#3-hintbox--best-for-german-speaking-markets" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> German platform with 1,000+ customers. Part of the lawcode suite.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, hosted on Hetzner (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — metadata stripping, 2FA, virus scanning</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging, optional voice bot (+€49/mo)</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at €49/month. Scales to €149+/month with employee count. Add-ons: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo). <strong>EU hosting:</strong> Yes — Hetzner, Germany. ISO 27001 certified. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> Mature product, large customer base (Rewe, s.Oliver, FC Bayern), ISO 27001 certified. The per-employee pricing and add-on costs mean the effective price is significantly higher than the €49 starting point for most organizations. DACH-focused — limited presence outside German-speaking markets.</p> <hr> <h3 id="4-legaltegrity--best-for-german-smes-that-want-phone-reporting-included"> 4. LegalTegrity — best for German SMEs that want phone reporting included <a href="#4-legaltegrity--best-for-german-smes-that-want-phone-reporting-included" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Frankfurt-based, hosted on Deutsche Telekom Open Telekom Cloud.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, Deutsche Telekom hosting (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — role-based access</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking with reminders</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging, phone channel on all plans</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail, reporting</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Essential €49/month (<50 employees), Professional €99/month (<250), Professional €166/month (<1,000), Enterprise on request. Annual billing. <strong>EU hosting:</strong> Yes — Deutsche Telekom Open Telekom Cloud, Germany. ISO 27001-certified hosting. <strong>Setup time:</strong> Days. 3-month money-back guarantee.</p> <p><strong>Why it ranks here:</strong> LegalTegrity includes a phone reporting channel on every plan, including the €49 Essential tier. That is unusual — most competitors charge extra for phone intake or do not offer it at all. 40+ languages available. The trade-off: per-employee tiered pricing means costs rise as your organisation grows, and additional languages cost €29/month each beyond the two included.</p> <hr> <h3 id="5-vispato--best-flat-rate-alternative-in-dach"> 5. Vispato — best flat-rate alternative in DACH <a href="#5-vispato--best-flat-rate-alternative-in-dach" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> German platform, part of the HR WORKS group.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, DATEV-hosted (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — role-based access, ISO 27001 hosting</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> €79/month flat. Unlimited users, cases, and storage. Enterprise tier with SSO and custom domain is quote-based. <strong>EU hosting:</strong> Yes — DATEV-managed servers, Germany. <strong>Setup time:</strong> Days. No free trial, demo required.</p> <p><strong>Why it ranks here:</strong> Flat €79/month regardless of company size, with no add-on fees. 18 languages. WCAG 2.1 AA accessibility. For DACH-region companies that want predictable costs without employee-count tiers, Vispato is the cleanest alternative. The trade-off: fewer languages than competitors (18 vs. 30–80), and no free trial.</p> <hr> <h3 id="6-digitalpa-legality-whistleblowing--best-for-italy"> 6. DigitalPA (Legality Whistleblowing) — best for Italy <a href="#6-digitalpa-legality-whistleblowing--best-for-italy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Italian platform with four ISO certifications.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web, voice, phone, and in-person intake</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — 2FA, anonymous and confidential modes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging with AI translation</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail, investigation reports</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Standard from €29/month (<50 employees). Premium from €41/month. Medium/Large/Enterprise tiers require a quote. Annual billing only. <strong>EU hosting:</strong> Yes — Italy. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> The cheapest starting price in this comparison (€29/month) and the most ISO certifications (27001, 37001, 37002, 37301). Multi-channel intake including phone and in-person meeting requests. 1,000+ customers. The trade-off: pricing beyond the small-business tier is quote-based, and the platform is Italian-market focused.</p> <hr> <h3 id="7-ithikios--best-for-spanish-smes"> 7. ithikios — best for Spanish SMEs <a href="#7-ithikios--best-for-spanish-smes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Spanish modular compliance suite.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted cloud portal, ISO 27001 servers</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — anonymous and confidential modes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — case management with documentation</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> From €29/month. Free trial available. <strong>EU hosting:</strong> Yes — Spain. ISO 27001 certified. <strong>Setup time:</strong> Hours.</p> <p><strong>Why it ranks here:</strong> Budget-friendly at €29/month with ISO 27001 and a free trial. 1,000+ companies across 10 countries. Modular platform: buy the whistleblower channel now, add policy management or NIS2 modules later. 7 interface languages. The trade-off: primarily Spanish-focused, and 7 languages is limited for cross-border organisations.</p> <hr> <h3 id="8-faceup--best-for-multilingual-organizations-113-languages"> 8. FaceUp — best for multilingual organizations (113 languages) <a href="#8-faceup--best-for-multilingual-organizations-113-languages" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — access controls</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — automated</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — automated</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Not public. Three tiers (Starter, Professional, Enterprise) but all require “Get a Quote” — no prices shown on the website. Priced in USD. <strong>EU hosting:</strong> Yes — Czech Republic. <strong>Setup time:</strong> Hours.</p> <p><strong>Why it ranks here:</strong> FaceUp supports 113 languages — among the highest in the market — and offers a mobile app for reporters. Originally built for schools in the Czech Republic, they have expanded into corporate compliance across 70+ countries. Pricing is in US dollars and not publicly displayed — all three tiers (Starter, Professional, Enterprise) show “Get a Quote” buttons rather than prices, making it impossible to budget without a sales conversation.</p> <hr> <h3 id="9-whistlelink--best-for-nordic-companies"> 9. Whistlelink — best for Nordic companies <a href="#9-whistlelink--best-for-nordic-companies" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at €79/month (billed annually). Scales by employee count: €79 → €99 → €149 → €199 → €299/month. 1,000+ employees: contact sales. <strong>EU hosting:</strong> Yes — Sweden. <strong>Setup time:</strong> Days. 30-day free trial available.</p> <p><strong>Why it ranks here:</strong> Solid Directive compliance with 50+ languages and good case management. All pricing tiers include the same feature set — no feature gating. Starting at €79/month, pricing is higher than the cheapest options but transparent. Strong regional presence in the Nordics.</p> <hr> <h3 id="10-speakup-people-intouch--best-for-outsourced-case-handling"> 10. SpeakUp (People Intouch) — best for outsourced case handling <a href="#10-speakup-people-intouch--best-for-outsourced-case-handling" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> One of the longest-running European whistleblower platforms (Netherlands).</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web + phone reporting</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at ~€3,000/year for companies under 1,000 employees. Custom for larger. <strong>EU hosting:</strong> Yes — Netherlands. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> Unique value proposition: outsourced case handling by trained professionals. If your organization does not have internal resources to manage reports, SpeakUp handles it for you. The trade-off is price — you are paying for human operators, not just software.</p> <hr> <h3 id="11-eqs-integrity-line--best-for-large-enterprises"> 11. EQS Integrity Line — best for large enterprises <a href="#11-eqs-integrity-line--best-for-large-enterprises" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> The European enterprise standard.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — 70+ languages</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — enterprise-grade access controls</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — integrates with GRC suites</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Not published. Estimated €2,000+/month. Requires sales process. <strong>EU hosting:</strong> Yes. <strong>Setup time:</strong> Weeks.</p> <p><strong>Why it ranks here:</strong> If you are a bank, insurer, or listed company with 5,000+ employees, EQS is the safe enterprise choice. For everyone else, you are paying for features and scale you do not need. Implementation takes weeks, not minutes.</p> <hr> <h3 id="12-navex-global--best-for-us-multinationals-with-eu-operations"> 12. NAVEX Global — best for US multinationals with EU operations <a href="#12-navex-global--best-for-us-multinationals-with-eu-operations" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete, but EU compliance feels bolted on.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web + phone hotline</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — strong analytics</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Custom. Typically €5,000+/year. Requires sales process. <strong>EU hosting:</strong> Available as an option, not default. <strong>Setup time:</strong> Weeks.</p> <p><strong>Why it ranks here:</strong> NAVEX is the dominant US compliance platform with decades of history and thousands of clients. Their EthicsPoint product covers the Directive, but the platform was designed for US regulatory frameworks first. EU hosting is available but not the default. Enterprise pricing and long implementation cycles put it out of reach for SMEs.</p> <hr> <h2 id="which-platform-should-you-choose"> Which platform should you choose? <a href="#which-platform-should-you-choose" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Your situation</th> <th>Best choice</th> </tr> </thead> <tbody> <tr> <td>SME or startup, need compliance fast, budget-conscious</td> <td><strong>EthicsPortal</strong> (€49/mo, minutes to set up)</td> </tr> <tr> <td>German SME, want phone reporting included</td> <td><strong>LegalTegrity</strong> (€49+/mo, phone on all plans)</td> </tr> <tr> <td>DACH region, want flat pricing with no add-ons</td> <td><strong>Vispato</strong> (€79/mo flat)</td> </tr> <tr> <td>Italian company, need local certifications</td> <td><strong>DigitalPA</strong> (from €29/mo, ISO 27001/37001/37002)</td> </tr> <tr> <td>Spanish company, need Ley 2/2023 compliance</td> <td><strong>ithikios</strong> (from €29/mo, ISO 27001)</td> </tr> <tr> <td>Mid-market, want certifications and partner ecosystem</td> <td><strong>Formalize</strong> (custom pricing, ISO certified)</td> </tr> <tr> <td>German-speaking market, need ISO 27001 at scale</td> <td><strong>Hintbox</strong> (€49+/mo, ISO 27001)</td> </tr> <tr> <td>Need 113 languages or mobile reporting app</td> <td><strong>FaceUp</strong> (custom quote)</td> </tr> <tr> <td>Nordic company, prefer regional vendor</td> <td><strong>Whistlelink</strong> (€79+/mo)</td> </tr> <tr> <td>Need outsourced case handling</td> <td><strong>SpeakUp</strong> (~€3,000/yr)</td> </tr> <tr> <td>Large enterprise (500+ employees), full GRC suite</td> <td><strong>EQS Integrity Line</strong> (custom pricing)</td> </tr> <tr> <td>US multinational with EU subsidiary</td> <td><strong>NAVEX Global</strong> (custom pricing)</td> </tr> </tbody> </table> <hr> <h2 id="why-most-platforms-are-overpriced-for-what-they-do"> Why most platforms are overpriced for what they do <a href="#why-most-platforms-are-overpriced-for-what-they-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every platform on this list covers the core requirements of Directive 2019/1937. That is worth repeating: the basic compliance functionality is the same across all of them. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and logs an audit trail.</p> <p>The price difference between €49/month and €5,000+/year is not explained by the Directive’s requirements. It is explained by sales teams, enterprise packaging, AI features that no compliance officer asked for, and the assumption that “compliance software” can be priced like enterprise SaaS.</p> <p>Many platforms on this list do not publish their pricing. You have to fill out a form, get on a call, sit through a demo, and then — maybe — receive a quote. For a tool that does what a spreadsheet could do (badly), this is absurd.</p> <p>If you are evaluating platforms, focus on three things:</p> <ol> <li><strong>Does it cover Art. 8–18?</strong> All platforms above do, at their paid tiers.</li> <li><strong>Is data hosted in the EU?</strong> Non-negotiable for GDPR and Directive compliance.</li> <li><strong>Can you see the price and sign up today?</strong> If a vendor will not show you the price, ask yourself what they are optimizing for.</li> </ol> <p>No whistleblower platform can make your organization compliant by itself. Compliance also requires internal policies, designated handlers, training, and documented procedures. The software is the reporting channel — one piece of a larger compliance framework. It should not be the most expensive or time-consuming piece.</p> <p>For a detailed article-by-article breakdown of how EthicsPortal meets each requirement, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/whistleblower-software-is-a-form-and-a-database/Sun, 05 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-software-is-a-form-and-a-database/What a whistleblower reporting tool actually needs to do under EU Directive 2019/1937 — and what features matter vs. what's just marketing.<h1 id="what-to-look-for-in-whistleblower-compliance-software"> What to look for in whistleblower compliance software <a href="#what-to-look-for-in-whistleblower-compliance-software" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>The EU Whistleblower Protection Directive requires your organization to operate a secure internal reporting channel. But not all tools that claim Directive compliance actually deliver it.</p> <p>Here’s how to evaluate what matters.</p> <hr> <h2 id="what-a-whistleblower-reporting-tool-actually-needs-to-do"> What a whistleblower reporting tool actually needs to do <a href="#what-a-whistleblower-reporting-tool-actually-needs-to-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive’s requirements translate into five core functions:</p> <ol> <li>A reporter submits a report through a secure channel.</li> <li>The report is stored confidentially in an encrypted system.</li> <li>A designated case handler reviews it and responds.</li> <li>The system tracks the 7-day acknowledgment and 3-month feedback deadlines.</li> <li>Every action is recorded in an append-only audit trail.</li> </ol> <p>These five functions are the compliance baseline. Any tool you evaluate should demonstrate how it handles each one.</p> <hr> <h2 id="features-that-matter-for-compliance"> Features that matter for compliance <a href="#features-that-matter-for-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>When evaluating platforms, focus on what the Directive actually requires:</p> <ul> <li><strong>Anonymous reporting</strong> — Article 6(1) requires confidentiality. The strongest implementation means no IP logging, no tracking, and automatic stripping of file metadata (EXIF, GPS, author info) that could reveal identity.</li> <li><strong>Two-way communication</strong> — Article 9(1)(b) requires follow-up with the reporter. This means secure messaging without requiring the reporter to create an account or reveal their identity.</li> <li><strong>Deadline tracking</strong> — Articles 9(1)(b) and 9(1)(f) set the 7-day acknowledgment and 3-month feedback deadlines. Automated tracking with notifications prevents compliance failures.</li> <li><strong>Audit trail</strong> — Article 18 requires documentation. An append-only log of all actions provides the evidence regulators and auditors expect.</li> <li><strong>EU data residency</strong> — GDPR applies to all report data. Hosting within the EU simplifies compliance and avoids cross-border transfer questions.</li> <li><strong>Data retention controls</strong> — Article 17(1)(d) requires defined retention periods. Configurable auto-deletion ensures data isn’t kept longer than necessary.</li> </ul> <hr> <h2 id="features-that-sound-impressive-but-arent-in-the-directive"> Features that sound impressive but aren’t in the Directive <a href="#features-that-sound-impressive-but-arent-in-the-directive" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Some platforms emphasize capabilities that go beyond what compliance requires:</p> <ul> <li>“AI-powered risk scoring”</li> <li>“Sentiment analysis”</li> <li>“Predictive analytics dashboards”</li> <li>“Benchmarking against 10,000+ organizations”</li> </ul> <p>These features may serve larger organizations with mature compliance programs. But they are not Directive requirements, and their presence doesn’t make a tool more compliant. Evaluate whether they serve your actual needs before paying for them.</p> <hr> <h2 id="pricing-transparency-as-a-signal"> Pricing transparency as a signal <a href="#pricing-transparency-as-a-signal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive applies to organizations of very different sizes — from 50-person companies to multinational enterprises. The tool you choose should match your scale.</p> <p>Some platforms publish their pricing openly. Others require a sales process to learn the cost. Neither approach is inherently better, but transparent pricing lets you evaluate fit faster and avoids committing time to demos before knowing whether the budget works.</p> <hr> <h2 id="what-to-ask-during-evaluation"> What to ask during evaluation <a href="#what-to-ask-during-evaluation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>When reviewing any whistleblower platform, ask:</p> <ol> <li><strong>Where is data stored?</strong> Confirm EU hosting and data residency.</li> <li><strong>How are reporters protected?</strong> Verify IP anonymization and metadata stripping.</li> <li><strong>How are deadlines tracked?</strong> Confirm automatic 7-day and 3-month tracking with notifications.</li> <li><strong>Is the audit trail append-only?</strong> Ensure entries cannot be edited after creation.</li> <li><strong>What happens when we cancel?</strong> Understand data export and deletion policies.</li> <li><strong>Is a DPA available?</strong> Required for GDPR compliance as a data processor relationship.</li> </ol> <hr> <h2 id="how-ethicsportal-addresses-these-requirements"> How EthicsPortal addresses these requirements <a href="#how-ethicsportal-addresses-these-requirements" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="https://ethicsportal.eu">EthicsPortal</a> is built specifically for EU Directive 2019/1937 compliance:</p> <ul> <li>€49/month, all features included</li> <li>Anonymous reporting with IP anonymization and file metadata stripping</li> <li>Secure two-way messaging via access code</li> <li>Automatic deadline tracking with overdue notifications</li> <li>Append-only audit trail and PDF case export</li> <li>Hosted on Hetzner in Nuremberg, Germany — all data stays in the EU</li> </ul> <p>See our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> for an article-by-article breakdown of how each requirement is met.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/if-employees-have-to-ask-you-dont-have-a-channel/Sat, 04 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/if-employees-have-to-ask-you-dont-have-a-channel/EU law requires employers to inform workers about their reporting channel. But if finding it requires asking someone, the channel is already compromised.<h1 id="if-employees-have-to-ask-where-the-whistleblowing-channel-is-you-dont-have-one"> If employees have to ask where the whistleblowing channel is, you don’t have one <a href="#if-employees-have-to-ask-where-the-whistleblowing-channel-is-you-dont-have-one" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>An employee suspects fraud. They want to report it. Their first step should not be walking up to HR and asking “do we have a whistleblowing channel?”</p> <p>The act of asking is itself a signal. In the exact kind of workplace the Directive exists to address — where misconduct is happening and someone wants to report it — asking around about a reporting channel tells people that you are thinking about reporting something. Before you have typed a single word, you are exposed.</p> <hr> <h2 id="the-law-is-clear-you-must-inform-employees"> The law is clear: you must inform employees <a href="#the-law-is-clear-you-must-inform-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937 and its national transpositions (<a href="/whistleblower-laws/france/">Loi Waserman</a> in France, <a href="/whistleblower-laws/germany/">HinSchG</a> in Germany, the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> in Poland, and others) do not just require organizations to set up a reporting channel. They require them to make sure workers know about it.</p> <p><strong>Article 9(1)(g)</strong> mandates “clear and easily accessible information” about reporting procedures — both internal and external. This is not optional. If you have a reporting channel but your employees do not know it exists, you are not compliant with your national law.</p> <p>National transpositions go further:</p> <ul> <li><strong><a href="/whistleblower-laws/germany/">Germany</a> (<a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">HinSchG</a> §7(3), §13(2)):</strong> Employers must provide “clear and easily accessible information” about both internal reporting procedures (§7(3)) and external reporting options (§13(2)).</li> <li><strong><a href="/whistleblower-laws/france/">France</a> (<a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman, 2022-401</a> ):</strong> Companies must inform employees about reporting procedures and publish this information via accessible means.</li> <li><strong><a href="/whistleblower-laws/poland/">Poland</a> (<a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Ustawa o ochronie sygnalistów</a> ):</strong> Employers must establish internal reporting procedures and publish them to all employees. The procedure takes effect 7 days after publication.</li> </ul> <p>The pattern is the same everywhere: setting up the channel is half the job. Making employees aware of it is the other half.</p> <hr> <h2 id="the-design-problem-nobody-talks-about"> The design problem nobody talks about <a href="#the-design-problem-nobody-talks-about" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Most compliance discussions stop at “inform employees” and assume a company-wide email or an intranet page solves it. It does not.</p> <p>Think about what actually happens:</p> <p><strong>Scenario 1: The channel is on the company intranet.</strong> The employee has to use their work computer, log into the corporate network, navigate to the compliance section, and click through to the reporting portal. Every step leaves a digital trail on a device their employer controls. The IT department can see what pages you visit on the intranet.</p> <p><strong>Scenario 2: The channel requires a company app.</strong> The employee has to download an app, possibly through a corporate MDM (mobile device management) system, and create an account. The act of installing a whistleblower app on your work phone is itself a statement.</p> <p><strong>Scenario 3: The channel is mentioned once in the employee handbook.</strong> Page 47, section 12.3, between the parking policy and the dress code. Nobody remembers it exists. When someone needs it, they have to ask. And asking is the problem.</p> <hr> <h2 id="what-easily-accessible-actually-means"> What “easily accessible” actually means <a href="#what-easily-accessible-actually-means" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you take the Directive’s intent seriously — protecting people who report wrongdoing — then “easily accessible” means:</p> <p><strong>The employee should be able to access the channel without:</strong></p> <ul> <li>Using a company device</li> <li>Being on the company network</li> <li>Installing an app</li> <li>Creating an account</li> <li>Asking anyone where to find it</li> <li>Leaving any trace that they looked for it</li> </ul> <p>This narrows the options considerably. The channel needs to be a <strong>public URL</strong> that works in any browser on any device — including a personal phone on mobile data, completely outside the employer’s infrastructure.</p> <hr> <h2 id="how-to-make-the-channel-truly-accessible"> How to make the channel truly accessible <a href="#how-to-make-the-channel-truly-accessible" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>1. A public URL, not an intranet page.</strong> The reporting portal should be accessible from any browser, on any device, without authentication. An employee at home, on their personal phone, at 11pm, should be able to type in a URL and start a report. No VPN, no login, no company email required.</p> <p><strong>2. QR codes in private spaces.</strong> Print the QR code and put it where people can scan it without being watched: bathroom stalls, break rooms, locker rooms, the back of elevator doors. An employee scanning a QR code on a bathroom wall leaves no digital trail and draws no attention.</p> <p><strong>3. Physical posters, not just emails.</strong> A company-wide email about the whistleblowing channel is easily missed and hard to find six months later. A poster on the wall of every office kitchen with a QR code and a URL is always there when someone needs it.</p> <p><strong>4. Mention it during onboarding — every time.</strong> New employee orientation should include the reporting channel URL and a printed card with the QR code. Not buried in a handbook. Handed to them directly.</p> <p><strong>5. No account required.</strong> If the reporting tool requires the employee to create an account with their email address to file a report, it is not anonymous and it is not safe. The reporter should be able to submit without providing any identifying information and receive an access code to check back later.</p> <hr> <h2 id="this-is-how-ethicsportal-works"> This is how EthicsPortal works <a href="#this-is-how-ethicsportal-works" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every EthicsPortal organization gets a public reporting URL. It works on any browser, any device. No app, no account, no company network.</p> <p>The portal generates a <strong>QR code</strong> that can be printed and posted anywhere. Scan it, and you are on the reporting page. No login, no trail.</p> <p>Reporters submit anonymously — no name, no email, no IP logging. They receive an access code to check back for updates. The entire interaction happens in a browser window that can be closed and leaves nothing behind.</p> <p>The handler never sees the reporter’s identity. The reporter never sees the handler’s name. The system counts to 7 days, counts to 3 months, and logs everything.</p> <p>That is what “easily accessible” looks like when you take the Directive seriously.</p> <hr> <p><em>If your organization’s whistleblowing channel requires employees to ask someone where to find it, you have a compliance checkbox. You do not have a reporting channel. <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">Set up a real one in ten minutes.</a> </em></p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/gdpr-and-whistleblower-reporting/Fri, 20 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/gdpr-and-whistleblower-reporting/How GDPR applies to whistleblower reports. Legal basis for processing, anonymous vs. pseudonymous data, retention periods, and the right to erasure.<h1 id="gdpr-and-whistleblower-reporting-what-you-need-to-know"> GDPR and whistleblower reporting: what you need to know <a href="#gdpr-and-whistleblower-reporting-what-you-need-to-know" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every whistleblower report contains personal data. The reporter may include their name. The report will likely name the person accused of wrongdoing. The handler’s actions are logged. All of this is personal data under GDPR.</p> <p>This creates a tension that compliance officers deal with every day: the Whistleblower Directive (2019/1937) requires you to collect and store reports, and GDPR requires you to have a lawful basis for doing so, minimize what you collect, and delete it when you no longer need it.</p> <p>Here is how the two frameworks interact, and what it means in practice.</p> <hr> <h2 id="what-personal-data-does-a-whistleblower-report-contain"> What personal data does a whistleblower report contain? <a href="#what-personal-data-does-a-whistleblower-report-contain" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>More than you might think:</p> <table> <thead> <tr> <th>Data</th> <th>Source</th> <th>GDPR category</th> </tr> </thead> <tbody> <tr> <td>Reporter’s name (if provided)</td> <td>Voluntary</td> <td>Personal data</td> </tr> <tr> <td>Reporter’s contact details (if provided)</td> <td>Voluntary</td> <td>Personal data</td> </tr> <tr> <td>Name of the accused person</td> <td>Report content</td> <td>Personal data (third party)</td> </tr> <tr> <td>Details of the alleged misconduct</td> <td>Report content</td> <td>May include special category data (Art. 9) or criminal offence data (Art. 10)</td> </tr> <tr> <td>Uploaded files (documents, photos)</td> <td>Reporter</td> <td>May contain metadata (GPS, author, timestamps)</td> </tr> <tr> <td>Handler actions and notes</td> <td>Case management</td> <td>Personal data (handler)</td> </tr> <tr> <td>Timestamps and audit trail</td> <td>System</td> <td>Personal data</td> </tr> </tbody> </table> <p>If a report describes harassment, discrimination, or health issues, it may contain <strong>special category data</strong> under GDPR Article 9 — which triggers stricter processing conditions. Reports involving criminal allegations fall under <strong>Article 10</strong> (criminal convictions and offences), which has its own restrictions.</p> <hr> <h2 id="what-is-the-legal-basis-for-processing"> What is the legal basis for processing? <a href="#what-is-the-legal-basis-for-processing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>You need a lawful basis under GDPR Article 6 to process personal data in whistleblower reports. The most commonly used bases:</p> <h3 id="article-61c--legal-obligation"> Article 6(1)(c) — Legal obligation <a href="#article-61c--legal-obligation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This is the primary basis. EU Directive 2019/1937 and its national transpositions impose a legal obligation to operate a reporting channel. Processing personal data is necessary to comply with that obligation.</p> <p>This covers:</p> <ul> <li>Receiving the report</li> <li>Storing it securely</li> <li>Investigating the allegations</li> <li>Communicating with the reporter</li> <li>Maintaining an audit trail</li> </ul> <h3 id="article-61f--legitimate-interest"> Article 6(1)(f) — Legitimate interest <a href="#article-61f--legitimate-interest" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Some organizations use legitimate interest as a secondary basis, particularly for processing that goes beyond the Directive’s minimum requirements (e.g., internal analysis, trend reporting). This requires a legitimate interest assessment (LIA) and balancing test.</p> <h3 id="article-61e--public-interest-public-sector"> Article 6(1)(e) — Public interest (public sector) <a href="#article-61e--public-interest-public-sector" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Public sector organizations may rely on the public interest basis, particularly where national law explicitly authorizes processing for whistleblower protection.</p> <h3 id="what-about-consent"> What about consent? <a href="#what-about-consent" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Do not rely on consent.</strong> The reporter-employer power imbalance means consent is unlikely to be freely given (GDPR Recital 43). A reporter cannot meaningfully consent when their job may depend on the outcome. Use legal obligation (Art. 6(1)(c)) instead.</p> <hr> <h2 id="anonymous-reports-and-gdpr"> Anonymous reports and GDPR <a href="#anonymous-reports-and-gdpr" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This is the question compliance officers ask most: if a report is truly anonymous, does GDPR apply?</p> <h3 id="if-the-reporter-is-unidentifiable-gdpr-does-not-apply-to-them"> If the reporter is unidentifiable: GDPR does not apply to them <a href="#if-the-reporter-is-unidentifiable-gdpr-does-not-apply-to-them" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>GDPR applies to personal data relating to an identified or identifiable person (Art. 4(1)). If a reporter submits without providing a name, email, or any identifying information — and the system does not log their IP address or any other identifier — the report content is not personal data <em>with respect to the reporter</em>.</p> <p>However:</p> <ul> <li>The <strong>accused person</strong> named in the report is still identifiable. GDPR fully applies to their data.</li> <li>If the report content contains details that could indirectly identify the reporter (“I am the only woman on the third floor”), it may still constitute personal data.</li> </ul> <h3 id="what-anonymous-requires-technically"> What “anonymous” requires technically <a href="#what-anonymous-requires-technically" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>For anonymity to hold up under GDPR scrutiny, your reporting tool must:</p> <ul> <li><strong>Not log IP addresses.</strong> Any IP logging makes the reporter pseudonymous, not anonymous.</li> <li><strong>Not require an account or email.</strong> If the reporter authenticates, they are identifiable.</li> <li><strong>Strip file metadata.</strong> Uploaded photos and documents contain EXIF data (GPS coordinates, author name, device information) that can identify the reporter.</li> <li><strong>Not use analytics or tracking cookies</strong> on the reporting portal.</li> </ul> <p>If your tool does any of these things, you are collecting pseudonymous data, not anonymous data, and GDPR applies in full.</p> <hr> <h2 id="data-minimization-art-51c"> Data minimization (Art. 5(1)(c)) <a href="#data-minimization-art-51c" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive requires a reporting channel. It does not require collecting more data than necessary.</p> <p>In practice:</p> <ul> <li><strong>Reporter identity must be optional.</strong> The reporter should be able to submit without providing their name or contact details.</li> <li><strong>Intake forms should collect only what is needed.</strong> A description of the misconduct, the category, and optional supporting files. Do not require department, employee ID, or other identifiers unless the reporter chooses to provide them.</li> <li><strong>Handler notes should be relevant to the investigation.</strong> Do not log extraneous personal details about the reporter or accused.</li> </ul> <hr> <h2 id="the-accused-persons-rights"> The accused person’s rights <a href="#the-accused-persons-rights" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This is where it gets complicated. The person accused in a whistleblower report has GDPR rights — including the right to be informed (Art. 14), the right of access (Art. 15), and the right to erasure (Art. 17).</p> <p>But exercising those rights cannot compromise the reporter’s confidentiality (Directive Art. 16).</p> <h3 id="right-to-be-informed-art-14"> Right to be informed (Art. 14) <a href="#right-to-be-informed-art-14" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Under GDPR, you must inform people when you process their data. But Directive Art. 16(1) requires protecting the reporter’s identity. The solution:</p> <ul> <li>You <strong>may</strong> inform the accused person that a report has been made — but only when doing so does not risk identifying the reporter.</li> <li><strong>Timing matters.</strong> Many member states allow delaying notification until it would no longer jeopardize the investigation. Germany’s HinSchG explicitly restricts disclosure during the investigation period.</li> <li>National data protection authorities generally accept that the Directive’s confidentiality requirements override the immediate notification obligation.</li> </ul> <h3 id="right-of-access-art-15"> Right of access (Art. 15) <a href="#right-of-access-art-15" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The accused person can request access to data held about them. You must provide it — but you must redact any information that would identify the reporter. This includes the reporter’s name, but also contextual details that could reveal them indirectly.</p> <h3 id="right-to-erasure-art-17"> Right to erasure (Art. 17) <a href="#right-to-erasure-art-17" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The accused person cannot demand deletion of a report that is part of an ongoing investigation or that must be retained under legal obligations. GDPR Art. 17(3)(b) and (e) provide exceptions for legal obligations and legal claims.</p> <hr> <h2 id="retention-periods"> Retention periods <a href="#retention-periods" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive (Art. 18) requires maintaining records of reports. GDPR (Art. 5(1)(e)) requires not keeping personal data longer than necessary.</p> <h3 id="how-long-should-you-retain-reports"> How long should you retain reports? <a href="#how-long-should-you-retain-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive does not prescribe a specific retention period. National transpositions vary:</p> <table> <thead> <tr> <th>Country</th> <th>Retention period</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td><a href="/whistleblower-laws/france/">France</a> </td> <td>5 years after case closure</td> <td><a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046357368" rel="nofollow">Decree 2022-1284</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/italy/">Italy</a> </td> <td>5 years from date of report</td> <td><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">D.Lgs. 24/2023, Art. 14</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/germany/">Germany</a> </td> <td>3 years after case closure (unless ongoing proceedings)</td> <td><a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">HinSchG §11</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/spain/">Spain</a> </td> <td>Not specified (general GDPR minimization applies)</td> <td><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Law 2/2023</a> </td> </tr> </tbody> </table> <h3 id="best-practice"> Best practice <a href="#best-practice" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <ul> <li>Set a configurable retention period (e.g., 12, 24, 36, or 60 months after case closure).</li> <li>Automatically delete closed cases when the retention period expires.</li> <li>Allow manual deletion by admins for cases where retention is no longer necessary.</li> <li>Document your retention policy and be prepared to justify it to a regulator.</li> </ul> <hr> <h2 id="international-data-transfers"> International data transfers <a href="#international-data-transfers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Whistleblower data must stay in the EU unless you have a valid transfer mechanism under GDPR Chapter V.</p> <p>This matters when choosing a reporting tool:</p> <ul> <li><strong>EU-hosted platforms</strong> (data stored in Germany, France, Netherlands, etc.): no transfer issue.</li> <li><strong>US-hosted platforms</strong> or platforms using US cloud providers (AWS US, Azure US, Google Cloud US): require reliance on Standard Contractual Clauses (SCCs) or the <a href="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en" rel="nofollow">EU-US Data Privacy Framework</a> — both of which have been <a href="https://curia.europa.eu/juris/liste.jsf?num=C-311/18" rel="nofollow">legally challenged</a> .</li> </ul> <p>The simplest path: choose a platform that hosts all data in the EU. This eliminates the transfer question entirely.</p> <hr> <h2 id="data-protection-impact-assessment-dpia"> Data Protection Impact Assessment (DPIA) <a href="#data-protection-impact-assessment-dpia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>GDPR Article 35 requires a DPIA when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”</p> <p>Whistleblower reporting likely qualifies because:</p> <ul> <li>It involves sensitive allegations about identified individuals</li> <li>Reports may contain special category data (Art. 9)</li> <li>There is an inherent power imbalance between reporter and organization</li> <li>Confidentiality failures could lead to retaliation</li> </ul> <p>Most data protection authorities recommend conducting a DPIA before implementing a whistleblower reporting system.</p> <hr> <h2 id="what-your-reporting-tool-must-do"> What your reporting tool must do <a href="#what-your-reporting-tool-must-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Based on the GDPR requirements above, your whistleblower software should:</p> <table> <thead> <tr> <th>Requirement</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Optional reporter identity</td> <td>Data minimization (Art. 5(1)(c))</td> </tr> <tr> <td>No IP logging</td> <td>Preserve anonymity, avoid creating pseudonymous data</td> </tr> <tr> <td>File metadata stripping</td> <td>Prevent accidental identification via EXIF/GPS data</td> </tr> <tr> <td>Encryption at rest</td> <td>Integrity and confidentiality (Art. 5(1)(f))</td> </tr> <tr> <td>Configurable retention periods</td> <td>Storage limitation (Art. 5(1)(e))</td> </tr> <tr> <td>Automatic deletion of expired cases</td> <td>Storage limitation enforcement</td> </tr> <tr> <td>Role-based access controls</td> <td>Confidentiality (Directive Art. 16)</td> </tr> <tr> <td>Append-only audit trail</td> <td>Accountability (Art. 5(2))</td> </tr> <tr> <td>EU data hosting</td> <td>Avoid international transfer complications (Chapter V)</td> </tr> <tr> <td>Privacy notice on the reporting form</td> <td>Transparency (Art. 13/14)</td> </tr> </tbody> </table> <hr> <h2 id="how-ethicsportal-handles-gdpr"> How EthicsPortal handles GDPR <a href="#how-ethicsportal-handles-gdpr" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal was designed with both the Directive and GDPR as constraints from day one:</p> <ul> <li><strong>Legal basis:</strong> Processing is based on legal obligation (Art. 6(1)(c)) — compliance with EU Directive 2019/1937.</li> <li><strong>Anonymity by default:</strong> No IP logging, no accounts, no tracking. File metadata (EXIF, GPS, author) stripped automatically.</li> <li><strong>Data minimization:</strong> Reporter name and contact are optional fields. Only essential data is collected.</li> <li><strong>Encryption at rest:</strong> All report descriptions, names, contact details, and messages encrypted in the database.</li> <li><strong>Configurable retention:</strong> Organizations set their own retention period (12, 24, 36, or 60 months). Expired closed cases are deleted automatically.</li> <li><strong>EU hosting for core report data:</strong> Report content and attachments are stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (CDN, United States); the reporting and handler portals are not. Transfer safeguards for the marketing site are documented in the published subprocessor list and DPA.</li> <li><strong>Access controls:</strong> Only admins and assigned handlers can view reports. Handler names are never revealed to reporters.</li> <li><strong>Audit trail:</strong> Append-only log of every action for accountability and regulatory review.</li> <li><strong>DPA available:</strong> GDPR Article 28 <a href="/dpa/">Data Processing Agreement</a> available for all customers.</li> </ul> <p>For the full article-by-article breakdown, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/whistleblower-policy-template/Sun, 15 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-policy-template/A ready-to-use whistleblower policy template that meets EU Directive 2019/1937 requirements. Copy, adapt, and implement in your organization.<h1 id="free-whistleblower-policy-template-for-eu-directive-20191937"> Free whistleblower policy template for EU Directive 2019/1937 <a href="#free-whistleblower-policy-template-for-eu-directive-20191937" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every organization with 50 or more employees in the EU needs a written whistleblower policy. This is not optional — it is required under national transposition laws like <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland), all implementing EU Directive 2019/1937. Penalties for non-compliance vary by country — see our <a href="/penalties/">penalties page</a> for details.</p> <p>A whistleblower policy does two things: it tells employees how to report wrongdoing, and it tells your organization how to handle those reports. Without a clear policy, reports fall through the cracks, handlers improvise, and your organization risks both legal exposure and reputational damage.</p> <p>Below is a complete policy template you can copy and adapt. Replace the bracketed placeholders with your organization’s details. The template covers every element the Directive requires.</p> <hr> <h2 id="whistleblower-policy-template"> Whistleblower policy template <a href="#whistleblower-policy-template" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <hr> <p><strong>[ORGANIZATION NAME]</strong></p> <p><strong>Whistleblower protection policy</strong></p> <p><strong>Effective date:</strong> [DATE]</p> <p><strong>Approved by:</strong> [NAME / TITLE]</p> <p><strong>Version:</strong> 1.0</p> <hr> <h3 id="1-purpose-and-scope"> 1. Purpose and scope <a href="#1-purpose-and-scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This policy establishes a framework for reporting suspected breaches of law, regulation, or internal rules within [ORGANIZATION NAME]. It implements the requirements of EU Directive 2019/1937 on the protection of persons who report breaches of Union law, as transposed into [MEMBER STATE] national law.</p> <p>This policy applies to all operations, subsidiaries, and business units of [ORGANIZATION NAME] within the European Union.</p> <h3 id="2-who-can-report"> 2. Who can report <a href="#2-who-can-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>In accordance with Article 4 of the Directive, the following persons may submit a report through the channels described in this policy:</p> <ul> <li>Current and former employees, including those on probation or notice periods</li> <li>Job applicants who obtained information during the recruitment process</li> <li>Contractors, subcontractors, and suppliers</li> <li>Shareholders and members of the administrative, management, or supervisory body</li> <li>Volunteers and trainees, whether paid or unpaid</li> <li>Any person working under the supervision and direction of contractors, subcontractors, or suppliers</li> <li>Persons whose work-based relationship has not yet begun, where information on breaches was acquired during the recruitment process or pre-contractual negotiations</li> </ul> <p>Protection also extends to facilitators, third persons connected with the reporting person (such as colleagues or relatives), and legal entities that the reporting person owns, works for, or is otherwise connected with in a work-related context (Article 4(4)).</p> <h3 id="3-what-can-be-reported"> 3. What can be reported <a href="#3-what-can-be-reported" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports may concern breaches of Union law in the areas covered by the Directive (Article 2), including but not limited to:</p> <ul> <li>Public procurement irregularities</li> <li>Financial services, anti-money laundering, and counter-terrorist financing violations</li> <li>Product safety and compliance breaches</li> <li>Transport safety violations</li> <li>Environmental protection breaches</li> <li>Radiation protection and nuclear safety issues</li> <li>Food and feed safety, animal health and welfare concerns</li> <li>Public health violations</li> <li>Consumer protection breaches</li> <li>Privacy and personal data protection violations</li> <li>Security of network and information systems</li> <li>Competition and state aid rule breaches</li> <li>Corporate tax arrangements that undermine the object or purpose of applicable tax law</li> <li>Fraud, corruption, or other criminal offenses affecting the financial interests of the EU</li> </ul> <p>Reports may also concern breaches of internal company policies, codes of conduct, and applicable national law, provided [MEMBER STATE] national transposition law extends protection to such reports.</p> <h3 id="4-how-to-report"> 4. How to report <a href="#4-how-to-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <h4 id="internal-reporting-channel"> Internal reporting channel <a href="#internal-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>[ORGANIZATION NAME] provides a secure, confidential internal reporting channel:</p> <ul> <li><strong>Online portal:</strong> [URL OF REPORTING PORTAL]</li> <li><strong>Designated person:</strong> [NAME / TITLE OF DESIGNATED PERSON OR DEPARTMENT]</li> <li><strong>Alternative methods:</strong> [POSTAL ADDRESS / EMAIL / IN-PERSON MEETING REQUEST PROCESS, as applicable]</li> </ul> <p>Reports can be submitted anonymously. Reporters who choose to remain anonymous will receive an access code to check the status of their report and communicate securely with the case handler.</p> <p>[ORGANIZATION NAME] encourages the use of the internal reporting channel as a first step, as this allows the organization to investigate and address breaches promptly.</p> <h4 id="external-reporting-to-competent-authorities"> External reporting to competent authorities <a href="#external-reporting-to-competent-authorities" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>Reporting persons have the right to report externally to the relevant competent authority at any time, as provided under Article 10 of the Directive. Reporting persons are not required to use the internal channel before reporting externally.</p> <p>The competent authority in [MEMBER STATE] is: [NAME AND CONTACT DETAILS OF NATIONAL AUTHORITY].</p> <h4 id="public-disclosure"> Public disclosure <a href="#public-disclosure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>In exceptional circumstances defined in Article 15 of the Directive, reporting persons may make a public disclosure and still receive protection — for example, where they have reasonable grounds to believe that the breach constitutes an imminent or manifest danger to the public interest, or where there is a risk of retaliation.</p> <h3 id="5-confidentiality"> 5. Confidentiality <a href="#5-confidentiality" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The identity of the reporting person will not be disclosed to anyone beyond the authorized staff members competent to receive or follow up on reports, without the explicit consent of the reporting person (Article 16).</p> <p>This confidentiality obligation applies to all information from which the identity of the reporting person may be directly or indirectly deduced.</p> <p>The identity of the reporting person may only be disclosed where this is a necessary and proportionate obligation imposed under Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defense of the person concerned.</p> <p>Any person who discloses the identity of a reporting person in violation of this policy will be subject to disciplinary action.</p> <h3 id="6-prohibition-of-retaliation"> 6. Prohibition of retaliation <a href="#6-prohibition-of-retaliation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>[ORGANIZATION NAME] strictly prohibits any form of retaliation against reporting persons, in accordance with Articles 19 to 21 of the Directive. Retaliation includes, but is not limited to:</p> <ul> <li>Suspension, dismissal, or equivalent measures</li> <li>Demotion, withholding of promotion, or change of duties or work location</li> <li>Reduction of wages or changes to working hours</li> <li>Withholding of training</li> <li>Negative performance assessment or employment reference</li> <li>Coercion, intimidation, harassment, or ostracism</li> <li>Discrimination or unfavorable treatment</li> <li>Failure to convert a temporary employment contract into a permanent one</li> <li>Non-renewal or early termination of a temporary employment contract</li> <li>Harm, including to reputation or financial loss</li> <li>Blacklisting</li> <li>Early termination or cancellation of a contract for goods or services</li> <li>Cancellation of a license or permit</li> <li>Psychiatric or medical referrals</li> </ul> <p>The burden of proof in retaliation proceedings is reversed: where a reporting person establishes that they made a report and subsequently suffered a detriment, it is presumed that the detriment was made in retaliation. The person who took the detrimental action must prove it was based on duly justified grounds unrelated to the report (Article 21(5)).</p> <p>Any employee found to have engaged in retaliation will be subject to disciplinary action, up to and including termination.</p> <h3 id="7-investigation-process"> 7. Investigation process <a href="#7-investigation-process" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Upon receipt of a report, [ORGANIZATION NAME] will:</p> <ol> <li><strong>Acknowledge receipt</strong> within seven calendar days of receiving the report (Article 9(1)(b)).</li> <li><strong>Assess the report</strong> to determine whether it falls within the scope of this policy and warrants investigation.</li> <li><strong>Investigate diligently</strong> by gathering relevant information, interviewing witnesses as necessary, and reviewing documents, while maintaining confidentiality throughout.</li> <li><strong>Provide feedback</strong> to the reporting person within three months of acknowledgment. Feedback will include information on the status of the investigation and, where possible, the outcome and any measures taken or envisaged (Article 9(1)(f)).</li> <li><strong>Close the case</strong> with documented findings and, where appropriate, recommend corrective actions, disciplinary measures, or referral to competent authorities.</li> </ol> <p>Where a report is assessed as falling outside the scope of this policy, the reporting person will be informed and, where appropriate, redirected to the relevant procedure.</p> <h3 id="8-data-protection"> 8. Data protection <a href="#8-data-protection" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports and all related data will be processed in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law.</p> <p>Personal data that is manifestly not relevant to the handling of a specific report will not be collected or, if accidentally collected, will be deleted without undue delay (Article 17(3)).</p> <p>Report data will be retained for no longer than is necessary and proportionate to comply with the requirements of this policy and applicable law. [ORGANIZATION NAME] will define and document specific retention periods in accordance with national transposition law.</p> <h3 id="9-training-and-awareness"> 9. Training and awareness <a href="#9-training-and-awareness" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>[ORGANIZATION NAME] will:</p> <ul> <li>Train all designated case handlers on their obligations under this policy and applicable law</li> <li>Inform all employees and other persons covered by Section 2 about the availability and use of the internal reporting channel</li> <li>Make this policy easily accessible, including on the company intranet and as part of the onboarding process for new employees</li> </ul> <h3 id="10-review"> 10. Review <a href="#10-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This policy will be reviewed at least annually and updated as necessary to reflect changes in applicable law, organizational structure, or best practices.</p> <h3 id="11-contact"> 11. Contact <a href="#11-contact" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>For questions about this policy or the reporting channel:</p> <ul> <li><strong>Designated person:</strong> [NAME / TITLE]</li> <li><strong>Email:</strong> [EMAIL ADDRESS]</li> <li><strong>Reporting portal:</strong> [URL]</li> </ul> <hr> <p><em>End of policy document.</em></p> <hr> <h2 id="using-this-template"> Using this template <a href="#using-this-template" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Copy the text above into your company’s document format, replace every bracketed placeholder, and have it reviewed by your legal team. The template covers the requirements of Directive 2019/1937, but national transposition laws in your member state may impose additional obligations — check with local counsel.</p> <p>Once your policy is in place, you need a technical channel to receive reports. <a href="/">EthicsPortal</a> provides a secure, anonymous reporting portal that meets the Directive’s requirements for internal channels — set up in minutes, starting at €49/month.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/who-must-comply-eu-whistleblower-directive/Sun, 15 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/who-must-comply-eu-whistleblower-directive/Which companies need a whistleblowing channel under EU Directive 2019/1937? The 50-employee threshold, who counts as a worker, deadlines, and what "comply" actually means in practice.<h1 id="who-must-comply-with-the-eu-whistleblower-directive"> Who must comply with the EU Whistleblower Directive? <a href="#who-must-comply-with-the-eu-whistleblower-directive" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Short answer: if your organization has 50 or more employees and operates in the EU, you almost certainly need an internal whistleblower reporting channel. This is not optional. It is law in all 27 EU member states.</p> <p>Here is everything you need to know to determine whether you must comply, what compliance actually requires, and what happens if you do not.</p> <hr> <h2 id="the-threshold-50-employees"> The threshold: 50 employees <a href="#the-threshold-50-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937, Article 8(3)-(4), establishes the obligation:</p> <ul> <li><strong>250+ employees:</strong> Must have had an internal reporting channel since December 17, 2021 (the original transposition deadline per <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L1937" rel="nofollow">Art. 26(1)</a> ).</li> <li><strong>50–249 employees:</strong> Must have had an internal reporting channel since December 17, 2023 (extended deadline per <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L1937" rel="nofollow">Art. 26(2)</a> ).</li> </ul> <p>If you have 50 or more employees in the EU, the deadline has already passed. You should have a channel in place now.</p> <h3 id="how-employees-are-counted"> How employees are counted <a href="#how-employees-are-counted" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive does not define “employee” narrowly. Member states count:</p> <ul> <li>Full-time and part-time employees (part-time may be counted proportionally in some countries)</li> <li>Fixed-term and temporary workers</li> <li>In some member states: posted workers, trainees, and apprentices</li> </ul> <p>The count is based on your legal entity, not your group. If you are part of a corporate group, each entity with 50+ employees needs its own channel — though entities of 50–249 employees may share resources for receiving and investigating reports (Art. 8(6)).</p> <hr> <h2 id="who-is-covered-beyond-headcount"> Who is covered beyond headcount <a href="#who-is-covered-beyond-headcount" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Several categories of organizations must comply regardless of employee count:</p> <h3 id="financial-services-art-84"> <a href="/industries/financial-services/">Financial services</a> (Art. 8(4)) <a href="#financial-services-art-84" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All entities operating in financial services — banks, investment firms, insurance companies, payment institutions, crypto-asset providers — must have a reporting channel irrespective of size. This applies even if you have 5 employees. The Directive defers to the sector-specific EU legislation listed in Part I.B and Part II of the Annex.</p> <h3 id="public-sector-art-89"> <a href="/industries/public-sector/">Public sector</a> (Art. 8(9)) <a href="#public-sector-art-89" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Member states may require municipalities and other public bodies to establish internal channels. Many have done so, often with lower thresholds or no threshold at all.</p> <h3 id="national-extensions"> National extensions <a href="#national-extensions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Some member states go beyond the Directive’s minimum:</p> <ul> <li><strong><a href="/whistleblower-laws/italy/">Italy</a> :</strong> Organizations with a “Model 231” compliance program must comply regardless of size. <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </li> <li><strong><a href="/whistleblower-laws/belgium/">Belgium</a> :</strong> Companies with 250+ employees must accept anonymous reports (stricter than the Directive’s baseline). <a href="https://www.vow.be/en/node/358" rel="nofollow">Source: Van Olmen & Wynant</a> </li> <li><strong><a href="/whistleblower-laws/france/">France</a> :</strong> The <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman (2022-401)</a> transposing the Directive removed the requirement to use internal channels before going to external authorities — reporters can now choose either path. <a href="https://www.legifrance.gouv.fr/loda/id/JORFTEXT000033558528" rel="nofollow">Sapin II’s</a> broader anti-corruption compliance obligations (separate from the whistleblower channel) still apply to companies with 500+ employees and €100M+ revenue.</li> </ul> <hr> <h2 id="who-can-report"> Who can report <a href="#who-can-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive protects a broad category of “reporting persons” — not just employees. Under Article 4, the following people are protected when they report through your channel:</p> <ul> <li><strong>Workers</strong> (employees, civil servants, interns, trainees)</li> <li><strong>Self-employed persons</strong> (contractors, freelancers)</li> <li><strong>Shareholders and board members</strong></li> <li><strong>Volunteers</strong></li> <li><strong>Suppliers and their workers</strong> (anyone in your supply chain)</li> <li><strong>Job applicants</strong> (people who learned of wrongdoing during the recruitment process)</li> <li><strong>Former workers</strong> (people who learned of wrongdoing during a previous employment)</li> </ul> <p>Your reporting channel must be accessible to all of these groups, not just current employees.</p> <hr> <h2 id="what-compliance-actually-requires"> What compliance actually requires <a href="#what-compliance-actually-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Having a channel means meeting the requirements in Articles 8, 9, and 16 of the Directive. Here is the minimum:</p> <h3 id="1-a-secure-reporting-channel-art-8"> 1. A secure reporting channel (Art. 8) <a href="#1-a-secure-reporting-channel-art-8" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An internal channel that allows reporting in writing (and optionally orally). It must:</p> <ul> <li>Be accessible to all persons covered by the Directive (employees, contractors, suppliers, etc.)</li> <li>Protect the confidentiality of the reporter’s identity</li> <li>Not require the reporter to identify themselves (anonymous reporting is permitted in most member states)</li> </ul> <h3 id="2-a-documented-procedure-art-9"> 2. A documented procedure (Art. 9) <a href="#2-a-documented-procedure-art-9" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The channel must follow a defined procedure:</p> <table> <thead> <tr> <th>Requirement</th> <th>Deadline</th> <th>Article</th> </tr> </thead> <tbody> <tr> <td>Acknowledge receipt of the report</td> <td>Within 7 days</td> <td>Art. 9(1)(b)</td> </tr> <tr> <td>Assign an impartial person or department to handle it</td> <td>Upon receipt</td> <td>Art. 9(1)(a)</td> </tr> <tr> <td>Follow up diligently</td> <td>Ongoing</td> <td>Art. 9(1)(c)</td> </tr> <tr> <td>Provide feedback to the reporter</td> <td>Within 3 months</td> <td>Art. 9(1)(f)</td> </tr> <tr> <td>Inform the reporter of external reporting options</td> <td>At submission</td> <td>Art. 9(1)(g)</td> </tr> </tbody> </table> <h3 id="3-confidentiality-protections-art-16"> 3. Confidentiality protections (Art. 16) <a href="#3-confidentiality-protections-art-16" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity must not be disclosed to anyone beyond the staff handling the report, without the reporter’s explicit consent. This means:</p> <ul> <li>Access controls: only authorized handlers see reports</li> <li>No IP logging or tracking that could identify anonymous reporters</li> <li>Data encrypted at rest</li> </ul> <h3 id="4-record-keeping-art-18"> 4. Record-keeping (Art. 18) <a href="#4-record-keeping-art-18" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports must be stored securely and retained in compliance with national law. You need an audit trail that can demonstrate compliance to regulators.</p> <h3 id="5-anti-retaliation-measures-art-1921"> 5. Anti-retaliation measures (Art. 19–21) <a href="#5-anti-retaliation-measures-art-1921" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>You must not retaliate against reporters. This includes dismissal, demotion, withholding promotion, changing duties, or any other form of disadvantage. Reporters must be informed of this protection.</p> <hr> <h2 id="what-does-not-count-as-compliance"> What does NOT count as compliance <a href="#what-does-not-count-as-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Some things organizations try that do not meet the Directive’s requirements:</p> <ul> <li><strong>A generic email address</strong> (e.g., <a href="mailto:compliance@company.com">compliance@company.com</a> ). This does not protect confidentiality, does not track deadlines, and does not create an audit trail.</li> <li><strong>An anonymous suggestion box.</strong> No two-way communication, no acknowledgment, no feedback mechanism.</li> <li><strong>A page in the employee handbook.</strong> The channel must be operational, not just documented.</li> <li><strong>A third-party hotline with no case management.</strong> If reports come in by phone but are not tracked through a system with deadlines and audit trails, you are not compliant with Art. 9.</li> </ul> <hr> <h2 id="what-happens-if-you-do-not-comply"> What happens if you do not comply <a href="#what-happens-if-you-do-not-comply" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every member state has defined penalties. They vary widely:</p> <table> <thead> <tr> <th>Country</th> <th>Penalty for no reporting channel</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td>Spain</td> <td>Up to €1,000,000</td> <td><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Law 2/2023</a> </td> </tr> <tr> <td>Belgium</td> <td>€24,000–€576,000 + up to 3 years prison</td> <td><a href="https://cms.law/en/int/expert-guides/whistleblower-protection-and-reporting-channels/belgium" rel="nofollow">CMS Expert Guide</a> </td> </tr> <tr> <td>Germany</td> <td>€20,000–€500,000 (legal entities)</td> <td><a href="https://www.gesetze-im-internet.de/hinschg/" rel="nofollow">HinSchG §40</a> </td> </tr> <tr> <td>Italy</td> <td>€10,000–€50,000</td> <td><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">D.Lgs. 24/2023</a> </td> </tr> <tr> <td>Poland</td> <td>Up to PLN 1,080,000 (~€250,000)</td> <td><a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Act of 14 June 2024</a> </td> </tr> </tbody> </table> <p>Enforcement is not theoretical. In March 2025, the <a href="https://eucrim.eu/news/ecj-ordered-several-member-states-to-financial-penalties-for-failing-to-transpose-whistleblowers-directive/" rel="nofollow">EU Court of Justice fined five member states a combined €39 million</a> for being late to transpose the Directive. National enforcement authorities are now operational in most countries and actively issuing fines.</p> <p>See our full <a href="/penalties/">penalties by country</a> page for all 27 member states.</p> <hr> <h2 id="the-fastest-path-to-compliance"> The fastest path to compliance <a href="#the-fastest-path-to-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If your organization has 50+ employees, the deadline has passed. Here is how to get compliant:</p> <ol> <li><strong>Set up a reporting channel.</strong> <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">EthicsPortal</a> takes minutes — sign up, configure your portal, share the link. €49/month, everything included.</li> <li><strong>Designate a handler.</strong> Assign at least one impartial person to receive and investigate reports.</li> <li><strong>Inform employees.</strong> Share the portal URL and QR code via posters, onboarding materials, and internal communications.</li> <li><strong>Document your procedure.</strong> Adopt an internal whistleblower protection policy that describes the process, deadlines, and anti-retaliation protections.</li> </ol> <p>The software is the easy part. The entire setup — channel, configuration, QR code — can be done in a lunch break. The organizational steps (handler designation, policy, training) take longer but are straightforward.</p> <p>For an article-by-article breakdown of how EthicsPortal meets the Directive’s requirements, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/anonymous-vs-confidential-reporting/Sun, 15 Feb 2026 00:00:00 +0000https://ethicsportal.eu/blog/anonymous-vs-confidential-reporting/Understand the difference between anonymous and confidential whistleblower reporting, what the EU Directive requires, and how to support both.<h1 id="anonymous-vs-confidential-whistleblower-reporting-whats-the-difference"> Anonymous vs. confidential whistleblower reporting: what’s the difference? <a href="#anonymous-vs-confidential-whistleblower-reporting-whats-the-difference" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Compliance officers frequently use “anonymous” and “confidential” interchangeably when discussing whistleblower reporting. They are not the same thing, and the distinction matters — both legally and practically.</p> <p>Getting this wrong can undermine trust in your reporting channel, expose your organization to liability, or make investigations harder than they need to be. Here is what each term means, what the EU Directive says, and how to handle both in practice.</p> <hr> <h2 id="definitions"> Definitions <a href="#definitions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="anonymous-reporting"> Anonymous reporting <a href="#anonymous-reporting" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity is unknown to everyone, including the case handler. The organization receives the report but has no way to determine who submitted it. The reporter does not provide their name, email, or any identifying information.</p> <p>True anonymity means that even if the organization wanted to identify the reporter, it could not — the system is designed to prevent it.</p> <h3 id="confidential-reporting"> Confidential reporting <a href="#confidential-reporting" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity is known to the case handler (or a limited number of authorized persons), but it is protected from disclosure to anyone else. The handler knows who made the report but is legally and organizationally obligated not to reveal that identity.</p> <p>Confidentiality is a promise backed by legal protections. Anonymous reporting removes the need for that promise entirely.</p> <hr> <h2 id="what-the-eu-directive-says"> What the EU Directive says <a href="#what-the-eu-directive-says" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937 addresses both concepts, though it gives member states flexibility on anonymous reporting.</p> <p><strong>Confidentiality (Article 16):</strong> The Directive is unambiguous here. The identity of the reporting person must not be disclosed to anyone beyond authorized staff without the reporter’s explicit consent. This applies to all reports, whether the reporter identifies themselves or not. Confidentiality is mandatory.</p> <p><strong>Anonymous reporting (Article 6(2–3), Recital 34):</strong> The Directive does not require member states to accept anonymous reports through internal channels. However, it explicitly states that member states <em>may</em> decide to allow or require anonymous reporting. Where anonymous reports are accepted, they must be handled with the same diligence as identified reports.</p> <p>In practice, the majority of member states that have transposed the Directive now require or strongly encourage anonymous reporting. <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">France</a> , <a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">Germany</a> , <a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">Italy</a> , and several others mandate it. Even where it is not legally required, allowing anonymity is considered best practice because it increases reporting rates.</p> <p><strong>Two-way communication (Article 9(1)(b)):</strong> The Directive requires that reporting channels allow communication with the reporter, including providing acknowledgment and feedback. For anonymous reporters, this means the channel must support two-way messaging without requiring identity disclosure — typically through an access code or case reference number.</p> <hr> <h2 id="pros-and-cons"> Pros and cons <a href="#pros-and-cons" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="anonymous-reporting-1"> Anonymous reporting <a href="#anonymous-reporting-1" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Pros:</strong></p> <ul> <li>Removes the fear barrier entirely — reporters do not risk being identified</li> <li>Higher reporting rates, especially for sensitive issues like fraud by senior management</li> <li>Protects reporters even if the organization’s confidentiality measures fail</li> <li>Builds trust in the reporting channel</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Follow-up is harder — the handler cannot call the reporter for clarification unless two-way messaging is available</li> <li>Risk of lower-quality reports if the reporter knows they cannot be contacted</li> <li>Some organizations worry about frivolous or malicious reports (in practice, the <a href="https://www.acfe.com/report-to-the-nations/2024/" rel="nofollow">ACFE Report to the Nations</a> and <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2018:0116:FIN" rel="nofollow">EU Commission impact assessment</a> found this is rare)</li> <li>Investigation may be more difficult without knowing the reporter’s vantage point</li> </ul> <h3 id="confidential-reporting-1"> Confidential reporting <a href="#confidential-reporting-1" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Pros:</strong></p> <ul> <li>Easier follow-up — the handler can contact the reporter directly for additional information</li> <li>The reporter’s perspective and role can help focus the investigation</li> <li>Reports tend to be more detailed when the reporter knows they can be contacted</li> <li>The handler can assess credibility more easily</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Requires the reporter to trust that confidentiality will be maintained</li> <li>A single data breach, careless email, or unauthorized access can expose the reporter</li> <li>Some reporters will not use the channel if identification is required</li> <li>The organization bears the legal risk of maintaining confidentiality</li> </ul> <hr> <h2 id="how-anonymous-reporting-works-in-practice"> How anonymous reporting works in practice <a href="#how-anonymous-reporting-works-in-practice" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Anonymous reporting does not mean the reporter submits a message into a void and never hears back. Modern whistleblower platforms solve the communication problem with access codes.</p> <p>Here is how it typically works:</p> <ol> <li><strong>The reporter submits a report</strong> through the portal without entering any personal information.</li> <li><strong>The system generates a unique access code</strong> (or case reference number) and displays it to the reporter.</li> <li><strong>The reporter saves the access code.</strong> This is their key to the case.</li> <li><strong>The case handler reviews the report</strong> and can post follow-up questions or status updates to the case.</li> <li><strong>The reporter returns to the portal</strong>, enters the access code, and sees any messages from the handler. They can reply, provide additional documents, or answer questions — all without revealing who they are.</li> </ol> <p>This approach satisfies the Directive’s two-way communication requirement while preserving anonymity. The handler gets the information they need for the investigation; the reporter stays protected.</p> <p>The access code model also supports the seven-day acknowledgment and three-month feedback requirements, because the reporter can check the portal at any time to see if acknowledgment or feedback has been provided.</p> <hr> <h2 id="why-offering-both-options-is-the-right-approach"> Why offering both options is the right approach <a href="#why-offering-both-options-is-the-right-approach" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The strongest reporting channels give reporters the choice: submit anonymously, or provide your identity with the assurance of confidentiality.</p> <p>Here is why:</p> <ul> <li><strong>Different situations call for different approaches.</strong> A junior employee reporting a senior executive’s fraud may choose anonymity. A department head flagging a safety issue may prefer to identify themselves so the investigation can move faster.</li> <li><strong>Choice builds trust.</strong> When reporters see that anonymity is genuinely available, they trust the channel more — even the ones who ultimately choose to identify themselves.</li> <li><strong>Legal coverage.</strong> In member states that require anonymous reporting, you are compliant. In those that do not, you exceed the minimum standard.</li> <li><strong>Better reporting rates.</strong> The <a href="https://www.acfe.com/report-to-the-nations/2024/" rel="nofollow">ACFE Report to the Nations (2024)</a> found that tips are the most common fraud detection method (43% of cases), and anonymous hotlines significantly increase tip volume.</li> </ul> <p>The EU Directive’s own recitals acknowledge this: allowing anonymous reporting <em>encourages</em> reporting and makes channels more effective.</p> <hr> <h2 id="how-ethicsportal-handles-this"> How EthicsPortal handles this <a href="#how-ethicsportal-handles-this" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal supports both anonymous and confidential reporting:</p> <ul> <li><strong>Anonymous by default.</strong> Reporters are never required to provide their identity. No name, no email, no account.</li> <li><strong>Optional identity disclosure.</strong> Reporters can choose to share their name or contact information if they want to. This is entirely voluntary.</li> <li><strong>Access code messaging.</strong> Every report generates a unique access code. The reporter uses it to check for updates and communicate with the case handler, without revealing who they are.</li> <li><strong>Confidentiality enforced.</strong> When a reporter does share their identity, access controls ensure only designated case handlers can see it.</li> </ul> <p>This gives reporters full control over their level of exposure, while giving case handlers the tools they need to investigate effectively.</p> <hr> <h2 id="the-bottom-line"> The bottom line <a href="#the-bottom-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Anonymous means the handler does not know who you are. Confidential means the handler knows but is legally bound not to tell anyone else. Both serve the goal of protecting reporters, but they do so differently.</p> <p>The EU Directive mandates confidentiality. It leaves anonymous reporting to member states, most of which now require or recommend it. The safest approach — for your reporters and your compliance posture — is to offer both.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/how-to-implement-whistleblower-channel/Sun, 01 Feb 2026 00:00:00 +0000https://ethicsportal.eu/blog/how-to-implement-whistleblower-channel/A step-by-step guide to setting up a compliant whistleblower reporting channel quickly, without weeks of onboarding or enterprise sales calls.<h1 id="how-to-set-up-a-whistleblower-reporting-channel-in-5-minutes"> How to set up a whistleblower reporting channel in 5 minutes <a href="#how-to-set-up-a-whistleblower-reporting-channel-in-5-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every EU member state now requires organizations with 50 or more employees to operate an internal whistleblower reporting channel — through national laws like <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland), all transposing EU Directive 2019/1937. The requirement is clear, but most implementations take far longer than they should.</p> <p>This guide explains what the law actually requires from the channel itself, why enterprise tools make the process unnecessarily slow, and how to get a working channel live in minutes.</p> <hr> <h2 id="what-the-directive-requires"> What the Directive requires <a href="#what-the-directive-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Article 8 and Article 9 specify what an internal reporting channel must do:</p> <ul> <li>Accept reports in writing or orally</li> <li>Allow anonymous reporting (required in some member states, strongly recommended everywhere)</li> <li>Enable two-way communication with the reporter, even if they are anonymous</li> <li>Ensure only authorized persons can access reports</li> <li>Acknowledge receipt within seven calendar days</li> <li>Provide feedback within three months</li> </ul> <p>That is the legal minimum. No specific technology is mandated — the Directive is technology-neutral. A web portal, a phone line, or even a locked physical mailbox can qualify, as long as the requirements above are met.</p> <hr> <h2 id="why-most-implementations-take-weeks"> Why most implementations take weeks <a href="#why-most-implementations-take-weeks" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Enterprise whistleblower platforms are designed for large organizations with complex procurement processes. A typical implementation looks like this:</p> <ol> <li><strong>Request a demo</strong> — fill out a form, wait for a sales rep to call you back</li> <li><strong>Attend the demo</strong> — a 30–60 minute call where the vendor walks you through features you may not need</li> <li><strong>Receive a proposal</strong> — custom pricing based on employee count, modules, and add-ons</li> <li><strong>Negotiate the contract</strong> — legal review, DPA signing, procurement approval</li> <li><strong>Onboarding kickoff</strong> — a project manager is assigned, another call is scheduled</li> <li><strong>Configuration</strong> — the vendor configures your portal, categories, and branding (or trains you to do it)</li> <li><strong>Testing and launch</strong> — review, approve, and go live</li> </ol> <p>For a 100-person company that just needs a compliant channel, this process is weeks of elapsed time and hours of meetings. It is designed for enterprises where a six-week procurement cycle is normal. For an SME, it is friction that delays compliance.</p> <hr> <h2 id="the-5-minute-setup-with-ethicsportal"> The 5-minute setup with EthicsPortal <a href="#the-5-minute-setup-with-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is built for the opposite scenario: you need a compliant channel, and you need it today.</p> <h3 id="step-1-sign-up-1-minute"> Step 1: Sign up (1 minute) <a href="#step-1-sign-up-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Go to <a href="/">ethicsportal.eu</a> and create an account. No demo request, no sales call, no “contact us for pricing.” You enter your email, set a password, and you are in.</p> <h3 id="step-2-configure-your-portal-2-minutes"> Step 2: Configure your portal (2 minutes) <a href="#step-2-configure-your-portal-2-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>From the dashboard, set up your reporting portal:</p> <ul> <li><strong>Organization name</strong> — appears on the portal so reporters know they are in the right place</li> <li><strong>Report categories</strong> — define what types of issues can be reported (fraud, harassment, safety violations, etc.). Sensible defaults are provided.</li> <li><strong>Welcome text</strong> — the message reporters see when they land on the portal. A clear, reassuring default is pre-filled.</li> <li><strong>Logo</strong> — match your organization’s visual identity</li> <li><strong>Language</strong> — choose the portal language for your reporters</li> </ul> <p>The portal is live at a unique URL as soon as you save. No deployment, no waiting.</p> <h3 id="step-3-share-the-portal-with-employees-1-minute"> Step 3: Share the portal with employees (1 minute) <a href="#step-3-share-the-portal-with-employees-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Every portal gets a shareable link and a QR code. You can:</p> <ul> <li>Email the link to all employees</li> <li>Print the QR code and post it in break rooms, offices, or common areas</li> <li>Add the link to your intranet or employee handbook</li> <li>Include it in your written whistleblower policy</li> </ul> <h3 id="step-4-start-receiving-and-managing-reports-1-minute"> Step 4: Start receiving and managing reports (1 minute) <a href="#step-4-start-receiving-and-managing-reports-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When someone submits a report through the portal, you receive a notification. From the dashboard, you can:</p> <ul> <li>Read the report</li> <li>Communicate with the reporter via secure two-way messaging (even if they are anonymous — they use an access code)</li> <li>Track the seven-day acknowledgment deadline</li> <li>Track the three-month feedback deadline</li> <li>Update the case status and add internal notes</li> <li>Close the case with a documented outcome</li> </ul> <p>That is it. Your channel is live, compliant, and ready to receive reports.</p> <hr> <h2 id="what-to-do-after-setup"> What to do after setup <a href="#what-to-do-after-setup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>A reporting channel is the technical foundation, but compliance requires organizational steps too:</p> <h3 id="designate-a-case-handler"> Designate a case handler <a href="#designate-a-case-handler" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Appoint one or more persons to receive and investigate reports. This person should be impartial and not likely to be the subject of reports. A compliance officer, legal counsel, or senior HR person typically fills this role. For small organizations, the managing director can serve as handler.</p> <h3 id="train-your-handlers"> Train your handlers <a href="#train-your-handlers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Case handlers need to understand: how to use the platform, confidentiality obligations, the seven-day and three-month deadlines, basics of conducting an internal investigation, and anti-retaliation rules.</p> <h3 id="write-a-whistleblower-policy"> Write a whistleblower policy <a href="#write-a-whistleblower-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Document how your organization handles reports. Cover scope, who can report, confidentiality, anti-retaliation, and the investigation process. See our <a href="/blog/whistleblower-policy-template/">free policy template</a> for a ready-to-use document.</p> <h3 id="inform-employees"> Inform employees <a href="#inform-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive requires you to proactively tell employees about the channel. Send an email, post on the intranet, mention it in team meetings, and include it in onboarding. The QR code makes this easy — print it and put it where people will see it.</p> <hr> <h2 id="common-mistakes-to-avoid"> Common mistakes to avoid <a href="#common-mistakes-to-avoid" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Using a generic email address.</strong> An email like <a href="mailto:compliance@company.com">compliance@company.com</a> does not meet the Directive’s requirements in most cases. Email lacks encryption, does not support anonymous reporting, and does not provide two-way communication with anonymous reporters.</p> <p><strong>Requiring reporters to identify themselves.</strong> While the Directive does not uniformly require anonymous reporting, several national laws do (e.g., <a href="/whistleblower-laws/belgium/">Belgium</a> mandates anonymous reporting for companies with 250+ employees). Making identification mandatory discourages reporting. Allow anonymity by default.</p> <p><strong>Forgetting the deadlines.</strong> Seven days for acknowledgment, three months for feedback. These are not suggestions — they are legal requirements. Missing them is a compliance failure. Use a system that tracks these deadlines automatically.</p> <p><strong>Not designating a handler.</strong> The channel is a mailbox. Someone needs to open it, read the reports, and act on them. If no one is designated, reports go unanswered and deadlines pass.</p> <p><strong>Over-engineering the setup.</strong> You do not need a full GRC suite, custom integrations, or a six-month rollout to comply. A working channel with anonymous reporting, two-way communication, and deadline tracking covers the legal requirements. Start simple, add complexity only if you need it.</p> <hr> <h2 id="get-started"> Get started <a href="#get-started" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="/">EthicsPortal</a> is €49/month flat — no per-employee pricing, no annual contracts, no sales calls. Set up your compliant reporting channel in minutes and focus on what matters: protecting the people who speak up.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/compliance-checklist/Thu, 15 Jan 2026 00:00:00 +0000https://ethicsportal.eu/blog/compliance-checklist/A practical 12-step checklist to comply with EU Directive 2019/1937 and national transposition laws, with article references, tips, and implementation guidance.<h1 id="eu-whistleblower-directive-compliance-checklist-for-companies"> EU whistleblower directive compliance checklist for companies <a href="#eu-whistleblower-directive-compliance-checklist-for-companies" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>All 27 EU member states have transposed EU Directive 2019/1937 into national law — including <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), <a href="/whistleblower-laws/italy/">D.Lgs. 24/2023</a> (Italy), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland). Your organization must comply with the national law in your country of operation, and enforcement is active.</p> <p>This checklist walks you through the twelve steps to full compliance. For each item, we cite the relevant Directive article, share practical tips, and note where tooling can help. See our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference for your country’s specific requirements.</p> <hr> <h2 id="the-checklist"> The checklist <a href="#the-checklist" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="1-determine-if-your-organization-is-in-scope"> 1. Determine if your organization is in scope <a href="#1-determine-if-your-organization-is-in-scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 8(3–4)</p> <p>All legal entities in the private sector with 50 or more workers must establish internal reporting channels. <a href="/industries/public-sector/">Public sector</a> entities, municipalities, and entities in certain regulated sectors (<a href="/industries/financial-services/">financial services</a> , aviation safety, maritime, etc.) are in scope regardless of size.</p> <p><strong>Practical tip:</strong> Count all workers, not just full-time employees. Part-time staff, contractors working on-site, and temporary agency workers may count toward the threshold depending on your national law. Some countries go further — <a href="/whistleblower-laws/italy/">Italy</a> requires a channel for all companies with a Model 231 compliance program regardless of size, and <a href="/whistleblower-laws/spain/">Spain</a> covers all public entities.</p> <hr> <h3 id="2-establish-an-internal-reporting-channel"> 2. Establish an internal reporting channel <a href="#2-establish-an-internal-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 8(1), Article 9(1)(a)</p> <p>The channel must allow reporting in writing (online form, email, postal) or orally (phone, voice messaging system), or both. On request, it must also allow in-person meetings within a reasonable timeframe.</p> <p><strong>Practical tip:</strong> A web-based portal is the most practical option — it is accessible 24/7, creates an automatic record, and supports anonymous two-way communication. Avoid using generic email addresses; they lack encryption, anonymity, and audit trails.</p> <p><strong>How EthicsPortal helps:</strong> Provides a branded web portal with encrypted anonymous reporting and two-way messaging, ready in minutes.</p> <hr> <h3 id="3-designate-an-impartial-person-or-department-to-handle-reports"> 3. Designate an impartial person or department to handle reports <a href="#3-designate-an-impartial-person-or-department-to-handle-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(c)</p> <p>You must designate a person or department competent to follow up on reports. This person must be impartial — they should not have a conflict of interest with the subject matter of reports.</p> <p><strong>Practical tip:</strong> Common choices include a compliance officer, a legal counsel, an HR director, or an external ombudsperson. For smaller organizations, the managing director can serve this role if they are not likely to be the subject of reports. Consider designating a backup handler.</p> <hr> <h3 id="4-set-up-the-acknowledgment-process-7-day-deadline"> 4. Set up the acknowledgment process (7-day deadline) <a href="#4-set-up-the-acknowledgment-process-7-day-deadline" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(b)</p> <p>You must acknowledge receipt of a report within seven calendar days. This applies to all reports, including anonymous ones.</p> <p><strong>Practical tip:</strong> Automate this. A manual process risks missing the seven-day window during holidays or absences.</p> <p><strong>How EthicsPortal helps:</strong> Tracks the acknowledgment deadline for each report and shows case handlers which reports need attention.</p> <hr> <h3 id="5-define-the-feedback-process-3-month-deadline"> 5. Define the feedback process (3-month deadline) <a href="#5-define-the-feedback-process-3-month-deadline" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(f)</p> <p>You must provide feedback to the reporting person within three months of the acknowledgment. Feedback includes: whether the report is being assessed, is under investigation, or has been closed, and the outcome of any investigation.</p> <p><strong>Practical tip:</strong> “Feedback” does not require disclosing the full investigation outcome. Informing the reporter that the matter was investigated and appropriate action was taken is sufficient. For anonymous reporters, feedback must be available through the reporting channel (for example, via an access code).</p> <p><strong>How EthicsPortal helps:</strong> Tracks the three-month feedback deadline per case and supports two-way messaging with anonymous reporters via access codes.</p> <hr> <h3 id="6-implement-confidentiality-measures"> 6. Implement confidentiality measures <a href="#6-implement-confidentiality-measures" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 16</p> <p>The identity of the reporting person must not be disclosed to anyone beyond authorized case handlers without the reporter’s explicit consent. This also covers information from which the reporter’s identity could be indirectly deduced.</p> <p><strong>Practical tip:</strong> Limit access to reports strictly. Do not share report details in meetings where unauthorized persons are present. When referring cases internally, redact identifying information about the reporter. Ensure your IT systems enforce access controls.</p> <p><strong>How EthicsPortal helps:</strong> Role-based access ensures only designated case handlers can view reports. Reporter identity is never exposed unless the reporter voluntarily shares it.</p> <hr> <h3 id="7-establish-anti-retaliation-protections"> 7. Establish anti-retaliation protections <a href="#7-establish-anti-retaliation-protections" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Articles 19, 20, 21</p> <p>Reporting persons, facilitators, and connected third parties must be protected from retaliation. The Directive defines retaliation broadly: dismissal, demotion, intimidation, blacklisting, and more. The burden of proof is reversed — if a reporter suffers a detriment after reporting, the employer must prove the detriment was unrelated to the report.</p> <p><strong>Practical tip:</strong> Document this protection in your whistleblower policy. Train managers on what constitutes retaliation. Track personnel actions involving anyone who has made a report, so you can demonstrate that decisions were made on legitimate grounds.</p> <hr> <h3 id="8-train-case-handlers"> 8. Train case handlers <a href="#8-train-case-handlers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(c–f) (implied)</p> <p>The Directive does not prescribe specific training, but case handlers must be competent to fulfill the obligations it creates: maintaining confidentiality, providing acknowledgment within seven days, conducting diligent follow-up, and providing feedback within three months.</p> <p><strong>Practical tip:</strong> At a minimum, train case handlers on: how to use the reporting channel, confidentiality obligations, investigation basics, anti-retaliation rules, and data protection. Document the training. Refresh annually.</p> <hr> <h3 id="9-inform-employees-about-the-reporting-channel"> 9. Inform employees about the reporting channel <a href="#9-inform-employees-about-the-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(g)</p> <p>You must provide clear and easily accessible information about how to use the internal reporting channel. You must also inform employees about their right to report externally to competent authorities.</p> <p><strong>Practical tip:</strong> Publish the information on your intranet, include it in onboarding materials, and display it in common areas. A QR code linking to the reporting portal is an effective way to make the channel discoverable.</p> <p><strong>How EthicsPortal helps:</strong> Generates a QR code and shareable link for your portal that you can print and distribute.</p> <hr> <h3 id="10-set-up-data-retention-and-deletion"> 10. Set up data retention and deletion <a href="#10-set-up-data-retention-and-deletion" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 17(1–3)</p> <p>Personal data in reports must not be kept longer than necessary. Data that is manifestly not relevant must be deleted promptly. Specific retention periods depend on your member state’s law, but the principle is: retain as long as needed for the investigation and any resulting proceedings, then delete.</p> <p><strong>Practical tip:</strong> Define a retention period in your policy. National laws vary — for example, <a href="/whistleblower-laws/france/">France</a> <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046357368" rel="nofollow">requires 5 years</a> , <a href="/whistleblower-laws/germany/">Germany</a> <a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">requires 3 years</a> (HinSchG §11), and <a href="/whistleblower-laws/italy/">Italy</a> <a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">requires 5 years</a> (D.Lgs. 24/2023). See our <a href="/blog/gdpr-and-whistleblower-reporting/">GDPR and whistleblower reporting guide</a> for a full comparison. Set calendar reminders to review and delete closed cases.</p> <hr> <h3 id="11-prepare-a-written-whistleblower-policy"> 11. Prepare a written whistleblower policy <a href="#11-prepare-a-written-whistleblower-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Articles 8, 9 (implied), plus most national transposition laws</p> <p>While the Directive does not explicitly mandate a standalone policy document, most national transposition laws do, and it is practically necessary to fulfill the information obligations in Article 9(1)(g).</p> <p><strong>Practical tip:</strong> Your policy should cover: scope, who can report, what can be reported, how to report, confidentiality, anti-retaliation, investigation process, feedback timelines, and data protection. See our <a href="/blog/whistleblower-policy-template/">free whistleblower policy template</a> for a ready-to-use document.</p> <hr> <h3 id="12-document-compliance-for-regulatory-review"> 12. Document compliance for regulatory review <a href="#12-document-compliance-for-regulatory-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 11(2) (external channels), national transposition laws (internal)</p> <p>Several member states require organizations to document that they have fulfilled their obligations and to make this documentation available to regulators on request.</p> <p><strong>Practical tip:</strong> Keep records of: when the reporting channel was established, who the designated case handlers are, training records, the whistleblower policy (with version history), and aggregate statistics on reports received and handled. Do not store individual case details longer than your retention period allows.</p> <hr> <h2 id="next-steps"> Next steps <a href="#next-steps" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you have checked every box above, your organization is compliant with the core requirements of the Directive and its national transposition. Compliance is not a one-time event — review your setup annually, retrain handlers, and update your policy as national law evolves. Check our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference for country-specific requirements that may go beyond the Directive’s baseline.</p> <p>Need a reporting channel? <a href="/">EthicsPortal</a> gives you a compliant, anonymous reporting portal in minutes — €49/month flat, no per-employee pricing, no sales calls. <a href="/">Get started today</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/eu-whistleblower-directive-2019-1937-adopted/Wed, 23 Oct 2019 00:00:00 +0000https://ethicsportal.eu/blog/eu-whistleblower-directive-2019-1937-adopted/The European Parliament and the Council formally adopt Directive (EU) 2019/1937, establishing EU-wide protection for persons who report breaches of Union law.<h1 id="eu-directive-20191937-on-whistleblower-protection-adopted"> EU Directive 2019/1937 on whistleblower protection adopted <a href="#eu-directive-20191937-on-whistleblower-protection-adopted" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>On 23 October 2019, the European Parliament and the Council formally adopted <a href="https://eur-lex.europa.eu/eli/dir/2019/1937/oj/eng" rel="nofollow">Directive (EU) 2019/1937</a> on the protection of persons who report breaches of Union law. The plenary vote passed with 591 votes in favour, 29 against, and 33 abstentions.</p> <p>The Directive requires every organization with 50 or more employees to establish secure internal reporting channels, protect reporters from retaliation, and provide feedback within three months. Member states had until 17 December 2021 to transpose it into national law.</p> <a href="https://multimedia.europarl.europa.eu/en/video/protecting-democracy-by-protecting-whistleblowers_N01-PUB-190408-BLOW" style="display: block; padding: 1.5rem; border: 1px solid #ddd; border-radius: 0.5rem; text-decoration: none; color: inherit; margin: 2rem 0;"> <strong>▶ Watch: Protecting democracy by protecting whistleblowers</strong><br> <span style="color: #666; font-size: 0.875rem;">European Parliament Multimedia Centre · 1:28</span> </a> <h2 id="what-the-directive-requires"> What the directive requires <a href="#what-the-directive-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Internal reporting channels</strong> (Art. 8) — secure, confidential channels accessible to all workers, including contractors and suppliers</li> <li><strong>7-day acknowledgment</strong> (Art. 9) — organizations must confirm receipt of a report within seven calendar days</li> <li><strong>3-month feedback deadline</strong> (Art. 9) — reporters must receive feedback on actions taken within three months</li> <li><strong>Anti-retaliation protection</strong> (Art. 19–21) — dismissal, demotion, intimidation, and other forms of retaliation are prohibited</li> <li><strong>Reversed burden of proof</strong> (Art. 21(5)) — once a reporter shows they made a report and suffered a detriment, the employer must prove the measure was unrelated</li> <li><strong>External and public reporting</strong> (Art. 10, 15) — reporters retain protection when reporting to competent authorities or, as a last resort, making public disclosures</li> </ul> <hr> <h2 id="plenary-debate"> Plenary debate <a href="#plenary-debate" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The European Parliament debated the directive during its plenary session in Strasbourg. Extracts from the debate are available on the European Parliament Multimedia Centre:</p> <p><a href="https://multimedia.europarl.europa.eu/en/video/protection-of-whistle-blowers-extracts-from-the-debate_I123987" rel="nofollow">Watch the plenary debate on whistleblower protection</a> </p> <hr> <h2 id="official-resources"> Official resources <a href="#official-resources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://eur-lex.europa.eu/eli/dir/2019/1937/oj/eng" rel="nofollow">Full text of Directive (EU) 2019/1937</a> — EUR-Lex</li> <li><a href="https://commission.europa.eu/aid-development-cooperation-fundamental-rights/your-fundamental-rights-eu/protection-whistleblowers_en" rel="nofollow">Protection for whistleblowers</a> — European Commission</li> <li><a href="https://www.europarl.europa.eu/news/en/press-room/20190410IPR37529/protecting-whistle-blowers-new-eu-wide-rules-approved" rel="nofollow">New EU-wide rules approved</a> — European Parliament press release</li> <li><a href="https://multimedia.europarl.europa.eu/en/topic/protection-of-whistleblowers-8th-parliamentary-term_9901" rel="nofollow">All whistleblower protection multimedia</a> — European Parliament Multimedia Centre</li> <li><a href="https://www.europarl.europa.eu/legislative-train/theme-area-of-justice-and-fundamental-rights/file-whistle-blower-protection-proposal" rel="nofollow">Legislative train schedule</a> — European Parliament</li> </ul>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/about/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/about/EthicsPortal is EU whistleblower compliance infrastructure, built in Europe, hosted in Germany, designed for Directive 2019/1937.<h1 id="the-reporting-channel-the-eu-directive-requires"> The reporting channel the EU Directive requires <a href="#the-reporting-channel-the-eu-directive-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Last updated: 2026-05-24.</p> <p>EU Directive 2019/1937 requires every organization with 50+ employees to operate a secure, confidential reporting channel. EthicsPortal is that channel.</p> <p>EthicsPortal is EU whistleblower compliance infrastructure for organizations that need a reporting channel they can deploy quickly and review properly.</p> <hr> <h2 id="what-we-provide"> What we provide <a href="#what-we-provide" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Anonymous and confidential reporting that meets every article of the Directive</li> <li>Encrypted data storage, hosted on Hetzner in Nuremberg, Germany</li> <li>Automatic tracking of 7-day acknowledgment and 3-month feedback deadlines</li> <li>Append-only audit trail for regulatory review</li> <li>Secure two-way communication between reporters and case handlers</li> <li>Multi-language support for cross-border organizations</li> <li>PDF case export for auditors and legal review</li> </ul> <hr> <h2 id="built-in-europe-for-europe"> Built in Europe, for Europe <a href="#built-in-europe-for-europe" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is operated from Poland, and core report data is hosted within the EU. Full <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> , <a href="/security/">security architecture</a> , <a href="/subprocessors/">subprocessor list</a> , <a href="/dpa/">data processing agreement</a> , and <a href="/trust/">trust</a> page are published and available for review.</p> <ul> <li>No third-party analytics or tracking cookies on the reporting portal</li> <li>Full data export anytime (PDF + CSV)</li> <li><a href="https://secure.ethicsportal.eu /up">Service status</a> </li> <li><a href="https://secure.ethicsportal.eu/p/BiPdmk" rel="nofollow">Internal reporting channel</a> for raising concerns about EthicsPortal under Directive 2019/1937</li> </ul> <hr> <h2 id="contact"> Contact <a href="#contact" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Email:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> . We typically respond within one business day.</p> <p><a href="https://secure.ethicsportal.eu /session/new" class="btn btn-primary btn-lg">Deploy your reporting channel →</a></p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/accessibility/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/accessibility/EthicsPortal's commitment to accessibility and conformance with EN 301 549 and WCAG 2.2 Level AA.<h1 id="accessibility-statement"> Accessibility statement <a href="#accessibility-statement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Last updated: 2026-05-24.</p> <p>EthicsPortal is committed to making its whistleblower reporting platform accessible to all users, in line with the <strong>European accessibility standard EN 301 549 V3.2.3</strong> and the <strong>Web Content Accessibility Guidelines (WCAG) 2.2 Level AA</strong>. EN 301 549 V3.2.1 remains the version cited by the harmonized standards list under the Web Accessibility Directive; we report against the newer V3.2.3 because it is the current published version of the standard and supersedes V3.2.1 in technical scope.</p> <p>This statement applies to:</p> <ul> <li>The EthicsPortal web application at <a href="https://secure.ethicsportal.eu" rel="nofollow">secure.ethicsportal.eu</a> </li> <li>Public whistleblower portals hosted under <code>*.ethicsportal.eu</code></li> <li>The marketing website at <a href="https://ethicsportal.eu">ethicsportal.eu</a> </li> </ul> <h2 id="conformance-status"> Conformance status <a href="#conformance-status" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is <strong>partially conformant</strong> with EN 301 549 V3.2.3 and WCAG 2.2 Level AA. “Partially conformant” means that some parts of the content do not yet fully conform to the accessibility standard. The non-conformances and available alternatives are listed below.</p> <p>A clause-by-clause self-assessment is published as the <a href="/en-301-549-conformance/">EN 301 549 conformance report</a> and can be supplied as a PDF on procurement request.</p> <h2 id="how-ethicsportal-supports-accessibility"> How EthicsPortal supports accessibility <a href="#how-ethicsportal-supports-accessibility" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The product is built and tested against the requirements:</p> <ul> <li><strong>Keyboard-only operation</strong> across the application and public reporting portal — every interactive element is reachable and operable without a mouse</li> <li><strong>Screen reader support</strong> verified with VoiceOver (macOS, Safari) and NVDA (Windows, Firefox)</li> <li><strong>Passwordless authentication</strong> by magic link or one-time code, with optional TOTP — removes the cognitive barrier of password memorization (WCAG 2.2 §3.3.8 Accessible Authentication)</li> <li><strong>Reduced-motion support</strong> — animations and transitions are disabled when the operating system requests it</li> <li><strong>Zoom and reflow</strong> — layouts reflow at 200 % browser zoom without horizontal scrolling, except for tables and code blocks</li> <li><strong>Pinch-to-zoom is enabled</strong> on every page</li> <li><strong>Touch targets</strong> of at least 24×24 CSS pixels, raised to 44×44 on coarse pointers where layout permits (WCAG 2.2 §2.5.8)</li> <li><strong>High-contrast text</strong> — body text uses near-black on white (≈21:1) on the light theme and the equivalent on the dark theme</li> <li><strong>Localised</strong> in eight active website locales (English, Bulgarian, French, Polish, German, Greek, Luxembourgish, and Romanian), with the language attribute set on every page</li> </ul> <h2 id="non-accessible-content"> Non-accessible content <a href="#non-accessible-content" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The following content is not fully accessible. We are working to address each item.</p> <h3 id="non-compliance-with-the-accessibility-standard"> Non-compliance with the accessibility standard <a href="#non-compliance-with-the-accessibility-standard" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <ul> <li><strong>Generated PDF documents</strong> — compliance reports, compliance certificates, whistleblower policy templates, privacy notices, posters, the case-handler manual and case exports are produced as untagged PDFs. They do not meet EN 301 549 §10.1 (tagged structure, reading order, alternative text). Users who need an accessible version of any document can request an HTML alternative by contacting <a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> — see <a href="#feedback">Feedback</a> below. We are migrating these documents to a tagged-PDF pipeline; HTML alternatives served from within the application are the planned interim solution.</li> <li><strong>Static error pages (HTTP 400, 404, 422, 500 and the unsupported-browser fallback)</strong> — these pages are served in English regardless of the user’s locale (EN 301 549 §9.3.1.1 / WCAG 3.1.1 Language of Page). They are encountered rarely; the same information is presented in the user’s language inside the application. The pages themselves use semantic HTML and meet the other §9 web requirements.</li> </ul> <h3 id="content-exempt-from-the-accessibility-requirements"> Content exempt from the accessibility requirements <a href="#content-exempt-from-the-accessibility-requirements" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <ul> <li>Third-party content embedded in the product — for example the Crisp live chat widget and Stripe-hosted payment pages — is not under EthicsPortal’s direct control. We have selected providers that publish accessibility documentation and review these choices each year.</li> <li>User-generated content uploaded by case handlers (notes, attached files) is not within the product’s direct authoring control. The handler UI prompts for descriptions and accessible alternatives where applicable, per EN 301 549 §11.8 / <a href="https://www.w3.org/TR/ATAG20/" rel="nofollow">ATAG 2.0</a> .</li> </ul> <h2 id="preparation-of-this-statement"> Preparation of this statement <a href="#preparation-of-this-statement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This statement was prepared on <strong>14 May 2026</strong> based on a self-assessment conducted by EthicsPortal against <strong>EN 301 549 V3.2.3</strong> and <strong>WCAG 2.2 Level AA</strong>. The assessment combined:</p> <ul> <li>Automated checks in CI via <code>axe-core-capybara</code> on the public whistleblower portal flows (home, report submission, lookup)</li> <li>Manual keyboard, VoiceOver, and 200 % zoom testing across the portal report submission flow, case-handler workflow, authentication, and account management</li> <li>Code review against the internal accessibility checklist documented in our engineering repository</li> </ul> <p>The statement will be reviewed at least quarterly and after any significant platform change.</p> <h2 id="feedback"> Feedback <a href="#feedback" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We welcome your feedback on the accessibility of EthicsPortal. If you encounter an accessibility barrier, cannot access content, or need information in an alternative format:</p> <ul> <li><strong>Email:</strong> <a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> </li> <li><strong>Also accepted:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> — please include “accessibility” in the subject line</li> <li>We aim to acknowledge accessibility requests within <strong>2 working days</strong> and provide an alternative format or substantive response within <strong>5 working days</strong></li> </ul> <h2 id="enforcement-procedure"> Enforcement procedure <a href="#enforcement-procedure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you are not satisfied with our response, you can refer the matter to the accessibility enforcement body in your country:</p> <ul> <li><strong>France:</strong> Défenseur des droits — <a href="https://www.defenseurdesdroits.fr" rel="nofollow">defenseurdesdroits.fr</a> </li> <li><strong>Poland:</strong> Minister właściwy do spraw informatyzacji — via <a href="https://www.gov.pl/" rel="nofollow">gov.pl</a> , with the Rzecznik Praw Obywatelskich as the secondary recourse for unresolved complaints</li> <li><strong>Germany:</strong> Überwachungsstelle des Bundes für Barrierefreiheit von Informationstechnik — <a href="https://www.bfit-bund.de/" rel="nofollow">bfit-bund.de</a> </li> <li><strong>Other EU Member States:</strong> see the list maintained by the European Commission at <a href="https://digital-strategy.ec.europa.eu/en/policies/web-accessibility" rel="nofollow">digital-strategy.ec.europa.eu</a> </li> </ul> <h2 id="standards-and-references"> Standards and references <a href="#standards-and-references" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This statement is prepared with reference to:</p> <ul> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016L2102" rel="nofollow">Directive (EU) 2016/2102</a> — accessibility of websites and mobile applications of public sector bodies</li> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L0882" rel="nofollow">Directive (EU) 2019/882</a> — European Accessibility Act</li> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018D1523" rel="nofollow">Implementing Decision (EU) 2018/1523</a> — model accessibility statement</li> <li><a href="https://www.etsi.org/deliver/etsi_en/301500_301599/301549/03.02.03_60/en_301549v030203p.pdf" rel="nofollow">EN 301 549 V3.2.3</a> — Accessibility requirements for ICT products and services (published version we report against)</li> <li><a href="https://www.etsi.org/deliver/etsi_en/301500_301599/301549/03.02.01_60/en_301549v030201p.pdf" rel="nofollow">EN 301 549 V3.2.1</a> — version listed in the harmonized standards under the Web Accessibility Directive</li> <li><a href="https://www.w3.org/TR/WCAG22/" rel="nofollow">WCAG 2.2 Level AA</a> </li> </ul>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/policies/business-continuity/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/policies/business-continuity/How EthicsPortal responds to outages, sub-processor failures, restore events, and operator incapacity. Activation triggers, decision authority, and customer-communication protocol.<h1 id="business-continuity-plan"> Business continuity plan <a href="#business-continuity-plan" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> 2026-05-21 <strong>Last reviewed:</strong> 2026-05-21 <strong>Next review:</strong> 2027-05-21 <strong>Owner:</strong> Yaroslav Shmarov, operator <strong>Version:</strong> 1.0</p> <p>This document states what EthicsPortal does when the Service, a sub-processor, or the operator themselves becomes unable to deliver the Service at the level customers depend on. It is the named plan referenced by the <a href="/policies/information-security/">Information security policy</a> §6 and by the <a href="/iso-27001/">ISO/IEC 27001:2022 Annex A control map</a> for controls A.5.29–A.5.30.</p> <p>The recovery <em>outcomes</em> this plan produces (recovery point objective, recovery time objective, monthly availability target) are stated in the <a href="/sla/">Service level agreement</a> . This page states the <em>process</em> that produces them.</p> <hr> <h2 id="1-scope-and-objectives"> 1. Scope and objectives <a href="#1-scope-and-objectives" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This plan covers continuity of the EthicsPortal Service in the event of:</p> <ul> <li>An infrastructure failure affecting the application host, database, file storage, or transactional email pipeline</li> <li>A sub-processor outage that degrades a covered surface (<a href="/subprocessors/">Subprocessors</a> )</li> <li>A security incident requiring a covered surface to be taken offline</li> <li>Operator incapacity, prolonged unavailability, or business cessation</li> </ul> <p>The continuity objectives, in order of priority, are:</p> <ol> <li>Preserve the confidentiality and integrity of personal data already in the system. The reporter portal will be taken offline rather than continue to operate in a degraded confidentiality state.</li> <li>Restore reporter access to existing cases (status, messaging, follow-up) so that protected reporting under EU Directive 2019/1937 is not silently interrupted.</li> <li>Restore handler and admin access to case management.</li> <li>Restore the marketing site and documentation surfaces.</li> </ol> <hr> <h2 id="2-recovery-objectives"> 2. Recovery objectives <a href="#2-recovery-objectives" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Objective</th> <th>Target</th> <th>Surface</th> </tr> </thead> <tbody> <tr> <td>Recovery point objective (RPO)</td> <td>24 hours</td> <td>Reporter portal, handler portal</td> </tr> <tr> <td>Recovery time objective (RTO)</td> <td>4 hours</td> <td>Reporter portal, handler portal</td> </tr> <tr> <td>Monthly availability target</td> <td>99.5%</td> <td>Reporter portal, handler portal</td> </tr> </tbody> </table> <p>Marketing and documentation surfaces are best-effort and are not covered by an availability target.</p> <p>Backup mechanism, storage location, retention, and restore-testing cadence are documented at <a href="/security/#backups-and-restore">Security#backups-and-restore</a> . The most recent restore drill date is published on the same page.</p> <hr> <h2 id="3-activation-triggers"> 3. Activation triggers <a href="#3-activation-triggers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The continuity process is activated when any of the following is observed:</p> <ul> <li>The reporter portal or handler portal is unreachable for more than 15 minutes, confirmed by external monitoring</li> <li>A sub-processor reports an outage that affects a covered surface</li> <li>A security incident is suspected or confirmed, including a credible report from external researchers</li> <li>A personal data breach is suspected (<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 4(12)</a> GDPR definition)</li> <li>The operator becomes unable to access production systems for any reason exceeding 4 hours</li> </ul> <p>Activation does not require a formal declaration — the trigger conditions automatically open the response process.</p> <hr> <h2 id="4-decision-authority"> 4. Decision authority <a href="#4-decision-authority" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The operator (Yaroslav Shmarov) is the sole decision authority for:</p> <ul> <li>Taking a covered surface offline</li> <li>Initiating a restore from backup</li> <li>Notifying affected controllers of a personal data breach under <a href="/dpa/">DPA §6.6</a> </li> <li>Creating an entry in the <a href="/incidents/">incident register</a> </li> <li>Engaging additional sub-processors or alternative infrastructure on an emergency basis</li> </ul> <p>Decisions are recorded in a written incident log retained for audit purposes.</p> <hr> <h2 id="5-customer-communication"> 5. Customer communication <a href="#5-customer-communication" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Event</th> <th>Channel</th> <th>Timing</th> </tr> </thead> <tbody> <tr> <td>Active outage on a covered surface</td> <td>Live status indicator at <a href="https://secure.ethicsportal.eu/up" rel="nofollow">secure.ethicsportal.eu/up</a> ; email to organization admins for material outages</td> <td>Within 60 minutes of detection</td> </tr> <tr> <td>Personal data breach</td> <td>Direct email to affected controllers</td> <td>Within 72 hours of awareness, per <a href="/dpa/">DPA §6.6</a> </td> </tr> <tr> <td>Material incident (post-containment)</td> <td>Preliminary entry in <a href="/incidents/">incident register</a> </td> <td>Within 7 days of containment</td> </tr> <tr> <td>Material incident (final disclosure)</td> <td>Final entry in <a href="/incidents/">incident register</a> </td> <td>Within 30 days of containment</td> </tr> <tr> <td>Planned maintenance</td> <td>Status page and (where it affects business hours) admin email</td> <td>At least 48 hours in advance</td> </tr> </tbody> </table> <p>Communications go to the organization-administrator contact on file. Controllers are responsible for keeping their administrator contact information current.</p> <hr> <h2 id="6-restore-procedure-summary"> 6. Restore procedure (summary) <a href="#6-restore-procedure-summary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>When a database or full-system restore is required:</p> <ol> <li>The operator declares the incident, takes the covered surface offline if not already down, and freezes write traffic.</li> <li>The most recent encrypted database dump is retrieved from Hetzner Object Storage (Nuremberg, EU; 7-day retention).</li> <li>The dump is restored into a fresh database instance and integrity-checked.</li> <li>The application host is rebuilt from a current Kamal deployment configuration; if the host itself is lost, a Hetzner server-level snapshot (7-day retention) is the fallback.</li> <li>The covered surfaces are brought back online incrementally, with the reporter portal restored before the handler portal where they are independently recoverable.</li> <li>The event is logged to the <a href="/incidents/">incident register</a> if it meets the register’s scope criteria.</li> </ol> <p>The full restore mechanism, storage locations, retention, and drill cadence are documented at <a href="/security/#backups-and-restore">Security#backups-and-restore</a> . A restore drill is executed into a disposable environment at least quarterly.</p> <hr> <h2 id="7-sub-processor-failure"> 7. Sub-processor failure <a href="#7-sub-processor-failure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Service depends on the sub-processors listed on the <a href="/subprocessors/">Subprocessors</a> page. Continuity posture for each:</p> <table> <thead> <tr> <th>Sub-processor</th> <th>Function</th> <th>Continuity response</th> </tr> </thead> <tbody> <tr> <td>Hetzner (DE)</td> <td>Application host, database, file storage</td> <td>Restore from off-host backup (database dump in Hetzner Object Storage; server-level snapshots). For prolonged Hetzner outage, the application is portable to another EU-based provider; cutover would be coordinated with affected controllers and disclosed in the <a href="/incidents/">incident register</a> .</td> </tr> <tr> <td>Mailjet (FR)</td> <td>Transactional email</td> <td>Handler notifications are delayed during a Mailjet outage; the in-app surface remains functional. No data is lost.</td> </tr> <tr> <td>Stripe (IE)</td> <td>Subscription billing</td> <td>Billing functions are interrupted; the Service itself continues to operate.</td> </tr> <tr> <td>Cloudflare (US)</td> <td>Marketing-site CDN</td> <td>Marketing site degrades to direct origin or is unreachable; reporter and handler portals are not affected (they do not load Cloudflare).</td> </tr> <tr> <td>AppSignal (NL)</td> <td>Error and performance monitoring</td> <td>Loss of telemetry; no customer-facing impact.</td> </tr> <tr> <td>Crisp (FR)</td> <td>Handler-portal chat</td> <td>Loss of in-app chat for handlers; not present on reporter portal, no reporter-side impact.</td> </tr> </tbody> </table> <p>Sub-processor outage affecting a covered surface counts against the <a href="/sla/">SLA</a> target.</p> <hr> <h2 id="8-operator-incapacity-protocol"> 8. Operator-incapacity protocol <a href="#8-operator-incapacity-protocol" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Current state.</strong> A formal operator-incapacity protocol — a named legal contact holding emergency credentials with authority to notify customers and execute a controlled wind-down — is <strong>in treatment</strong> (see <a href="/policies/risk-register/">Risk register R-01</a> ). This section states what is in place today, openly, so that controllers can assess the risk and plan accordingly.</p> <p><strong>What is in place today:</strong></p> <ul> <li><strong>Self-service data export.</strong> Every organization admin can produce a full PDF case export from within the Service for any case at any time. This does not require operator intervention and continues to function for as long as the Service is reachable. Self-service export is the primary continuity guarantee against operator unavailability.</li> <li><strong>Customer rights under the DPA.</strong> <a href="/dpa/">DPA §6.8</a> gives the controller the right to receive or delete all personal data on subscription termination. These rights are enforceable independent of the operator’s availability.</li> <li><strong>Cloud-hosted infrastructure on standard providers.</strong> The Service runs on Hetzner using Kamal deployment configuration that is portable to an alternative operator. A third party with access to the deployment configuration and customer authorization could, in principle, take over operation.</li> </ul> <p><strong>What is not yet in place:</strong></p> <ul> <li>A named legal contact or law firm holding emergency credentials and notification authority</li> <li>A pre-arranged escrow of deployment credentials with a third party</li> <li>A pre-arranged customer-notification mechanism that operates without the operator</li> </ul> <p><strong>Planned addition.</strong> A formal protocol with a named legal contact and pre-arranged customer-notification authority is on the operator’s roadmap. When in place, this section will be updated to name the contact, the trigger conditions, and the authority granted. The change will be reflected in this plan’s version number and effective date.</p> <p><strong>Controllers concerned about this gap</strong> are encouraged to:</p> <ul> <li>Take regular self-service exports of active cases for local archival</li> <li>Configure organization-admin contacts redundantly (more than one admin per organization)</li> <li>Raise the question during procurement review; bespoke arrangements may be available on enterprise terms</li> </ul> <p>This honest disclosure is itself a control: a controller that knows the limit can plan around it. A controller that assumes a protocol exists and discovers later that it does not is materially worse off.</p> <hr> <h2 id="9-plan-testing"> 9. Plan testing <a href="#9-plan-testing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Test</th> <th>Cadence</th> <th>Last performed</th> </tr> </thead> <tbody> <tr> <td>Database restore drill into disposable environment</td> <td>Quarterly</td> <td>See <a href="/security/#backups-and-restore">Security#backups-and-restore</a> </td> </tr> <tr> <td>Failover walk-through (paper exercise)</td> <td>Annual</td> <td>2026-05</td> </tr> <tr> <td>Sub-processor outage tabletop</td> <td>Annual</td> <td>2026-05</td> </tr> <tr> <td>Operator-incapacity tabletop</td> <td>Deferred pending formal protocol</td> <td>—</td> </tr> </tbody> </table> <p>Test results inform the <a href="/policies/risk-register/">risk register</a> and any required updates to this plan.</p> <hr> <h2 id="10-document-control"> 10. Document control <a href="#10-document-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Document title</td> <td>EthicsPortal Business Continuity Plan</td> </tr> <tr> <td>Version</td> <td>1.0</td> </tr> <tr> <td>Effective date</td> <td>2026-05-21</td> </tr> <tr> <td>Last reviewed</td> <td>2026-05-21</td> </tr> <tr> <td>Next scheduled review</td> <td>2027-05-21</td> </tr> <tr> <td>Review trigger (interim)</td> <td>Formalization of the operator-incapacity protocol, addition or change of a sub-processor that affects continuity, material restore-drill outcome, material change to the <a href="/policies/risk-register/">risk register</a> </td> </tr> <tr> <td>Owner</td> <td>Yaroslav Shmarov, operator</td> </tr> <tr> <td>Distribution</td> <td>Published on <a href="/policies/">ethicsportal.eu/policies/</a> </td> </tr> </tbody> </table> <p>Signed: Yaroslav Shmarov, on behalf of EthicsPortal — 2026-05-21.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/caiq/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/caiq/Pre-filled answers to common vendor-security-assessment questions, structured against the CSA CAIQ v4 domain taxonomy. EthicsPortal's positions on the questions procurement teams most often ask.<h1 id="caiq-aligned-vendor-security-questionnaire"> CAIQ-aligned vendor security questionnaire <a href="#caiq-aligned-vendor-security-questionnaire" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal publishes pre-filled answers to the questions procurement teams most often ask. The questionnaire is structured against the Cloud Security Alliance’s <a href="https://cloudsecurityalliance.org/research/cloud-controls-matrix/" rel="nofollow">CAIQ v4</a> domain taxonomy — the framework most EU enterprise procurement teams use — so an evaluator can map this page directly into their existing assessment template.</p> <p>This is a vendor-authored answer set, not an attestation by the CSA. The substance is what an external auditor would evaluate; the structure makes it easy to compare against vendors who have been audited.</p> <p>A downloadable CSV is published at <strong><a href="/caiq-ethicsportal.csv">caiq-ethicsportal.csv</a> </strong> for ingestion into procurement tools.</p> <p>Last updated: 2026-05-21.</p> <hr> <h2 id="how-to-read-this-page"> How to read this page <a href="#how-to-read-this-page" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>Question</td> <td>EthicsPortal’s restatement of the question in the CAIQ domain</td> </tr> <tr> <td>Answer</td> <td><strong>Yes</strong>, <strong>No</strong>, or <strong>N/A</strong>, with qualifiers where the substance is more useful than a binary — for example <strong>No (in treatment)</strong> when a control is on the operator’s roadmap, <strong>Yes (inherited)</strong> when a sub-processor’s certification carries the control, <strong>Yes (negative)</strong> when the affirmative answer to a “does the Service do X?” question is “no, by design”, or a specific value (24 hours, 99.5% monthly, Nuremberg) where one applies</td> </tr> <tr> <td>Evidence</td> <td>Link to the page or document that contains the substantive answer</td> </tr> </tbody> </table> <p>Where a question’s answer is operationally sensitive (privileged-access mechanics, incident-response escalation contacts, infrastructure detail beyond what is on <a href="/security/">/security/</a> ), the answer here is <strong>Available under NDA</strong> and is shared during procurement review. This mirrors the posture published on <a href="/trust/#available-during-procurement-review">/trust/</a> .</p> <hr> <h2 id="aa--audit--assurance"> A&A — Audit & Assurance <a href="#aa--audit--assurance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>A&A-01</td> <td>Are independent audit or assurance assessments performed on the Service?</td> <td>No (in treatment)</td> <td><a href="/iso-27001/">ISO 27001 self-assessment</a> is published. External audit and penetration test are planned post-revenue and disclosed openly on <a href="/trust/#certification-status">/trust/</a> </td> </tr> <tr> <td>A&A-02</td> <td>Are audit reports available to customers?</td> <td>No (in treatment)</td> <td>When an independent audit or pen test is on record, scope, date, and remediation summary will be published on <a href="/trust/#certification-status">/trust/</a> </td> </tr> <tr> <td>A&A-03</td> <td>Does the organization conduct internal information security reviews?</td> <td>Yes</td> <td><a href="/iso-27001/">ISO 27001 Annex A control map</a> maintained as the structured self-assessment; reviewed annually</td> </tr> <tr> <td>A&A-04</td> <td>Are compliance certifications listed publicly?</td> <td>Yes</td> <td>Certification status disclosed on <a href="/trust/#certification-status">/trust/</a> (none currently held; structured self-assessment in place)</td> </tr> </tbody> </table> <hr> <h2 id="ais--application--interface-security"> AIS — Application & Interface Security <a href="#ais--application--interface-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>AIS-01</td> <td>Is application security testing performed?</td> <td>Yes</td> <td>Brakeman, bundler-audit, importmap audit on every change (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>AIS-02</td> <td>Is input validation enforced on all external inputs?</td> <td>Yes</td> <td>Rails framework defaults (strong parameters, output escaping); application-level checks at every controller boundary (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>AIS-03</td> <td>Is encryption applied to sensitive data at rest?</td> <td>Yes</td> <td>Non-deterministic Rails ActiveRecord Encryption on report content, reporter identity, communications, and attachments (<a href="/security/#data-encryption">Security#data-encryption</a> )</td> </tr> <tr> <td>AIS-04</td> <td>Is encryption applied to data in transit?</td> <td>Yes</td> <td>HTTPS/TLS for all connections; unencrypted HTTP redirected (<a href="/security/#data-encryption">Security#data-encryption</a> )</td> </tr> <tr> <td>AIS-05</td> <td>Is the application protected against OWASP Top 10 risks?</td> <td>Yes</td> <td>Framework-level defenses (parameterized queries, CSRF, output escaping, strong parameters, encrypted attributes); static analysis (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> </tbody> </table> <hr> <h2 id="bcr--business-continuity--operational-resilience"> BCR — Business Continuity & Operational Resilience <a href="#bcr--business-continuity--operational-resilience" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>BCR-01</td> <td>Is a documented business continuity plan in place?</td> <td>Yes</td> <td><a href="/policies/business-continuity/">Business continuity plan</a> </td> </tr> <tr> <td>BCR-02</td> <td>Are backups encrypted?</td> <td>Yes</td> <td>Encrypted database dumps stored in Hetzner Object Storage; application-layer field encryption persists through the backup (<a href="/security/#backups-and-restore">Security#backups-and-restore</a> )</td> </tr> <tr> <td>BCR-03</td> <td>Are backup restores tested?</td> <td>Yes</td> <td>Quarterly restore drill into a disposable environment. Last drill date published on <a href="/security/#backups-and-restore">Security#backups-and-restore</a> </td> </tr> <tr> <td>BCR-04</td> <td>What is the recovery point objective (RPO)?</td> <td>24 hours</td> <td><a href="/sla/#recovery-objectives">SLA#recovery-objectives</a> </td> </tr> <tr> <td>BCR-05</td> <td>What is the recovery time objective (RTO)?</td> <td>4 hours</td> <td><a href="/sla/#recovery-objectives">SLA#recovery-objectives</a> </td> </tr> <tr> <td>BCR-06</td> <td>Is an availability target published?</td> <td>Yes</td> <td>99.5% monthly for covered surfaces (<a href="/sla/">SLA</a> )</td> </tr> <tr> <td>BCR-07</td> <td>Is geographic redundancy in place across providers?</td> <td>No</td> <td>Backups are stored separately from compute within Hetzner; cross-provider redundancy not in place. Trade-off stated in <a href="/policies/risk-register/">Risk register R-02</a> </td> </tr> </tbody> </table> <hr> <h2 id="ccc--change-control--configuration-management"> CCC — Change Control & Configuration Management <a href="#ccc--change-control--configuration-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>CCC-01</td> <td>Are changes managed through a documented process?</td> <td>Yes</td> <td><a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> — code review against security checklist plus CI-enforced static analysis before deploy</td> </tr> <tr> <td>CCC-02</td> <td>Is infrastructure managed as code?</td> <td>Yes</td> <td>Kamal deployment configuration version-controlled; no out-of-band production changes</td> </tr> <tr> <td>CCC-03</td> <td>Are production and non-production environments separated?</td> <td>Yes</td> <td>Production is isolated; non-production environments use synthetic fixtures only (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>CCC-04</td> <td>Is there a documented vulnerability response timeline?</td> <td>Yes</td> <td>Critical 7 days, high 30 days, medium 90 days (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> </tbody> </table> <hr> <h2 id="cek--cryptography-encryption--key-management"> CEK — Cryptography, Encryption & Key Management <a href="#cek--cryptography-encryption--key-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>CEK-01</td> <td>Is data at rest encrypted?</td> <td>Yes</td> <td>Non-deterministic Rails ActiveRecord Encryption on all sensitive fields (<a href="/security/#data-encryption">Security#data-encryption</a> )</td> </tr> <tr> <td>CEK-02</td> <td>Is data in transit encrypted?</td> <td>Yes</td> <td>HTTPS/TLS; HTTP redirected</td> </tr> <tr> <td>CEK-03</td> <td>Are customer-managed encryption keys (BYOK) supported?</td> <td>No</td> <td>Deliberate architectural choice; reporter–handler key boundary and end-to-end deletion guarantees require processor-managed keys (<a href="/dpa/">DPA §6.11</a> )</td> </tr> <tr> <td>CEK-04</td> <td>Are passwords stored using a one-way hash?</td> <td>Yes</td> <td>Reporter passcodes bcrypt-hashed and non-recoverable; handler/admin authentication via magic-link plus TOTP, no plaintext password storage</td> </tr> <tr> <td>CEK-05</td> <td>Is encryption key management documented?</td> <td>Yes</td> <td>Key management follows the established Rails ActiveRecord Encryption lifecycle; keys are processor-managed and isolated from sub-processors (<a href="/security/#data-encryption">Security#data-encryption</a> )</td> </tr> </tbody> </table> <hr> <h2 id="dcs--datacenter-security"> DCS — Datacenter Security <a href="#dcs--datacenter-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>DCS-01</td> <td>Where are data centers located?</td> <td>Nuremberg, Germany (EU)</td> <td><a href="/security/#infrastructure">Security#infrastructure</a> </td> </tr> <tr> <td>DCS-02</td> <td>Are data centers under recognized physical-security certification?</td> <td>Yes (inherited)</td> <td>Hetzner data centers under Hetzner’s certification scope (<a href="/iso-27001/#a7-physical-controls">ISO 27001 control map A.7</a> )</td> </tr> <tr> <td>DCS-03</td> <td>Is data residency limited to the EU/EEA?</td> <td>Yes (core data)</td> <td>Core application data, database, and file storage in Germany. One named non-EU sub-processor (Cloudflare, marketing-site CDN only) listed on <a href="/subprocessors/">Subprocessors</a> </td> </tr> </tbody> </table> <hr> <h2 id="dsp--data-security--privacy"> DSP — Data Security & Privacy <a href="#dsp--data-security--privacy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>DSP-01</td> <td>Is a Data Processing Agreement (DPA) available?</td> <td>Yes</td> <td><a href="/dpa/">DPA</a> ; signed countersigned copy on request to <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> </td> </tr> <tr> <td>DSP-02</td> <td>Is the Service GDPR-compliant?</td> <td>Yes</td> <td>Processor under GDPR Art. 28; full coverage on <a href="/directive-coverage/">/directive-coverage/</a> and <a href="/dpa/">/dpa/</a> </td> </tr> <tr> <td>DSP-03</td> <td>Are sub-processors publicly disclosed?</td> <td>Yes</td> <td><a href="/subprocessors/">Subprocessors</a> page lists each, with jurisdiction, purpose, and data categories</td> </tr> <tr> <td>DSP-04</td> <td>How long is personal data retained?</td> <td>Customer-configurable</td> <td>12, 24, 36, or 60 months after report closure, with automatic deletion (<a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> )</td> </tr> <tr> <td>DSP-05</td> <td>Is personal data deleted on customer request?</td> <td>Yes</td> <td>Within 30 days of subscription termination on written request (<a href="/dpa/">DPA §6.8</a> )</td> </tr> <tr> <td>DSP-06</td> <td>Is personal data minimization practiced?</td> <td>Yes</td> <td>Only essential fields are collected; reporter name and contact are optional. <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 5(1)(c)</a> GDPR (<a href="/directive-coverage/#7-gdpr-compliance">Coverage map §7</a> )</td> </tr> <tr> <td>DSP-07</td> <td>Is PII transmitted to any third party for processing?</td> <td>Only to disclosed sub-processors</td> <td><a href="/subprocessors/">Subprocessors</a> lists every recipient with the data category. No LLM or AI service is a sub-processor (<a href="/dpa/">DPA §6.10</a> )</td> </tr> <tr> <td>DSP-08</td> <td>Are data subjects’ rights supported?</td> <td>Yes</td> <td>Access, rectification, erasure, restriction, portability, objection (<a href="/dpa/">DPA §6.5</a> )</td> </tr> </tbody> </table> <hr> <h2 id="grc--governance-risk--compliance"> GRC — Governance, Risk & Compliance <a href="#grc--governance-risk--compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>GRC-01</td> <td>Is there a published information security policy?</td> <td>Yes</td> <td><a href="/policies/information-security/">Information security policy</a> </td> </tr> <tr> <td>GRC-02</td> <td>Is there a documented risk register?</td> <td>Yes</td> <td><a href="/policies/risk-register/">Risk register</a> </td> </tr> <tr> <td>GRC-03</td> <td>Is risk assessed periodically?</td> <td>Yes</td> <td>Annually and on material change (<a href="/policies/risk-register/">Risk register §Review-cadence</a> )</td> </tr> <tr> <td>GRC-04</td> <td>Who owns information security at the organization?</td> <td>Operator (named individual)</td> <td><a href="/policies/information-security/">IS policy §4</a> , <a href="/trust/#contracting-party">Trust#contracting-party</a> </td> </tr> <tr> <td>GRC-05</td> <td>Is regulatory compliance tracked?</td> <td>Yes</td> <td>GDPR, Directive 2019/1937, EAA / EN 301 549 (<a href="/directive-coverage/">Directive coverage map</a> , <a href="/directive-interpretations/">Directive interpretations</a> , <a href="/accessibility/">Accessibility</a> )</td> </tr> </tbody> </table> <hr> <h2 id="hrs--human-resources-security"> HRS — Human Resources Security <a href="#hrs--human-resources-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal has no employees or contractors. Personnel controls below are answered <strong>N/A</strong> with the compensating arrangements — privileged-access summary available during procurement review, operator self-directed security awareness via subscribed feeds — documented on <a href="/trust/#continuity-and-personnel">/trust/</a> and in <a href="/iso-27001/#a6-people-controls">ISO 27001 control map A.6</a> .</p> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>HRS-01</td> <td>Are background checks performed on personnel with access to customer data?</td> <td>N/A</td> <td>No employees. Operator screening is verifiable through published registry information (<a href="/trust/#contracting-party">Trust#contracting-party</a> )</td> </tr> <tr> <td>HRS-02</td> <td>Is security awareness training provided to personnel?</td> <td>N/A</td> <td>No employees. Operator self-directed via Rails security mailing list, CVE feeds, advisory subscriptions</td> </tr> <tr> <td>HRS-03</td> <td>Are confidentiality agreements in place for personnel?</td> <td>N/A</td> <td>No employees. Customer-side confidentiality is in <a href="/dpa/">DPA §6.2</a> </td> </tr> <tr> <td>HRS-04</td> <td>Is there a documented offboarding procedure for personnel with system access?</td> <td>N/A</td> <td>No employees. Customer offboarding is governed by <a href="/dpa/">DPA §6.8</a> </td> </tr> </tbody> </table> <hr> <h2 id="iam--identity--access-management"> IAM — Identity & Access Management <a href="#iam--identity--access-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>IAM-01</td> <td>Is multi-factor authentication available for customer accounts?</td> <td>Yes</td> <td>TOTP-based 2FA for handler/admin accounts; reporter accounts use Case ID + bcrypt passcode (two-factor by construction) (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> <tr> <td>IAM-02</td> <td>Is multi-factor authentication enforced on operator accounts with production access?</td> <td>Yes</td> <td>Hardware-key 2FA on all operator accounts with production access (<a href="/iso-27001/#a8-technological-controls">ISO 27001 A.8.2</a> )</td> </tr> <tr> <td>IAM-03</td> <td>Is role-based access control enforced?</td> <td>Yes</td> <td>Pundit policies enforced at every controller action; least-privilege defaults (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> <tr> <td>IAM-04</td> <td>Are access rights reviewed periodically?</td> <td>Yes</td> <td>Member-deactivation lifecycle and audit-log review (<a href="/security/#member-access-and-offboarding">Security#member-access-and-offboarding</a> )</td> </tr> <tr> <td>IAM-05</td> <td>Is session management documented?</td> <td>Yes</td> <td>14-day idle timeout; nightly sweep; per-session revocation (<a href="/security/#session-lifecycle">Security#session-lifecycle</a> )</td> </tr> <tr> <td>IAM-06</td> <td>Are passwords stored in plaintext?</td> <td>No</td> <td>Bcrypt for reporter passcodes; magic-link primary for handlers (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> </tbody> </table> <hr> <h2 id="ipy--interoperability--portability"> IPY — Interoperability & Portability <a href="#ipy--interoperability--portability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>IPY-01</td> <td>Can customers export their data?</td> <td>Yes</td> <td>Self-service PDF case export in-product; machine-readable bulk export on request during exit (<a href="/dpa/">DPA §6.8</a> )</td> </tr> <tr> <td>IPY-02</td> <td>Are open data formats used for export?</td> <td>Yes</td> <td>PDF for case exports; machine-readable formats for bulk export under <a href="/dpa/">DPA §6.8</a> </td> </tr> <tr> <td>IPY-03</td> <td>Is API access available for portability?</td> <td>No</td> <td>Self-service PDF and bulk export are the documented portability surfaces</td> </tr> </tbody> </table> <hr> <h2 id="ivs--infrastructure--virtualization-security"> IVS — Infrastructure & Virtualization Security <a href="#ivs--infrastructure--virtualization-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>IVS-01</td> <td>Is the Service multi-tenant?</td> <td>Yes</td> <td>Multi-tenant at the application layer; isolation enforced by Pundit policies and per-organization scoping at every controller action (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> <tr> <td>IVS-02</td> <td>Is network segmentation in place?</td> <td>Yes</td> <td>Production isolated from operator workstation by network boundary; non-production environments hold no production personal data (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>IVS-03</td> <td>Is malware protection in place for uploaded content?</td> <td>Yes</td> <td>ClamAV virus scanning on all uploads before delivery (<a href="/security/#virus-scanning">Security#virus-scanning</a> )</td> </tr> </tbody> </table> <hr> <h2 id="log--logging-and-monitoring"> LOG — Logging and Monitoring <a href="#log--logging-and-monitoring" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>LOG-01</td> <td>Are user actions logged?</td> <td>Yes</td> <td>Append-only audit trail with timestamp, actor, and action type (<a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> )</td> </tr> <tr> <td>LOG-02</td> <td>Are logs tamper-evident?</td> <td>Yes</td> <td>Append-only; cannot be edited or deleted by any user, including organization admins</td> </tr> <tr> <td>LOG-03</td> <td>How long are audit logs retained?</td> <td>Customer-configurable</td> <td>Matches case retention (12/24/36/60 months); included in PDF case exports for regulatory review</td> </tr> <tr> <td>LOG-04</td> <td>Is application monitoring in place?</td> <td>Yes (handler portal)</td> <td>AppSignal on the handler portal; deliberately not present on the reporter portal to preserve reporter anonymity (<a href="/subprocessors/">Subprocessors</a> )</td> </tr> <tr> <td>LOG-05</td> <td>Are clocks synchronized?</td> <td>Yes</td> <td>NTP via host OS; all timestamps recorded in UTC</td> </tr> </tbody> </table> <hr> <h2 id="sef--security-incident-management"> SEF — Security Incident Management <a href="#sef--security-incident-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>SEF-01</td> <td>Is a documented incident response plan in place?</td> <td>Yes</td> <td><a href="/policies/business-continuity/">Business continuity plan §3–5</a> and the <a href="/incidents/">Incident register</a> disclosure timeline</td> </tr> <tr> <td>SEF-02</td> <td>Are customers notified of personal data breaches?</td> <td>Yes</td> <td>Without undue delay, in any case within 72 hours of awareness (<a href="/dpa/">DPA §6.6</a> )</td> </tr> <tr> <td>SEF-03</td> <td>Is a public incident register maintained?</td> <td>Yes</td> <td><a href="/incidents/">Incident register</a> </td> </tr> <tr> <td>SEF-04</td> <td>What is the timeline for incident disclosure?</td> <td>Tiered</td> <td>Customers: 72h of awareness; preliminary register entry: 7d post-containment; final entry: 30d post-containment (<a href="/incidents/">Incident register</a> )</td> </tr> <tr> <td>SEF-05</td> <td>Is there a responsible-disclosure inbox?</td> <td>Yes</td> <td><a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> (<a href="/security/#responsible-disclosure">Security#responsible-disclosure</a> )</td> </tr> </tbody> </table> <hr> <h2 id="sta--supply-chain-management-transparency--accountability"> STA — Supply Chain Management, Transparency & Accountability <a href="#sta--supply-chain-management-transparency--accountability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>STA-01</td> <td>Is a sub-processor list published?</td> <td>Yes</td> <td><a href="/subprocessors/">Subprocessors</a> with per-row data category, jurisdiction, purpose</td> </tr> <tr> <td>STA-02</td> <td>Are customers notified before sub-processors are added or replaced?</td> <td>Yes</td> <td>At least 30 days advance notice (<a href="/dpa/">DPA §6.4</a> )</td> </tr> <tr> <td>STA-03</td> <td>Can customers object to a sub-processor change?</td> <td>Yes</td> <td>Right to terminate if no resolution is reached (<a href="/dpa/">DPA §6.4</a> )</td> </tr> <tr> <td>STA-04</td> <td>Are sub-processors bound by data-protection agreements?</td> <td>Yes</td> <td>Written DPA in place with each sub-processor under GDPR Art. 28</td> </tr> <tr> <td>STA-05</td> <td>Is AI or LLM processing of customer data disclosed?</td> <td>Yes (negative)</td> <td>No LLM, generative-AI, or AI-classifier service is engaged as a sub-processor or used to process report content (<a href="/dpa/">DPA §6.10</a> , <a href="/directive-coverage/#5-confidentiality-of-identity-art-16">Coverage map §5</a> )</td> </tr> <tr> <td>STA-06</td> <td>Are international data transfers documented?</td> <td>Yes</td> <td>Standard Contractual Clauses + safeguards for the single named non-EU sub-processor (<a href="/subprocessors/">Subprocessors</a> , <a href="/dpa/">DPA §7</a> )</td> </tr> </tbody> </table> <hr> <h2 id="tvm--threat--vulnerability-management"> TVM — Threat & Vulnerability Management <a href="#tvm--threat--vulnerability-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>TVM-01</td> <td>Are dependencies scanned for vulnerabilities?</td> <td>Yes</td> <td>Brakeman (Rails), bundler-audit (Ruby), importmap audit (JavaScript) on every change (<a href="/security/#dependency-and-patch-management">Security#dependency-and-patch-management</a> )</td> </tr> <tr> <td>TVM-02</td> <td>Is a vulnerability disclosure program in place?</td> <td>Yes</td> <td><a href="/security/#responsible-disclosure">Responsible disclosure</a> with documented acknowledgement and remediation SLAs</td> </tr> <tr> <td>TVM-03</td> <td>What is the remediation SLA for vulnerabilities?</td> <td>Tiered</td> <td>Critical 7 days, high 30 days, medium 90 days (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>TVM-04</td> <td>Are penetration tests performed?</td> <td>No (in treatment)</td> <td>None currently on record; planned post-revenue (<a href="/trust/#certification-status">Trust#certification-status</a> , <a href="/iso-27001/#a5-organizational-controls">ISO 27001 A.5.35</a> )</td> </tr> </tbody> </table> <hr> <h2 id="uem--universal-endpoint-management"> UEM — Universal Endpoint Management <a href="#uem--universal-endpoint-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>ID</th> <th>Question</th> <th>Answer</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>UEM-01</td> <td>Are operator endpoints hardened?</td> <td>Yes</td> <td>Operator workstation: full-disk encryption, screen-lock, OS auto-update, hardware-key 2FA on production-access accounts (<a href="/iso-27001/#a8-technological-controls">ISO 27001 A.8.1</a> )</td> </tr> <tr> <td>UEM-02</td> <td>Are mobile devices used for production access?</td> <td>No</td> <td>Production access is restricted to the operator’s primary workstation</td> </tr> <tr> <td>UEM-03</td> <td>Is a clear-desk and clear-screen policy in place?</td> <td>Self-assessed</td> <td>Operator workstation has automatic screen-lock; clear-desk practice for any printed materials (<a href="/iso-27001/#a7-physical-controls">ISO 27001 A.7.7</a> )</td> </tr> </tbody> </table> <hr> <h2 id="available-under-nda-during-procurement-review"> Available under NDA during procurement review <a href="#available-under-nda-during-procurement-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The following operational topics are not in this public questionnaire because they contain infrastructure and response detail that is more appropriate for controlled disclosure. They are shared on request during procurement review:</p> <ul> <li>Privileged production-access mechanics (specific accounts, hardware-key type, escalation paths)</li> <li>Incident-response escalation contacts and on-call rotation</li> <li>Business-continuity contact tree</li> <li>Internal vulnerability-response tracker contents</li> <li>Restore-drill artefacts and timing detail beyond the date</li> </ul> <p>To request these materials, contact <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> .</p> <hr> <h2 id="document-control"> Document control <a href="#document-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Document title</td> <td>EthicsPortal CAIQ-aligned vendor security questionnaire</td> </tr> <tr> <td>Structure</td> <td>CSA CAIQ v4 domain taxonomy (Audit & Assurance through Universal Endpoint Management)</td> </tr> <tr> <td>Version</td> <td>1.0</td> </tr> <tr> <td>Effective date</td> <td>2026-05-21</td> </tr> <tr> <td>Last reviewed</td> <td>2026-05-21</td> </tr> <tr> <td>Next scheduled review</td> <td>2027-05-21</td> </tr> <tr> <td>Owner</td> <td>Yaroslav Shmarov, operator</td> </tr> <tr> <td>Machine-readable copy</td> <td><a href="/caiq-ethicsportal.csv">caiq-ethicsportal.csv</a> </td> </tr> </tbody> </table>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/contact/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/contact/Contact the EthicsPortal team for questions about EU whistleblower compliance.<h1 id="contact"> Contact <a href="#contact" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Questions about EthicsPortal or EU whistleblower compliance? Email us directly.</p> <hr> <p><strong>General:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> <strong>Privacy / GDPR rights:</strong> <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> <strong>Data Protection Officer:</strong> <a href="mailto:dpo@ethicsportal.eu">dpo@ethicsportal.eu</a> <strong>Security disclosures:</strong> <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> <strong>Legal / DPA:</strong> <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> <strong>Accessibility:</strong> <a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> </p> <p>We typically respond within one business day.</p> <hr> <h2 id="common-questions"> Common questions <a href="#common-questions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>“How much does it cost?”</strong> €49/month. Everything included. See <a href="/pricing/">pricing</a> .</p> <p><strong>“Can I try it first?”</strong> Yes. Sign up at <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">ethicsportal.eu</a> and explore the platform immediately.</p> <p><strong>“Is it compliant with EU Directive 2019/1937?”</strong> Yes. See our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> for an article-by-article breakdown.</p> <p><strong>“Where is my data stored?”</strong> Core whistleblower report data is hosted on Hetzner infrastructure in Nuremberg, Germany. The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. See our <a href="/dpa/">DPA</a> and <a href="/subprocessors/">subprocessors</a> pages.</p> <p><strong>“Do you offer a DPA?”</strong> Yes. See our <a href="/dpa/">Data Processing Agreement</a> or email for a countersigned PDF.</p> <p><strong>“Who is the contracting party?”</strong> See our <a href="/trust/">trust</a> page for contracting-party and procurement details.</p> <p><strong>“Can you support procurement review?”</strong> Yes. Signed DPA, registry evidence, and additional procurement-review materials are available on request. See <a href="/trust/">trust</a> .</p> <hr> <p><strong>LinkedIn:</strong> <a href="https://www.linkedin.com/company/ethicsportal" rel="nofollow">linkedin.com/company/ethicsportal</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/dpa/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/dpa/GDPR Article 28 Data Processing Agreement for EthicsPortal customers. Covers scope, security measures, sub-processors, and international transfers.<h1 id="data-processing-agreement"> Data Processing Agreement <a href="#data-processing-agreement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> April 22, 2026</p> <p>This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and EthicsPortal (“Processor”) for the provision of the EthicsPortal whistleblower reporting platform (“Service”).</p> <blockquote> <p><strong>Need a signed copy?</strong> Contact <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> to request a countersigned PDF version of this DPA for your records.</p> </blockquote> <hr> <h2 id="1-parties"> 1. Parties <a href="#1-parties" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Controller:</strong> The organization that subscribes to EthicsPortal and determines the purposes and means of processing personal data through the Service.</p> <p><strong>Processor:</strong> EthicsPortal, operated by Yaroslav Shmarov, registered at ul. Obrzeżna 1A, 02-691 Warsaw, Poland. Contact: <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> .</p> <hr> <h2 id="2-scope-and-purpose-of-processing"> 2. Scope and purpose of processing <a href="#2-scope-and-purpose-of-processing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Processor processes personal data on behalf of the Controller solely to provide the Service, which includes:</p> <ul> <li>Receiving and storing whistleblower reports</li> <li>Enabling secure communication between reporters and case handlers</li> <li>Managing case workflows (assignment, status tracking, resolution)</li> <li>Generating audit logs and compliance records</li> <li>Sending transactional email notifications to case handlers and organization administrators</li> <li>Processing payments for the Service</li> </ul> <p>The Processor does not process personal data for any purpose other than providing the Service as instructed by the Controller.</p> <hr> <h2 id="3-types-of-personal-data-processed"> 3. Types of personal data processed <a href="#3-types-of-personal-data-processed" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Data category</th> <th>Examples</th> <th>Encrypted at rest</th> </tr> </thead> <tbody> <tr> <td>Reporter identity (optional)</td> <td>Name, email address, phone number</td> <td>Yes (non-deterministic)</td> </tr> <tr> <td>Report content</td> <td>Description of the reported concern</td> <td>Yes (non-deterministic)</td> </tr> <tr> <td>Communication content</td> <td>Messages between reporter and case handler</td> <td>Yes (non-deterministic)</td> </tr> <tr> <td>File attachments</td> <td>Documents, images, audio, video uploaded by reporters</td> <td>Stored with metadata stripped</td> </tr> <tr> <td>Access codes</td> <td>Unique codes used by reporters to access their reports</td> <td>Yes</td> </tr> <tr> <td>Handler and admin data</td> <td>Name, email address, role, organization membership</td> <td>No (operational data)</td> </tr> <tr> <td>Audit log entries</td> <td>Timestamps, actor identity, action type</td> <td>No (integrity-critical records)</td> </tr> <tr> <td>Technical data</td> <td>One-way hashed IP addresses (not reversible) for rate limiting only</td> <td>Not applicable (hash, not personal data)</td> </tr> </tbody> </table> <hr> <h2 id="4-categories-of-data-subjects"> 4. Categories of data subjects <a href="#4-categories-of-data-subjects" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Whistleblowers / reporters</strong> — individuals who submit reports through the portal (may be anonymous)</li> <li><strong>Case handlers</strong> — individuals designated by the Controller to receive and manage reports</li> <li><strong>Organization administrators</strong> — individuals who manage the Controller’s EthicsPortal account and settings</li> </ul> <hr> <h2 id="5-duration-of-processing"> 5. Duration of processing <a href="#5-duration-of-processing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Processor processes personal data for the duration of the Controller’s subscription to the Service. Upon termination:</p> <ul> <li>The Controller may export their data before the subscription ends.</li> <li>Report data is retained according to the Controller’s configured retention period (12, 24, 36, or 60 months after report closure) and then permanently deleted.</li> <li>Upon written request, the Processor will delete all remaining Controller data within 30 days of subscription termination, unless retention is required by applicable law.</li> </ul> <hr> <h2 id="6-obligations-of-the-processor"> 6. Obligations of the Processor <a href="#6-obligations-of-the-processor" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="61-processing-instructions"> 6.1 Processing instructions <a href="#61-processing-instructions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor processes personal data only on documented instructions from the Controller, unless required to do so by EU or member state law. If such a legal requirement arises, the Processor will inform the Controller before processing, unless the law prohibits such notification.</p> <h3 id="62-confidentiality"> 6.2 Confidentiality <a href="#62-confidentiality" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.</p> <h3 id="63-security-measures"> 6.3 Security measures <a href="#63-security-measures" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor implements and maintains the technical and organizational measures described on the <a href="/security/">Security</a> page, including:</p> <ul> <li>Non-deterministic encryption at rest for all sensitive report data</li> <li>No storage of raw reporter IP addresses in the database (one-way hashing for rate limiting only)</li> <li>Automatic file metadata stripping (EXIF, GPS, author data)</li> <li>Role-based access control with Pundit authorization policies</li> <li>Append-only audit trail for all actions</li> <li>Rate limiting on all public portal endpoints</li> <li>HTTPS/TLS for all connections</li> <li>CSRF protection</li> </ul> <p>Security vulnerabilities and incident reports may be sent to <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> . Data subject and DPO-style inquiries may be sent to <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> or <a href="mailto:dpo@ethicsportal.eu">dpo@ethicsportal.eu</a> .</p> <h3 id="64-sub-processors"> 6.4 Sub-processors <a href="#64-sub-processors" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor uses the sub-processors listed in Section 8. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to the change; if no resolution is reached, the Controller may terminate the agreement.</p> <h3 id="65-data-subject-rights"> 6.5 Data subject rights <a href="#65-data-subject-rights" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor assists the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection) by providing the necessary technical capabilities within the Service.</p> <h3 id="66-data-breach-notification"> 6.6 Data breach notification <a href="#66-data-breach-notification" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case <strong>within 72 hours</strong> of becoming aware of the breach. The notification will include:</p> <ul> <li>A description of the nature of the breach</li> <li>The categories and approximate number of data subjects affected</li> <li>The likely consequences of the breach</li> <li>The measures taken or proposed to address the breach</li> </ul> <h3 id="67-data-protection-impact-assessments"> 6.7 Data Protection Impact Assessments <a href="#67-data-protection-impact-assessments" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor assists the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities, to the extent that the Processor’s processing activities require such assistance.</p> <h3 id="68-deletion-and-return-of-data"> 6.8 Deletion and return of data <a href="#68-deletion-and-return-of-data" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Upon termination of the Service, the Processor will, at the Controller’s choice:</p> <ul> <li>Return all personal data to the Controller in the export formats made available by the Service at the time of termination, including PDF case exports and associated attachments, or</li> <li>Delete all personal data and confirm deletion in writing</li> </ul> <p>unless EU or member state law requires continued storage.</p> <p>If the Controller reasonably requires an additional portability format for migration or regulatory review, the Processor will assess the request in good faith and, where technically feasible, provide it under a separate written request.</p> <h3 id="69-audit-rights"> 6.9 Audit rights <a href="#69-audit-rights" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor makes available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations. The Controller may conduct audits, including inspections, either directly or through a mandated auditor, subject to reasonable advance notice (at least 30 days) and during normal business hours. The Processor will cooperate with such audits.</p> <h3 id="610-no-ai-or-llm-processing-of-report-content"> 6.10 No AI or LLM processing of report content <a href="#610-no-ai-or-llm-processing-of-report-content" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Processor commits that personal data processed under this DPA — including report content, reporter identity, handler messages, file attachments, and audit log entries — is <strong>not transmitted to any large language model, generative AI service, or AI-based classifier</strong>, whether operated by the Processor or by a third party (including but not limited to OpenAI, Anthropic, Google, and Mistral). The Service does not perform AI-driven categorisation, triage, summarisation, translation, or suggested replies on personal data. The Controller may rely on this commitment when assessing automated decision-making obligations under <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 22</a> GDPR and when scoping sub-processor disclosure in its own privacy notices and Data Protection Impact Assessments. Any change to this commitment would be a material change to the Service and would be notified to the Controller under Section 6.4 (Sub-processors) and Section 11 (Term and termination).</p> <p>Self-hosted statistical machine translation that runs entirely on Processor-controlled infrastructure (no data leaves Processor infrastructure, no external inference call) is not within the scope of this restriction and may be used to translate reporter or handler messages where the Controller has enabled it.</p> <p>This commitment is reviewed annually. The “Last updated” date at the top of this DPA reflects the most recent affirmation. If the Processor at any point intends to introduce AI or LLM processing of personal data covered by this DPA, the Processor will notify the Controller in accordance with Section 6.4 and the change will take effect no earlier than the notice period stated there.</p> <h3 id="611-customer-managed-encryption-keys-byok"> 6.11 Customer-managed encryption keys (BYOK) <a href="#611-customer-managed-encryption-keys-byok" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Service does not support customer-managed encryption keys — whether described as bring-your-own-key (BYOK), hold-your-own-key (HYOK), or external key management service (KMS) integration. This is a deliberate architectural choice, not an operational limitation, and is grounded in two confidentiality and lifecycle guarantees the Processor makes elsewhere in this DPA:</p> <ul> <li><strong>Reporter–handler key boundary.</strong> Personal data covered by this DPA is encrypted at rest under Processor-managed keys held inside the Service. The encryption boundary that protects reporter identity and report content from external parties is the same boundary that protects it from the Controller’s own IT administrators. Routing key custody to the Controller would relocate that boundary into the Controller’s environment, where Controller-side administrators would, in principle, become capable of decrypting reporter identity — inverting the confidentiality model required by <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 16</a> of Directive 2019/1937.</li> <li><strong>End-to-end deletion guarantee.</strong> Retention-based deletion (<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 5(1)(e)</a> GDPR) and contractual deletion on termination (Section 6.8 above) rely on the Processor’s ability to cryptographically and physically destroy keyed data independently of the Controller. A Controller-held key would create a class of failure where the Processor cannot, on its own, guarantee complete deletion within the contractual window.</li> </ul> <p>The Processor’s encryption-at-rest scheme, non-deterministic encryption properties, and key isolation are documented on the <a href="/security/#data-encryption">Security</a> page. A change to this position would be a material change to the Service and would be notified to the Controller under Section 6.4 (Sub-processors) and Section 11 (Term and termination).</p> <hr> <h2 id="7-obligations-of-the-controller"> 7. Obligations of the Controller <a href="#7-obligations-of-the-controller" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Controller is responsible for:</p> <ul> <li>Ensuring a lawful basis for processing personal data through the Service</li> <li>Providing required privacy notices to data subjects (EthicsPortal displays a privacy notice on the portal submission form)</li> <li>Configuring appropriate data retention periods within the Service</li> <li>Designating authorized handlers and administrators</li> <li>Responding to data subject requests, with assistance from the Processor as described above</li> </ul> <hr> <h2 id="8-sub-processors"> 8. Sub-processors <a href="#8-sub-processors" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The following sub-processors are authorized as of the effective date of this DPA:</p> <table> <thead> <tr> <th>Sub-processor</th> <th>Purpose</th> <th>Location</th> <th>Safeguards</th> </tr> </thead> <tbody> <tr> <td><a href="https://www.hetzner.com" rel="nofollow">Hetzner Online GmbH</a> </td> <td>Application hosting, database, and file attachment storage</td> <td>Nuremberg, Germany (EU)</td> <td>Data processed entirely within EU</td> </tr> <tr> <td><a href="https://stripe.com" rel="nofollow">Stripe Payments Europe, Ltd</a> </td> <td>Payment processing</td> <td>Ireland (EU)</td> <td>No payment credentials stored by Processor; Stripe is PCI DSS Level 1 certified</td> </tr> <tr> <td><a href="https://www.mailjet.com" rel="nofollow">Mailjet (Sinch)</a> </td> <td>Transactional email delivery</td> <td>France (EU)</td> <td>Data processed entirely within EU</td> </tr> <tr> <td><a href="https://www.cloudflare.com" rel="nofollow">Cloudflare, Inc.</a> </td> <td>CDN and edge delivery for the marketing website</td> <td>United States</td> <td>Transfers, where personal data is involved, rely on Standard Contractual Clauses and supplementary safeguards</td> </tr> <tr> <td><a href="https://www.appsignal.com" rel="nofollow">AppSignal B.V.</a> </td> <td>Error monitoring and application performance monitoring for admin and handler interfaces</td> <td>Netherlands (EU)</td> <td>Data processed entirely within EU; reporter IP addresses are never logged</td> </tr> <tr> <td><a href="https://crisp.chat" rel="nofollow">Crisp IM SARL</a> </td> <td>In-app handler chat and identity verification support</td> <td>France (EU)</td> <td>Loaded only in the handler portal; not loaded on the marketing site or reporter-facing pages</td> </tr> </tbody> </table> <p>Marketing analytics (Cloudflare Web Analytics) are cookie-free and do not process personal data.</p> <p><strong>No AI or LLM sub-processor.</strong> No large language model, generative AI service, or AI-based classifier is a sub-processor of the Processor. Personal data processed under this DPA is not transmitted to OpenAI, Anthropic, Google, Mistral, or any other AI inference provider. See Section 6.10.</p> <hr> <h2 id="9-international-data-transfers"> 9. International data transfers <a href="#9-international-data-transfers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Core whistleblower report data, including report content and file attachment storage, is hosted within the <strong>European Union</strong> (Hetzner, Germany). Payment processing occurs within the EU (Stripe), and transactional email is delivered from the EU (Mailjet, France).</p> <p>Marketing-site requests are routed through Cloudflare (CDN, United States), which processes network metadata (visitor IP addresses and request headers) for content delivery and DDoS protection. No reports, handler data, or account data are shared with Cloudflare. Transfers rely on Standard Contractual Clauses and supplementary safeguards. The reporting portal and handler portal do not load Cloudflare. AppSignal (Netherlands) and Crisp (France) are EU-based; Crisp is loaded only in the handler portal.</p> <hr> <h2 id="10-liability"> 10. Liability <a href="#10-liability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Each party’s liability under this DPA is subject to the limitations of liability set out in the main service agreement between the parties. To the maximum extent permitted by law, claims arising out of or relating to this DPA form part of the same aggregate liability cap that applies to the Service.</p> <hr> <h2 id="11-term-and-termination"> 11. Term and termination <a href="#11-term-and-termination" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This DPA takes effect when the Controller begins using the Service and remains in effect for as long as the Processor processes personal data on behalf of the Controller. The obligations in this DPA survive termination to the extent necessary to complete the deletion or return of personal data.</p> <hr> <h2 id="12-governing-law"> 12. Governing law <a href="#12-governing-law" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This DPA is governed by the laws of the Republic of Poland, without regard to conflict of laws principles. The competent courts of Warsaw, Poland have exclusive jurisdiction over disputes arising from this DPA.</p> <hr> <h2 id="contact"> Contact <a href="#contact" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For questions about this DPA or to request a signed copy:</p> <p><strong>EthicsPortal</strong> Yaroslav Shmarov ul. Obrzeżna 1A, 02-691 Warsaw, Poland <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/directive-coverage/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/directive-coverage/Article-by-article map of how EthicsPortal meets every requirement of EU Directive 2019/1937 and GDPR for whistleblower protection.<h1 id="directive-20191937-coverage-map"> Directive 2019/1937 coverage map <a href="#directive-20191937-coverage-map" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal is built to keep your organization compliant with EU Directive 2019/1937, its national transposition in your country, and GDPR. Every feature maps directly to a legal requirement — no feature bloat, no upsells.</p> <p>This page is the feature-to-requirement map: each article of the Directive is matched to the specific EthicsPortal capability that addresses it. For how EthicsPortal interprets the ambiguous provisions of those articles — the 50-worker threshold, what counts as “diligent follow-up”, retention justifications, GDPR lawful basis, national-law supremacy — see the separate <a href="/directive-interpretations/">interpretations</a> .</p> <p>All 27 EU member states have transposed the Directive into national law. Your organization must comply with the national law in your country of operation — see our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference for specific law names, penalties, and enforcement authorities. Key national laws include <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/italy/">D.Lgs. 24/2023</a> (Italy), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland).</p> <p>Last updated: 2026-05-17.</p> <hr> <h2 id="1-reporting-channels-art-8"> §1. Reporting channels (Art. 8) <a href="#1-reporting-channels-art-8" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Organizations with 50 or more employees must establish secure internal reporting channels.</p> <table> <thead> <tr> <th>Requirement</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Secure channel for reporting</td> <td>Encrypted web portal with unique URL per organization</td> </tr> <tr> <td>Confidentiality of reporter identity</td> <td>End-to-end encryption of all personal data, no IP logging, automatic metadata stripping from uploaded files</td> </tr> <tr> <td>Accessible to all workers</td> <td>Web-based portal works on any device, no app install or account required</td> </tr> <tr> <td>Customizable to the organization</td> <td>Configurable categories, logo, and welcome message</td> </tr> </tbody> </table> <hr> <h2 id="2-reporting-procedures-art-9"> §2. Reporting procedures (Art. 9) <a href="#2-reporting-procedures-art-9" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Requirement</th> <th>Article</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Designate impartial person or department</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(1)(c)</a> </td> <td>Case assignment system with role-based access — only authorized handlers see reports</td> </tr> <tr> <td>Acknowledge receipt within 7 days</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(1)(b)</a> </td> <td>Automatic deadline tracking with email notifications to handlers when the 7-day deadline approaches or is missed</td> </tr> <tr> <td>Diligent follow-up by the designated person</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(1)(d)</a> </td> <td>Case management with status workflow (received, acknowledged, investigating, closed), internal notes for handler collaboration, and full audit trail</td> </tr> <tr> <td>Provide feedback within three months</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(1)(f)</a> </td> <td>Automatic 3-month deadline tracking with overdue alerts to all organization admins. Reporters see the timeline on the portal and can check status at any time using their Case ID and passcode</td> </tr> <tr> <td>Enable oral reporting (telephone, voice messaging, or physical meeting on request)</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(2)</a> </td> <td>Configurable phone number displayed on portal; handlers can log phone, in-person, and letter reports directly in the system</td> </tr> <tr> <td>Inform about external reporting options</td> <td><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 9(1)(g)</a> </td> <td>Portal displays information about the reporter’s right to contact national competent authorities, citing Directive 2019/1937</td> </tr> </tbody> </table> <hr> <h2 id="3-scope-of-protection-art-4"> §3. Scope of protection (Art. 4) <a href="#3-scope-of-protection-art-4" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The directive protects not just employees but also contractors, suppliers, shareholders, and other third parties.</p> <p>EthicsPortal displays clear guidance on the portal that reporting is open to employees, contractors, suppliers, and any other third parties.</p> <hr> <h2 id="4-anti-retaliation-art-6-1921"> §4. Anti-retaliation (Art. 6, 19–21) <a href="#4-anti-retaliation-art-6-1921" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Reporters must be informed that retaliation is prohibited by law.</p> <p>EthicsPortal displays an anti-retaliation notice on every portal page, citing Directive 2019/1937, before the reporter submits.</p> <hr> <h2 id="5-confidentiality-of-identity-art-16"> §5. Confidentiality of identity (Art. 16) <a href="#5-confidentiality-of-identity-art-16" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Requirement</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Identity not disclosed beyond authorized staff</td> <td>Role-based access control — only admins, the primary assignee, and explicitly added participants (e.g. legal, HR) can view a report. Non-admin handlers only see cases they are assigned to or added to as a participant</td> </tr> <tr> <td>Handler anonymity toward reporter</td> <td>Whistleblowers see “Case handler” in messages, never the handler’s real name or email</td> </tr> <tr> <td>Sensitive data encrypted</td> <td>Reporter names, contact details, report descriptions, and message bodies are encrypted at rest using non-deterministic encryption</td> </tr> </tbody> </table> <p><strong>No AI processing of report content.</strong> Confidentiality under <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 16</a> extends to <em>which third parties</em> see the report. EthicsPortal does not transmit report content, reporter identity, or case communications to any large language model or AI inference service — not for categorisation, not for summarisation, not for translation. No AI provider (OpenAI, Anthropic, Google, Mistral, or other) is a sub-processor. This removes a class of sub-processor disclosure from your DPA and removes <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 22</a> (automated decision-making) considerations from your DPIA. See the <a href="/subprocessors/">sub-processor list</a> for the corresponding entry.</p> <p>Two additional reasons this is a confidentiality-grade decision, not a feature preference:</p> <ul> <li><strong>No hallucination in the compliance evidence chain.</strong> Large language models produce probabilistic output. A summary that says “this report does not appear urgent” is a probability, not a fact, and cannot be reproduced or audited. EthicsPortal records actor, action, and timestamp deterministically — the audit log is evidence, not a guess.</li> <li><strong>No prompt-injection attack surface on reporter submissions.</strong> Reporter input is untrusted by definition. Routing it through an LLM creates a class of attack where instructions embedded in report text can manipulate handler-facing output (suggested replies, summaries, categorisation). EthicsPortal removes the surface entirely by not performing inference on report content.</li> </ul> <hr> <h2 id="6-record-keeping-art-18"> §6. Record-keeping (Art. 18) <a href="#6-record-keeping-art-18" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Requirement</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Maintain records of every report</td> <td>Complete audit log of all actions: submissions, status changes, messages, assignments, and report views</td> </tr> <tr> <td>Records stored securely</td> <td>All sensitive fields encrypted at rest</td> </tr> <tr> <td>Records retrievable</td> <td>Full case export to PDF including metadata, message thread, attachments list, and audit trail. Organization-level compliance report PDF available for auditors — includes directive checklist, SLA metrics, and data protection summary without exposing sensitive report data</td> </tr> <tr> <td>Delete records when no longer necessary</td> <td>Configurable data retention period (12, 24, 36, or 60 months) with automatic deletion of expired closed reports</td> </tr> </tbody> </table> <hr> <h2 id="7-gdpr-compliance"> §7. GDPR compliance <a href="#7-gdpr-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Requirement</th> <th>Article</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Lawful basis for processing</td> <td>Art. 6(1)(c)</td> <td>Processing is necessary for compliance with EU Directive 2019/1937</td> </tr> <tr> <td>Data processing disclosure</td> <td>Art. 13/14</td> <td>Privacy notice displayed on the report submission form before the reporter submits</td> </tr> <tr> <td>Data minimization</td> <td>Art. 5(1)(c)</td> <td>Only essential fields collected; reporter name and contact are optional</td> </tr> <tr> <td>Storage limitation</td> <td>Art. 5(1)(e)</td> <td>Configurable retention period per organization with automatic deletion</td> </tr> <tr> <td>Integrity and confidentiality</td> <td>Art. 5(1)(f)</td> <td>Encryption at rest for all sensitive data; no IP logging on portal routes; file metadata automatically stripped</td> </tr> <tr> <td>Right to erasure</td> <td>Art. 17</td> <td>Automatic retention-based deletion; manual deletion available to admins</td> </tr> </tbody> </table> <hr> <h2 id="8-security-measures"> §8. Security measures <a href="#8-security-measures" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Measure</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td>Encryption at rest</td> <td>All report descriptions, reporter names, contact details, and message bodies are encrypted using non-deterministic encryption</td> </tr> <tr> <td>No IP logging</td> <td>Reporter IP addresses are never stored — rate limiting uses irreversible one-way hashes</td> </tr> <tr> <td>File metadata stripping</td> <td>EXIF data (GPS coordinates, camera model, author info) is automatically removed from uploaded images before storage</td> </tr> <tr> <td>Anonymous handler identity</td> <td>Whistleblowers never see the handler’s real name — messages display “Case handler”</td> </tr> <tr> <td>Rate limiting</td> <td>Public portal endpoints are rate-limited to prevent abuse</td> </tr> <tr> <td>Access control</td> <td>Role-based permissions ensure only authorized handlers can view reports; non-admin handlers only see cases they are assigned to or added to as a participant</td> </tr> <tr> <td>Audit trail</td> <td>Every action is logged with timestamp, actor, and action type — append-only and always available for regulatory review</td> </tr> </tbody> </table> <hr> <h2 id="9-what-your-organization-still-needs-to-do"> §9. What your organization still needs to do <a href="#9-what-your-organization-still-needs-to-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal handles the technical requirements. Your organization is responsible for:</p> <ul> <li><strong>Designating a reporting officer</strong> — assign at least one person responsible for handling reports</li> <li><strong>Internal policy</strong> — adopt a whistleblower protection policy and communicate it to employees</li> <li><strong>Training</strong> — ensure designated handlers understand confidentiality obligations</li> <li><strong>Non-retaliation enforcement</strong> — ensure management understands that retaliation is a legal violation</li> <li><strong>Identity disclosure consent</strong> — if a reporter’s identity must be shared beyond authorized handlers (e.g., with law enforcement), obtain the reporter’s explicit consent first (<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 16(2)</a> )</li> <li><strong>Informing workers</strong> — share the portal URL with employees (EthicsPortal provides a shareable link and QR code)</li> </ul> <hr> <h2 id="questions"> Questions? <a href="#questions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Admins can download a <strong>compliance report PDF</strong> directly from the portal settings page. It includes a full EU Directive 2019/1937 checklist, SLA metrics, data protection measures, and audit trail summary — ready to hand to an auditor without exposing any sensitive report data.</p> <p>For country-specific requirements (penalties, retention periods, enforcement authorities), see our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference.</p> <p>For how EthicsPortal interprets the ambiguous provisions of the Directive (the 50-worker threshold, what counts as “diligent follow-up”, retention justifications, GDPR lawful basis), see the <a href="/directive-interpretations/">Directive 2019/1937 interpretations</a> .</p> <p>If you need help demonstrating compliance to your legal team or regulator, contact us at <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/directive-interpretations/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/directive-interpretations/How EthicsPortal interprets the ambiguous provisions of EU Directive 2019/1937. A reference document for compliance officers, data protection officers, and legal counsel.<h1 id="directive-20191937-interpretations"> Directive 2019/1937 interpretations <a href="#directive-20191937-interpretations" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>This document records how EthicsPortal interprets provisions of EU Directive 2019/1937 that admit more than one reasonable reading. It is written for compliance officers, data protection officers, and legal counsel who must make defensible operational decisions in the absence of authoritative interpretive guidance from the European Commission or the Court of Justice.</p> <p>It is a living document. Where the Court of Justice, the European Data Protection Board, or a competent national authority issues binding interpretation that differs from the positions below, this document is revised and the prior position is preserved in the revision log.</p> <p>For the feature-to-requirement map — which EthicsPortal capability satisfies each provision of the Directive — see the <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> . The two documents are complementary: the coverage map documents what the product does; this document documents how we read the law.</p> <p>Last updated: April 2026.</p> <hr> <h2 id="1-scope-and-sources"> §1. Scope and sources <a href="#1-scope-and-sources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This methodology addresses Directive 2019/1937 as transposed into the national law of the 27 EU member states. Where national transposition is stricter than the Directive, the national rule governs for organizations operating in that jurisdiction (see §9).</p> <p>Authoritative sources, in order of precedence:</p> <ol> <li><strong>The Directive text itself</strong> — Directive (EU) 2019/1937 of 23 October 2019, including its recitals.</li> <li><strong>National transposition laws</strong> — binding within each member state. See <a href="/whistleblower-laws/">whistleblower laws by country</a> for specific law names and enforcement authorities.</li> <li><strong>Court of Justice of the European Union rulings</strong> — binding across the Union.</li> <li><strong>European Data Protection Board guidance</strong> — for data protection aspects (Articles 17, GDPR overlay).</li> <li><strong>National competent authority guidance</strong> — persuasive within the issuing state.</li> </ol> <p>This document is operational methodology. It is not legal advice. Organizations should validate interpretations with competent legal counsel in their jurisdiction before relying on them in audit or litigation.</p> <hr> <h2 id="2-conventions"> §2. Conventions <a href="#2-conventions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The Directive provides</strong> introduces a statement of what the Directive text requires.</p> <p><strong>In practice, this means</strong> introduces EthicsPortal’s interpretation where the text permits more than one reading.</p> <p><strong>EthicsPortal implements this by</strong> introduces how the interpretation manifests in the product. Operators choosing a different interpretation may need to adjust configuration or procedures accordingly.</p> <p>All Article references are to Directive 2019/1937 unless otherwise noted.</p> <hr> <h2 id="3-the-50-worker-threshold-art-8"> §3. The 50-worker threshold (Art. 8) <a href="#3-the-50-worker-threshold-art-8" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 8(3) requires entities with “50 or more workers” to establish internal reporting channels. The Directive does not define how the headcount is calculated, how part-time and temporary workers count, or whether the threshold applies per legal entity or per corporate group.</p> <p><strong>The Directive provides</strong> that “legal entities in the private sector with 50 or more workers” must comply (Art. 8(3)). Recital 48 clarifies that the threshold is calculated “in accordance with national law transposing the relevant Union law.”</p> <p><strong>In practice, this means</strong> the calculation follows each member state’s existing workforce-counting rules for employment and social-security purposes. These rules vary:</p> <ul> <li><strong>Germany</strong> (HinSchG §12): headcount based on the number of persons regularly employed, counted per legal entity.</li> <li><strong>France</strong> (Loi Waserman, Art. 8): 50 workers calculated as the average monthly headcount over the preceding 12 months.</li> <li><strong>Italy</strong> (D.Lgs. 24/2023): average employment over the preceding year.</li> <li><strong>Spain</strong> (Ley 2/2023): 50 workers per entity, with group-level channels permitted under conditions.</li> </ul> <p><strong>The threshold is calculated per legal entity</strong>, not per corporate group. A parent and a subsidiary are separate entities for Article 8 purposes unless national law provides otherwise. Article 8(6) permits shared resources within a group of up to 249 workers — but the obligation to establish a channel is still triggered per entity above the 50-worker threshold.</p> <p><strong>Contractors, temporary agency workers, and interns</strong> generally count toward the threshold when they fall within the national definition of “worker” — which is broader than “employee” under EU law. The Court of Justice has consistently held that the EU-law concept of “worker” includes any person who performs services for and under the direction of another in return for remuneration (see <em>Lawrie-Blum</em>, C-66/85).</p> <p><strong>EthicsPortal implements this by</strong> not gating access by headcount. Any organization may deploy a portal regardless of size. Organizations below the 50-worker threshold frequently operate portals voluntarily — for risk management, because national law applies a lower threshold to their sector (e.g., financial services), or because group policy mandates it.</p> <hr> <h2 id="4-the-acknowledgment-timeline-art-91b"> §4. The acknowledgment timeline (Art. 9(1)(b)) <a href="#4-the-acknowledgment-timeline-art-91b" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 9(1)(b) requires acknowledgment of receipt “within seven days of that receipt.” The Directive does not specify calendar days or business days, nor when the clock starts for reports received outside business hours.</p> <p><strong>The Directive provides</strong> for acknowledgment “within seven days of receipt.” No further qualification is given.</p> <p><strong>In practice, this means</strong> seven <strong>calendar</strong> days, counted from the moment the report enters the channel. This follows the general principle that Union-law time limits run in calendar days unless expressly stated otherwise (Regulation (EEC, Euratom) No 1182/71, Art. 3). Member states that have transposed the Directive have consistently treated the seven-day limit as calendar days (HinSchG §17(1)2; D.Lgs. 24/2023 Art. 5(1)(d); Loi Waserman Art. 8).</p> <p>A report submitted at 23:59 on a Sunday is a report received on that Sunday. The seven-day clock starts on the following day (day 1 = Monday) and expires at the end of the seventh day. This follows Regulation 1182/71 Article 3(1), which provides that where a period is expressed in days, the day of the triggering event does not count.</p> <p><strong>Acknowledgment is not the same as substantive response.</strong> Acknowledgment is a confirmation that the report has been received and registered. It need not contain any assessment of the report’s merits, nor the name of the person handling it.</p> <p><strong>EthicsPortal implements this by</strong> sending an automatic acknowledgment to the reporter at the moment of submission, displayed on the portal and (where contact details are provided) by email. The acknowledgment includes the case reference and the statutory three-month feedback deadline. Organizations configured for manual acknowledgment receive deadline alerts at 48 hours before the seven-day mark and on the day of expiry.</p> <hr> <h2 id="5-the-feedback-timeline-art-91f"> §5. The feedback timeline (Art. 9(1)(f)) <a href="#5-the-feedback-timeline-art-91f" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 9(1)(f) requires feedback “not exceeding three months from the acknowledgment of receipt or, if no acknowledgment was sent to the reporting person, three months from the expiry of the seven-day period after the report was made.” The Directive does not define what qualifies as “feedback.”</p> <p><strong>The Directive provides</strong> that “feedback” means “the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up” (Art. 5(13)).</p> <p><strong>In practice, this means</strong> feedback is substantive. A further acknowledgment or a statement that the report is “under review” is not feedback for the purposes of Article 9(1)(f). The reporter is entitled to know, by the three-month mark, what action the organization intends to take (or has taken) and the reasoning behind it.</p> <p>Feedback need not be a final determination. An organization may state that the matter is still under investigation, provided it also states what has been done so far, what further steps are planned, and when a further update can be expected. What is required is information sufficient for the reporter to evaluate whether the organization is handling the report seriously.</p> <p><strong>The three-month clock runs from the date of acknowledgment</strong>, not from the date of report submission. Where acknowledgment is delayed, the feedback window shortens accordingly — the latest permissible feedback date is three months and seven days after the report was made.</p> <p><strong>EthicsPortal implements this by</strong> tracking both deadlines (7-day acknowledgment, 3-month feedback) per case and surfacing overdue alerts to all organization admins. Feedback to the reporter is delivered through the portal’s two-way messaging channel, which preserves the reporter’s anonymity where they have not disclosed their identity.</p> <hr> <h2 id="6-diligent-follow-up-art-91d"> §6. Diligent follow-up (Art. 9(1)(d)) <a href="#6-diligent-follow-up-art-91d" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 9(1)(d) requires a “diligent follow-up by the designated person or department referred to in point (c).” “Diligent” is not defined.</p> <p><strong>The Directive provides</strong> that follow-up means “any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported” (Art. 5(12)).</p> <p><strong>In practice, this means</strong> diligent follow-up has three minimum operational components:</p> <ol> <li><strong>Assessment.</strong> A documented evaluation of whether the allegations, if true, would constitute a breach within the material scope of the Directive (Art. 2) or national transposition.</li> <li><strong>Investigation proportionate to the allegation.</strong> Investigation steps commensurate with the seriousness of the alleged breach, the strength of the evidence, and the potential harm. Not every report warrants a full investigation; a report unsupported by any concrete detail may be assessed and closed with a documented rationale. A report with specific, corroborated detail warrants more.</li> <li><strong>Contemporaneous record.</strong> Actions taken, decisions made, and their reasoning must be recorded at the time they occur. A diligent follow-up that leaves no trail is indistinguishable from no follow-up at all.</li> </ol> <p>“Diligent” is an objective standard. It is not satisfied by subjective good faith alone. An organization that routinely closes reports without assessment, or that takes months to open a file, is not diligent even if it believes itself to be.</p> <p><strong>EthicsPortal implements this by</strong> providing a case management workflow with status transitions (received, acknowledged, under investigation, closed), internal notes for handler collaboration, and an append-only audit trail that records every action with timestamp and actor. The audit trail is the primary evidence of diligence in an audit or regulatory review.</p> <hr> <h2 id="7-confidentiality-of-identity-art-16"> §7. Confidentiality of identity (Art. 16) <a href="#7-confidentiality-of-identity-art-16" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 16(1) requires that the identity of the reporting person not be disclosed to anyone beyond authorized staff members. The Directive does not specify whether “identity” extends to metadata that could identify the reporter (IP addresses, browser fingerprints, file authorship metadata, timestamps patterns).</p> <p><strong>The Directive provides</strong> that “the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person” (Art. 16(1)).</p> <p><strong>In practice, this means</strong> “identity” is read functionally: it includes any information that, alone or in combination, permits identification of the reporter. This reading aligns with the GDPR definition of personal data (Regulation (EU) 2016/679, Art. 4(1)) and with the European Data Protection Board’s consistent position that identifiability is context-dependent.</p> <p>The following are treated as identity information:</p> <ul> <li>The reporter’s name, contact details, and any information they provide about themselves.</li> <li>The <strong>IP address</strong> from which the report was submitted.</li> <li><strong>File metadata</strong> embedded in uploaded documents (author name, GPS coordinates in photos, device identifiers, revision history in office documents).</li> <li>Patterns of timestamps or access that could uniquely identify one person (e.g., a report submitted at a time only one employee could plausibly have submitted it).</li> </ul> <p>Organizations that retain reporter IP addresses, or that accept uploaded files without stripping metadata, are exposed to a confidentiality failure that is technically a breach of Article 16 even if the reporter’s name is never disclosed.</p> <p><strong>EthicsPortal implements this by</strong> never storing reporter IP addresses (rate limiting uses irreversible one-way hashes), stripping EXIF and document metadata from all uploaded files before storage, and encrypting reporter identity fields at rest with non-deterministic encryption (so that even full database access does not permit bulk lookup by name).</p> <hr> <h2 id="8-retention-period-art-18"> §8. Retention period (Art. 18) <a href="#8-retention-period-art-18" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 18(1) requires that records of reports be kept “for no longer than it is necessary and proportionate in order to comply with the requirements imposed by this Directive, or other requirements imposed by Union or national law.” The Directive does not specify a maximum period.</p> <p><strong>The Directive provides</strong> a “necessary and proportionate” standard, anchored to compliance purposes.</p> <p><strong>In practice, this means</strong> retention must be justified by reference to a concrete legal or operational purpose, time-limited, and documented in the organization’s data protection records (GDPR Art. 30). In the absence of an ongoing investigation, litigation, or specific statutory requirement, retention beyond the close of the case becomes progressively harder to justify.</p> <p>Common justifications and their typical durations:</p> <table> <thead> <tr> <th>Purpose</th> <th>Typical retention</th> </tr> </thead> <tbody> <tr> <td>Active case (received to closure)</td> <td>Duration of case</td> </tr> <tr> <td>Subsequent investigation or litigation</td> <td>Until final resolution</td> </tr> <tr> <td>Regulatory audit trail</td> <td>Period set by sector regulation (commonly 5 years for financial services)</td> </tr> <tr> <td>Retaliation claim protection (Art. 21)</td> <td>National limitation period for employment claims (typically 2–5 years)</td> </tr> <tr> <td>Statistical reporting under Art. 27(2)</td> <td>Anonymized data only; personal data to be minimized or deleted</td> </tr> </tbody> </table> <p>National transposition may set specific periods. Examples:</p> <ul> <li><strong>Germany</strong> (HinSchG §11(5)): documentation deleted three years after closure of the procedure, longer only where required by other laws.</li> <li><strong>France</strong> (CNIL guidance on Loi Waserman): retention periods calibrated per case type, with routine cases deleted within two months of closure if no follow-up is pursued.</li> <li><strong>Italy</strong> (D.Lgs. 24/2023 Art. 14): five years from closure of the report, subject to GDPR minimization.</li> </ul> <p>A blanket retention period chosen for convenience (“we keep everything for 10 years”) is not compliant with either Article 18 or GDPR Article 5(1)(e). Retention must be tied to purpose.</p> <p><strong>EthicsPortal implements this by</strong> providing configurable retention periods (12, 24, 36, 60 months) with automatic deletion of closed reports at the end of the configured period. The default setting is the shortest period that satisfies the most common national transposition requirements. Operators in sectors with longer statutory retention obligations configure the period to match.</p> <hr> <h2 id="9-lawful-basis-for-processing-gdpr-interaction"> §9. Lawful basis for processing (GDPR interaction) <a href="#9-lawful-basis-for-processing-gdpr-interaction" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 17 of the Directive requires that personal data processing comply with GDPR. The Directive itself is not a lawful basis under GDPR Article 6 — a controller must identify which specific basis applies.</p> <p><strong>The Directive provides</strong> that processing “shall be carried out in accordance with Regulation (EU) 2016/679” (Art. 17).</p> <p><strong>In practice, this means</strong> the lawful basis is <strong>Article 6(1)(c) GDPR — legal obligation</strong>, where the organization is subject to a legal obligation to establish and operate a reporting channel. For organizations above the 50-worker threshold (or below it where sector-specific law imposes the obligation), Article 6(1)(c) is the correct and sufficient basis. No consent from the reporter is required, and none should be sought — treating the processing as consent-based would be misleading and would create a theoretical right to withdraw that the controller cannot honor.</p> <p>For organizations operating a reporting channel <strong>voluntarily</strong> (below the 50-worker threshold and not subject to sector-specific mandate), the lawful basis is <strong>Article 6(1)(f) — legitimate interest</strong>, subject to a documented balancing test. The legitimate interest in preventing and detecting wrongdoing within the organization is well-established and has been recognized in national guidance across member states.</p> <p>Special categories of personal data (GDPR Art. 9) may appear incidentally in reports — a report of discrimination may reveal health information or ethnic origin. The lawful basis for Article 9 data is typically Article 9(2)(g) — substantial public interest, provided the processing is proportionate and accompanied by specific safeguards. Reports revealing criminal offences (GDPR Art. 10) are processed under the corresponding Article 10 basis in national law.</p> <p><strong>EthicsPortal implements this by</strong> documenting Article 6(1)(c) as the default lawful basis in the Data Processing Agreement and privacy notice. Operators below the statutory threshold adjust the privacy notice to reflect Article 6(1)(f) and record their balancing test separately.</p> <hr> <h2 id="10-national-law-supremacy-art-25"> §10. National law supremacy (Art. 25) <a href="#10-national-law-supremacy-art-25" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Article 25(1) provides that member states may introduce or retain provisions “more favourable to the rights of reporting persons” than those set out in the Directive. The Directive does not address how operators should resolve conflicts when national law is stricter.</p> <p><strong>The Directive provides</strong> in Article 25(1) that “Member States may introduce or retain provisions more favourable to the rights of reporting persons than those set out in this Directive, without prejudice to Article 22 [rights of persons concerned] and Article 23(2) [penalties for knowingly false reports].”</p> <p><strong>In practice, this means</strong> where national transposition is stricter than the Directive, <strong>national law governs</strong> for organizations operating in that jurisdiction. There is no option to rely on the Directive minimum where the local rule is stricter. The Directive sets a floor, not a ceiling.</p> <p>Practical examples of stricter national rules:</p> <ul> <li><strong>France</strong> requires acknowledgment of external reports within seven working days and a feedback period that may be shorter than the Directive minimum for certain sectors (AMF, ACPR).</li> <li><strong>Germany</strong> explicitly extends protection to reports about certain categories of legal violations beyond the material scope of the Directive (HinSchG §2).</li> <li><strong>Italy</strong> imposes a lower worker threshold (50, but with specific sectors at any headcount for certain entities) and specific record-keeping formalities.</li> <li><strong>Poland</strong> imposes specific requirements on the form of the reporting channel policy that are not in the Directive text.</li> </ul> <p><strong>For multi-country operators</strong>, the operating rule is: in each jurisdiction, apply the stricter of (Directive, national law). This sometimes means that a group policy sets a uniform high standard matching the strictest national rule in any country of operation. This is generally preferable to maintaining parallel policies per jurisdiction, which increases administrative burden and the risk of applying the wrong rule.</p> <p><strong>EthicsPortal implements this by</strong> defaulting to the strictest common denominator across the 27 member states: shortest acknowledgment and feedback windows, narrowest retention period, fullest anti-retaliation notice. Operators in a single jurisdiction may relax specific defaults to match national rules, but the baseline is calibrated above the Directive minimum in every article where national transposition laws exceed it.</p> <hr> <h2 id="11-anonymous-reporting-art-62-art-91e"> §11. Anonymous reporting (Art. 6(2), Art. 9(1)(e)) <a href="#11-anonymous-reporting-art-62-art-91e" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>The question.</strong> Must an organization accept anonymous reports?</p> <p><strong>The Directive provides</strong> in Article 6(2) that it “does not affect the power of Member States to decide whether or not to require legal entities […] to accept and follow up on anonymous reports.” Article 9(1)(e) requires “diligent follow-up, where provided for in national law, as regards anonymous reporting.”</p> <p><strong>In practice, this means</strong> national law decides. Two postures:</p> <ul> <li><strong>Required</strong> in some jurisdictions or sectors (e.g., French financial-services regulation).</li> <li><strong>Permitted</strong> in most Member States — Germany (HinSchG), Italy (D.Lgs. 24/2023, with mandated diligent follow-up once a report is accepted), Poland (Ustawa o ochronie sygnalistów), and others.</li> </ul> <p>Three consequences.</p> <p><strong>Once accepted, binding.</strong> An organization that publishes “we accept anonymous reports” has triggered Article 9(1)(e). The obligation attaches to the policy, not the individual report.</p> <p><strong>Anti-retaliation applies only from identification.</strong> Article 21 cannot protect an unknown person. Actions taken during the anonymous period are not retroactively covered.</p> <p><strong>Anonymity is a technical standard, not a promise.</strong> A form that collects an email is not anonymous. A channel that logs IP addresses is not anonymous. Article 16 confidentiality protects a known identity from disclosure; anonymity prevents identification.</p> <p><strong>EthicsPortal implements this by</strong> accepting anonymous reports by default. No contact details are required. IP addresses are never stored (rate limiting uses irreversible one-way hashes). File metadata is stripped before storage. Operators may configure the portal to require contact details where national law mandates identified reports. Accepted anonymous reports follow the same case workflow, deadlines, and diligent-follow-up standard as identified ones.</p> <hr> <h2 id="revision-log"> Revision log <a href="#revision-log" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>April 2026</strong> — §11 added on anonymous reporting (Art. 6(2), Art. 9(1)(e)).</li> <li><strong>April 2026</strong> — Initial publication.</li> </ul> <hr> <h2 id="corrections-and-inquiries"> Corrections and inquiries <a href="#corrections-and-inquiries" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This document is intended to be cited and relied upon. If you identify an error, a position that conflicts with a Court of Justice ruling, a European Data Protection Board opinion, or binding national guidance, contact <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> . Corrections are published in the revision log with date and summary of change.</p> <p>For questions about how a specific interpretation applies to your organization’s circumstances, this document is not a substitute for legal advice. Contact competent legal counsel in your jurisdiction.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/en-301-549-conformance/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/en-301-549-conformance/Clause-by-clause conformance self-assessment for EthicsPortal against EN 301 549 V3.2.3 and WCAG 2.2 Level AA.<h1 id="en-301-549-conformance-report"> EN 301 549 conformance report <a href="#en-301-549-conformance-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Last updated: 2026-05-24.</p> <p>This report is a structured self-assessment of EthicsPortal against the accessibility requirements in <strong>EN 301 549 V3.2.3</strong> (and, transitively, <strong>WCAG 2.2 Level AA</strong>). It is intended for procurement reviewers who need a clause-by-clause answer beyond the <a href="/accessibility/">accessibility statement</a> .</p> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Product</td> <td>EthicsPortal — EU whistleblower compliance platform</td> </tr> <tr> <td>Product version</td> <td>Continuously deployed; this report describes the state as of the preparation date</td> </tr> <tr> <td>Standard</td> <td>EN 301 549 V3.2.3 (incorporating WCAG 2.2 Level AA)</td> </tr> <tr> <td>Conformance approach</td> <td>Self-assessment</td> </tr> <tr> <td>Preparation date</td> <td>14 May 2026</td> </tr> <tr> <td>Next review</td> <td>August 2026 (quarterly)</td> </tr> <tr> <td>Contact</td> <td><a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> </td> </tr> </tbody> </table> <p>A PDF copy of this report can be supplied for procurement on request.</p> <h2 id="scope"> Scope <a href="#scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This report covers three deployment surfaces:</p> <ol> <li><strong>Web application</strong> — <code>secure.ethicsportal.eu</code>, the authenticated case-handler interface</li> <li><strong>Public reporting portals</strong> — <code>*.ethicsportal.eu</code>, the whistleblower-facing report submission and case tracking</li> <li><strong>Marketing website</strong> — <code>ethicsportal.eu</code>, the Hugo-rendered public site (this page included)</li> </ol> <p>It also covers downloadable documents and support services delivered through these surfaces.</p> <p>EthicsPortal is a web-based SaaS product. It does not provide native mobile apps, kiosk hardware, two-way voice ICT, video output for media, or real-time text. Clauses 6, 7, 8, and 13 of EN 301 549 are therefore largely <strong>not applicable</strong>.</p> <h2 id="summary"> Summary <a href="#summary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Clause area</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>§5 Generic requirements</td> <td>Conforms, with exceptions noted in §5.4</td> </tr> <tr> <td>§6 ICT with two-way voice communication</td> <td>Not applicable</td> </tr> <tr> <td>§7 ICT with video capabilities</td> <td>Not applicable</td> </tr> <tr> <td>§8 Hardware</td> <td>Not applicable</td> </tr> <tr> <td>§9 Web</td> <td>Partially conforms (see §9 details)</td> </tr> <tr> <td>§10 Non-web documents</td> <td>Does not conform — see §10.1</td> </tr> <tr> <td>§11 Software</td> <td>Partially conforms (see §11 details)</td> </tr> <tr> <td>§12 Documentation and support services</td> <td>Conforms</td> </tr> <tr> <td>§13 ICT providing relay or emergency service access</td> <td>Not applicable</td> </tr> </tbody> </table> <h2 id="clause-by-clause-assessment"> Clause-by-clause assessment <a href="#clause-by-clause-assessment" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="5-generic-requirements"> §5 Generic requirements <a href="#5-generic-requirements" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Clause</th> <th>Requirement</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>5.1.2.2 / 5.1.3</td> <td>Activation of accessibility features</td> <td>Conforms</td> <td>The platform exposes accessibility features through standard HTML and ARIA. No proprietary activation step is required</td> </tr> <tr> <td>5.2</td> <td>Activation of accessibility features</td> <td>Conforms</td> <td>Browser- and OS-level accessibility settings (zoom, contrast, reduced motion, screen reader) are respected</td> </tr> <tr> <td>5.3</td> <td>Biometrics</td> <td>Not applicable</td> <td>Authentication is by magic link or one-time code with optional TOTP; no biometric input is required</td> </tr> <tr> <td>5.4</td> <td>Preservation of accessibility information during conversion</td> <td>Partially conforms</td> <td>Application content preserves accessibility information; PDF exports do not (see §10.1)</td> </tr> <tr> <td>5.5</td> <td>Operable parts</td> <td>Conforms</td> <td>All interactive elements are operable by keyboard and pointer; target size meets §2.5.8</td> </tr> <tr> <td>5.6</td> <td>Locking or toggle status</td> <td>Conforms</td> <td>Toggle states are exposed via <code>aria-pressed</code> / <code>aria-expanded</code></td> </tr> <tr> <td>5.7</td> <td>Key repeat</td> <td>Not applicable</td> <td>Software does not configure system key-repeat</td> </tr> <tr> <td>5.8</td> <td>Double-strike key acceptance</td> <td>Not applicable</td> <td>Software does not configure system key-acceptance</td> </tr> <tr> <td>5.9</td> <td>Simultaneous user actions</td> <td>Conforms</td> <td>No interaction requires simultaneous user actions</td> </tr> </tbody> </table> <h3 id="9-web-incorporates-wcag-22-level-a-and-aa"> §9 Web (incorporates WCAG 2.2 Level A and AA) <a href="#9-web-incorporates-wcag-22-level-a-and-aa" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal targets WCAG 2.2 Level AA. The new criteria added in WCAG 2.2 are reported individually so reviewers can confirm coverage beyond WCAG 2.1.</p> <p><strong>Principle 1 — Perceivable</strong></p> <table> <thead> <tr> <th>SC</th> <th>Title</th> <th>Level</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>1.1.1</td> <td>Non-text Content</td> <td>A</td> <td>Conforms</td> <td>Images and SVG icons have alt text or are marked decorative. Icon-only buttons carry <code>aria-label</code>. Status indicated by icon alone has an <code>sr-only</code> text equivalent</td> </tr> <tr> <td>1.2.x</td> <td>Time-based Media</td> <td>A/AA</td> <td>Not applicable</td> <td>No audio or video content</td> </tr> <tr> <td>1.3.1</td> <td>Info and Relationships</td> <td>A</td> <td>Conforms</td> <td>Semantic HTML; tables use <code><th scope></code>; forms use <code><label></code></td> </tr> <tr> <td>1.3.2</td> <td>Meaningful Sequence</td> <td>A</td> <td>Conforms</td> <td>DOM order matches visual order</td> </tr> <tr> <td>1.3.3</td> <td>Sensory Characteristics</td> <td>A</td> <td>Conforms</td> <td>Instructions do not rely on shape, size, or location alone</td> </tr> <tr> <td>1.3.4</td> <td>Orientation</td> <td>AA</td> <td>Conforms</td> <td>Layout works in portrait and landscape</td> </tr> <tr> <td>1.3.5</td> <td>Identify Input Purpose</td> <td>AA</td> <td>Conforms</td> <td>Inputs that match WCAG input purposes use <code>autocomplete</code></td> </tr> <tr> <td>1.4.1</td> <td>Use of Color</td> <td>A</td> <td>Conforms</td> <td>Color is never the only signal — paired with text or icons</td> </tr> <tr> <td>1.4.3</td> <td>Contrast (Minimum)</td> <td>AA</td> <td>Conforms</td> <td>Body text ≥ 4.5:1, large text ≥ 3:1, audited internally</td> </tr> <tr> <td>1.4.4</td> <td>Resize Text</td> <td>AA</td> <td>Conforms</td> <td>Layout reflows at 200 % zoom without loss of content</td> </tr> <tr> <td>1.4.5</td> <td>Images of Text</td> <td>AA</td> <td>Conforms</td> <td>Brand logo is the only image of text; all UI labels are HTML</td> </tr> <tr> <td>1.4.10</td> <td>Reflow</td> <td>AA</td> <td>Conforms</td> <td>Reflows at 320 CSS pixels wide (tables and code blocks excepted as permitted)</td> </tr> <tr> <td>1.4.11</td> <td>Non-text Contrast</td> <td>AA</td> <td>Conforms</td> <td>UI components and graphical objects meet 3:1</td> </tr> <tr> <td>1.4.12</td> <td>Text Spacing</td> <td>AA</td> <td>Conforms</td> <td>User text-spacing overrides do not break layout</td> </tr> <tr> <td>1.4.13</td> <td>Content on Hover or Focus</td> <td>AA</td> <td>Conforms</td> <td>Tooltips dismissible (Escape), hoverable, and persistent until trigger loses focus</td> </tr> </tbody> </table> <p><strong>Principle 2 — Operable</strong></p> <table> <thead> <tr> <th>SC</th> <th>Title</th> <th>Level</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>2.1.1</td> <td>Keyboard</td> <td>A</td> <td>Conforms</td> <td>All functionality is keyboard-operable</td> </tr> <tr> <td>2.1.2</td> <td>No Keyboard Trap</td> <td>A</td> <td>Conforms</td> <td>Modals trap focus only while open and restore it on close</td> </tr> <tr> <td>2.1.4</td> <td>Character Key Shortcuts</td> <td>A</td> <td>Not applicable</td> <td>No single-character shortcuts implemented</td> </tr> <tr> <td>2.2.1</td> <td>Timing Adjustable</td> <td>A</td> <td>Conforms</td> <td>Session inactivity timeout is 30 days, satisfying the 20-hour exception</td> </tr> <tr> <td>2.2.2</td> <td>Pause, Stop, Hide</td> <td>A</td> <td>Conforms</td> <td>No auto-updating content moves, blinks, or scrolls for more than 5 seconds without a control to pause</td> </tr> <tr> <td>2.3.1</td> <td>Three Flashes or Below</td> <td>A</td> <td>Conforms</td> <td>No flashing content</td> </tr> <tr> <td>2.4.1</td> <td>Bypass Blocks</td> <td>A</td> <td>Conforms</td> <td>Skip-link to main content present on every layout</td> </tr> <tr> <td>2.4.2</td> <td>Page Titled</td> <td>A</td> <td>Conforms</td> <td>Every page has a localised, descriptive <code><title></code></td> </tr> <tr> <td>2.4.3</td> <td>Focus Order</td> <td>A</td> <td>Conforms</td> <td>Focus follows DOM order</td> </tr> <tr> <td>2.4.4</td> <td>Link Purpose (In Context)</td> <td>A</td> <td>Conforms</td> <td>Link text describes the destination</td> </tr> <tr> <td>2.4.5</td> <td>Multiple Ways</td> <td>AA</td> <td>Conforms</td> <td>Site search, navigation, and breadcrumbs are available</td> </tr> <tr> <td>2.4.6</td> <td>Headings and Labels</td> <td>AA</td> <td>Conforms</td> <td>One <code><h1></code> per page; headings descend without skipping</td> </tr> <tr> <td>2.4.7</td> <td>Focus Visible</td> <td>AA</td> <td>Conforms</td> <td><code>:focus-visible</code> is enabled globally; focus rings are not disabled</td> </tr> <tr> <td>2.4.11</td> <td>Focus Not Obscured (Minimum)</td> <td>AA <em>(new in 2.2)</em></td> <td>Conforms</td> <td>Focused elements are not entirely covered by sticky headers or other author content</td> </tr> <tr> <td>2.5.1</td> <td>Pointer Gestures</td> <td>A</td> <td>Conforms</td> <td>No multi-point or path-based gestures are required</td> </tr> <tr> <td>2.5.2</td> <td>Pointer Cancellation</td> <td>A</td> <td>Conforms</td> <td>All click actions complete on <code>up-event</code></td> </tr> <tr> <td>2.5.3</td> <td>Label in Name</td> <td>A</td> <td>Conforms</td> <td>Accessible names contain the visible label</td> </tr> <tr> <td>2.5.4</td> <td>Motion Actuation</td> <td>A</td> <td>Not applicable</td> <td>No device-motion inputs</td> </tr> <tr> <td>2.5.7</td> <td>Dragging Movements</td> <td>AA <em>(new in 2.2)</em></td> <td>Conforms</td> <td>No drag-only flows; uploads accept click and keyboard alternatives</td> </tr> <tr> <td>2.5.8</td> <td>Target Size (Minimum)</td> <td>AA <em>(new in 2.2)</em></td> <td>Conforms</td> <td>Interactive targets ≥ 24×24 CSS px</td> </tr> </tbody> </table> <p><strong>Principle 3 — Understandable</strong></p> <table> <thead> <tr> <th>SC</th> <th>Title</th> <th>Level</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>3.1.1</td> <td>Language of Page</td> <td>A</td> <td>Partially conforms</td> <td>Application and portal pages set <code><html lang></code> to the active locale. Static fallback error pages are English-only — see <a href="/accessibility/#non-accessible-content">accessibility statement</a> </td> </tr> <tr> <td>3.1.2</td> <td>Language of Parts</td> <td>AA</td> <td>Conforms</td> <td>Inline foreign-language strings use <code>lang</code> attributes where required</td> </tr> <tr> <td>3.2.1</td> <td>On Focus</td> <td>A</td> <td>Conforms</td> <td>Focus does not trigger a context change</td> </tr> <tr> <td>3.2.2</td> <td>On Input</td> <td>A</td> <td>Conforms</td> <td>Input does not trigger a context change without warning</td> </tr> <tr> <td>3.2.3</td> <td>Consistent Navigation</td> <td>AA</td> <td>Conforms</td> <td>Navigation order is consistent across the application</td> </tr> <tr> <td>3.2.4</td> <td>Consistent Identification</td> <td>AA</td> <td>Conforms</td> <td>Icons and components are used consistently</td> </tr> <tr> <td>3.2.6</td> <td>Consistent Help</td> <td>A <em>(new in 2.2)</em></td> <td>Conforms</td> <td>Support contact and help links appear in the same location on every authenticated page (sidebar footer area) and in the portal footer</td> </tr> <tr> <td>3.3.1</td> <td>Error Identification</td> <td>A</td> <td>Conforms</td> <td>Errors are surfaced via <code>role="alert"</code> and described to the user</td> </tr> <tr> <td>3.3.2</td> <td>Labels or Instructions</td> <td>A</td> <td>Conforms</td> <td>Inputs are labelled; hints use <code>aria-describedby</code></td> </tr> <tr> <td>3.3.3</td> <td>Error Suggestion</td> <td>AA</td> <td>Conforms</td> <td>Errors say what is wrong and how to fix it</td> </tr> <tr> <td>3.3.4</td> <td>Error Prevention (Legal, Financial, Data)</td> <td>AA</td> <td>Conforms</td> <td>Reversible operations or explicit confirmation for destructive actions</td> </tr> <tr> <td>3.3.7</td> <td>Redundant Entry</td> <td>A <em>(new in 2.2)</em></td> <td>Conforms</td> <td>Information previously entered (email, organization) is auto-filled where re-required in the same session</td> </tr> <tr> <td>3.3.8</td> <td>Accessible Authentication (Minimum)</td> <td>AA <em>(new in 2.2)</em></td> <td>Conforms</td> <td>Authentication uses magic links and one-time codes that can be pasted; no cognitive function tests are required</td> </tr> </tbody> </table> <p><strong>Principle 4 — Robust</strong></p> <table> <thead> <tr> <th>SC</th> <th>Title</th> <th>Level</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>4.1.2</td> <td>Name, Role, Value</td> <td>A</td> <td>Conforms</td> <td>Controls expose name, role, and state</td> </tr> <tr> <td>4.1.3</td> <td>Status Messages</td> <td>AA</td> <td>Conforms</td> <td>Flash messages, notifications, and async results use <code>aria-live</code> regions</td> </tr> </tbody> </table> <h3 id="10-non-web-documents"> §10 Non-web documents <a href="#10-non-web-documents" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Clause</th> <th>Requirement</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>10.1</td> <td>Non-web documents (PDFs)</td> <td>Does not conform</td> <td>Compliance reports, certificates, policy templates, posters, the case-handler manual, and case exports are produced as untagged PDFs. Accessible HTML alternatives are available on request via <a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> . A tagged-PDF pipeline is on the roadmap.</td> </tr> <tr> <td>10.2</td> <td>DOCX policy templates</td> <td>Partially conforms</td> <td>Generated DOCX files (whistleblower policy, privacy notice) carry their structure but have not been audited against PDF/UA-equivalent expectations for editable documents. HTML alternatives are available on request.</td> </tr> </tbody> </table> <h3 id="11-software"> §11 Software <a href="#11-software" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The web application qualifies as software under §11. §11 incorporates WCAG (assessed above under §9) plus software-specific clauses:</p> <table> <thead> <tr> <th>Clause</th> <th>Requirement</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>11.5</td> <td>Interoperability with assistive technology</td> <td>Conforms</td> <td>Built on semantic HTML and ARIA; tested with VoiceOver, NVDA, and platform keyboard navigation</td> </tr> <tr> <td>11.6</td> <td>Documented accessibility usage</td> <td>Conforms</td> <td>This page and the <a href="/accessibility/">accessibility statement</a> document accessibility features and known limitations</td> </tr> <tr> <td>11.7</td> <td>User preferences</td> <td>Conforms</td> <td>OS-level preferences (reduced motion, color scheme, text scaling) are respected</td> </tr> <tr> <td>11.8</td> <td>Authoring tools</td> <td>Partially conforms</td> <td>Case-handler UI is an authoring tool under §11.8 because handlers create content consumed by whistleblowers. Attachment uploads accept descriptions; rich-text features (when introduced) will be assessed against <a href="https://www.w3.org/TR/ATAG20/" rel="nofollow">ATAG 2.0</a> </td> </tr> </tbody> </table> <h3 id="12-documentation-and-support-services"> §12 Documentation and support services <a href="#12-documentation-and-support-services" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Clause</th> <th>Requirement</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>12.1.1</td> <td>Accessibility and compatibility features</td> <td>Conforms</td> <td>This report and the <a href="/accessibility/">accessibility statement</a> describe the supported assistive technologies and platform combinations</td> </tr> <tr> <td>12.1.2</td> <td>Accessible documentation</td> <td>Conforms</td> <td>Documentation is delivered as semantic HTML on the marketing site and through in-app help</td> </tr> <tr> <td>12.2.2</td> <td>Information on accessibility features</td> <td>Conforms</td> <td>Support staff and the published statement can answer accessibility queries</td> </tr> <tr> <td>12.2.3</td> <td>Effective communication</td> <td>Conforms</td> <td>Accessibility feedback channel is monitored each working day; acknowledgement within 2 working days</td> </tr> <tr> <td>12.2.4</td> <td>Accessible documentation (support)</td> <td>Partially conforms</td> <td>Documents delivered in response to support requests inherit the same status as the underlying artifacts — PDFs are flagged; HTML alternatives are available</td> </tr> </tbody> </table> <h2 id="known-limitations"> Known limitations <a href="#known-limitations" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The items below are tracked, not hidden:</p> <ol> <li><strong>Untagged PDFs.</strong> Largest gap. Mitigated today by accessible HTML alternatives on request; planned to be replaced by a tagged-PDF or HTML-canonical pipeline.</li> <li><strong>Static error pages in English only.</strong> Encountered rarely; the same information is presented in the user’s language inside the application.</li> <li><strong>Third-party embeds (Crisp, Stripe-hosted pages)</strong> sit outside our direct control; provider accessibility documentation is reviewed annually.</li> </ol> <h2 id="test-methodology"> Test methodology <a href="#test-methodology" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The self-assessment combined:</p> <ul> <li><strong>Automated</strong>: <code>axe-core-capybara</code> runs against the public whistleblower portal flows (home, report submission, lookup) in CI via <code>test/system/portal_accessibility_system_test.rb</code>; any violation fails the build. Extending automated coverage to the authenticated case-handler flows is on the roadmap</li> <li><strong>Manual keyboard testing</strong> across the portal report submission flow, the case-handler workflow, account management, and authentication</li> <li><strong>VoiceOver (macOS, Safari)</strong> and <strong>NVDA (Windows, Firefox)</strong> screen-reader passes on the same flows</li> <li><strong>200 % zoom</strong> reflow check on every layout at 1280×800</li> <li><strong>Reduced motion</strong> verified by enabling the OS preference</li> <li><strong>Color blindness simulation</strong> using Coblis</li> <li><strong>Code review</strong> against the internal <a href="https://github.com/yshmarov/ethicsportal.eu/blob/main/docs/accessibility.md" rel="nofollow">accessibility engineering guide</a> </li> </ul> <h2 id="contact-and-feedback"> Contact and feedback <a href="#contact-and-feedback" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Accessibility concerns, requests for alternative formats, and procurement queries:</p> <ul> <li><a href="mailto:accessibility@ethicsportal.eu">accessibility@ethicsportal.eu</a> — monitored each working day</li> <li>See the <a href="/accessibility/">accessibility statement</a> for the full feedback and enforcement procedure</li> </ul> <h2 id="standards-and-references"> Standards and references <a href="#standards-and-references" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://www.etsi.org/deliver/etsi_en/301500_301599/301549/03.02.03_60/en_301549v030203p.pdf" rel="nofollow">EN 301 549 V3.2.3</a> </li> <li><a href="https://www.etsi.org/deliver/etsi_en/301500_301599/301549/03.02.01_60/en_301549v030201p.pdf" rel="nofollow">EN 301 549 V3.2.1</a> (harmonized version)</li> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016L2102" rel="nofollow">Directive (EU) 2016/2102</a> </li> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L0882" rel="nofollow">Directive (EU) 2019/882</a> — European Accessibility Act</li> <li><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018D1523" rel="nofollow">Implementing Decision (EU) 2018/1523</a> </li> <li><a href="https://www.w3.org/TR/WCAG22/" rel="nofollow">WCAG 2.2 Level AA</a> </li> <li><a href="https://www.w3.org/TR/ATAG20/" rel="nofollow">ATAG 2.0</a> </li> </ul>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/compare/eqs-integrity-line/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/compare/eqs-integrity-line/Compare EthicsPortal and EQS Integrity Line for EU whistleblower compliance. See how the enterprise incumbent compares to a modern, affordable alternative.<h1 id="ethicsportal-vs-eqs-integrity-line"> EthicsPortal vs. EQS Integrity Line <a href="#ethicsportal-vs-eqs-integrity-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EQS Integrity Line is the whistleblower reporting product from EQS Group, a Munich-based compliance technology company with roughly 640 employees and €81M in revenue (2024). Acquired by private equity firm Thoma Bravo, EQS serves over 1,200 companies across 165+ countries. They are firmly positioned as an enterprise solution — pricing is not published and requires a sales conversation.</p> <h2 id="quick-comparison"> Quick comparison <a href="#quick-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Feature</th> <th>EthicsPortal</th> <th>EQS Integrity Line</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>€49/month flat</td> <td>Not public — estimated €2,000+/month, requires sales call</td> </tr> <tr> <td><strong>Self-serve signup</strong></td> <td>Yes, instant</td> <td>No — sales process required</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Yes (non-deterministic ActiveRecord Encryption)</td> <td>Yes</td> </tr> <tr> <td><strong>EU hosting</strong></td> <td>Yes (Hetzner, Germany)</td> <td>Yes (EU)</td> </tr> <tr> <td><strong>File metadata stripping</strong></td> <td>Yes (EXIF, GPS, author info)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>IP anonymization</strong></td> <td>Yes (one-way hash, no storage)</td> <td>Yes</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Yes, append-only</td> <td>Yes</td> </tr> <tr> <td><strong>Deadline tracking</strong></td> <td>Yes (7-day and 3-month with notifications)</td> <td>Yes</td> </tr> <tr> <td><strong>PDF export</strong></td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td><strong>Languages</strong></td> <td>EN, FR, PL (more coming)</td> <td>70+ languages with AI translation</td> </tr> </tbody> </table> <h2 id="where-eqs-integrity-line-is-strong"> Where EQS Integrity Line is strong <a href="#where-eqs-integrity-line-is-strong" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Enterprise scale and brand.</strong> EQS serves 1,200+ companies across 165+ countries. For large enterprises that need a vendor with proven scale, that track record matters.</li> <li><strong>AI-powered translation.</strong> Their 70+ language support includes AI translation, which can be valuable for organizations receiving reports in unexpected languages.</li> </ul> <h2 id="where-ethicsportal-is-different"> Where EthicsPortal is different <a href="#where-ethicsportal-is-different" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Transparent pricing you can budget for.</strong> EthicsPortal is €49/month. Period. EQS requires a sales conversation, and estimated pricing starts around €2,000/month — roughly 40x more expensive. For an SME, that difference funds an entire year of compliance versus a single month.</li> <li><strong>Self-serve from start to finish.</strong> Sign up, configure your portal, share the link. No sales calls, no procurement process, no weeks of back-and-forth. EQS is built for enterprise buying cycles; EthicsPortal is built for teams that need compliance now.</li> <li><strong>Privacy features as standard.</strong> File metadata stripping and IP anonymization are built into every EthicsPortal account. No negotiation, no enterprise add-on.</li> <li><strong>Simpler, faster product.</strong> EthicsPortal is a focused tool — fast to load, fast to learn, fast to use.</li> </ul> <h2 id="who-should-choose-eqs-integrity-line"> Who should choose EQS Integrity Line <a href="#who-should-choose-eqs-integrity-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EQS Integrity Line makes sense for large enterprises (1,000+ employees) operating across many countries that need 70+ languages, 24/7 support, and a vendor with a long enterprise track record. If your organization has a dedicated compliance team and procurement process, and budget is not the primary concern, EQS is a proven choice.</p> <h2 id="who-should-choose-ethicsportal"> Who should choose EthicsPortal <a href="#who-should-choose-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is for SMEs that need EU Directive 2019/1937 compliance without spending enterprise budgets or waiting weeks for a sales process to conclude. If you need to be compliant this week — not this quarter — and you would rather spend €49/month than €2,000+/month for features you will never use, EthicsPortal is the practical choice.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/compare/faceup/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/compare/faceup/Compare EthicsPortal and FaceUp for EU whistleblower compliance. Pricing, features, and privacy compared side by side for businesses.<h1 id="ethicsportal-vs-faceup"> EthicsPortal vs. FaceUp <a href="#ethicsportal-vs-faceup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>FaceUp is a whistleblower platform used by over 3,500 organizations across 60 countries. Originally built with a strong focus on schools and education, FaceUp has expanded into corporate compliance. They support an impressive 113 languages and run an aggressive affiliate program. Their pricing is in US dollars, which can make budgeting less predictable for European businesses.</p> <h2 id="quick-comparison"> Quick comparison <a href="#quick-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Feature</th> <th>EthicsPortal</th> <th>FaceUp</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>€49/month flat (EUR)</td> <td>Not public — “Get a Quote” on all tiers (USD)</td> </tr> <tr> <td><strong>Self-serve signup</strong></td> <td>Yes, instant</td> <td>No — quote required</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Yes (non-deterministic ActiveRecord Encryption)</td> <td>Yes</td> </tr> <tr> <td><strong>EU hosting</strong></td> <td>Yes (Hetzner, Germany)</td> <td>Yes (EU)</td> </tr> <tr> <td><strong>File metadata stripping</strong></td> <td>Yes (EXIF, GPS, author info)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>IP anonymization</strong></td> <td>Yes (one-way hash, no storage)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Yes, append-only</td> <td>Yes</td> </tr> <tr> <td><strong>Deadline tracking</strong></td> <td>Yes (7-day and 3-month with notifications)</td> <td>Yes</td> </tr> <tr> <td><strong>PDF export</strong></td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td><strong>Languages</strong></td> <td>EN, FR, PL (more coming)</td> <td>113 languages</td> </tr> </tbody> </table> <h2 id="where-faceup-is-strong"> Where FaceUp is strong <a href="#where-faceup-is-strong" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Language support.</strong> 113 languages is among the highest in the market. If your organization operates in countries with less common languages, FaceUp likely has you covered.</li> <li><strong>Education market.</strong> FaceUp has a unique position in schools and universities. If you need a reporting tool for an educational institution, they have purpose-built features for that context.</li> <li><strong>Mobile app.</strong> FaceUp offers a mobile application, which EthicsPortal does not currently have.</li> </ul> <h2 id="where-ethicsportal-is-different"> Where EthicsPortal is different <a href="#where-ethicsportal-is-different" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Euro pricing, transparent.</strong> EthicsPortal is €49/month flat — visible on the website, no sales call needed. FaceUp does not publish prices: all three tiers (Starter, Professional, Enterprise) show “Get a Quote” buttons. Pricing is in US dollars, which means European businesses deal with currency fluctuation on top of opaque pricing. With EthicsPortal, there is one plan at one price.</li> <li><strong>Privacy protections built in.</strong> File metadata stripping (EXIF, GPS, author data) and IP anonymization (one-way hash) are standard on every EthicsPortal account. These are not upsell features.</li> <li><strong>Focused on business compliance.</strong> EthicsPortal is built specifically for EU Directive 2019/1937 compliance. FaceUp’s dual focus on schools and businesses means the product serves two different audiences, which can dilute the compliance experience for corporate users.</li> <li><strong>EU-hosted on Hetzner in Germany.</strong> Your data is stored on specific, verifiable German infrastructure — important for organizations that need to demonstrate GDPR-compliant data residency.</li> </ul> <h2 id="who-should-choose-faceup"> Who should choose FaceUp <a href="#who-should-choose-faceup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>FaceUp is a good fit for organizations that need 113 languages, want a mobile app for reporters, or operate in the education sector. If you are a school, university, or multi-national enterprise where USD pricing is not a concern, FaceUp offers broad coverage.</p> <h2 id="who-should-choose-ethicsportal"> Who should choose EthicsPortal <a href="#who-should-choose-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is built for European SMEs that want straightforward EU Directive compliance in euros, without navigating multiple pricing tiers or wondering which features require an upgrade. If you value built-in privacy protections and a product laser-focused on whistleblower compliance rather than split between schools and businesses, EthicsPortal is the cleaner choice.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/compare/navex/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/compare/navex/Compare EthicsPortal and NAVEX for EU whistleblower compliance. See how the US enterprise giant stacks up against a focused, affordable EU alternative.<h1 id="ethicsportal-vs-navex"> EthicsPortal vs. NAVEX <a href="#ethicsportal-vs-navex" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>NAVEX Global is a US-based governance, risk, and compliance (GRC) platform backed by Goldman Sachs and Blackstone. With 1,000-5,000 employees, $293M in revenue, and 13,000 organizations on their platform — including 75% of the Fortune 100 — NAVEX is the largest player in the compliance software space. Their whistleblower hotline is one piece of a much broader GRC suite covering policy management, third-party risk, and ethics training.</p> <h2 id="quick-comparison"> Quick comparison <a href="#quick-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Feature</th> <th>EthicsPortal</th> <th>NAVEX</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>€49/month flat</td> <td>Not public — estimated €25,000+/year, enterprise custom</td> </tr> <tr> <td><strong>Self-serve signup</strong></td> <td>Yes, instant</td> <td>No — enterprise sales process</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Yes (non-deterministic ActiveRecord Encryption)</td> <td>Yes</td> </tr> <tr> <td><strong>EU hosting</strong></td> <td>Yes (Hetzner, Germany)</td> <td>US-based (EU hosting unclear)</td> </tr> <tr> <td><strong>File metadata stripping</strong></td> <td>Yes (EXIF, GPS, author info)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>IP anonymization</strong></td> <td>Yes (one-way hash, no storage)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Yes, append-only</td> <td>Yes</td> </tr> <tr> <td><strong>Deadline tracking</strong></td> <td>Yes (7-day and 3-month with notifications)</td> <td>Yes</td> </tr> <tr> <td><strong>PDF export</strong></td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td><strong>Languages</strong></td> <td>EN, FR, PL (more coming)</td> <td>150+ languages</td> </tr> </tbody> </table> <h2 id="where-navex-is-strong"> Where NAVEX is strong <a href="#where-navex-is-strong" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Market dominance.</strong> 75% of the Fortune 100 use NAVEX. That level of adoption means deep enterprise integrations, extensive case law coverage, and a vendor that procurement teams already know.</li> <li><strong>150+ languages.</strong> The broadest language support in the market, critical for truly global enterprises with operations in every region.</li> <li><strong>Comprehensive GRC platform.</strong> If you need whistleblowing, policy management, ethics training, and third-party risk in a single vendor, NAVEX covers it all.</li> </ul> <h2 id="where-ethicsportal-is-different"> Where EthicsPortal is different <a href="#where-ethicsportal-is-different" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Affordable and transparent.</strong> EthicsPortal is €49/month. NAVEX contracts are estimated at €25,000+/year — roughly 40x more. For an SME, NAVEX pricing alone can exceed the entire annual compliance budget.</li> <li><strong>EU-hosted, EU-focused.</strong> EthicsPortal is hosted on Hetzner in Germany, built specifically for EU Directive 2019/1937 compliance. NAVEX is a US-based company with US-centric infrastructure, which raises data residency questions for EU organizations.</li> <li><strong>Privacy by default.</strong> File metadata stripping and IP anonymization are built into every account. No enterprise contract negotiation required to get privacy features that should be standard.</li> <li><strong>Modern UX.</strong> NAVEX reviews consistently mention dated interfaces and slow performance. EthicsPortal is a modern application — fast, clean, and built with current web standards.</li> </ul> <h2 id="who-should-choose-navex"> Who should choose NAVEX <a href="#who-should-choose-navex" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>NAVEX is the right choice for Fortune 500 companies that need a comprehensive GRC platform spanning whistleblowing, policy management, and third-party risk. If your organization operates in 100+ countries, needs 150+ languages, has a dedicated compliance department, and has the budget for enterprise software, NAVEX has the scale to match.</p> <h2 id="who-should-choose-ethicsportal"> Who should choose EthicsPortal <a href="#who-should-choose-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is for European SMEs that need EU whistleblower compliance, not a full GRC suite. If you want to be compliant with EU Directive 2019/1937 without signing a €25,000/year contract, sitting through enterprise demos, or deploying a platform that was built for Fortune 100 companies, EthicsPortal gives you exactly what you need at a price that makes sense.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/compare/speakup/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/compare/speakup/Compare EthicsPortal and SpeakUp for EU whistleblower compliance. Pricing, privacy features, and setup compared side by side.<h1 id="ethicsportal-vs-speakup"> EthicsPortal vs. SpeakUp <a href="#ethicsportal-vs-speakup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>SpeakUp is an EU-based ethics and compliance platform serving over 2,000 organizations. Originally focused on whistleblower reporting, SpeakUp has expanded into a broader all-in-one compliance suite. They hold ISO 27001, ISO 27701, and ISAE 3000 Type II certifications — among the strongest in the market. Their pricing starts at €3,000/year for small businesses and moves to custom pricing for organizations with 1,000+ employees.</p> <h2 id="quick-comparison"> Quick comparison <a href="#quick-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Feature</th> <th>EthicsPortal</th> <th>SpeakUp</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>€49/month flat</td> <td>€3,000/year for <1,000 employees, custom for larger</td> </tr> <tr> <td><strong>Self-serve signup</strong></td> <td>Yes, instant</td> <td>Partial</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Yes (non-deterministic ActiveRecord Encryption)</td> <td>Yes</td> </tr> <tr> <td><strong>EU hosting</strong></td> <td>Yes (Hetzner, Germany)</td> <td>Yes (EU)</td> </tr> <tr> <td><strong>File metadata stripping</strong></td> <td>Yes (EXIF, GPS, author info)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>IP anonymization</strong></td> <td>Yes (one-way hash, no storage)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Yes, append-only</td> <td>Yes</td> </tr> <tr> <td><strong>Deadline tracking</strong></td> <td>Yes (7-day and 3-month with notifications)</td> <td>Yes</td> </tr> <tr> <td><strong>PDF export</strong></td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td><strong>Languages</strong></td> <td>EN, FR, PL (more coming)</td> <td>Multiple (exact count not published)</td> </tr> </tbody> </table> <h2 id="where-speakup-is-strong"> Where SpeakUp is strong <a href="#where-speakup-is-strong" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Certifications.</strong> ISO 27001, ISO 27701, and ISAE 3000 Type II is a strong combination. For organizations where vendor certifications are a procurement requirement, SpeakUp checks every box.</li> <li><strong>Broad compliance platform.</strong> SpeakUp covers ethics, compliance, and whistleblowing in a single platform. If your compliance needs go beyond whistleblower reporting, their broader suite may be relevant.</li> <li><strong>EU-based.</strong> As a European company serving 2,000+ organizations, SpeakUp understands EU regulatory requirements and data sovereignty expectations.</li> </ul> <h2 id="where-ethicsportal-is-different"> Where EthicsPortal is different <a href="#where-ethicsportal-is-different" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Predictable, flat pricing.</strong> EthicsPortal is €49/month — that is €588/year. SpeakUp starts at €3,000/year for companies under 1,000 employees, roughly 5x more. With EthicsPortal, you know your cost today and in two years.</li> <li><strong>Privacy features as standard.</strong> EthicsPortal strips file metadata (EXIF, GPS coordinates, author information) before storage and anonymizes IP addresses using a one-way hash. These protections run automatically on every account — they are not premium features.</li> <li><strong>Instant self-serve setup.</strong> Sign up, configure your portal, and start receiving reports in minutes. No sales conversations, no waiting for provisioning.</li> <li><strong>Focused on whistleblowing.</strong> EthicsPortal does one thing well: EU Directive 2019/1937 compliant whistleblower reporting. SpeakUp is moving upmarket into broader compliance, which means more complexity and features you may never use.</li> </ul> <h2 id="who-should-choose-speakup"> Who should choose SpeakUp <a href="#who-should-choose-speakup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>SpeakUp is a good choice for mid-size organizations that need a vendor with strong certifications (ISO 27001, ISO 27701, ISAE 3000 Type II) to satisfy procurement requirements, or that want a single platform covering ethics and compliance beyond just whistleblowing. If your compliance team needs a broader toolset and is comfortable with scaling pricing, SpeakUp delivers.</p> <h2 id="who-should-choose-ethicsportal"> Who should choose EthicsPortal <a href="#who-should-choose-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is for SMEs that need whistleblower compliance without buying an entire compliance suite. If you want EU Directive 2019/1937 compliance at a flat €49/month, with built-in privacy protections and no sales process, EthicsPortal gets you compliant faster and at a lower cost. When you need ISO certifications from your vendor, EthicsPortal is not there yet — but if you need to be compliant today at a price that makes sense, it is.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/compare/whispli/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/compare/whispli/Compare EthicsPortal and Whispli for EU whistleblower compliance. SME flat pricing vs. enterprise case management compared side by side.<h1 id="ethicsportal-vs-whispli"> EthicsPortal vs. Whispli <a href="#ethicsportal-vs-whispli" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Whispli is an enterprise whistleblowing and case management platform headquartered in Sydney, Australia with a Paris office. They serve 300+ organisations across 60+ countries and hold ISO 27001 certification at the system level. Whispli offers regional EU hosting, 70+ languages, a Voice AI phone hotline, and a mobile app. Pricing is not published — enterprise sales engagement is required, with reports suggesting starting around €3,000/year.</p> <h2 id="quick-comparison"> Quick comparison <a href="#quick-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Feature</th> <th>EthicsPortal</th> <th>Whispli</th> </tr> </thead> <tbody> <tr> <td><strong>Pricing</strong></td> <td>€49/month flat</td> <td>Custom (~€3,000+/year, sales required)</td> </tr> <tr> <td><strong>Self-serve signup</strong></td> <td>Yes, instant</td> <td>No — sales engagement required</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Yes (non-deterministic ActiveRecord Encryption)</td> <td>Yes (customer-managed encryption keys available)</td> </tr> <tr> <td><strong>EU hosting</strong></td> <td>Yes (Hetzner, Germany)</td> <td>Yes (optional EU region)</td> </tr> <tr> <td><strong>File metadata stripping</strong></td> <td>Yes (EXIF, GPS, author info)</td> <td>Not publicly documented</td> </tr> <tr> <td><strong>IP anonymization</strong></td> <td>Yes (one-way hash, no storage)</td> <td>Yes (no IP/device identifiers collected)</td> </tr> <tr> <td><strong>Voice AI hotline</strong></td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>Mobile app</strong></td> <td>No</td> <td>Yes (iOS and Android)</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Yes, append-only</td> <td>Yes, immutable</td> </tr> <tr> <td><strong>Deadline tracking</strong></td> <td>Yes (7-day and 3-month with notifications)</td> <td>Yes</td> </tr> <tr> <td><strong>Languages</strong></td> <td>EN, FR, PL (more coming)</td> <td>70+</td> </tr> <tr> <td><strong>ISO 27001</strong></td> <td>No</td> <td>Yes (system-level)</td> </tr> <tr> <td><strong>Conflicts of interest module</strong></td> <td>No</td> <td>Yes (Whispli Disclosures)</td> </tr> </tbody> </table> <h2 id="where-whispli-is-strong"> Where Whispli is strong <a href="#where-whispli-is-strong" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Enterprise-grade security.</strong> ISO 27001 certified at the system level (not just hosting) and customer-managed encryption keys. This is a higher bar than most competitors.</li> <li><strong>Voice AI hotline.</strong> AI-powered voice intake that transcribes verbal disclosures into structured cases with anonymity protections. Useful for distributed workforces where written reporting is impractical.</li> <li><strong>Mobile apps.</strong> Native iOS and Android apps for secure reporting from anywhere with real-time notifications.</li> <li><strong>70+ languages.</strong> Covers virtually every EU language plus global deployment.</li> <li><strong>Beyond whistleblowing.</strong> Separate modules for conflicts of interest, gifts and hospitality, and employee relations (Pulse surveys).</li> </ul> <h2 id="where-ethicsportal-is-different"> Where EthicsPortal is different <a href="#where-ethicsportal-is-different" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>€49/month vs. ~€3,000+/year.</strong> EthicsPortal costs roughly one-fifth of Whispli’s estimated starting price. For SMEs that need Directive compliance without enterprise features, the cost difference is significant.</li> <li><strong>Instant self-serve.</strong> No sales call, no demo, no onboarding project. Sign up, configure your portal, share the link. Whispli requires enterprise sales engagement and implementation.</li> <li><strong>Published privacy engineering.</strong> EthicsPortal documents its full anonymity architecture publicly: one-way IP hashing, EXIF stripping methodology by file type, non-deterministic encryption details, ClamAV scanning. This documentation is available to anyone evaluating the platform.</li> <li><strong>Article-by-article Directive mapping.</strong> EthicsPortal publishes a <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> matching each feature to specific Directive articles — useful for compliance officers documenting their channel.</li> </ul> <h2 id="who-should-choose-whispli"> Who should choose Whispli <a href="#who-should-choose-whispli" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Whispli is the right choice for large, global enterprises (500+ employees across multiple countries) that need ISO 27001 certification, Voice AI for frontline workers, customer-managed encryption keys, and modules beyond whistleblowing (conflicts of interest, gifts and hospitality). If your compliance team expects board-ready reporting dashboards and multi-entity governance at scale, Whispli is built for that.</p> <h2 id="who-should-choose-ethicsportal"> Who should choose EthicsPortal <a href="#who-should-choose-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is the better fit for SMEs and mid-sized companies (50–500 employees) that need EU Directive 2019/1937 compliance without enterprise complexity or pricing. If your reporting channel needs to be operational today, not after a weeks-long implementation project, and your budget is closer to €50/month than €3,000/year, EthicsPortal delivers full Directive compliance at a fraction of the cost.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/penalties/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/penalties/Fines and penalties for non-compliance with EU Directive 2019/1937 in every member state. Updated regularly with enforcement actions.<h1 id="eu-whistleblower-directive-penalties-by-country"> EU whistleblower directive penalties by country <a href="#eu-whistleblower-directive-penalties-by-country" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EU Directive 2019/1937 requires all companies with 50+ employees to establish internal whistleblower reporting channels. Every EU member state has transposed the directive into national law with its own penalty regime.</p> <p>Non-compliance is not theoretical. In March 2025, the <a href="https://eucrim.eu/news/ecj-ordered-several-member-states-to-financial-penalties-for-failing-to-transpose-whistleblowers-directive/" rel="nofollow">EU Court of Justice fined five member states a combined €39 million</a> just for being late to implement the law. Companies that fail to comply face their own penalties under national law.</p> <hr> <h2 id="penalties-at-a-glance"> Penalties at a glance <a href="#penalties-at-a-glance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Country</th> <th>No reporting channel</th> <th>Retaliation</th> <th>Criminal liability</th> <th>Law</th> </tr> </thead> <tbody> <tr> <td><a href="/whistleblower-laws/spain/">Spain</a> </td> <td>Up to €1,000,000</td> <td>Up to €1,000,000</td> <td>No</td> <td><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Law 2/2023</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/france/">France</a> </td> <td>—</td> <td>€60,000 + 3 years prison</td> <td><strong>Yes</strong></td> <td><a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman (2022-401)</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/poland/">Poland</a> </td> <td>PLN 5,000 (~€1,200)</td> <td>Obstruction: PLN 1,080,000 (~€250,000) + up to 1 year prison. Retaliation: up to 2 years prison</td> <td><strong>Yes</strong></td> <td><a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Act of 14 June 2024</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/portugal/">Portugal</a> </td> <td>Up to €125,000</td> <td>Up to €125,000</td> <td>No</td> <td><a href="https://diariodarepublica.pt/dr/detalhe/lei/93-2021-175659849" rel="nofollow">Law 93/2021</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/italy/">Italy</a> </td> <td>€10,000–€50,000</td> <td>€10,000–€50,000</td> <td>No</td> <td><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">D.Lgs. 24/2023</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/germany/">Germany</a> </td> <td>€20,000–€50,000 (10x for legal entities)</td> <td>Up to €50,000</td> <td>No</td> <td><a href="https://www.gesetze-im-internet.de/hinschg/" rel="nofollow">HinSchG</a> </td> </tr> </tbody> </table> <hr> <h2 id="country-details"> Country details <a href="#country-details" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="spain"> <a href="/whistleblower-laws/spain/">Spain</a> — Law 2/2023 <a href="#spain" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Ley 2/2023, de 20 de febrero</a> — protection of persons who report regulatory infringements and the fight against corruption.</p> <p><strong>Applies to:</strong> Companies with 50+ employees. Deadline was June 13, 2023 (250+ employees) and December 1, 2023 (50–249 employees). <a href="https://www.garrigues.com/en_GB/new/spain-whistleblowing-law-published" rel="nofollow">Source: Garrigues</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Not establishing an internal reporting channel: €600,000–€1,000,000 for legal entities. <a href="https://cms.law/en/int/expert-guides/whistleblower-protection-and-reporting-channels/spain" rel="nofollow">Source: CMS Expert Guide</a> </li> <li>Breaching reporting channel obligations: €100,000–€1,000,000 for legal entities; €1,000–€300,000 for individuals. <a href="https://cms.law/en/int/expert-guides/whistleblower-protection-and-reporting-channels/spain" rel="nofollow">Source: CMS Expert Guide</a> </li> <li>Additional sanctions: public warning, prohibition from subsidies/tax benefits for up to 4 years, and possible suspension of operating licenses. <a href="https://www.garrigues.com/en_GB/new/whistleblowing-channels-companies-spain-key-aspects-new-law-protecting-whistleblowers-all" rel="nofollow">Source: Garrigues</a> </li> </ul> <p><strong>Enforcement authority:</strong> Autoridad Independiente de Protección del Informante (A.A.I.)</p> <p>Spain has the harshest penalties in the EU for whistleblower non-compliance.</p> <hr> <h3 id="france"> <a href="/whistleblower-laws/france/">France</a> — Loi Waserman <a href="#france" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi n° 2022-401 du 21 mars 2022 (Loi Waserman)</a> , amending <a href="https://www.legifrance.gouv.fr/loda/id/JORFTEXT000033558528" rel="nofollow">Loi Sapin II (2016-1691)</a> .</p> <p><strong>Applies to:</strong> Companies with 50+ employees. In effect since September 2022. <a href="https://www.integrityline.com/expertise/blog/new-french-whistleblowing-law/" rel="nofollow">Source: IntegrityLine</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Obstructing a report: up to €60,000 fine and 1 year imprisonment. <a href="https://www.whispli.com/eu-directive-whistleblowing/france/" rel="nofollow">Source: Whispli</a> </li> <li>Retaliation or discrimination against a whistleblower: up to €60,000 fine and 3 years imprisonment. <a href="https://www.jpkarsenty.com/en/the-whistleblower-the-impact-of-the-waserman-law-on-criminal-provisions-4-4/" rel="nofollow">Source: JP Karsenty</a> </li> </ul> <p>France is one of the few EU countries where obstruction and retaliation carry <strong>criminal penalties including prison time</strong>.</p> <p><strong>Key difference:</strong> Whistleblowers in France are no longer required to use internal channels before going to external authorities (end of “cascade reporting”). <a href="https://www.integrityline.com/expertise/blog/new-french-whistleblowing-law/" rel="nofollow">Source: IntegrityLine</a> </p> <hr> <h3 id="germany"> <a href="/whistleblower-laws/germany/">Germany</a> — HinSchG <a href="#germany" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://www.gesetze-im-internet.de/hinschg/" rel="nofollow">Hinweisgeberschutzgesetz (HinSchG)</a> — entered into force July 2, 2023.</p> <p><strong>Applies to:</strong> Companies with 50+ employees. Deadline was July 2, 2023 (250+ employees) and December 17, 2023 (50–249 employees). Fines enforceable since December 1, 2023. <a href="https://www.loc.gov/item/global-legal-monitor/2023-07-13/germany-whistleblower-protection-act-enters-into-force/" rel="nofollow">Source: Library of Congress</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Not establishing a reporting channel: fines of €20,000–€50,000 per Section 40 HinSchG. <a href="https://www.ebnerstolz.de/en/what-we-offer/services/legal-advice/commercial-criminal-law/german-whistleblower-protection-act-27384.html" rel="nofollow">Source: Ebner Stolz</a> </li> <li>For legal entities, fines can increase <strong>tenfold</strong> (up to €500,000) per Section 40(6). <a href="https://www.activemind.legal/guides/german-whistleblower-protection-act/" rel="nofollow">Source: activeMind</a> </li> <li>Retaliation against whistleblowers: up to €50,000. <a href="https://www.mofo.com/resources/insights/230602-the-new-german-whistleblowing-act" rel="nofollow">Source: Morrison Foerster</a> </li> </ul> <p><strong>Note:</strong> Germany was fined €34,000,000 by the EU Court of Justice in March 2025 for late transposition of the directive. <a href="https://eucrim.eu/news/ecj-ordered-several-member-states-to-financial-penalties-for-failing-to-transpose-whistleblowers-directive/" rel="nofollow">Source: eucrim</a> </p> <hr> <h3 id="italy"> <a href="/whistleblower-laws/italy/">Italy</a> — D.Lgs. 24/2023 <a href="#italy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">Decreto Legislativo 10 marzo 2023, n. 24</a> .</p> <p><strong>Applies to:</strong> Companies with 50+ employees (and all companies with a Model 231 compliance program regardless of size). Deadline was July 15, 2023 (250+ employees) and December 17, 2023 (50–249 employees). <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Not establishing reporting channels or non-compliant procedures: €10,000–€50,000. <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </li> <li>Retaliation or obstruction of reporting: €10,000–€50,000. <a href="https://www.hoganlovells.com/en/publications/italy-implements-eu-whistleblower-directive-the-new-obligations-for-companies" rel="nofollow">Source: Hogan Lovells</a> </li> <li>Breaching confidentiality of reporter identity: €10,000–€50,000. <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </li> <li>False reporting by whistleblower: €500–€2,500. <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </li> </ul> <p><strong>Enforcement authority:</strong> ANAC (Autorità Nazionale Anticorruzione). ANAC issued its first enforcement action in July 2024 (Decision No. 380, retaliation case). <a href="https://www.clearygottlieb.com/news-and-insights/publication-listing/whistleblowing-in-focus-part-two" rel="nofollow">Source: ANAC via Cleary Gottlieb</a> </p> <hr> <h3 id="poland"> <a href="/whistleblower-laws/poland/">Poland</a> — Act of 14 June 2024 <a href="#poland" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Ustawa z dnia 14 czerwca 2024 r. o ochronie sygnalistów</a> — entered into force September 25, 2024.</p> <p><strong>Applies to:</strong> Employers with 50+ employees. Internal procedures required by January 1, 2025. <a href="https://knowledge.dlapiper.com/dlapiperknowledge/globalemploymentlatestdevelopments/2024/poland-whistleblower-protection-act.html" rel="nofollow">Source: DLA Piper</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Not establishing internal reporting procedures: fine of PLN 20–5,000 (~€5–€1,200) as a misdemeanor. Management board members are personally liable. <a href="https://www.rsm.global/poland/en/insights/doing-business-poland/whistleblower-protection" rel="nofollow">Source: RSM Poland</a> </li> <li>Preventing or obstructing reporting: fine up to PLN 1,080,000 (~€250,000), restriction of liberty, or up to 1 year imprisonment. With violence or threats: up to 3 years. <a href="https://www.cliffordchance.com/insights/resources/blogs/regulatory-investigations-financial-crime-insights/2024/07/poland-implements-the-eu-whistleblowing-directive.html" rel="nofollow">Source: Clifford Chance</a> </li> <li>Retaliation: fine, restriction of liberty, or up to 2 years imprisonment. <a href="https://www.kochanski.pl/en/whistleblower-protection-act-all-you-need-to-know/" rel="nofollow">Source: Kochański & Partners</a> </li> <li>Disclosing whistleblower identity: fine, restriction of liberty, or up to 1 year imprisonment. <a href="https://knowledge.dlapiper.com/dlapiperknowledge/globalemploymentlatestdevelopments/2024/poland-whistleblower-protection-act.html" rel="nofollow">Source: DLA Piper</a> </li> </ul> <p><strong>Enforcement authority:</strong> Independent Authority for Whistleblower Protection (Rzecznik Praw Sygnalistów) — operations commence September 1, 2025. <a href="https://wozniaklegal.com/en/news-and-insight/454/protection-of-whistleblowers-in-poland.html" rel="nofollow">Source: Wozniak Legal</a> </p> <p>Poland is one of the few EU countries where obstruction and retaliation carry <strong>criminal penalties including prison time</strong>.</p> <hr> <h3 id="portugal"> <a href="/whistleblower-laws/portugal/">Portugal</a> — Law 93/2021 <a href="#portugal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Law:</strong> <a href="https://diariodarepublica.pt/dr/detalhe/lei/93-2021-175659849" rel="nofollow">Lei n.º 93/2021, de 20 de dezembro</a> — General Regime for the Protection of Whistleblowers.</p> <p><strong>Applies to:</strong> Companies with 50+ employees. Penalty regime enforceable since June 7, 2024. <a href="https://www.integrityline.com/expertise/blog/new-portuguese-whistleblowing-law/" rel="nofollow">Source: IntegrityLine</a> </p> <p><strong>Penalties:</strong></p> <ul> <li>Not establishing reporting channels: fines up to €125,000. <a href="https://www.integrityline.com/expertise/blog/new-portuguese-whistleblowing-law/" rel="nofollow">Source: IntegrityLine</a> </li> </ul> <p><strong>Enforcement authority:</strong> MENAC (Mecanismo Nacional Anticorrupção). Electronic platform became operational November 2024. Received 152 reports in 2024. Focus shifting to private sector enforcement in 2025. <a href="https://commission.europa.eu/document/download/5a482f87-1f24-47bd-8595-d25f1ca29c6a_en" rel="nofollow">Source: European Commission Rule of Law Report 2025</a> </p> <hr> <h2 id="eu-court-of-justice-fines-against-member-states-march-2025"> EU Court of Justice fines against member states (March 2025) <a href="#eu-court-of-justice-fines-against-member-states-march-2025" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Five EU countries were fined by the Court of Justice for failing to transpose the directive on time:</p> <table> <thead> <tr> <th>Country</th> <th>Lump sum fine</th> <th>Daily penalty</th> </tr> </thead> <tbody> <tr> <td><a href="/whistleblower-laws/germany/">Germany</a> </td> <td>€34,000,000</td> <td>—</td> </tr> <tr> <td><a href="/whistleblower-laws/czech-republic/">Czech Republic</a> </td> <td>€2,300,000</td> <td>—</td> </tr> <tr> <td><a href="/whistleblower-laws/hungary/">Hungary</a> </td> <td>€1,750,000</td> <td>—</td> </tr> <tr> <td><a href="/whistleblower-laws/estonia/">Estonia</a> </td> <td>€500,000</td> <td>€1,500/day</td> </tr> <tr> <td><a href="/whistleblower-laws/luxembourg/">Luxembourg</a> </td> <td>€375,000</td> <td>—</td> </tr> </tbody> </table> <p><a href="https://eucrim.eu/news/ecj-ordered-several-member-states-to-financial-penalties-for-failing-to-transpose-whistleblowers-directive/" rel="nofollow">Source: eucrim</a> — <a href="https://curia.europa.eu/site/upload/docs/application/pdf/2025-03/cp250029en.pdf" rel="nofollow">Source: CJEU press release (PDF)</a> </p> <hr> <h2 id="all-27-member-states"> All 27 member states <a href="#all-27-member-states" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>All EU member states have now transposed the directive. See our complete reference:</p> <p><strong><a href="/whistleblower-laws/">Whistleblower laws in all 27 EU member states →</a> </strong></p> <p>Every country’s national law name, link to official text, penalties, deadlines, and enforcement authority.</p> <hr> <h2 id="enforcement-is-accelerating"> Enforcement is accelerating <a href="#enforcement-is-accelerating" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Most member states only finished transposing the directive in 2023–2024. Enforcement authorities are now operational and actively issuing guidance:</p> <ul> <li><strong>Italy:</strong> ANAC issued its first retaliation fine in July 2024 and published updated enforcement guidelines in November 2025.</li> <li><strong>Portugal:</strong> MENAC’s electronic enforcement platform went live in November 2024, with private sector focus in 2025.</li> <li><strong>Poland:</strong> Independent enforcement authority launches September 2025.</li> <li><strong>Germany:</strong> Fines enforceable since December 2023.</li> <li><strong>Spain:</strong> Fines enforceable since June 2023.</li> </ul> <p>The window to get compliant before active enforcement is closing.</p> <hr> <h2 id="get-compliant-now"> Get compliant now <a href="#get-compliant-now" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal gives your organization a fully compliant whistleblower reporting channel in minutes — encrypted, anonymous, and built for EU Directive 2019/1937.</p> <p><a href="/directive-coverage/">See how we meet every requirement</a> | <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">Start your portal</a> </p> <hr> <p><em>Last updated: April 2026. Penalty amounts and enforcement status are based on publicly available legal sources linked above. Contact <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> if you spot an error.</em></p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/faq/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/faq/Common questions about EthicsPortal — compliance, anonymity, data security, billing, and technical details.<h1 id="frequently-asked-questions"> Frequently asked questions <a href="#frequently-asked-questions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <hr> <h2 id="for-compliance-officers-and-decision-makers"> For compliance officers and decision makers <a href="#for-compliance-officers-and-decision-makers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="does-ethicsportal-comply-with-eu-directive-20191937"> Does EthicsPortal comply with EU Directive 2019/1937? <a href="#does-ethicsportal-comply-with-eu-directive-20191937" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. EthicsPortal is built specifically to meet the requirements of the EU Whistleblower Protection Directive. This includes secure reporting channels, anonymous two-way communication, deadline tracking (7-day acknowledgment, 3-month feedback), access controls, data retention policies, and a complete audit trail. See the <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> for an article-by-article breakdown.</p> <h3 id="which-countries-is-ethicsportal-compliant-in"> Which countries is EthicsPortal compliant in? <a href="#which-countries-is-ethicsportal-compliant-in" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal covers the requirements of EU Directive 2019/1937, which has been transposed into national law across EU member states. The platform is designed to meet the Directive’s baseline requirements, which apply across the EU. If your country has additional national requirements (e.g., France’s Loi Waserman), check our <a href="/whistleblower-laws/">country-specific guides</a> or <a href="mailto:support@ethicsportal.eu">contact us</a> .</p> <h3 id="can-we-operate-the-reporting-channel-in-house"> Can we operate the reporting channel in-house? <a href="#can-we-operate-the-reporting-channel-in-house" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes — Article 8(5) of Directive 2019/1937 explicitly permits it. But meeting the Directive’s conditions is structurally harder in-house.</p> <p>Article 9(1) requires confidentiality of the reporter’s identity, impartial follow-up, and restricted access to reports. An in-house channel runs these through the same IT administrators, backups, and litigation-hold tooling that touch every other system in the company. A separate subdomain or mailbox does not change who has access.</p> <p>GDPR adds a second problem. Whistleblowing is on the EDPB’s mandatory-DPIA list. An in-house DPIA has to document how the controller prevents itself from accessing data about itself — which is circular on its face.</p> <p>External operation is contemplated in Art. 8(5) and in the national transpositions: Loi Sapin II / Waserman (FR), HinSchG §14 (DE), D.Lgs. 24/2023 (IT), Ley 2/2023 (ES).</p> <h3 id="where-is-my-data-stored"> Where is my data stored? <a href="#where-is-my-data-stored" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Core report data is stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. Hetzner is a German hosting provider subject to EU data protection law, and transfer safeguards are described in the <a href="/dpa/">DPA</a> and <a href="/subprocessors/">subprocessors</a> pages.</p> <h3 id="is-the-reporting-truly-anonymous"> Is the reporting truly anonymous? <a href="#is-the-reporting-truly-anonymous" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes, if the reporter chooses it. Providing a name or contact information is optional. EthicsPortal does not log IP addresses, strips file metadata (EXIF, GPS, author info) from uploads, and the secure message thread never reveals the case handler’s identity to the reporter. There is no technical mechanism to trace an anonymous report back to a person.</p> <h3 id="how-does-the-7-day-and-3-month-deadline-tracking-work"> How does the 7-day and 3-month deadline tracking work? <a href="#how-does-the-7-day-and-3-month-deadline-tracking-work" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When a report is submitted, EthicsPortal automatically starts two timers based on the Directive’s requirements:</p> <ul> <li><strong>7 days</strong> to acknowledge receipt of the report.</li> <li><strong>3 months</strong> to provide substantive feedback to the reporter.</li> </ul> <p>Overdue reports are flagged in the dashboard, and handlers receive notifications as deadlines approach.</p> <h3 id="do-you-offer-a-data-processing-agreement-dpa"> Do you offer a Data Processing Agreement (DPA)? <a href="#do-you-offer-a-data-processing-agreement-dpa" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. The current DPA is published at <a href="/dpa/">DPA</a> , and a countersigned PDF is available on request.</p> <h3 id="what-certifications-do-you-have"> What certifications do you have? <a href="#what-certifications-do-you-have" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal does not currently claim ISO 27001, SOC 2, or equivalent certification on this site. We document the current security posture, subprocessors, incident disclosure, and service commitments publicly on the <a href="/security/">security</a> , <a href="/subprocessors/">subprocessors</a> , <a href="/incidents/">incidents</a> , and <a href="/sla/">SLA</a> pages.</p> <h3 id="who-is-the-contracting-party"> Who is the contracting party? <a href="#who-is-the-contracting-party" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal is operated by Yaroslav Shmarov, registered in Poland. Baseline contracting and procurement details are published on the <a href="/trust/">trust</a> page.</p> <h3 id="can-you-support-procurement-review"> Can you support procurement review? <a href="#can-you-support-procurement-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. Public due-diligence materials are published on the website, and additional procurement materials are available on request during procurement review. See the <a href="/trust/">trust</a> page.</p> <h3 id="can-i-export-case-data-for-auditors"> Can I export case data for auditors? <a href="#can-i-export-case-data-for-auditors" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. Every report can be exported to PDF, including the full message history, timeline, and audit trail. This is designed for sharing with legal counsel, auditors, or regulators. If you need an additional portability format for migration or regulatory review, contact us during procurement or offboarding review.</p> <hr> <h2 id="for-employees-and-reporters"> For employees and reporters <a href="#for-employees-and-reporters" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="do-i-need-to-create-an-account-to-submit-a-report"> Do I need to create an account to submit a report? <a href="#do-i-need-to-create-an-account-to-submit-a-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>No. You do not need an account, an email address, or any personal information. You visit the portal link, fill in the report, choose a 6-digit passcode, and receive a Case ID. That’s it.</p> <h3 id="can-my-employer-find-out-who-i-am"> Can my employer find out who I am? <a href="#can-my-employer-find-out-who-i-am" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Not through EthicsPortal. If you choose to submit anonymously (without providing your name or contact details), there is no way for your employer to identify you through the platform. EthicsPortal does not log your IP address and strips identifying metadata from any files you upload.</p> <p>That said, be mindful of what you write — if your report contains details that only you could know, that’s outside the platform’s control.</p> <h3 id="how-do-i-check-back-on-my-report"> How do I check back on my report? <a href="#how-do-i-check-back-on-my-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>You need two things: the Case ID (format <code>WB-XXXX-XXXX</code>) shown to you after submission, and the 6-digit passcode you chose. Return to the portal anytime, enter both, and see the current status or exchange messages with the case handler. Keep the Case ID somewhere safe and remember the passcode — we cannot recover the passcode and both are required.</p> <h3 id="can-i-attach-files-to-my-report"> Can I attach files to my report? <a href="#can-i-attach-files-to-my-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. You can upload images, PDFs, video, and audio files up to 100 MB each. All file metadata (location data, author info, camera details) is automatically stripped before storage to protect your identity.</p> <h3 id="can-i-communicate-with-the-case-handler-anonymously"> Can I communicate with the case handler anonymously? <a href="#can-i-communicate-with-the-case-handler-anonymously" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. The built-in message thread is fully anonymous. You see “Case handler” — never a real name. The handler sees your messages but has no way to identify you unless you choose to share that information yourself.</p> <h3 id="what-happens-after-i-submit-a-report"> What happens after I submit a report? <a href="#what-happens-after-i-submit-a-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Your report is received by the organization’s designated case handler. Under EU law, they must acknowledge receipt within 7 days and provide substantive feedback within 3 months. You can check the status at any time using your Case ID and passcode.</p> <hr> <h2 id="for-it-and-technical-teams"> For IT and technical teams <a href="#for-it-and-technical-teams" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="what-encryption-do-you-use"> What encryption do you use? <a href="#what-encryption-do-you-use" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All sensitive report data is encrypted at rest in the database. All connections use TLS (HTTPS). File uploads are stored encrypted on EU-hosted infrastructure.</p> <h3 id="do-you-strip-file-metadata"> Do you strip file metadata? <a href="#do-you-strip-file-metadata" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. Image uploads are stripped server-side before storage. PDF, video, and audio uploads are also processed for metadata removal in the standard production setup described on the <a href="/security/">security page</a> . This reduces the risk of accidental identity disclosure through file properties.</p> <h3 id="do-you-scan-uploaded-files-for-viruses"> Do you scan uploaded files for viruses? <a href="#do-you-scan-uploaded-files-for-viruses" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. All uploaded files are scanned for malware using ClamAV, an open-source antivirus engine. Scanning happens server-side — no file data is sent to external services. Infected files are removed automatically before case handlers can access them.</p> <h3 id="do-you-log-ip-addresses"> Do you log IP addresses? <a href="#do-you-log-ip-addresses" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The application does not store the reporter’s raw IP address in the database. Public whistleblower portal rate limiting uses a one-way hash, and application logs for portal routes are scrubbed to protect reporter anonymity. See <a href="/security/">security</a> for the precise wording.</p> <h3 id="what-third-party-services-do-you-use"> What third-party services do you use? <a href="#what-third-party-services-do-you-use" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <ul> <li><strong>Hetzner</strong> (Germany) — server hosting</li> <li><strong>Stripe</strong> — payment processing</li> <li><strong>Mailjet</strong> (France) — transactional email delivery</li> <li><strong>Cloudflare</strong> — marketing-site CDN and analytics</li> <li><strong>AppSignal</strong> (Netherlands, EU) — error monitoring and application performance monitoring for admin and handler interfaces</li> <li><strong>Crisp</strong> — in-app customer chat in the handler portal</li> </ul> <p>No ad networks or third-party tracking cookies are used on the reporting portal itself.</p> <h3 id="do-you-have-an-api"> Do you have an API? <a href="#do-you-have-an-api" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Not currently available. <a href="mailto:support@ethicsportal.eu">Contact us</a> if API access is a requirement for your organization.</p> <h3 id="do-you-support-custom-domains"> Do you support custom domains? <a href="#do-you-support-custom-domains" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Not currently available. All portals are served under the EthicsPortal domain.</p> <h3 id="do-you-support-sso"> Do you support SSO? <a href="#do-you-support-sso" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Not currently available. Users sign in via magic link (passwordless email authentication).</p> <hr> <h2 id="billing"> Billing <a href="#billing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="how-much-does-ethicsportal-cost"> How much does EthicsPortal cost? <a href="#how-much-does-ethicsportal-cost" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>€49/month</strong>, flat. One plan, everything included. No per-user fees, no per-report fees, no feature tiers.</p> <h3 id="is-there-a-free-trial"> Is there a free trial? <a href="#is-there-a-free-trial" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>No — create your account, pick a plan, and your portal is live in under 10 minutes. €49/month or €490/year. Cancel anytime.</p> <h3 id="can-i-cancel-anytime"> Can I cancel anytime? <a href="#can-i-cancel-anytime" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Yes. Cancel from your account settings at any time. No contracts, no cancellation fees, no phone call required.</p> <h3 id="what-payment-methods-do-you-accept"> What payment methods do you accept? <a href="#what-payment-methods-do-you-accept" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Credit and debit cards via Stripe. If you need to pay by invoice or bank transfer, email <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> .</p> <hr> <h2 id="still-have-a-question"> Still have a question? <a href="#still-have-a-question" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Email <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> . You’ll hear back within one business day.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/product/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/product/Deploy a compliant whistleblower reporting channel in minutes, with portal configuration, case management, and audit exports included.<h1 id="a-fully-compliant-reporting-channel-operational-in-minutes"> A fully compliant reporting channel, operational in minutes <a href="#a-fully-compliant-reporting-channel-operational-in-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal provides a fully configured whistleblower reporting channel that meets EU Directive 2019/1937 out of the box. No implementation project, no IT department required.</p> <p>For the article-by-article map of how each feature satisfies the Directive, see the <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> . For interpretive positions on the Directive’s ambiguous provisions, see the <a href="/directive-interpretations/">Directive 2019/1937 interpretations</a> .</p> <hr> <h2 id="set-up-in-3-steps"> Set up in 3 steps <a href="#set-up-in-3-steps" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="1-configure-your-portal-2-minutes"> 1. Configure your portal (2 minutes) <a href="#1-configure-your-portal-2-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Create your account, then customize:</p> <ul> <li><strong>Organization name and logo:</strong> your portal, your identity</li> <li><strong>Report categories:</strong> fraud, harassment, safety, or define your own</li> <li><strong>Welcome text:</strong> reassure reporters before they submit (a sensible default is pre-filled)</li> <li><strong>Data retention period:</strong> 12, 24, 36, or 60 months, then auto-deleted</li> </ul> <p>Your portal is live instantly at a unique URL. No deployment, no waiting.</p> <figure class="not-prose my-6 sm:my-8 rounded-lg border border-base-300 overflow-hidden shadow-sm"> <img src="/images/screenshots/en-portal-edit.png" alt="Portal configuration screen" class="w-full h-auto block" loading="lazy" decoding="async" /> </figure> <h3 id="2-share-the-link-1-minute"> 2. Share the link (1 minute) <a href="#2-share-the-link-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Every portal gets a <strong>shareable link</strong> and a <strong>QR code</strong>. Put the QR code in break rooms, bathroom stalls, the employee handbook, onboarding packs. Employees access the portal from any browser. No app, account, or company network is required.</p> <p>See EthicsPortal’s own reporting channel in production: <a href="https://secure.ethicsportal.eu/p/BiPdmk" rel="nofollow">secure.ethicsportal.eu/p/BiPdmk</a> .</p> <figure class="not-prose my-6 sm:my-8 rounded-lg border border-base-300 overflow-hidden shadow-sm"> <img src="/images/screenshots/en-portal-public-desktop.png" alt="Share portal link and QR code" class="w-full h-auto block" loading="lazy" decoding="async" /> </figure> <h3 id="3-start-managing-cases"> 3. Start managing cases <a href="#3-start-managing-cases" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When a report comes in, you get an email notification. From the dashboard:</p> <ul> <li><strong>Read the full report:</strong> description, category, and uploaded files</li> <li><strong>Acknowledge receipt:</strong> the Directive requires this within 7 days. EthicsPortal tracks the deadline and flags overdue cases automatically</li> <li><strong>Communicate with the reporter:</strong> secure two-way messaging via access code. The reporter stays anonymous, your handler names are never revealed</li> <li><strong>Provide feedback:</strong> the Directive requires this within 3 months. Tracked automatically</li> <li><strong>Assign, triage, add internal notes:</strong> route cases to the right handler, add notes invisible to the reporter</li> <li><strong>Export to PDF:</strong> generate a complete case file for legal review, auditors, or compliance documentation</li> <li><strong>Log external reports:</strong> received a report by phone, email, or in person? Create it manually so everything lives in one place</li> </ul> <figure class="not-prose my-6 sm:my-8 rounded-lg border border-base-300 overflow-hidden shadow-sm"> <img src="/images/screenshots/en-reports.png" alt="Case management and secure messaging" class="w-full h-auto block" loading="lazy" decoding="async" /> </figure> <hr> <h2 id="what-reporters-experience"> What reporters experience <a href="#what-reporters-experience" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The reporter’s experience matters because it determines whether people actually use the channel.</p> <ul> <li><strong>No account, no app, no login.</strong> Just a browser on any device, including a personal phone on mobile data</li> <li><strong>Fully anonymous by default.</strong> No IP logging. File metadata (EXIF, GPS, author) stripped automatically before storage</li> <li><strong>Optional identity disclosure.</strong> Reporters can share their name if they choose to. It is never required</li> <li><strong>Two-factor case access.</strong> The reporter chooses a 6-digit passcode at submission and receives a Case ID (<code>WB-XXXX-XXXX</code>). Both are required to check back for updates and respond to handler messages</li> <li><strong>Handler names are never shown.</strong> The reporter sees “Case handler” and nothing more</li> </ul> <figure class="not-prose my-6 sm:my-8 rounded-lg border border-base-300 overflow-hidden shadow-sm"> <img src="/images/screenshots/en-new-report-desktop.png" alt="Anonymous reporting form" class="w-full h-auto block" loading="lazy" decoding="async" /> </figure> <hr> <h2 id="whats-under-the-hood"> What’s under the hood <a href="#whats-under-the-hood" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every technical decision serves one purpose: keeping you compliant and your reporters protected.</p> <ul> <li><strong>Encrypted at rest.</strong> All report data is encrypted in the database</li> <li><strong>Virus scanning.</strong> All uploaded files are scanned for malware server-side. Infected files are removed automatically</li> <li><strong>Append-only audit trail.</strong> Every action is logged. Entries cannot be modified after creation. Auditors get who did what, when</li> <li><strong>Two-factor authentication.</strong> TOTP-based 2FA for handler and admin accounts, via any standard authenticator app. Reporters authenticate with two factors as well: Case ID plus a reporter-chosen 6-digit passcode (stored only as a bcrypt digest)</li> <li><strong>Automatic deadline tracking.</strong> 7-day acknowledgment and 3-month feedback deadlines with overdue notifications</li> <li><strong>EU-hosted report data.</strong> Core report data is stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (CDN, United States); the reporting and handler portals are not. Transfer safeguards are documented in the published subprocessor list</li> <li><strong>No tracking.</strong> No IP logging, no analytics cookies, no third-party scripts on the reporting portal</li> </ul> <hr> <h2 id="deploy-your-reporting-channel"> Deploy your reporting channel <a href="#deploy-your-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Operational in minutes. All features included in a single plan.</p> <p><a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">Deploy your reporting channel</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/incidents/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/incidents/Public register of material incidents affecting personal data processed by EthicsPortal. Maintained in the spirit of Article 33 GDPR and as a matter of institutional transparency.<h1 id="incident-register"> Incident register <a href="#incident-register" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>This page records every material incident affecting the confidentiality, integrity, or availability of personal data processed by EthicsPortal. It is maintained in the spirit of Article 33 GDPR (notification of personal data breaches) and as a matter of institutional transparency.</p> <p>Last updated: 2026-04.</p> <hr> <h2 id="scope"> Scope <a href="#scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>An entry is created for any of the following:</p> <ul> <li>A personal data breach as defined by Article 4(12) GDPR — “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”</li> <li>A service outage exceeding two hours that prevented reporters from submitting reports or handlers from accessing active cases.</li> <li>A significant vulnerability in EthicsPortal or a subprocessor that required emergency mitigation.</li> <li>Any incident requiring notification to a supervisory authority under Article 33 GDPR.</li> </ul> <p>Routine interruptions shorter than two hours, planned maintenance, and incidents that did not involve personal data are not recorded here.</p> <hr> <h2 id="disclosure-timeline"> Disclosure timeline <a href="#disclosure-timeline" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Within 72 hours</strong> of becoming aware of a personal data breach — notification to affected operators (controllers) via email, per Article 33(2) GDPR.</li> <li><strong>Within 7 days</strong> of containment — preliminary entry added to this register with summary, affected data categories, and mitigation status.</li> <li><strong>Within 30 days</strong> of containment — final entry with root cause, remediation, and lessons learned.</li> </ul> <p>Entries remain public indefinitely. Entries are never edited to reduce embarrassment; corrections are appended as later entries.</p> <hr> <h2 id="reporting-a-security-concern"> Reporting a security concern <a href="#reporting-a-security-concern" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>To report a security issue affecting EthicsPortal, contact <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> . Encrypted reports welcome; PGP key on request.</p> <hr> <h2 id="register"> Register <a href="#register" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><em>No entries.</em></p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/policies/information-security/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/policies/information-security/EthicsPortal's information security policy. Scope, roles, control commitments, review cadence, and document control.<h1 id="information-security-policy"> Information security policy <a href="#information-security-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> 2026-05-21 <strong>Last reviewed:</strong> 2026-05-21 <strong>Next review:</strong> 2027-05-21 <strong>Owner:</strong> Yaroslav Shmarov, operator <strong>Version:</strong> 1.0</p> <hr> <h2 id="1-purpose"> 1. Purpose <a href="#1-purpose" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This policy states the information-security objectives that govern EthicsPortal, the controls that satisfy them, and the responsibilities that maintain them. It exists so that customers, controllers under GDPR, regulators, and procurement reviewers can refer to a single named document for the security posture of the Service.</p> <p>This policy is the parent document for the <a href="/policies/business-continuity/">business continuity plan</a> , the <a href="/policies/risk-register/">risk register</a> , and the <a href="/iso-27001/">ISO/IEC 27001:2022 Annex A control map</a> .</p> <hr> <h2 id="2-scope"> 2. Scope <a href="#2-scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This policy applies to:</p> <ul> <li>The EthicsPortal Service — the reporter portal, handler portal, and supporting infrastructure listed on the <a href="/security/#infrastructure">Security</a> page.</li> <li>All personal data processed by the Service on behalf of customer organizations (controllers under GDPR), including report content, reporter identity, handler messages, file attachments, and audit-log entries.</li> <li>The operator and all sub-processors listed on the <a href="/subprocessors/">subprocessors</a> page.</li> </ul> <p>This policy does not extend to systems operated by the controller (the customer organization) outside the Service.</p> <hr> <h2 id="3-objectives"> 3. Objectives <a href="#3-objectives" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal commits to three primary security objectives, in order of priority:</p> <ol> <li><strong>Confidentiality of reporter identity.</strong> Personal data identifying or reasonably capable of identifying a whistleblower is protected against unauthorized disclosure to any party — including controller-side personnel who are not designated handlers, sub-processors, and the operator’s own infrastructure providers — to the extent technically feasible.</li> <li><strong>Integrity of the audit trail.</strong> Records of who did what, when, are preserved in an append-only form that cannot be altered by any user, including organization administrators.</li> <li><strong>Availability of the reporting channel.</strong> The reporter portal is available to whistleblowers under the <a href="/sla/">SLA</a> target so that the protected reporting right under EU Directive 2019/1937 is not silently degraded.</li> </ol> <p>Confidentiality takes precedence over availability where the two conflict — the reporter portal will be taken offline in the event of a credible threat to reporter identity, with disclosure under the <a href="/incidents/">incident register</a> .</p> <hr> <h2 id="4-roles-and-responsibilities"> 4. Roles and responsibilities <a href="#4-roles-and-responsibilities" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is operated by a single named individual, Yaroslav Shmarov, who holds all of the following responsibilities:</p> <table> <thead> <tr> <th>Role</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td>Information security officer</td> <td>Owns this policy and its review</td> </tr> <tr> <td>Data protection officer (functional)</td> <td>Privacy and data-subject-rights inquiries; reachable at <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> and <a href="mailto:dpo@ethicsportal.eu">dpo@ethicsportal.eu</a> </td> </tr> <tr> <td>Incident response lead</td> <td>Owns the response process for events meeting the <a href="/incidents/">incident register</a> scope</td> </tr> <tr> <td>Authorized signatory</td> <td>Signs DPAs, security questionnaires, and commercial agreements</td> </tr> <tr> <td>Sub-processor manager</td> <td>Reviews sub-processor relationships and publishes the list on the <a href="/subprocessors/">subprocessors</a> page</td> </tr> </tbody> </table> <p>The single-operator structure is documented openly on the <a href="/trust/#continuity-and-personnel">Trust</a> page. Continuity arrangements that compensate for this structure are stated in the <a href="/policies/business-continuity/">business continuity plan</a> .</p> <hr> <h2 id="5-control-commitments"> 5. Control commitments <a href="#5-control-commitments" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The technical and organizational measures implementing this policy are documented on the <a href="/security/">Security</a> page and are summarized below. Each commitment maps to one or more ISO/IEC 27001:2022 Annex A controls in the <a href="/iso-27001/">control map</a> .</p> <table> <thead> <tr> <th>Domain</th> <th>Commitment</th> <th>Detail</th> </tr> </thead> <tbody> <tr> <td>Encryption at rest</td> <td>Non-deterministic encryption of all sensitive report data and reporter identity</td> <td><a href="/security/#data-encryption">Security#data-encryption</a> </td> </tr> <tr> <td>Encryption in transit</td> <td>HTTPS/TLS for all connections; unencrypted HTTP is redirected</td> <td><a href="/security/#data-encryption">Security#data-encryption</a> </td> </tr> <tr> <td>Reporter anonymity</td> <td>No raw IP storage; one-way hashing for rate limiting; metadata stripped from uploads</td> <td><a href="/security/#anonymity-and-privacy">Security#anonymity-and-privacy</a> </td> </tr> <tr> <td>Access control</td> <td>Role-based access enforced at the controller boundary via Pundit policies; least-privilege defaults; mandatory two-factor authentication available for handler accounts</td> <td><a href="/security/#access-control">Security#access-control</a> </td> </tr> <tr> <td>Session management</td> <td>14-day idle timeout; per-session revocation; nightly sweep</td> <td><a href="/security/#access-control">Security#access-control</a> </td> </tr> <tr> <td>Audit trail</td> <td>Append-only, actor + action + timestamp, cannot be edited by any user</td> <td><a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> </td> </tr> <tr> <td>Retention</td> <td>Customer-configurable 12/24/36/60-month retention with automatic deletion after closure</td> <td><a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> </td> </tr> <tr> <td>Secure development</td> <td>Documented lifecycle covering design review, code review, static analysis, dependency management, environment separation, vulnerability response</td> <td><a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> </td> </tr> <tr> <td>Vulnerability management</td> <td>Continuous SCA in CI; weekly Dependabot; no end-of-life components</td> <td><a href="/security/#dependency-and-patch-management">Security#dependency-and-patch-management</a> </td> </tr> <tr> <td>Backup and restore</td> <td>Daily encrypted database dumps + server-level snapshots in EU; RPO 24h, RTO 4h; quarterly restore drill</td> <td><a href="/security/#backups-and-restore">Security#backups-and-restore</a> </td> </tr> <tr> <td>Sub-processor management</td> <td>Published list, 30-day change notice, controller objection right</td> <td><a href="/subprocessors/">Subprocessors</a> , <a href="/dpa/">DPA §6.4</a> </td> </tr> <tr> <td>No AI / LLM processing</td> <td>Personal data covered by the DPA is not transmitted to any LLM, generative-AI, or AI-classifier service</td> <td><a href="/dpa/">DPA §6.10</a> </td> </tr> <tr> <td>No BYOK</td> <td>Customer-managed encryption keys are not supported; deliberate architectural choice</td> <td><a href="/dpa/">DPA §6.11</a> </td> </tr> <tr> <td>Incident response</td> <td>Material incidents recorded publicly within 7 days of containment; final report within 30 days</td> <td><a href="/incidents/">Incident register</a> </td> </tr> <tr> <td>Personal data breach notification</td> <td>Notification to affected controllers within 72 hours of awareness</td> <td><a href="/dpa/">DPA §6.6</a> </td> </tr> </tbody> </table> <hr> <h2 id="6-risk-management"> 6. Risk management <a href="#6-risk-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Information-security risks are assessed against the Service annually and after any material change to architecture, sub-processors, or the threat landscape. The current assessment, treatment, and residual-position decisions are published in the <a href="/policies/risk-register/">risk register</a> .</p> <p>Risks accepted as residual are stated openly with a justification; risks not yet treated are stated openly with a target.</p> <hr> <h2 id="7-sub-processor-management"> 7. Sub-processor management <a href="#7-sub-processor-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal engages sub-processors only where the function cannot reasonably be performed in-house and where the sub-processor materially improves availability, confidentiality, or compliance for the customer. The current list, the data each sub-processor receives, and the legal jurisdiction of each are published on the <a href="/subprocessors/">subprocessors</a> page.</p> <p>No large language model, generative-AI service, or AI-based classifier is engaged as a sub-processor. This is a documented product commitment (<a href="/dpa/">DPA §6.10</a> ) and a confidentiality-grade decision (<a href="/directive-coverage/">Coverage map §5</a> ), not a configuration default.</p> <p>Controllers are notified at least 30 days before any sub-processor is added or replaced. A controller that objects to a proposed change may terminate the agreement under <a href="/dpa/">DPA §6.4</a> without penalty.</p> <hr> <h2 id="8-personnel-security"> 8. Personnel security <a href="#8-personnel-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal has no employees or contractors. All personal data is processed exclusively by the named operator. ISO/IEC 27001:2022 Annex A personnel controls (A.6.1 screening, A.6.3 awareness, A.6.4 disciplinary process) are therefore marked <strong>Not applicable</strong> in the <a href="/iso-27001/#a6-people-controls">control map</a> , with the substantive concerns addressed through compensating arrangements: privileged-production-access summary available during procurement review, operator self-directed awareness via subscribed security feeds (see ISO 27001 A.5.6), and continuity arrangements stated in the <a href="/policies/business-continuity/">business continuity plan</a> .</p> <p>If EthicsPortal engages additional personnel in the future, this policy will be updated to state the screening, training, and offboarding procedures that apply.</p> <hr> <h2 id="9-physical-security"> 9. Physical security <a href="#9-physical-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal does not operate its own physical infrastructure. Server, database, and object-storage hosting are provided by Hetzner Online GmbH in Nuremberg, Germany. Physical security controls (data-center access, environmental controls, media destruction) are inherited from Hetzner and documented in their published certifications. See <a href="/subprocessors/">subprocessors</a> .</p> <p>The operator does not maintain a physical office that processes customer data. Operator workstations used for production access are protected by full-disk encryption and screen-lock controls.</p> <hr> <h2 id="10-compliance"> 10. Compliance <a href="#10-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal commits to compliance with:</p> <ul> <li><strong>GDPR (Regulation 2016/679)</strong>, particularly Articles 5, 28, 32, and 33.</li> <li><strong>EU Directive 2019/1937</strong> on the protection of persons who report breaches of Union law.</li> <li><strong>National transpositions</strong> of the Directive in the customer’s country of operation. See <a href="/whistleblower-laws/">whistleblower laws by country</a> .</li> <li><strong>EU Accessibility Act / EN 301 549</strong> for the reporter-facing portal. See <a href="/accessibility/">accessibility</a> and the <a href="/en-301-549-conformance/">EN 301 549 conformance statement</a> .</li> </ul> <p>EthicsPortal does not currently hold ISO/IEC 27001 certification. The platform publishes a structured self-assessment against ISO/IEC 27001:2022 Annex A controls at <a href="/iso-27001/">/iso-27001/</a> . When accreditation is obtained, the certificate scope and date will be published on <a href="/trust/#certification-status">/trust/</a> .</p> <hr> <h2 id="11-policy-violations-and-enforcement"> 11. Policy violations and enforcement <a href="#11-policy-violations-and-enforcement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>A violation of this policy by the operator is a violation of the contractual commitments to controllers and may trigger:</p> <ul> <li>A reportable entry in the <a href="/incidents/">incident register</a> </li> <li>Notification to affected controllers under <a href="/dpa/">DPA §6.6</a> </li> <li>Notification to the competent supervisory authority where <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 33</a> GDPR requires it</li> </ul> <p>Where a violation is suspected or reported, the operator is required to record, investigate, remediate, and disclose under the same process as any other security incident.</p> <hr> <h2 id="12-document-control"> 12. Document control <a href="#12-document-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Document title</td> <td>EthicsPortal Information Security Policy</td> </tr> <tr> <td>Version</td> <td>1.0</td> </tr> <tr> <td>Effective date</td> <td>2026-05-21</td> </tr> <tr> <td>Last reviewed</td> <td>2026-05-21</td> </tr> <tr> <td>Next scheduled review</td> <td>2027-05-21</td> </tr> <tr> <td>Review trigger (interim)</td> <td>Any material change to architecture, sub-processors, regulatory obligations, or the <a href="/policies/risk-register/">risk register</a> </td> </tr> <tr> <td>Owner</td> <td>Yaroslav Shmarov, operator</td> </tr> <tr> <td>Distribution</td> <td>Published on <a href="/policies/">ethicsportal.eu/policies/</a> </td> </tr> </tbody> </table> <p>This policy is reviewed annually and after any of the interim triggers above. The effective date and version are incremented when the policy is materially revised.</p> <p>Signed: Yaroslav Shmarov, on behalf of EthicsPortal — 2026-05-21.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/iso-27001/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/iso-27001/Self-assessment of EthicsPortal against the 93 controls in ISO/IEC 27001:2022 Annex A. Status and evidence for every control. Not an accredited certification.<h1 id="isoiec-270012022-annex-a-control-map"> ISO/IEC 27001:2022 Annex A control map <a href="#isoiec-270012022-annex-a-control-map" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal does not currently hold accredited ISO/IEC 27001 certification. This page is a structured self-assessment of EthicsPortal against the same control set an external auditor would evaluate — all 93 Annex A controls — so a procurement reviewer can verify the substance directly.</p> <p>The self-assessment is published openly. Where a control is not in place, that fact is stated openly with a target. Where a control does not apply given the structure of the Service (for example, personnel controls in a zero-employee organization), that fact is stated openly with the reasoning.</p> <p>When EthicsPortal pursues accredited certification, the certificate scope and date will be published on <a href="/trust/#certification-status">/trust/</a> alongside this page.</p> <p>Last updated: 2026-05-21.</p> <hr> <h2 id="how-to-read-this-page"> How to read this page <a href="#how-to-read-this-page" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Status</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><strong>Implemented</strong></td> <td>The control is in place and operating; evidence is published or available during procurement review</td> </tr> <tr> <td><strong>Self-assessed</strong></td> <td>The control is in place and operates substantively as ISO/IEC 27001:2022 describes, but has not been independently audited</td> </tr> <tr> <td><strong>Compensating</strong></td> <td>The primary form of the control does not apply (typically because of the sole-operator structure), and an alternative arrangement achieves the same security objective</td> </tr> <tr> <td><strong>Inherited</strong></td> <td>The control is provided by a named sub-processor (typically <a href="/subprocessors/">Hetzner</a> ) under its own certification regime</td> </tr> <tr> <td><strong>Not applicable</strong></td> <td>The control does not apply given the structure of the Service; the reason is stated</td> </tr> <tr> <td><strong>In treatment</strong></td> <td>The control is not yet in place at the operator’s target level; the current state, the target, and the planned action are stated openly</td> </tr> <tr> <td><strong>Inherited + Implemented</strong></td> <td>The control has both an infrastructure layer (provided by a named sub-processor under its own certification) and an application layer (implemented in EthicsPortal); both are in place. In the summary tally below, such hybrids are counted under <strong>Implemented</strong></td> </tr> </tbody> </table> <p>The companion documents this page cites:</p> <ul> <li><a href="/policies/information-security/">Information security policy</a> </li> <li><a href="/policies/business-continuity/">Business continuity plan</a> </li> <li><a href="/policies/risk-register/">Risk register</a> </li> <li><a href="/security/">Security</a> (technical and organizational measures)</li> <li><a href="/dpa/">Data Processing Agreement</a> </li> <li><a href="/subprocessors/">Subprocessors</a> </li> <li><a href="/incidents/">Incident register</a> </li> </ul> <hr> <h2 id="a5-organizational-controls"> A.5 Organizational controls <a href="#a5-organizational-controls" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Control</th> <th>Title</th> <th>Status</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>A.5.1</td> <td>Policies for information security</td> <td>Implemented</td> <td><a href="/policies/information-security/">Information security policy</a> </td> </tr> <tr> <td>A.5.2</td> <td>Information security roles and responsibilities</td> <td>Implemented</td> <td><a href="/policies/information-security/">IS policy §4</a> — single named operator holds all security roles</td> </tr> <tr> <td>A.5.3</td> <td>Segregation of duties</td> <td>Compensating</td> <td>Sole-operator structure makes traditional duty segregation inapplicable. Compensating arrangement: append-only audit log records every action; static analysis enforces non-negotiable invariants at merge (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> , <a href="/policies/risk-register/">Risk register R-04</a> )</td> </tr> <tr> <td>A.5.4</td> <td>Management responsibilities</td> <td>Implemented</td> <td>Operator is sole management; commitments stated in <a href="/policies/information-security/">IS policy</a> §3</td> </tr> <tr> <td>A.5.5</td> <td>Contact with authorities</td> <td>Self-assessed</td> <td>Direct contact with Polish supervisory authority (UODO) and customer-side DPAs through the breach-notification path; no standing liaison</td> </tr> <tr> <td>A.5.6</td> <td>Contact with special interest groups</td> <td>Self-assessed</td> <td>CVE feeds, Rails security mailing list, Ruby Advisory Database subscribed via tooling (<a href="/security/#dependency-and-patch-management">Security#dependency-and-patch-management</a> )</td> </tr> <tr> <td>A.5.7</td> <td>Threat intelligence</td> <td>Self-assessed</td> <td>Continuous SCA via Brakeman, bundler-audit, Dependabot; no formal threat-intel program. <a href="/policies/risk-register/">Risk register R-07</a> states the residual position</td> </tr> <tr> <td>A.5.8</td> <td>Information security in project management</td> <td>Implemented</td> <td><a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> — features with new personal-data flows are reviewed at design stage</td> </tr> <tr> <td>A.5.9</td> <td>Inventory of information and other associated assets</td> <td>Implemented</td> <td><a href="/dpa/">DPA §3</a> lists processed data categories; <a href="/subprocessors/">Subprocessors</a> lists external assets; privileged-access summary available during procurement review</td> </tr> <tr> <td>A.5.10</td> <td>Acceptable use of information and other associated assets</td> <td>Compensating</td> <td>No employees; operator’s own use is governed by the <a href="/policies/information-security/">IS policy</a> and the <a href="/terms/">Terms</a> §7</td> </tr> <tr> <td>A.5.11</td> <td>Return of assets</td> <td>Not applicable</td> <td>No employees, no joiner/leaver process. Customer-side asset return (data export and deletion) is governed by <a href="/dpa/">DPA §6.8</a> </td> </tr> <tr> <td>A.5.12</td> <td>Classification of information</td> <td>Implemented</td> <td><a href="/dpa/">DPA §3</a> classifies each data category (reporter identity, report content, communications, attachments, operational data, audit-log) and states encryption status</td> </tr> <tr> <td>A.5.13</td> <td>Labelling of information</td> <td>Implemented</td> <td>Encryption status of each field is identified in <a href="/dpa/">DPA §3</a> and <a href="/security/#data-encryption">Security#data-encryption</a> </td> </tr> <tr> <td>A.5.14</td> <td>Information transfer</td> <td>Implemented</td> <td>All connections use HTTPS/TLS (<a href="/security/#data-encryption">Security#data-encryption</a> ); transfers to sub-processors are governed by written DPAs (<a href="/subprocessors/">Subprocessors</a> )</td> </tr> <tr> <td>A.5.15</td> <td>Access control</td> <td>Implemented</td> <td><a href="/security/#access-control">Security#access-control</a> — Pundit policy authorization, RBAC, 2FA, session lifecycle</td> </tr> <tr> <td>A.5.16</td> <td>Identity management</td> <td>Implemented</td> <td>Magic-link authentication; per-user identity tracked through the membership lifecycle; deactivation cuts access at the request boundary</td> </tr> <tr> <td>A.5.17</td> <td>Authentication information</td> <td>Implemented</td> <td>Reporter passcodes bcrypt-hashed and non-recoverable; handler authentication via magic-link plus TOTP; no plaintext password storage</td> </tr> <tr> <td>A.5.18</td> <td>Access rights</td> <td>Implemented</td> <td>Role-based with least-privilege defaults; periodic review via member deactivation and audit-log review (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> <tr> <td>A.5.19</td> <td>Information security in supplier relationships</td> <td>Implemented</td> <td><a href="/subprocessors/">Subprocessors</a> page lists each supplier with data category, jurisdiction, and purpose; <a href="/dpa/">DPA §6.4</a> governs the relationship</td> </tr> <tr> <td>A.5.20</td> <td>Addressing information security within supplier agreements</td> <td>Implemented</td> <td>Written DPA in place with each sub-processor under GDPR Art. 28</td> </tr> <tr> <td>A.5.21</td> <td>Managing information security in the ICT supply chain</td> <td>Self-assessed</td> <td>SCA on every dependency change; sub-processor change notice on additions (<a href="/dpa/">DPA §6.4</a> ). No formal upstream-supplier audit program</td> </tr> <tr> <td>A.5.22</td> <td>Monitoring, review and change management of supplier services</td> <td>Self-assessed</td> <td>Sub-processor SLAs and security disclosures monitored informally; no formal annual supplier-review program</td> </tr> <tr> <td>A.5.23</td> <td>Information security for use of cloud services</td> <td>Implemented</td> <td>EU-only cloud hosting documented on <a href="/security/#infrastructure">Security#infrastructure</a> and <a href="/subprocessors/">Subprocessors</a> ; Standard Contractual Clauses in place for the one named non-EU sub-processor (Cloudflare, marketing-site CDN only)</td> </tr> <tr> <td>A.5.24</td> <td>Information security incident management planning and preparation</td> <td>Implemented</td> <td><a href="/policies/business-continuity/">Business continuity plan §3–5</a> defines triggers, decision authority, communication; <a href="/incidents/">Incident register</a> defines disclosure timeline</td> </tr> <tr> <td>A.5.25</td> <td>Assessment and decision on information security events</td> <td>Implemented</td> <td><a href="/policies/business-continuity/">BCP §3</a> defines trigger conditions; operator is sole decision authority</td> </tr> <tr> <td>A.5.26</td> <td>Response to information security incidents</td> <td>Implemented</td> <td><a href="/policies/business-continuity/">BCP §4–7</a> ; <a href="/incidents/">Incident register</a> records every material incident</td> </tr> <tr> <td>A.5.27</td> <td>Learning from information security incidents</td> <td>Implemented</td> <td><a href="/incidents/">Incident register</a> final entry includes root cause, remediation, and lessons learned within 30 days of containment</td> </tr> <tr> <td>A.5.28</td> <td>Collection of evidence</td> <td>Implemented</td> <td>Append-only audit log preserved in all PDF case exports; per-incident written log retained for audit</td> </tr> <tr> <td>A.5.29</td> <td>Information security during disruption</td> <td>Implemented</td> <td><a href="/policies/business-continuity/">Business continuity plan</a> §1–7</td> </tr> <tr> <td>A.5.30</td> <td>ICT readiness for business continuity</td> <td>Implemented</td> <td><a href="/policies/business-continuity/">BCP §2 & §6</a> ; RPO 24h / RTO 4h published in <a href="/sla/#recovery-objectives">SLA</a> ; quarterly restore drill</td> </tr> <tr> <td>A.5.31</td> <td>Legal, statutory, regulatory and contractual requirements</td> <td>Implemented</td> <td><a href="/directive-coverage/">Directive coverage map</a> , <a href="/directive-interpretations/">Directive interpretations</a> , <a href="/whistleblower-laws/">Whistleblower laws by country</a> , GDPR Art. 32 coverage on <a href="/security/">Security</a> </td> </tr> <tr> <td>A.5.32</td> <td>Intellectual property rights</td> <td>Implemented</td> <td><a href="/terms/">Terms §8</a> covers customer-content IP; <a href="/terms/">Terms §12</a> provides IP indemnification with standard carve-outs</td> </tr> <tr> <td>A.5.33</td> <td>Protection of records</td> <td>Implemented</td> <td>Append-only audit log; retention-based deletion (<a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> )</td> </tr> <tr> <td>A.5.34</td> <td>Privacy and protection of personal identifiable information (PII)</td> <td>Implemented</td> <td><a href="/privacy/">Privacy policy</a> , <a href="/dpa/">DPA</a> , <a href="/security/#anonymity-and-privacy">Security#anonymity-and-privacy</a> ; GDPR Art. 32 measures documented</td> </tr> <tr> <td>A.5.35</td> <td>Independent review of information security</td> <td>In treatment</td> <td>No external penetration test or independent audit currently on record. Stated openly on <a href="/trust/#certification-status">Trust#certification-status</a> . Target: external pen test once post-revenue budget permits; published here when on record</td> </tr> <tr> <td>A.5.36</td> <td>Compliance with policies, rules and standards for information security</td> <td>Implemented</td> <td>This control map plus the <a href="/policies/information-security/">IS policy</a> , <a href="/policies/business-continuity/">BCP</a> , and <a href="/policies/risk-register/">Risk register</a> form the compliance frame; CI-enforced static analysis enforces invariants at merge</td> </tr> <tr> <td>A.5.37</td> <td>Documented operating procedures</td> <td>Implemented</td> <td>SDLC documented on <a href="/security/#secure-development-lifecycle">Security</a> ; restore procedure documented in <a href="/policies/business-continuity/">BCP §6</a> ; deployment via versioned Kamal configuration</td> </tr> </tbody> </table> <hr> <h2 id="a6-people-controls"> A.6 People controls <a href="#a6-people-controls" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Control</th> <th>Title</th> <th>Status</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>A.6.1</td> <td>Screening</td> <td>Not applicable</td> <td>No employees or contractors. Sole-operator structure disclosed on <a href="/trust/#continuity-and-personnel">Trust#continuity-and-personnel</a> . Operator screening (identity, tax registration) is verifiable through the published registry information</td> </tr> <tr> <td>A.6.2</td> <td>Terms and conditions of employment</td> <td>Not applicable</td> <td>No employees</td> </tr> <tr> <td>A.6.3</td> <td>Information security awareness, education and training</td> <td>Not applicable</td> <td>No employees. Operator self-directed via the special-interest-group subscriptions noted at A.5.6</td> </tr> <tr> <td>A.6.4</td> <td>Disciplinary process</td> <td>Not applicable</td> <td>No employees</td> </tr> <tr> <td>A.6.5</td> <td>Responsibilities after termination or change of employment</td> <td>Not applicable</td> <td>No employees</td> </tr> <tr> <td>A.6.6</td> <td>Confidentiality or non-disclosure agreements</td> <td>Implemented</td> <td>Operator’s confidentiality obligation to controllers is in <a href="/dpa/">DPA §6.2</a> ; customer-facing NDAs available on request during procurement review</td> </tr> <tr> <td>A.6.7</td> <td>Remote working</td> <td>Self-assessed</td> <td>Operator works remotely; workstation hardened with full-disk encryption, screen-lock, and OS auto-update; production access only via the operator’s authenticated session. No separate remote-working policy document</td> </tr> <tr> <td>A.6.8</td> <td>Information security event reporting</td> <td>Implemented</td> <td><a href="/security/#responsible-disclosure">Responsible disclosure</a> inbox at <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> ; <a href="/incidents/">Incident register</a> records confirmed events</td> </tr> </tbody> </table> <hr> <h2 id="a7-physical-controls"> A.7 Physical controls <a href="#a7-physical-controls" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal does not operate its own physical infrastructure. The physical controls below are inherited from <a href="/subprocessors/">Hetzner</a> (Nuremberg, Germany — ISO 27001-certified data centers under Hetzner’s own scope) for hosting controls, or fulfilled at the operator-workstation level for endpoint controls.</p> <table> <thead> <tr> <th>Control</th> <th>Title</th> <th>Status</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>A.7.1</td> <td>Physical security perimeters</td> <td>Inherited</td> <td>Hetzner Nuremberg data center under Hetzner certification scope</td> </tr> <tr> <td>A.7.2</td> <td>Physical entry</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.3</td> <td>Securing offices, rooms and facilities</td> <td>Not applicable</td> <td>No EthicsPortal office processes customer data</td> </tr> <tr> <td>A.7.4</td> <td>Physical security monitoring</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.5</td> <td>Protecting against physical and environmental threats</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.6</td> <td>Working in secure areas</td> <td>Not applicable</td> <td>No EthicsPortal physical secure areas</td> </tr> <tr> <td>A.7.7</td> <td>Clear desk and clear screen</td> <td>Self-assessed</td> <td>Operator workstation has automatic screen-lock and clear-desk practice for any printed materials touching customer data (rare in practice)</td> </tr> <tr> <td>A.7.8</td> <td>Equipment siting and protection</td> <td>Self-assessed</td> <td>Operator workstation; production equipment is at Hetzner</td> </tr> <tr> <td>A.7.9</td> <td>Security of assets off-premises</td> <td>Self-assessed</td> <td>Operator workstation = primary off-premises asset; full-disk encryption, screen-lock, hardware-key 2FA on production-access accounts</td> </tr> <tr> <td>A.7.10</td> <td>Storage media</td> <td>Self-assessed</td> <td>No removable media is used for production data. Backups exist only in EU cloud object storage</td> </tr> <tr> <td>A.7.11</td> <td>Supporting utilities</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.12</td> <td>Cabling security</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.13</td> <td>Equipment maintenance</td> <td>Inherited</td> <td>Hetzner Nuremberg data center</td> </tr> <tr> <td>A.7.14</td> <td>Secure disposal or re-use of equipment</td> <td>Self-assessed</td> <td>Operator workstation is full-disk encrypted, so destruction of the encryption key on re-use suffices. Hetzner handles its own equipment disposal under its certification</td> </tr> </tbody> </table> <hr> <h2 id="a8-technological-controls"> A.8 Technological controls <a href="#a8-technological-controls" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Control</th> <th>Title</th> <th>Status</th> <th>Evidence</th> </tr> </thead> <tbody> <tr> <td>A.8.1</td> <td>User end point devices</td> <td>Self-assessed</td> <td>Operator workstation: full-disk encryption, screen-lock, OS auto-update, hardware-key 2FA on production-access accounts</td> </tr> <tr> <td>A.8.2</td> <td>Privileged access rights</td> <td>Implemented</td> <td>Only the operator has production access; access requires the operator’s authenticated session with hardware-key 2FA; privileged-access summary available during procurement review</td> </tr> <tr> <td>A.8.3</td> <td>Information access restriction</td> <td>Implemented</td> <td><a href="/security/#access-control">Security#access-control</a> — Pundit policy authorization on every controller action; RBAC; least privilege</td> </tr> <tr> <td>A.8.4</td> <td>Access to source code</td> <td>Implemented</td> <td>Private repository on Git hosting with hardware-key 2FA enforced on the operator’s account; no shared credentials</td> </tr> <tr> <td>A.8.5</td> <td>Secure authentication</td> <td>Implemented</td> <td>Magic-link primary authentication; TOTP-based 2FA for handler/admin accounts; bcrypt-hashed reporter passcodes (<a href="/security/#access-control">Security#access-control</a> )</td> </tr> <tr> <td>A.8.6</td> <td>Capacity management</td> <td>Self-assessed</td> <td>AppSignal performance monitoring on the handler portal; informal capacity planning. No formal capacity-management plan document</td> </tr> <tr> <td>A.8.7</td> <td>Protection against malware</td> <td>Implemented</td> <td>ClamAV virus scan on every uploaded file before delivery; infected files blocked and removed (<a href="/security/#virus-scanning">Security#virus-scanning</a> )</td> </tr> <tr> <td>A.8.8</td> <td>Management of technical vulnerabilities</td> <td>Implemented</td> <td>Brakeman, bundler-audit, importmap audit on every change; Dependabot weekly grouped updates; documented response SLA (critical 7d, high 30d, medium 90d) (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.9</td> <td>Configuration management</td> <td>Implemented</td> <td>All infrastructure configuration is version-controlled (Kamal deployment configuration); no out-of-band production changes</td> </tr> <tr> <td>A.8.10</td> <td>Information deletion</td> <td>Implemented</td> <td>Retention-based automatic deletion (12/24/36/60 months); deletion on subscription termination within 30 days on request (<a href="/dpa/">DPA §6.8</a> , <a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> )</td> </tr> <tr> <td>A.8.11</td> <td>Data masking</td> <td>Implemented</td> <td>Compliance-report PDF excludes sensitive report content; handler-portal views display “Case handler” rather than handler identity to reporters; admin-side views surface only authorized fields</td> </tr> <tr> <td>A.8.12</td> <td>Data leakage prevention</td> <td>Implemented</td> <td>No personal-data egress to external services; no AI/LLM sub-processor (<a href="/dpa/">DPA §6.10</a> ); subprocessor list strictly scoped per-row (<a href="/subprocessors/">Subprocessors</a> )</td> </tr> <tr> <td>A.8.13</td> <td>Information backup</td> <td>Implemented</td> <td>Daily encrypted PostgreSQL dumps to Hetzner Object Storage (separate from compute host); Hetzner server-level snapshots; 7-day retention; quarterly restore drill (<a href="/security/#backups-and-restore">Security#backups-and-restore</a> )</td> </tr> <tr> <td>A.8.14</td> <td>Redundancy of information processing facilities</td> <td>Self-assessed</td> <td>No cross-provider hot failover at current customer footprint. Backups and restore procedures provide a documented recovery path within RTO. Trade-off stated openly in <a href="/policies/risk-register/">Risk register R-02</a> </td> </tr> <tr> <td>A.8.15</td> <td>Logging</td> <td>Implemented</td> <td>Append-only audit trail for every action (timestamp, actor, action type) preserved for the configured retention; AppSignal records handler-portal request telemetry</td> </tr> <tr> <td>A.8.16</td> <td>Monitoring activities</td> <td>Implemented</td> <td>AppSignal on the handler portal. Deliberately not present on the reporter portal — reporter-side monitoring would compromise the anonymity model (<a href="/subprocessors/">Subprocessors</a> )</td> </tr> <tr> <td>A.8.17</td> <td>Clock synchronization</td> <td>Implemented</td> <td>NTP via the host operating system; all timestamps recorded in UTC</td> </tr> <tr> <td>A.8.18</td> <td>Use of privileged utility programs</td> <td>Self-assessed</td> <td>Operator has shell access to production for non-routine maintenance; use is recorded in the operator’s incident/maintenance log. No shared admin accounts</td> </tr> <tr> <td>A.8.19</td> <td>Installation of software on operational systems</td> <td>Implemented</td> <td>Production installations only via the Kamal deployment configuration. No manual package installation on production hosts</td> </tr> <tr> <td>A.8.20</td> <td>Networks security</td> <td>Inherited + Implemented</td> <td>Network-level protection inherited from Hetzner; application-level TLS termination and rate-limiting implemented in the application (<a href="/security/#rate-limiting">Security#rate-limiting</a> )</td> </tr> <tr> <td>A.8.21</td> <td>Security of network services</td> <td>Inherited</td> <td>Hetzner network services</td> </tr> <tr> <td>A.8.22</td> <td>Segregation of networks</td> <td>Self-assessed</td> <td>Production is isolated from operator workstation by network boundary; non-production environments do not contain production personal data (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.23</td> <td>Web filtering</td> <td>Not applicable</td> <td>No employee egress network to filter</td> </tr> <tr> <td>A.8.24</td> <td>Use of cryptography</td> <td>Implemented</td> <td>Non-deterministic encryption at rest via Rails ActiveRecord Encryption; HTTPS/TLS in transit; bcrypt for passcodes (<a href="/security/#data-encryption">Security#data-encryption</a> ). Customer-managed keys not supported and the reason is stated in <a href="/dpa/">DPA §6.11</a> </td> </tr> <tr> <td>A.8.25</td> <td>Secure development life cycle</td> <td>Implemented</td> <td><a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> </td> </tr> <tr> <td>A.8.26</td> <td>Application security requirements</td> <td>Implemented</td> <td>Encryption coverage, authorization scope, audit-log emission, and input-validation requirements are checked in code review for every change (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.27</td> <td>Secure system architecture and engineering principles</td> <td>Implemented</td> <td>Encryption boundary, append-only audit log, RBAC at the request boundary, and reporter-anonymity properties are architectural commitments documented on <a href="/security/">Security</a> </td> </tr> <tr> <td>A.8.28</td> <td>Secure coding</td> <td>Implemented</td> <td>Framework-level defaults (parameterized queries, strong parameters, output escaping, CSRF) are the floor; static analysis enforces non-negotiable items (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.29</td> <td>Security testing in development and acceptance</td> <td>Implemented</td> <td>Brakeman + bundler-audit + importmap audit on every change; automated test coverage of authorization paths, encryption invariants, audit-log emission, and rate-limit enforcement</td> </tr> <tr> <td>A.8.30</td> <td>Outsourced development</td> <td>Not applicable</td> <td>All development is by the sole operator; no outsourced development</td> </tr> <tr> <td>A.8.31</td> <td>Separation of development, test and production environments</td> <td>Implemented</td> <td>Production is isolated; non-production environments use synthetic fixtures; no production personal data is used outside production (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.32</td> <td>Change management</td> <td>Implemented</td> <td>Every production change goes through code review against a written security checklist and CI-enforced static analysis before deploy (<a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> )</td> </tr> <tr> <td>A.8.33</td> <td>Test information</td> <td>Implemented</td> <td>Non-production environments use synthetic data only</td> </tr> <tr> <td>A.8.34</td> <td>Protection of information systems during audit testing</td> <td>Not applicable</td> <td>No third-party audit currently scoped. When an audit is conducted, the controls protecting customer data during the audit (read-only access where possible, scoped credentials with expiry, audit-log review post-engagement) will be documented in a per-audit plan</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a href="#summary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Of the 93 controls in ISO/IEC 27001:2022 Annex A:</p> <table> <thead> <tr> <th>Status</th> <th>Count</th> <th>Read as</th> </tr> </thead> <tbody> <tr> <td>Implemented</td> <td>55</td> <td>In place and operating; evidence published or available during procurement review</td> </tr> <tr> <td>Self-assessed</td> <td>16</td> <td>In place and operating substantively as the control describes, but not independently audited</td> </tr> <tr> <td>Inherited</td> <td>8</td> <td>Provided by named sub-processor (primarily Hetzner) under its own certification regime</td> </tr> <tr> <td>Not applicable</td> <td>11</td> <td>Does not apply given the sole-operator structure (most A.6 People controls and one-off cases)</td> </tr> <tr> <td>Compensating</td> <td>2</td> <td>Primary form not applicable; alternative arrangement achieves the same objective (A.5.3 segregation of duties, A.5.10 acceptable use)</td> </tr> <tr> <td>In treatment</td> <td>1</td> <td>Not yet in place at the operator’s target level; target stated openly (A.5.35 independent review)</td> </tr> </tbody> </table> <p>The single <strong>In treatment</strong> control — independent review of information security (A.5.35) — is the gap that an accredited certification or an independent penetration test would close. The operator’s position on this is stated openly on <a href="/trust/#certification-status">Trust#certification-status</a> : no external pen test or audit is currently on record, and the scope, date, and remediation summary will be published here when one is performed.</p> <hr> <h2 id="document-control"> Document control <a href="#document-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Document title</td> <td>EthicsPortal ISO/IEC 27001:2022 Annex A Control Map</td> </tr> <tr> <td>Version</td> <td>1.0</td> </tr> <tr> <td>Effective date</td> <td>2026-05-21</td> </tr> <tr> <td>Last reviewed</td> <td>2026-05-21</td> </tr> <tr> <td>Next scheduled review</td> <td>2027-05-21</td> </tr> <tr> <td>Review trigger (interim)</td> <td>Material change to the <a href="/policies/information-security/">Information security policy</a> , <a href="/policies/business-continuity/">Business continuity plan</a> , or <a href="/policies/risk-register/">Risk register</a> ; addition or replacement of a sub-processor; engagement of external review</td> </tr> <tr> <td>Owner</td> <td>Yaroslav Shmarov, operator</td> </tr> </tbody> </table> <p>This page is not an attestation of certification. It is a self-assessment that lets a procurement reviewer evaluate the same evidence an external auditor would. Material discrepancies between this page and the actual operation of the Service should be reported to <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/pricing/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/pricing/Simple, transparent pricing for EthicsPortal. One plan, everything included. No per-employee fees.<p><strong>Considering in-house?</strong> Article 9(1) of Directive 2019/1937 requires confidentiality of the reporter’s identity, impartial follow-up, and restricted access to reports. An in-house channel runs these through the same IT administrators, backups, and litigation-hold tooling that touch every other system in the company — and its DPIA has to document how the controller prevents itself from accessing data about itself. External operation, contemplated in Art. 8(5), sidesteps both problems.</p> <p><a href="/faq/">More in the FAQ →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/privacy/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/privacy/Privacy policy for EthicsPortal — how we collect, use, store, and protect your personal information.<h1 id="privacy-policy"> Privacy Policy <a href="#privacy-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> February 17, 2026 <strong>Last updated:</strong> May 21, 2026</p> <h2 id="1-introduction"> 1. Introduction <a href="#1-introduction" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal (“we”, “us”, “our”) is operated by Yaroslav Shmarov, registered at ul. Obrzeżna 1A, 02-691 Warsaw, Poland. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use EthicsPortal at <a href="https://ethicsportal.eu">ethicsportal.eu</a> (the “Service”).</p> <p>By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.</p> <p><strong>Contact:</strong> <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> </p> <p>Baseline contracting-party information is published on the <a href="/trust/">trust</a> page.</p> <h2 id="2-information-we-collect"> 2. Information we collect <a href="#2-information-we-collect" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="21-account-information"> 2.1 Account information <a href="#21-account-information" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When you create an account, we collect:</p> <ul> <li>Email address</li> <li>Display name (if provided)</li> <li>Locale preference</li> </ul> <p>Authentication is passwordless — we use magic links (one-time codes sent to your email). We do not collect or store passwords.</p> <h3 id="22-payment-information"> 2.2 Payment information <a href="#22-payment-information" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Payments are processed entirely by <a href="https://stripe.com" rel="nofollow">Stripe</a> . We do <strong>not</strong> store credit card numbers, bank account numbers, or other sensitive financial data on our servers. Stripe may collect payment details directly. Please refer to <a href="https://stripe.com/privacy" rel="nofollow">Stripe’s Privacy Policy</a> for details.</p> <h3 id="23-server-logs"> 2.3 Server logs <a href="#23-server-logs" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Our servers automatically record information when you access the Service, including:</p> <ul> <li>IP address</li> <li>Browser type and version</li> <li>Pages visited and timestamps</li> <li>Referring URL</li> </ul> <p>Server logs are used for security monitoring and debugging. They are not used for advertising or tracking.</p> <p>For whistleblower portal routes specifically, application logs are configured to scrub the reporter’s IP address.</p> <h3 id="24-whistleblower-report-data"> 2.4 Whistleblower report data <a href="#24-whistleblower-report-data" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When a whistleblower submits a report through an organization’s portal, we collect:</p> <ul> <li>Report description, category, and source</li> <li>Reporter name and contact information (if voluntarily provided)</li> <li>Messages exchanged between the reporter and the organization</li> </ul> <p>Report descriptions, reporter names, reporter contact details, and message contents are <strong>encrypted in the database</strong> using application-level encryption. IP addresses of whistleblowers are <strong>anonymized</strong> using a one-way hash and are never stored in their original form. Server logs for portal routes are <strong>scrubbed</strong> of IP addresses to protect whistleblower identity.</p> <h2 id="3-how-we-use-your-information"> 3. How we use your information <a href="#3-how-we-use-your-information" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We use the information we collect to:</p> <ul> <li><strong>Provide the Service</strong> — create and manage your account</li> <li><strong>Process payments</strong> — handle subscriptions through Stripe</li> <li><strong>Send notifications</strong> — deliver in-app and email notifications about account activity</li> <li><strong>Maintain security</strong> — detect and prevent fraud, abuse, and unauthorized access</li> <li><strong>Improve the Service</strong> — diagnose technical issues and improve functionality</li> </ul> <p>We do <strong>not</strong> sell your personal information. We do <strong>not</strong> use your data for advertising.</p> <h2 id="4-third-party-services"> 4. Third-party services <a href="#4-third-party-services" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We share data with the following third-party services, only as necessary to provide the Service:</p> <table> <thead> <tr> <th>Service</th> <th>Purpose</th> <th>Data shared</th> </tr> </thead> <tbody> <tr> <td><strong>Stripe</strong></td> <td>Payment processing</td> <td>Email, payment details (collected by Stripe directly)</td> </tr> <tr> <td><strong>Hetzner Object Storage</strong></td> <td>File uploads (avatars, attachments)</td> <td>Uploaded files</td> </tr> <tr> <td><strong>Mailjet</strong></td> <td>Transactional email delivery</td> <td>Email address, email content</td> </tr> <tr> <td><strong>Cloudflare Web Analytics</strong></td> <td>Privacy-friendly website analytics</td> <td>Page views, referrer, browser type, country (anonymous, no cookies, no personal data)</td> </tr> <tr> <td><strong>AppSignal</strong></td> <td>Error and exception tracking, application performance monitoring</td> <td>Error details and request context for admin and handler interfaces</td> </tr> <tr> <td><strong>Crisp</strong></td> <td>Live chat support</td> <td>Email address, name, chat messages, browser type, pages visited. Crisp is based in France (EU). See <a href="https://crisp.chat/en/privacy/" rel="nofollow">Crisp’s Privacy Policy</a> </td> </tr> </tbody> </table> <p>Each third-party service is governed by its own privacy policy. We encourage you to review them.</p> <h2 id="5-cookies"> 5. Cookies <a href="#5-cookies" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We use the following cookies:</p> <table> <thead> <tr> <th>Cookie</th> <th>Purpose</th> <th>Duration</th> </tr> </thead> <tbody> <tr> <td><code>_ethicsportal_session</code></td> <td>Session management (authentication)</td> <td>2 years</td> </tr> <tr> <td><code>session_token</code></td> <td>Signed session identifier for persistent login</td> <td>Server-side session expires after 14 days of inactivity</td> </tr> <tr> <td><code>locale</code></td> <td>Stores your language preference</td> <td>1 year</td> </tr> </tbody> </table> <p>A temporary <code>pending_authentication_token</code> cookie (15 minutes) is used during the magic link sign-in process.</p> <p>Crisp live chat may set its own cookies (e.g., <code>crisp-client/*</code>) when handlers use the in-app support chat. These cookies are functional, not used for advertising, and are only set inside the handler portal — not on the marketing site or the whistleblower reporting portal.</p> <p>All first-party cookies are set with the <code>Secure</code> and <code>HttpOnly</code> flags in production. We do <strong>not</strong> use third-party tracking cookies or advertising cookies. CSRF protection is handled via tokens embedded in HTML forms, not cookies.</p> <h2 id="6-data-storage-and-security"> 6. Data storage and security <a href="#6-data-storage-and-security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Server location:</strong> Core application data is hosted by Hetzner in Nuremberg, Germany (European Union)</li> <li><strong>Encryption in transit:</strong> All connections use HTTPS/TLS</li> <li><strong>Encryption at rest:</strong> Whistleblower report data (descriptions, reporter names, contact details, messages) is encrypted in the database using Active Record Encryption</li> <li><strong>Passwordless authentication:</strong> We use magic links — no passwords are stored</li> <li><strong>Access control:</strong> Database access is restricted to authorized personnel only</li> </ul> <p>While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> .</p> <h2 id="7-data-retention"> 7. Data retention <a href="#7-data-retention" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Account data</strong> is retained for as long as your account is active</li> <li><strong>Organization data</strong> is retained while your organization is active</li> <li><strong>Whistleblower reports</strong> — closed or dismissed reports are automatically deleted after the retention period configured by the customer organization (12, 24, 36, or 60 months). Active and ongoing reports are retained until closed</li> <li><strong>Server logs</strong> are retained for up to 90 days</li> <li><strong>Payment records</strong> are retained as required by applicable tax and accounting laws</li> <li><strong>Audit logs</strong> — records of who accessed reports and when are retained alongside the report for compliance purposes</li> </ul> <p>When you delete your account, your personal data is permanently removed from our systems, except where retention is required by law (e.g., financial records).</p> <h2 id="8-your-rights-under-gdpr"> 8. Your rights under GDPR <a href="#8-your-rights-under-gdpr" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Because we are based in the European Union, the General Data Protection Regulation (GDPR) applies. You have the right to:</p> <ul> <li><strong>Access</strong> — request a copy of the personal data we hold about you</li> <li><strong>Rectification</strong> — request correction of inaccurate data</li> <li><strong>Erasure</strong> — request deletion of your data (“right to be forgotten”)</li> <li><strong>Restriction</strong> — request that we limit how we process your data</li> <li><strong>Data portability</strong> — request your data in a structured, machine-readable format</li> <li><strong>Object</strong> — object to processing of your data</li> <li><strong>Withdraw consent</strong> — withdraw consent at any time where processing is based on consent</li> </ul> <p><strong>How to exercise your rights:</strong> You can manage most of your data directly through your account settings. To delete your account, visit your account settings page. For any other requests, email us at <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> .</p> <p><strong>Data Protection Officer:</strong> Inquiries regarding our data protection practices may be directed to <a href="mailto:dpo@ethicsportal.eu">dpo@ethicsportal.eu</a> .</p> <p>Our legal basis for processing your data is:</p> <ul> <li><strong>Contract performance</strong> — to provide the Service you signed up for</li> <li><strong>Legitimate interest</strong> — to maintain security and improve the Service</li> <li><strong>Consent</strong> — for optional features</li> </ul> <h2 id="9-account-and-data-deletion"> 9. Account and data deletion <a href="#9-account-and-data-deletion" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>You can delete your account at any time from your account settings. Account deletion permanently removes:</p> <ul> <li>Your profile and account information</li> <li>Your organization memberships</li> </ul> <h2 id="10-childrens-privacy"> 10. Children’s privacy <a href="#10-childrens-privacy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> and we will delete it.</p> <h2 id="11-international-data-transfers"> 11. International data transfers <a href="#11-international-data-transfers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Core whistleblower report data is stored on servers located in Germany (EU). The marketing site is delivered via Cloudflare (United States); the reporting and handler portals are not. Where transfers to a non-EU subprocessor occur, they are described on the <a href="/dpa/">DPA</a> and <a href="/subprocessors/">subprocessors</a> pages.</p> <h2 id="12-changes-to-this-policy"> 12. Changes to this policy <a href="#12-changes-to-this-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.</p> <p>Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.</p> <h2 id="13-contact-us"> 13. Contact us <a href="#13-contact-us" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:</p> <p><strong>General:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> <strong>Privacy / GDPR rights:</strong> <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> <strong>Data Protection Officer:</strong> <a href="mailto:dpo@ethicsportal.eu">dpo@ethicsportal.eu</a> <strong>Security disclosures:</strong> <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> <strong>Legal / DPA:</strong> <a href="mailto:legal@ethicsportal.eu">legal@ethicsportal.eu</a> <strong>Location:</strong> Warsaw, Poland</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/policies/risk-register/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/policies/risk-register/EthicsPortal's information-security risk register. Top risks assessed against the Service, current treatment, and residual position.<h1 id="risk-register"> Risk register <a href="#risk-register" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> 2026-05-21 <strong>Last reviewed:</strong> 2026-05-21 <strong>Next review:</strong> 2027-05-21 <strong>Owner:</strong> Yaroslav Shmarov, operator <strong>Version:</strong> 1.0</p> <p>This register lists the top information-security risks assessed against EthicsPortal, the treatment in place, and the residual position the operator has consciously accepted. It exists so that a controller, auditor, or procurement reviewer can verify that the most material risks have been thought about, not just the ones convenient to mention.</p> <p>The register is a summary. The substantive treatment for each risk is documented on the <a href="/security/">Security</a> page, in the <a href="/dpa/">Data Processing Agreement</a> , in the <a href="/policies/business-continuity/">Business continuity plan</a> , or in the <a href="/policies/information-security/">Information security policy</a> . The register’s job is to make the trade-offs visible in one place.</p> <hr> <h2 id="assessment-scale"> Assessment scale <a href="#assessment-scale" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Level</th> <th>Impact</th> <th>Likelihood</th> </tr> </thead> <tbody> <tr> <td>Low</td> <td>Single-customer inconvenience; no personal-data exposure</td> <td>Not expected during the review window</td> </tr> <tr> <td>Medium</td> <td>Multi-customer service degradation, or personal-data exposure confined to operational metadata</td> <td>Plausible during the review window</td> </tr> <tr> <td>High</td> <td>Confidentiality breach of reporter identity or report content; or extended unavailability of a covered surface</td> <td>Reasonably foreseeable in absence of treatment</td> </tr> </tbody> </table> <p>The review window is twelve months from the effective date above.</p> <hr> <h2 id="residual-position-vocabulary"> Residual-position vocabulary <a href="#residual-position-vocabulary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Accepted.</strong> The residual risk after treatment is acknowledged and accepted by the operator as a deliberate trade-off. The reasoning is stated.</li> <li><strong>Monitored.</strong> The residual risk is acceptable today but is actively watched for change; specific indicators that would trigger re-treatment are stated.</li> <li><strong>In treatment.</strong> The risk is not yet treated to the operator’s target level. The current state, the target, and the timeline are stated openly.</li> </ul> <hr> <h2 id="register"> Register <a href="#register" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="r-01-operator-incapacity--single-person-of-failure"> R-01. Operator incapacity / single-person-of-failure <a href="#r-01-operator-incapacity--single-person-of-failure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Medium</td> </tr> <tr> <td>Treatment</td> <td>Self-service PDF case export available to every organization admin without operator intervention. <a href="/dpa/">DPA §6.8</a> deletion-and-return rights are enforceable independent of operator availability. Application is Kamal-deployed and portable to another EU operator.</td> </tr> <tr> <td>Residual position</td> <td><strong>In treatment.</strong> A formal operator-incapacity protocol with a named legal contact is on the roadmap and not yet in place. See the <a href="/policies/business-continuity/">Business continuity plan §8</a> for the full disclosure of what is and is not in place today. Controllers concerned about this gap are encouraged to take regular self-service exports.</td> </tr> </tbody> </table> <h3 id="r-02-hetzner-outage-primary-infrastructure-provider"> R-02. Hetzner outage (primary infrastructure provider) <a href="#r-02-hetzner-outage-primary-infrastructure-provider" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Low</td> </tr> <tr> <td>Treatment</td> <td>Daily encrypted database dumps to Hetzner Object Storage (separate from compute host) plus Hetzner server-level snapshots; quarterly restore drills into a disposable environment (<a href="/security/#backups-and-restore">Security#backups-and-restore</a> ). Kamal deployment configuration is portable to an alternative EU provider for a prolonged-outage scenario.</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted.</strong> A regional Hetzner outage may consume part of the 99.5% monthly SLA budget. Cross-provider hot failover is not in place because the additional sub-processor footprint, key-distribution surface, and operational complexity outweigh the marginal availability gain at the current customer footprint. Re-evaluated annually against the <a href="/sla/">SLA</a> target.</td> </tr> </tbody> </table> <h3 id="r-03-sub-processor-personal-data-breach"> R-03. Sub-processor personal-data breach <a href="#r-03-sub-processor-personal-data-breach" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>Medium–High (varies by sub-processor and data category)</td> </tr> <tr> <td>Inherent likelihood</td> <td>Low</td> </tr> <tr> <td>Treatment</td> <td>Minimization: each sub-processor receives only the personal-data category required for its function (see <a href="/subprocessors/">Subprocessors</a> for the per-row breakdown). Encryption-at-rest under processor-managed keys means that a sub-processor with database access does not have plaintext access to report content or reporter identity (<a href="/security/#data-encryption">Security#data-encryption</a> ). 30-day sub-processor change notice and controller objection right (<a href="/dpa/">DPA §6.4</a> ).</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted.</strong> No personal data covered by the DPA is transmitted to any sub-processor whose breach would expose reporter identity in plaintext. The reporter portal does not load Cloudflare; the reporter portal does not load Crisp; no LLM sub-processor exists. The residual risk is operational metadata (handler email, billing contact) at sub-processors whose breach would not compromise reporter confidentiality.</td> </tr> </tbody> </table> <h3 id="r-04-operator-credential-theft--account-compromise"> R-04. Operator credential theft / account compromise <a href="#r-04-operator-credential-theft--account-compromise" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Low</td> </tr> <tr> <td>Treatment</td> <td>Hardware-backed two-factor authentication on all operator accounts that have production access (cloud provider, deployment, code hosting, email, password manager). Production database access requires the operator’s authenticated session; credentials are not embedded in code or shared. Append-only audit log records all actions taken by any account, including the operator’s, and cannot be edited by any user (<a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> ).</td> </tr> <tr> <td>Residual position</td> <td><strong>Monitored.</strong> The risk is materially lower than typical SaaS because there are no employee credentials to compromise — the attack surface reduces to one identity. Monitored via AppSignal alerts for anomalous handler-portal authentication patterns. Trigger for re-treatment: a credible phishing attempt against the operator, or a CVE affecting the hardware-key path.</td> </tr> </tbody> </table> <h3 id="r-05-restore-failure-during-disaster-recovery"> R-05. Restore failure during disaster recovery <a href="#r-05-restore-failure-during-disaster-recovery" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Low</td> </tr> <tr> <td>Treatment</td> <td>Two complementary backup layers (database dump and server-level snapshot) in independent retention scopes. Restore drill performed at least quarterly into a disposable environment; drill date is published on <a href="/security/#backups-and-restore">Security#backups-and-restore</a> . Restore procedure documented in the <a href="/policies/business-continuity/">Business continuity plan §6</a> .</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted.</strong> RPO 24 hours and RTO 4 hours are stated in the <a href="/sla/#recovery-objectives">SLA</a> . Data written within the 24 hours preceding a catastrophic failure may be lost; this trade-off is disclosed.</td> </tr> </tbody> </table> <h3 id="r-06-reporter-network-side-attribution-leak-outside-processor-boundary"> R-06. Reporter network-side attribution leak (outside processor boundary) <a href="#r-06-reporter-network-side-attribution-leak-outside-processor-boundary" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>Medium</td> </tr> <tr> <td>Inherent likelihood</td> <td>Medium</td> </tr> <tr> <td>Treatment</td> <td>The Service does not store reporter IP addresses in the database; rate limiting uses a one-way hash that is not reversible. Application logs for reporter routes are scrubbed. File uploads have metadata stripped (EXIF / GPS / author) server-side before storage. See <a href="/security/#anonymity-and-privacy">Security#anonymity-and-privacy</a> .</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted.</strong> Network-side attribution (the reporter’s ISP, the reporter’s employer’s egress proxy, a man-in-the-middle, or a corporate-device endpoint agent) is outside the processor boundary and cannot be controlled by the Service. Reporters are informed of this on the portal and may choose to report from a personal device on an external network, or via Tor. This residual is disclosed to reporters at the point of submission, which is the only place the trade-off can be acted upon.</td> </tr> </tbody> </table> <h3 id="r-07-critical-vulnerability-in-upstream-dependency"> R-07. Critical vulnerability in upstream dependency <a href="#r-07-critical-vulnerability-in-upstream-dependency" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>Medium–High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Medium</td> </tr> <tr> <td>Treatment</td> <td>Continuous SCA on every change: <a href="https://brakemanscanner.org" rel="nofollow">Brakeman</a> for Rails-specific issues, <a href="https://github.com/rubysec/bundler-audit" rel="nofollow">bundler-audit</a> for Ruby advisories, <code>importmap audit</code> for JavaScript imports, <a href="https://docs.github.com/en/code-security/dependabot" rel="nofollow">Dependabot</a> for weekly grouped updates. End-of-life components are replaced before their upstream support window closes. See <a href="/security/#secure-development-lifecycle">Security#secure-development-lifecycle</a> and <a href="/security/#dependency-and-patch-management">Security#dependency-and-patch-management</a> . Documented vulnerability-response timelines: critical 7 days, high 30 days, medium 90 days.</td> </tr> <tr> <td>Residual position</td> <td><strong>Monitored.</strong> The Rails ecosystem is well-staffed for security disclosures. Trigger for re-treatment: a zero-day affecting Rails request-handling, ActiveRecord encryption, or PostgreSQL with no available patch.</td> </tr> </tbody> </table> <h3 id="r-08-audit-log-integrity-compromise"> R-08. Audit-log integrity compromise <a href="#r-08-audit-log-integrity-compromise" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Low</td> </tr> <tr> <td>Treatment</td> <td>Audit-log entries are written append-only and cannot be edited or deleted by any user, including organization administrators. Entries are included in PDF case exports for regulatory review. Database-level access to the audit-log table is not exposed through the application surface. See <a href="/security/#audit-and-compliance">Security#audit-and-compliance</a> .</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted.</strong> A privileged database-level intervention by the operator could, in principle, alter audit-log rows. This is the same intervention that could be used to read encrypted columns and is governed by the privileged-access summary available during procurement review. The append-only contract holds at the application surface, which is where customer trust is placed.</td> </tr> </tbody> </table> <h3 id="r-09-reporter-passcode-loss"> R-09. Reporter passcode loss <a href="#r-09-reporter-passcode-loss" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>Medium</td> </tr> <tr> <td>Inherent likelihood</td> <td>Medium (reporters are anonymous and may not have password-recovery channels)</td> </tr> <tr> <td>Treatment</td> <td>The 6-digit passcode is stored only as a bcrypt digest and cannot be recovered by the operator or by any handler. Reporters are informed at submission that the passcode is non-recoverable. Handlers may invite a reporter to re-submit or continue the conversation by an alternative channel.</td> </tr> <tr> <td>Residual position</td> <td><strong>Accepted by design.</strong> Recoverability of the passcode is incompatible with the reporter-anonymity model: a recovery channel would require an identifier (email, phone) that defeats anonymity, or an operator-side reset that would allow the operator to impersonate the reporter. The trade-off is disclosed to reporters at the point of choosing the passcode.</td> </tr> </tbody> </table> <h3 id="r-10-regulatory-change-requiring-re-architecture"> R-10. Regulatory change requiring re-architecture <a href="#r-10-regulatory-change-requiring-re-architecture" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Inherent impact</td> <td>Medium–High</td> </tr> <tr> <td>Inherent likelihood</td> <td>Medium (Member-State transpositions and AI-Act delegated acts continue to evolve)</td> </tr> <tr> <td>Treatment</td> <td>Interpretive positions on ambiguous Directive 2019/1937 provisions are documented openly in the <a href="/directive-interpretations/">Directive 2019/1937 interpretations</a> , so a controller can verify alignment with their counsel’s reading before subscribing. Per-country law summaries are published in <a href="/whistleblower-laws/">whistleblower laws by country</a> and reviewed when national-law text changes. Material changes to processing (sub-processors, AI use, transfers) are notified to controllers under <a href="/dpa/">DPA §6.4</a> .</td> </tr> <tr> <td>Residual position</td> <td><strong>Monitored.</strong> Trigger for re-treatment: ECJ judgment on a Directive 2019/1937 question that contradicts a published interpretation; CJEU judgment on international-transfer adequacy affecting an EU sub-processor; AI-Act delegated act extending obligations to AI-free processors.</td> </tr> </tbody> </table> <hr> <h2 id="risks-consciously-not-in-this-register"> Risks consciously not in this register <a href="#risks-consciously-not-in-this-register" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The following are recognized risk categories that this register deliberately omits because they are eliminated by design rather than treated:</p> <ul> <li><strong>AI / LLM exposure of report content.</strong> No LLM, generative-AI, or AI-classifier service is engaged as a sub-processor. Report content is not transmitted to such services for any purpose. The attack surface (prompt injection, hallucinated compliance evidence, unauthorized retention by third parties) is therefore not present. Source: <a href="/dpa/">DPA §6.10</a> .</li> <li><strong>Reporter PII shared with handlers without justification.</strong> The Service does not surface reporter IP, browser fingerprint, or device identifiers to handlers, because none of these are collected or stored.</li> <li><strong>Cross-tenant data leakage at the application layer.</strong> Pundit-policy authorization is checked on every controller action; multi-tenant isolation is enforced at the request boundary, not via row-level visibility filters that can be bypassed.</li> </ul> <p>If any of these design constraints changes, the risk re-enters this register.</p> <hr> <h2 id="review-cadence"> Review cadence <a href="#review-cadence" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Trigger</th> <th>Action</th> </tr> </thead> <tbody> <tr> <td>Annual</td> <td>Full review of every register row; residual positions re-affirmed or revised</td> </tr> <tr> <td>Material architecture change</td> <td>Affected rows reviewed and revised in the same change</td> </tr> <tr> <td>Sub-processor added or replaced</td> <td>R-03 reviewed; new row added if the change introduces a category not already represented</td> </tr> <tr> <td>Material incident in the <a href="/incidents/">incident register</a> </td> <td>Root-cause-relevant rows reviewed; treatment updated if the incident revealed a control gap</td> </tr> <tr> <td>Material change to the <a href="/policies/information-security/">Information security policy</a> or <a href="/policies/business-continuity/">Business continuity plan</a> </td> <td>Affected rows reviewed for consistency</td> </tr> </tbody> </table> <p>Review actions are recorded in the document-control section below.</p> <hr> <h2 id="document-control"> Document control <a href="#document-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Document title</td> <td>EthicsPortal Risk Register</td> </tr> <tr> <td>Version</td> <td>1.0</td> </tr> <tr> <td>Effective date</td> <td>2026-05-21</td> </tr> <tr> <td>Last reviewed</td> <td>2026-05-21</td> </tr> <tr> <td>Next scheduled review</td> <td>2027-05-21</td> </tr> <tr> <td>Owner</td> <td>Yaroslav Shmarov, operator</td> </tr> <tr> <td>Distribution</td> <td>Published on <a href="/policies/">ethicsportal.eu/policies/</a> </td> </tr> </tbody> </table> <p>Signed: Yaroslav Shmarov, on behalf of EthicsPortal — 2026-05-21.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/security/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/security/Technical security measures in EthicsPortal, including encryption, anonymity, access control, audit logging, and infrastructure details for compliance review.<h1 id="security"> Security <a href="#security" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal handles sensitive whistleblower data. This page documents the specific technical and organizational measures we have in place. It is written for compliance officers, DPOs, and legal teams evaluating the platform.</p> <p>Last updated: 2026-05-17.</p> <hr> <h2 id="data-encryption"> Data encryption <a href="#data-encryption" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>All sensitive fields are encrypted at rest using Rails ActiveRecord Encryption with <strong>non-deterministic encryption</strong> (each encryption produces a unique ciphertext, preventing pattern analysis).</p> <table> <thead> <tr> <th>Field</th> <th>Encrypted</th> <th>Deterministic</th> </tr> </thead> <tbody> <tr> <td>Report description</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Reporter name</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Reporter contact details</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Message body (reporter–handler communication)</td> <td>Yes</td> <td>No</td> </tr> </tbody> </table> <p>Non-deterministic encryption means these fields cannot be queried by value at the database level. Even with full database access, an attacker cannot search for a specific reporter name across records.</p> <p>All connections to EthicsPortal use <strong>HTTPS/TLS</strong>. Unencrypted HTTP requests are redirected.</p> <hr> <h2 id="anonymity-and-privacy"> Anonymity and privacy <a href="#anonymity-and-privacy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="ip-anonymization"> IP anonymization <a href="#ip-anonymization" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Portal routes (report submission, case lookup, messaging) use a one-way SHA256 hash of the request IP solely for rate limiting. The hash is not reversible — it is not possible to recover the original IP from the stored value.</p> <p>At the application layer, the reporter’s raw IP address is not stored in the database, and application logs for portal routes are scrubbed to protect whistleblower anonymity.</p> <h3 id="file-metadata-stripping"> File metadata stripping <a href="#file-metadata-stripping" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Uploaded files are automatically stripped of identifying metadata <strong>before</strong> storage:</p> <table> <thead> <tr> <th>File type</th> <th>Metadata removed</th> <th>Method</th> </tr> </thead> <tbody> <tr> <td>Images (JPEG, PNG, TIFF, WebP)</td> <td>EXIF data: GPS coordinates, camera model, device serial number, author, timestamps</td> <td>Vips image processing</td> </tr> <tr> <td>PDF documents</td> <td>Author, creator application, modification history</td> <td>exiftool in the standard production setup</td> </tr> <tr> <td>Video files</td> <td>GPS, device info, recording software</td> <td>exiftool in the standard production setup</td> </tr> <tr> <td>Audio files</td> <td>Recording device, GPS, software tags</td> <td>exiftool in the standard production setup</td> </tr> </tbody> </table> <p>Metadata removal is performed server-side before storage. For file types handled by <code>exiftool</code>, this depends on the standard production tooling being present.</p> <h3 id="virus-scanning"> Virus scanning <a href="#virus-scanning" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All uploaded files are automatically scanned for malware using <a href="https://www.clamav.net" rel="nofollow">ClamAV</a> , an open-source antivirus engine. Scanning happens server-side in a background process after upload. Files that have not passed scanning are blocked from delivery, and infected files are removed automatically.</p> <p>Files are scanned on EthicsPortal infrastructure — no file data is sent to third-party scanning services.</p> <h3 id="handler-anonymity"> Handler anonymity <a href="#handler-anonymity" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Whistleblowers never see the real names or email addresses of the people handling their report. All messages from handlers are displayed as <strong>“Case handler”</strong>. This protects handler identity and prevents social engineering.</p> <h3 id="no-tracking"> No tracking <a href="#no-tracking" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal does not use third-party tracking cookies, advertising pixels, or fingerprinting scripts. We use <a href="https://www.cloudflare.com/web-analytics/" rel="nofollow">Cloudflare Web Analytics</a> on marketing pages only — it is cookie-free, collects no personal data, and is fully GDPR-compliant. The whistleblower portal itself has no analytics.</p> <h3 id="current-assurance-status"> Current assurance status <a href="#current-assurance-status" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal does not currently claim ISO 27001, SOC 2, or equivalent certification on this site. It also does not currently publish an independent third-party audit of the anonymity architecture. If that changes, the scope and date will be published here.</p> <h3 id="security-review-materials"> Security review materials <a href="#security-review-materials" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Customers that require procurement or legal review materials can request them during procurement. Available materials may include a signed DPA, registry and tax evidence, a completed security questionnaire, and written answers covering backup and restore procedures, privileged production access, and incident-response handling.</p> <hr> <h2 id="access-control"> Access control <a href="#access-control" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Authorization is enforced at the application level using <a href="https://github.com/varvet/pundit" rel="nofollow">Pundit</a> policies.</p> <table> <thead> <tr> <th>Role</th> <th>Can view reports</th> <th>Can manage organization settings</th> <th>Can assign handlers</th> </tr> </thead> <tbody> <tr> <td>Admin</td> <td>All reports</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Handler</td> <td>Reports they are assigned to or participating in</td> <td>No</td> <td>No</td> </tr> </tbody> </table> <ul> <li>Handlers cannot see reports they are neither assigned to nor participating in. Participants are explicitly added by an admin or the primary assignee (for example, looping in legal or HR).</li> <li>Reporters have no user account — they access their report via a Case ID (<code>WB-XXXX-XXXX</code>) plus a 6-digit passcode they choose at submission.</li> <li>Every controller action checks authorization. Unauthorized access attempts are blocked and logged.</li> </ul> <h3 id="two-factor-authentication"> Two-factor authentication <a href="#two-factor-authentication" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Handler and admin accounts can enable TOTP-based two-factor authentication via any standard authenticator app (Google Authenticator, 1Password, Authy, and compatible alternatives). Once enabled, sign-in requires both the primary credential and a rotating 6-digit code.</p> <p>Reporters authenticate with two factors as well: the Case ID (something they hold) and the passcode they chose at submission (something they know). The passcode is stored only as a bcrypt digest and cannot be recovered. The follow-up inbox and message-posting are session-gated behind this check, so a leaked Case ID alone cannot read the report or impersonate the reporter.</p> <h3 id="session-lifecycle"> Session lifecycle <a href="#session-lifecycle" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Each authenticated session records <code>last_seen_at</code> on every request (debounced). Users can review their active sessions, see when each was last active, revoke any session individually, or sign out of all other sessions at once from the account settings.</p> <p>Sessions expire automatically after <strong>14 days of inactivity</strong>. The next request from an idle session destroys the server-side record, clears the cookie, and forces re-authentication via a fresh magic link. A nightly job sweeps abandoned sessions on the same timeout, so <code>user_agent</code> and <code>ip_address</code> are not retained beyond the idle window even when the user never returns.</p> <p>Magic-link authentication limits the blast radius of long-lived sessions: a stolen session cookie does not yield a reusable credential, and re-authentication requires email access.</p> <h3 id="member-access-and-offboarding"> Member access and offboarding <a href="#member-access-and-offboarding" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Organization access is enforced at the request boundary. When a member is deactivated:</p> <ul> <li>Access to the organization is rejected immediately, including on previously bookmarked URLs.</li> <li>Open report assignments are unassigned.</li> <li>Participantships are removed.</li> <li>The audit-log history attributable to the member is preserved.</li> <li>The deactivated member is notified.</li> <li>Reactivation does not automatically restore prior case access.</li> </ul> <p>The last active admin and the organization owner cannot be deactivated. All deactivation and reactivation events are written to the append-only audit log.</p> <p>Memberships with no compliance footprint (no audit-log entries, no assignments, no participantships) are hard-deleted on removal; memberships with a footprint are soft-deactivated so the audit trail remains resolvable.</p> <h3 id="rate-limiting"> Rate limiting <a href="#rate-limiting" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Public portal endpoints are rate-limited to prevent abuse and enumeration attacks:</p> <table> <thead> <tr> <th>Endpoint</th> <th>Limit</th> </tr> </thead> <tbody> <tr> <td>Report submission</td> <td>5 per 10 minutes per anonymized IP</td> </tr> <tr> <td>Case lookup (Case ID + passcode)</td> <td>10 per 3 minutes per anonymized IP</td> </tr> <tr> <td>Message submission</td> <td>10 per 3 minutes per anonymized IP</td> </tr> </tbody> </table> <p>Rate limiting uses the one-way IP hash described above — no actual IP is stored.</p> <hr> <h2 id="audit-and-compliance"> Audit and compliance <a href="#audit-and-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="append-only-audit-trail"> Append-only audit trail <a href="#append-only-audit-trail" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Every action in EthicsPortal is logged with:</p> <ul> <li><strong>Timestamp</strong> (UTC)</li> <li><strong>Actor</strong> (which user or system process performed the action)</li> <li><strong>Action type</strong> (report created, status changed, message sent, handler assigned, report viewed, report exported, report deleted, etc.)</li> </ul> <p>Audit log entries are append-only. They cannot be edited or deleted by any user, including organization admins. The full audit trail is included in PDF case exports for regulatory review.</p> <h3 id="data-retention"> Data retention <a href="#data-retention" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Organizations configure their own retention period: <strong>12, 24, 36, or 60 months</strong> after a report is closed. When the retention period expires, the report and all associated data (messages, attachments, audit log entries) are automatically and permanently deleted by a background job.</p> <p>This satisfies GDPR storage limitation requirements (Art. 5(1)(e)) and Directive 2019/1937 record-keeping obligations (Art. 17–18).</p> <h3 id="csrf-protection"> CSRF protection <a href="#csrf-protection" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All form submissions are protected against cross-site request forgery using Rails’ built-in CSRF tokens.</p> <hr> <h2 id="secure-development-lifecycle"> Secure development lifecycle <a href="#secure-development-lifecycle" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal follows a documented development lifecycle for changes that touch the Service. The stages are stated here so a procurement reviewer can map them to ISO/IEC 27001:2022 controls A.8.25–A.8.29 (see the <a href="/iso-27001/">control map</a> for the full mapping).</p> <table> <thead> <tr> <th>Stage</th> <th>Practice</th> </tr> </thead> <tbody> <tr> <td>Architecture and design</td> <td>Features that introduce new personal-data flows, sub-processors, or authorization scopes are evaluated against the encryption, access-control, and audit-trail commitments documented on this page before implementation.</td> </tr> <tr> <td>Code review</td> <td>Production changes are reviewed against a written security checklist (encryption coverage, authorization scope, audit-log emission, input validation, secret handling) before deploy. Static analysis runs on every change and blocks merge on failure.</td> </tr> <tr> <td>Secure coding</td> <td>The codebase uses framework-level defenses by default — parameterized queries via ActiveRecord, strong parameters, output escaping in views, CSRF tokens, attribute-level encryption, Pundit authorization at the controller boundary. Deviations require a written justification.</td> </tr> <tr> <td>Security testing in development</td> <td>Static analysis (<a href="https://brakemanscanner.org" rel="nofollow">Brakeman</a> , <a href="https://github.com/rubysec/bundler-audit" rel="nofollow">bundler-audit</a> , <code>importmap audit</code>) runs on every change. Tests cover authorization paths, encryption-at-rest invariants, audit-log emission, and rate-limit enforcement. See <a href="#dependency-and-patch-management">dependency and patch management</a> for the full toolchain.</td> </tr> <tr> <td>Environment separation</td> <td>Production and non-production environments are isolated. No production personal data is used outside production; staging and development use synthetic fixtures.</td> </tr> <tr> <td>Vulnerability response</td> <td>Reports acknowledged within 2 business days (see <a href="#responsible-disclosure">responsible disclosure</a> ). Targets: critical issues remediated within 7 days, high within 30, medium within 90. Confirmed issues affecting deployed customers are reported through the <a href="/incidents/">incident register</a> when they meet the register’s scope criteria.</td> </tr> </tbody> </table> <hr> <h2 id="dependency-and-patch-management"> Dependency and patch management <a href="#dependency-and-patch-management" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal does not deploy end-of-life software components. The application runs on actively supported releases of Rails, Ruby, PostgreSQL, and the underlying operating system; upstream security releases are applied on a rolling basis.</p> <p>Dependencies are scanned continuously in continuous integration:</p> <ul> <li><strong><a href="https://brakemanscanner.org" rel="nofollow">Brakeman</a> </strong> flags Rails-specific vulnerabilities on every change.</li> <li><strong><a href="https://github.com/rubysec/bundler-audit" rel="nofollow">bundler-audit</a> </strong> checks the Gemfile against the Ruby Advisory Database on every change.</li> <li><strong><code>importmap audit</code></strong> scans JavaScript imports for known vulnerabilities on every change.</li> <li><strong><a href="https://docs.github.com/en/code-security/dependabot" rel="nofollow">Dependabot</a> </strong> opens pull requests weekly for outdated Ruby gems and GitHub Actions, grouped by minor/patch updates.</li> </ul> <p>Components reaching end-of-life upstream are replaced or upgraded before their support window closes.</p> <hr> <h2 id="infrastructure"> Infrastructure <a href="#infrastructure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Component</th> <th>Provider</th> <th>Location</th> </tr> </thead> <tbody> <tr> <td>Application server and database</td> <td><a href="https://www.hetzner.com" rel="nofollow">Hetzner</a> </td> <td>Nuremberg, Germany (EU)</td> </tr> <tr> <td>File storage</td> <td><a href="https://www.hetzner.com/storage/object-storage" rel="nofollow">Hetzner Object Storage</a> </td> <td>Nuremberg, Germany (EU)</td> </tr> <tr> <td>Transactional email</td> <td><a href="https://www.mailjet.com" rel="nofollow">Mailjet</a> </td> <td>France (EU)</td> </tr> <tr> <td>Payment processing</td> <td><a href="https://stripe.com" rel="nofollow">Stripe</a> </td> <td>EU</td> </tr> </tbody> </table> <ul> <li>All primary data processing occurs within the European Union.</li> <li>No credit card numbers or payment credentials are stored on EthicsPortal servers. All payment data is handled by Stripe.</li> <li>Mailjet is used for transactional email (handler notifications, not whistleblower-facing). Mailjet is based in France and processes all data within the EU.</li> <li>The marketing site is served via Cloudflare (CDN, United States); the reporting and handler portals are not. See the <a href="/subprocessors/">subprocessors</a> page for the full list and transfer safeguards.</li> </ul> <hr> <h2 id="backups-and-restore"> Backups and restore <a href="#backups-and-restore" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal operates two complementary backup layers, both retained within the EU:</p> <table> <thead> <tr> <th>Layer</th> <th>What</th> <th>Where</th> <th>Retention</th> </tr> </thead> <tbody> <tr> <td>Database</td> <td>Daily encrypted PostgreSQL dumps via a Kamal accessory</td> <td>Hetzner Object Storage, Nuremberg (EU)</td> <td>7 days</td> </tr> <tr> <td>Server</td> <td>Full disk snapshots of the application host</td> <td>Hetzner Cloud, Nuremberg (EU)</td> <td>7 days</td> </tr> </tbody> </table> <p><strong>Recovery objectives.</strong> Recovery point objective (RPO) is 24 hours. Recovery time objective (RTO) is 4 hours. These objectives also appear in the <a href="/sla/#recovery-objectives">service level agreement</a> .</p> <p><strong>Restore testing.</strong> A restore drill is executed at least quarterly into a disposable environment. Last drill: 2026-05-14.</p> <p><strong>Encryption.</strong> Database dumps are encrypted at rest by Hetzner Object Storage; application-layer fields encrypted under Rails ActiveRecord Encryption remain encrypted in the dump.</p> <hr> <h2 id="operational-review"> Operational review <a href="#operational-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Some operational materials are shared during procurement review rather than published in full on the open web, because they contain infrastructure and response detail that is more appropriate for controlled disclosure.</p> <p>Topics available on request during procurement include:</p> <ul> <li>Privileged production-access summary</li> <li>Incident-response workflow and escalation contacts</li> <li>Business continuity and customer offboarding/export responses</li> </ul> <hr> <h2 id="responsible-disclosure"> Responsible disclosure <a href="#responsible-disclosure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you discover a security vulnerability in EthicsPortal, please report it to <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> . We ask that you:</p> <ol> <li>Do not publicly disclose the vulnerability before we have had a chance to address it.</li> <li>Provide enough detail for us to reproduce and fix the issue.</li> <li>Do not access or modify other customers’ data.</li> </ol> <p>We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities promptly.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/sla/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/sla/Monthly availability target for EthicsPortal's reporter and operator portals, how it is measured, and what is excluded.<h1 id="service-level-agreement"> Service level agreement <a href="#service-level-agreement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EthicsPortal commits to a monthly availability target for the reporter and operator portals. This page states the target, how it is measured, and what is excluded.</p> <p>Last updated: 2026-05-17.</p> <hr> <h2 id="availability-target"> Availability target <a href="#availability-target" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>99.5% monthly uptime</strong> for:</p> <ul> <li>The whistleblower reporting portal — the surface where reporters submit and follow up on cases.</li> <li>The operator and handler portal — the surface where designated handlers access and work cases.</li> </ul> <p>99.5% monthly allows approximately 3 hours 36 minutes of unplanned downtime per calendar month.</p> <p>The marketing site and documentation are best-effort and not covered.</p> <hr> <h2 id="measurement"> Measurement <a href="#measurement" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Uptime is measured monthly as the percentage of minutes during which the covered surfaces respond to HTTP requests with a non-error status. Measurement is taken from an external monitoring service, not self-reported.</p> <hr> <h2 id="what-counts-against-availability"> What counts against availability <a href="#what-counts-against-availability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Outages of EthicsPortal application infrastructure.</li> <li>Outages of a subprocessor (hosting, email, object storage) that degrade a covered surface.</li> <li>Security incidents requiring a covered surface to be taken offline.</li> </ul> <p>Subprocessor outages are not excluded. The commitment reflects what operators and reporters actually experience.</p> <hr> <h2 id="exclusions"> Exclusions <a href="#exclusions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Availability is measured excluding:</p> <ul> <li><strong>Planned maintenance</strong> announced at least 48 hours in advance. Scheduled outside European business hours and typically under 30 minutes.</li> <li><strong>Force majeure</strong> — regional internet disruptions, natural disasters, failures of DNS or certificate authorities outside our vendor chain.</li> <li><strong>Unauthorized use or abuse</strong> requiring protective measures such as rate limiting or account suspension.</li> </ul> <hr> <h2 id="recovery-objectives"> Recovery objectives <a href="#recovery-objectives" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>In a disaster-recovery scenario, EthicsPortal targets:</p> <ul> <li><strong>Recovery point objective (RPO): 24 hours.</strong> Data written within the 24 hours preceding a catastrophic failure may be lost.</li> <li><strong>Recovery time objective (RTO): 4 hours.</strong> The covered surfaces are restored to a working state within four hours of a declared incident.</li> </ul> <p>Backup mechanism, storage location, retention, and restore-testing cadence are documented on the <a href="/security/#backups-and-restore">security page</a> .</p> <hr> <h2 id="downtime-disclosure"> Downtime disclosure <a href="#downtime-disclosure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Live availability for the covered surfaces is published at <a href="https://secure.ethicsportal.eu/up" rel="nofollow">secure.ethicsportal.eu/up</a> .</p> <p>Material outages are recorded in the <a href="/incidents/">incident register</a> . Any outage exceeding two hours on a covered surface results in a register entry.</p> <p>Monthly uptime figures are available to operators on request.</p> <hr> <h2 id="service-credits"> Service credits <a href="#service-credits" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Self-serve plans do not include monetary service credits. Remedies for material or repeated breaches are stated in the <a href="/terms/">Terms of Service</a> and the <a href="/dpa/">Data Processing Agreement</a> . To the maximum extent permitted by law, claims arising out of or relating to this SLA form part of the same aggregate liability cap that applies to the Service.</p> <hr> <h2 id="questions"> Questions <a href="#questions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For questions about availability or to request monthly uptime figures, contact <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/subprocessors/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/subprocessors/Third-party services that process personal data on behalf of EthicsPortal. Published per GDPR Article 28.<h1 id="subprocessors"> Subprocessors <a href="#subprocessors" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Subprocessors are third parties that process personal data on behalf of EthicsPortal when EthicsPortal acts as processor for operator-organizations (controllers). This list is published per Article 28(2) GDPR and the Data Processing Agreement.</p> <p>Last updated: 2026-04.</p> <hr> <h2 id="current-subprocessors"> Current subprocessors <a href="#current-subprocessors" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Subprocessor</th> <th>Jurisdiction</th> <th>Purpose</th> <th>Data categories</th> </tr> </thead> <tbody> <tr> <td><img src="/images/subprocessors/hetzner.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> Hetzner Online GmbH</td> <td>🇩🇪 Germany (EU)</td> <td>Server, database hosting, and file attachment storage</td> <td>All application data: reports, handler identity, messages, audit logs; uploaded attachments (metadata stripped before upload)</td> </tr> <tr> <td><img src="/images/subprocessors/cloudflare.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> Cloudflare, Inc.</td> <td>🇺🇸 United States</td> <td>Marketing-site CDN and DDoS protection</td> <td>Visitor IP addresses and request headers for marketing-site requests; cached static assets. No reports, handler data, or account data</td> </tr> <tr> <td><img src="/images/subprocessors/mailjet.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> Mailjet SAS</td> <td>🇫🇷 France (EU)</td> <td>Transactional email delivery</td> <td>Handler email addresses, access-code notifications, billing emails</td> </tr> <tr> <td><img src="/images/subprocessors/stripe.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> Stripe Payments Europe, Ltd</td> <td>🇮🇪 Ireland (EU)</td> <td>Subscription billing and payment processing</td> <td>Operator billing contact, tokenized payment data</td> </tr> <tr> <td><img src="/images/subprocessors/appsignal.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> AppSignal B.V.</td> <td>🇳🇱 Netherlands (EU)</td> <td>Error tracking and application performance monitoring (admin and handler side only)</td> <td>Stack traces, request metadata; reporter IPs are never logged</td> </tr> <tr> <td><img src="/images/subprocessors/crisp.png" alt="" width="20" height="20" style="display:inline;vertical-align:middle;margin:0 8px 0 0"> Crisp IM SARL</td> <td>🇫🇷 France (EU)</td> <td>In-app customer chat for handlers (loaded only in the handler portal); supports operator identity verification (KYC). See note below on reporter privacy.</td> <td>Handler IP, chat content, operator organization name and contact, identity-verification materials</td> </tr> </tbody> </table> <p><strong>Whistleblower reporter privacy.</strong> Crisp is loaded only in the handler/admin portal. It is not present on the marketing site or on the whistleblower reporting portal — the surface where reporters submit and follow up on their reports. No Crisp script, cookie, or identifier reaches reporter-facing pages. Reporters are never tracked by Crisp.</p> <p><strong>No AI or LLM sub-processor.</strong> No large language model, generative AI service, or AI-based classifier is a sub-processor of EthicsPortal. Report content, reporter identity, handler messages, and audit logs are not transmitted to OpenAI, Anthropic, Google, Mistral, or any other AI inference provider. This is a product commitment, not a configuration default — see <a href="/directive-coverage/#5-confidentiality-of-identity-art-16">§5 of the Directive coverage map</a> for the legal framing.</p> <p>Transfers to jurisdictions outside the EU/EEA rely on Standard Contractual Clauses and additional safeguards as detailed in the Data Processing Agreement.</p> <hr> <h2 id="what-counts-as-a-subprocessor"> What counts as a subprocessor <a href="#what-counts-as-a-subprocessor" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>A subprocessor is any third-party service that processes personal data on behalf of EthicsPortal under a written processing agreement. Services appear here only if they receive, store, or transmit personal data. Internal libraries, package registries, and build-time dependencies are not subprocessors.</p> <hr> <h2 id="notification-of-changes"> Notification of changes <a href="#notification-of-changes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Operators are notified of additions or changes to this list at least 30 days before a new subprocessor begins processing personal data. Objections to a proposed subprocessor may be raised under the Data Processing Agreement.</p> <hr> <h2 id="questions"> Questions <a href="#questions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>For questions about subprocessor data-handling, contact <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/terms/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/terms/Terms of service for EthicsPortal — the secure whistleblower reporting platform for EU compliance.<h1 id="terms-of-service"> Terms of Service <a href="#terms-of-service" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p><strong>Effective date:</strong> April 22, 2026 <strong>Last updated:</strong> April 22, 2026</p> <h2 id="1-introduction"> 1. Introduction <a href="#1-introduction" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>These Terms of Service (“Terms”) govern your use of EthicsPortal at <a href="https://ethicsportal.eu">ethicsportal.eu</a> (the “Service”). EthicsPortal is operated by Yaroslav Shmarov, registered at ul. Obrzeżna 1A, 02-691 Warsaw, Poland (“we”, “us”, “our”). Baseline contracting-party information is published on the <a href="/trust/">trust</a> page.</p> <p>By creating an account or using the Service, you agree to be bound by these Terms. If you do not agree, do not use the Service.</p> <h2 id="2-description-of-service"> 2. Description of service <a href="#2-description-of-service" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is a secure whistleblower reporting platform. The Service allows organizations to manage compliance reporting channels and protect whistleblowers.</p> <h2 id="3-eligibility"> 3. Eligibility <a href="#3-eligibility" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>To use the Service, you must:</p> <ul> <li>Be at least 16 years of age</li> <li>Provide a valid email address</li> <li>Have the legal capacity to enter into a binding agreement</li> </ul> <p>We reserve the right to refuse service to anyone for any reason.</p> <h2 id="4-your-account"> 4. Your account <a href="#4-your-account" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>You are responsible for maintaining the confidentiality of your login credentials</li> <li>You are responsible for all activity that occurs under your account</li> <li>You must provide accurate and complete information when creating your account</li> <li>You must not create multiple accounts for the same person</li> <li>You must notify us immediately if you suspect unauthorized access to your account</li> </ul> <h2 id="5-subscriptions-and-payments"> 5. Subscriptions and payments <a href="#5-subscriptions-and-payments" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Paid features require an active subscription</li> <li>Subscriptions are billed on a recurring basis (monthly or annually) through <a href="https://stripe.com" rel="nofollow">Stripe</a> </li> <li>We do not store credit card numbers or bank account details on our servers — all payment processing is handled by Stripe</li> <li>Prices are listed in the Service and may change with notice</li> </ul> <h3 id="cancellation-and-refunds"> Cancellation and refunds <a href="#cancellation-and-refunds" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>You can cancel your subscription at any time from your billing settings, no questions asked. Cancellation takes effect at the end of the current billing period — you retain access until then.</p> <p>Subscriptions are non-refundable. We do not refund the unused portion of a billing period after cancellation.</p> <h2 id="6-user-content"> 6. User content <a href="#6-user-content" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>“User content” includes any text, images, files, or other materials you submit to the Service (profile information, uploaded files).</p> <ul> <li>By submitting content to the Service (profile information, etc.), you grant us a non-exclusive, worldwide, royalty-free license to use, display, and distribute that content solely as necessary to provide the Service</li> <li>This license ends when you delete the content or your account</li> <li>You must not submit content that is illegal, infringing, defamatory, obscene, or otherwise harmful</li> </ul> <p>We reserve the right to remove content that violates these Terms.</p> <h2 id="7-prohibited-conduct"> 7. Prohibited conduct <a href="#7-prohibited-conduct" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>You agree not to:</p> <ul> <li>Use the Service for any illegal purpose</li> <li>Scrape, crawl, or use automated means to access the Service without our permission</li> <li>Create fake accounts or misrepresent your identity</li> <li>Interfere with or disrupt the Service or its infrastructure</li> <li>Attempt to gain unauthorized access to other users’ accounts or data</li> <li>Use the Service to send spam, phishing, or unsolicited messages</li> <li>Circumvent any security measures or access controls</li> <li>Reverse-engineer, decompile, or disassemble any part of the Service</li> <li>Resell or redistribute the Service without our permission</li> </ul> <h2 id="8-intellectual-property"> 8. Intellectual property <a href="#8-intellectual-property" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Our property:</strong> The Service, including its design, code, branding, and documentation, is owned by us and protected by applicable intellectual property laws. You may not copy, modify, or distribute any part of the Service without our permission.</li> <li><strong>Your property:</strong> You retain all rights to the content you submit. We claim no ownership over your content.</li> </ul> <h2 id="9-termination"> 9. Termination <a href="#9-termination" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>By you:</strong> You can delete your account at any time from your account settings. This permanently removes your data as described in our <a href="/privacy">Privacy Policy</a> .</li> <li><strong>By us:</strong> We may suspend or terminate your account if you violate these Terms, engage in prohibited conduct, or if required by law. We will make reasonable efforts to notify you before termination, except where immediate action is necessary (e.g., fraud, security threats).</li> </ul> <p>Upon termination, your right to use the Service ceases immediately.</p> <h2 id="10-disclaimer-of-warranties"> 10. Disclaimer of warranties <a href="#10-disclaimer-of-warranties" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Service is provided <strong>“as is”</strong> and <strong>“as available”</strong> without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.</p> <p>We do not warrant that:</p> <ul> <li>The Service will be uninterrupted, timely, secure, or error-free</li> <li>The Service will meet your specific requirements</li> </ul> <h2 id="11-limitation-of-liability"> 11. Limitation of liability <a href="#11-limitation-of-liability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>To the maximum extent permitted by law, we shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, or business opportunities.</p> <p>To the maximum extent permitted by law, our total aggregate liability arising out of or relating to the Service, these Terms, the <a href="/dpa/">Data Processing Agreement</a> , or the <a href="/sla/">Service level agreement</a> will not exceed the fees you paid us for the Service in the 12 months preceding the event giving rise to the claim.</p> <p>Nothing in these Terms excludes or limits liability for fraud, willful misconduct, or any liability that cannot be excluded or limited under applicable law.</p> <h2 id="12-intellectual-property-infringement-indemnity"> 12. Intellectual-property infringement indemnity <a href="#12-intellectual-property-infringement-indemnity" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>To the maximum extent permitted by law, we will defend the Controller against any third-party claim brought against the Controller alleging that the Service, as provided by us and used in accordance with these Terms and the <a href="/dpa/">Data Processing Agreement</a> , infringes a copyright, trademark, or patent enforceable in the European Union, and we will pay the damages and reasonable costs finally awarded against the Controller by a court of competent jurisdiction or agreed by us in settlement, provided that the Controller:</p> <ul> <li>Notifies us promptly in writing of the claim</li> <li>Grants us sole control of the defense and settlement of the claim, with the Controller’s reasonable cooperation at our expense</li> <li>Does not admit liability or settle the claim without our prior written consent</li> </ul> <p>This indemnity does not apply to claims arising from:</p> <ul> <li>Modifications to the Service made by the Controller or by any third party</li> <li>Use of the Service in combination with components, data, or services not authorized or supplied by us, where the claim would not have arisen but for that combination</li> <li>Use of the Service in violation of these Terms, the Data Processing Agreement, or applicable law</li> <li>Continued use of the Service after we have made available a non-infringing alternative or provided a written notice to discontinue use</li> </ul> <p>If the Service becomes, or in our reasonable opinion is likely to become, the subject of an infringement claim, we may, at our option and expense, (i) procure for the Controller the right to continue using the Service, (ii) modify the Service to be non-infringing while preserving substantially equivalent functionality, (iii) replace the Service with a non-infringing alternative of substantially equivalent functionality, or (iv) where none of the above is commercially reasonable, terminate the affected portion of the Service and refund any prepaid fees for the unused portion of the then-current billing period.</p> <p>To the maximum extent permitted by law, this Section 12 states our entire liability, and the Controller’s exclusive remedy, with respect to third-party intellectual-property infringement claims relating to the Service. Amounts payable under this Section 12 are subject to the aggregate liability cap in Section 11.</p> <h2 id="13-governing-law-and-disputes"> 13. Governing law and disputes <a href="#13-governing-law-and-disputes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>These Terms are governed by the laws of Poland. Any disputes arising from or related to these Terms or the Service shall be submitted to the exclusive jurisdiction of the courts of Warsaw, Poland.</p> <p>If you are a consumer resident in the EU, you also have the right to bring proceedings in the courts of your country of residence.</p> <h2 id="14-changes-to-these-terms"> 14. Changes to these Terms <a href="#14-changes-to-these-terms" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We may update these Terms from time to time. When we make material changes, we will notify you by email or through an in-app notification at least 14 days before the changes take effect.</p> <p>Your continued use of the Service after the updated Terms take effect constitutes your acceptance of the changes. If you do not agree with the updated Terms, you may delete your account.</p> <h2 id="15-severability"> 15. Severability <a href="#15-severability" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If any provision of these Terms is found to be unenforceable, the remaining provisions will continue in full force and effect.</p> <h2 id="16-contact-us"> 16. Contact us <a href="#16-contact-us" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you have questions about these Terms, contact us at:</p> <p><strong>Email:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> <strong>Security:</strong> <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> <strong>Location:</strong> Warsaw, Poland</p> <p>Signed DPAs, registry evidence, and procurement-review materials are available on request during procurement.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/trust/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/trust/Contracting party, data residency, certifications, and procurement materials for EthicsPortal.<h1 id="trust"> Trust <a href="#trust" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Everything a procurement reviewer, DPO, or legal team needs to evaluate EthicsPortal.</p> <p>Last updated: 2026-05-24.</p> <hr> <h2 id="contracting-party"> Contracting party <a href="#contracting-party" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Service name:</strong> EthicsPortal</li> <li><strong>Operator:</strong> Yaroslav Shmarov</li> <li><strong>Registered address:</strong> ul. Obrzeżna 1A, 02-691 Warsaw, Poland</li> <li><strong>Tax identification number (NIP):</strong> 5272755790</li> <li><strong>Authorized signatory for commercial agreements, DPAs, and security questionnaires:</strong> Yaroslav Shmarov</li> <li><strong>Commercial contact:</strong> <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> </li> <li><strong>Security contact:</strong> <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> </li> <li><strong>Privacy and data protection contact:</strong> <a href="mailto:privacy@ethicsportal.eu">privacy@ethicsportal.eu</a> </li> </ul> <p>Registry evidence and signed contracting documents are provided on request during procurement.</p> <hr> <h2 id="data-residency-and-processor-relationship"> Data residency and processor relationship <a href="#data-residency-and-processor-relationship" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>In the standard subscription model, the customer is the controller and EthicsPortal acts as processor for customer report data.</p> <p>Core whistleblower report data, including the application, database, and file storage, is hosted in Nuremberg, Germany on <a href="https://www.hetzner.com" rel="nofollow">Hetzner</a> . Transactional email runs through Mailjet (France). The marketing site uses one named non-EU subprocessor, Cloudflare (CDN), listed in full on the <a href="/subprocessors/">subprocessors</a> page. The reporting portal and handler portal do not load Cloudflare.</p> <hr> <h2 id="continuity-and-personnel"> Continuity and personnel <a href="#continuity-and-personnel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Customer data is recoverable independently of operator availability.</strong> At any point during the relationship and on contract exit, customer organizations are entitled to a complete machine-readable export of their data, plus a defined wind-down period to migrate to an alternative provider. These arrangements are stated in the <a href="/dpa/">Data Processing Agreement</a> and elaborated in the <a href="/policies/business-continuity/">business continuity plan</a> , which defines activation triggers, <strong>RPO 24 hours / RTO 4 hours</strong>, and the operator-incapacity procedure.</p> <p><strong>Backups.</strong> Daily encrypted PostgreSQL dumps to Hetzner Object Storage (EU, 7-day retention) plus Hetzner server-level snapshots (7-day retention). Last restore drill: 2026-05-14.</p> <p><strong>Personnel scope.</strong> All customer data is processed by the named operator. There are no other employees or contractors — a deliberate scope decision that removes provider-side personnel risks (background-screening gaps, joiner/leaver leakage, contractor sprawl) from the threat model. Privileged-access controls for the named operator are documented and available during procurement review.</p> <hr> <h2 id="certification-status"> Certification status <a href="#certification-status" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal does not currently claim ISO 27001, SOC 2, or equivalent certification on this site. An independent external penetration test is not currently on record. When either changes, the certification name (or test scope, date, and remediation summary) will be published here.</p> <p>In place of accredited certification, EthicsPortal publishes a structured self-assessment against the same control sets that an external audit would evaluate:</p> <ul> <li>An <a href="/iso-27001/">ISO/IEC 27001:2022 Annex A control map</a> covering all 93 controls, with status (Implemented / Self-assessed / Not applicable / Compensating control) and evidence pointers for each.</li> <li>Named policy documents at <a href="/policies/">/policies/</a> : <a href="/policies/information-security/">information security policy</a> , <a href="/policies/business-continuity/">business continuity plan</a> , <a href="/policies/risk-register/">risk register</a> .</li> <li>A <a href="/caiq/">pre-filled CAIQ-aligned questionnaire</a> for the questions whose answers are already documented publicly.</li> </ul> <p>The self-assessment is the substance an accreditation would attest to. EthicsPortal publishes it directly so a procurement reviewer can evaluate the same evidence without waiting for an auditor.</p> <hr> <h2 id="operational-lifecycle"> Operational lifecycle <a href="#operational-lifecycle" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Question</th> <th>Answer</th> </tr> </thead> <tbody> <tr> <td>Live availability</td> <td>Published at <a href="https://secure.ethicsportal.eu/up" rel="nofollow">secure.ethicsportal.eu/up</a> for the covered surfaces. See <a href="/sla/">Service level agreement</a> for measurement methodology and exclusions.</td> </tr> <tr> <td>Session and access lifecycle</td> <td>Sessions expire automatically after 14 days of inactivity and are swept nightly. Users can review and revoke their own sessions at any time. Each session records <code>last_seen_at</code> so stale devices are identifiable. Member deactivation cuts access at the request boundary, unassigns open reports, and removes participantships while preserving audit history. See <a href="/security/#access-control">Security</a> .</td> </tr> <tr> <td>Backups and restore</td> <td>Daily encrypted PostgreSQL dumps to Hetzner Object Storage (EU, 7-day retention) plus Hetzner server-level snapshots (7-day retention). <strong>RPO 24 hours, RTO 4 hours.</strong> Last restore drill: 2026-05-14. See <a href="/security/#backups-and-restore">Security</a> .</td> </tr> <tr> <td>Dependency and patch management</td> <td>Continuous SCA in CI (Brakeman, bundler-audit, importmap audit) plus weekly Dependabot updates. No end-of-life components deployed. See <a href="/security/#dependency-and-patch-management">Security</a> .</td> </tr> <tr> <td>Export and deletion</td> <td>PDF case export is available in-app for every case (description, messages, audit trail, attachments). Machine-readable bulk export of the full organization data set is available on request during contract exit. Contractual commitments are in the <a href="/dpa/">Data Processing Agreement</a> .</td> </tr> <tr> <td>Recovery objectives</td> <td>See <a href="/sla/#recovery-objectives">Service level agreement</a> .</td> </tr> </tbody> </table> <hr> <h2 id="contracting-positions"> Contracting positions <a href="#contracting-positions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>A single source of truth for the contractual questions enterprise procurement teams most often ask. Each row links to the document that controls.</p> <table> <thead> <tr> <th>Item</th> <th>EthicsPortal position</th> </tr> </thead> <tbody> <tr> <td>Aggregate liability cap</td> <td>12 months of fees paid in the 12 months preceding the event giving rise to the claim (<a href="/terms/">Terms §11</a> ). The Data Processing Agreement, Service Level Agreement, and intellectual-property indemnity all fold into the same aggregate cap.</td> </tr> <tr> <td>Intellectual-property infringement indemnity</td> <td>The operator will defend the Controller against third-party copyright, trademark, or patent claims arising from use of the Service in accordance with the Terms, subject to standard carve-outs (customer modifications, unauthorized use, non-authorized combinations) and the aggregate liability cap. See <a href="/terms/">Terms §12</a> .</td> </tr> <tr> <td>Breach notification window</td> <td>Without undue delay and in any case within 72 hours of becoming aware (<a href="/dpa/">DPA §6.6</a> ), aligned with <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 33</a> GDPR. No shorter window is contractually offered on self-serve plans, because shorter windows risk premature notification and conflict with the GDPR-mandated forensic threshold.</td> </tr> <tr> <td>Audit rights</td> <td>Per <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 28(3)(h)</a> GDPR, on at least 30 days’ advance notice and during normal business hours (<a href="/dpa/">DPA §6.9</a> ). The Processor will respond to written security questionnaires in lieu of on-site audit where the Controller’s review can be satisfied that way.</td> </tr> <tr> <td>Service credits</td> <td>Self-serve plans do not include monetary service credits. Remedies for material or repeated availability failures are governed by the aggregate liability cap (<a href="/sla/">SLA</a> ).</td> </tr> <tr> <td>Customer-managed encryption keys (BYOK / external KMS)</td> <td>Not supported. Processor-managed keys are required to maintain the reporter–handler key boundary and the end-to-end deletion guarantee. See <a href="/dpa/">DPA §6.11</a> .</td> </tr> <tr> <td>Source code escrow</td> <td>Not offered. Continuity is handled through the operator-incapacity provisions of the <a href="/policies/business-continuity/">business continuity plan</a> and the Controller’s data-export and deletion rights under <a href="/dpa/">DPA §6.8</a> .</td> </tr> <tr> <td>Sub-processor change notice</td> <td>At least 30 days before adding or replacing a sub-processor; the Controller may object and terminate if no resolution is reached (<a href="/dpa/">DPA §6.4</a> ).</td> </tr> <tr> <td>Data export and deletion on exit</td> <td>Self-service PDF case export in-product, plus machine-readable bulk export on request during exit, plus deletion within 30 days of subscription termination on written request (<a href="/dpa/">DPA §6.8</a> ).</td> </tr> <tr> <td>Cyber liability insurance</td> <td>Under review. Coverage amount and carrier will be published here when in place.</td> </tr> <tr> <td>Independent external penetration test</td> <td>None currently on record. Scope, date, and remediation summary will be published here when one is performed.</td> </tr> <tr> <td>Governing law and venue</td> <td>Laws of Poland; courts of Warsaw (<a href="/terms/">Terms §13</a> ). EU consumers retain the right to proceedings in their country of residence.</td> </tr> </tbody> </table> <p>These positions are reflected in the published <a href="/terms/">Terms of Service</a> , <a href="/dpa/">Data Processing Agreement</a> , and <a href="/sla/">Service level agreement</a> . Material deviations are not granted on self-serve plans.</p> <hr> <h2 id="public-documents"> Public documents <a href="#public-documents" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Everything a procurement reviewer needs is published openly. Grouped by what the document does.</p> <h3 id="contractual"> Contractual <a href="#contractual" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>What governs the relationship between EthicsPortal and the customer.</p> <table> <thead> <tr> <th>Document</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><a href="/terms/">Terms of service</a> </td> <td>Subscription terms, cancellation, refunds, liability cap, IP indemnity</td> </tr> <tr> <td><a href="/dpa/">Data Processing Agreement</a> </td> <td>Processor terms under GDPR Art. 28</td> </tr> <tr> <td><a href="/sla/">Service level agreement</a> </td> <td>Availability target and measurement</td> </tr> <tr> <td><a href="/privacy/">Privacy policy</a> </td> <td>How personal data is handled</td> </tr> </tbody> </table> <h3 id="operational"> Operational <a href="#operational" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>How the Service runs day-to-day and who else is involved.</p> <table> <thead> <tr> <th>Document</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><a href="/security/">Security</a> </td> <td>Technical and organizational measures</td> </tr> <tr> <td><a href="/subprocessors/">Subprocessors</a> </td> <td>Named subprocessors and their scope</td> </tr> <tr> <td><a href="/incidents/">Incident register</a> </td> <td>Material incidents affecting personal data</td> </tr> <tr> <td><a href="/accessibility/">Accessibility</a> </td> <td>EAA / EN 301 549 conformance status</td> </tr> </tbody> </table> <h3 id="directive-reference"> Directive reference <a href="#directive-reference" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>How EthicsPortal maps to, and reads, EU Directive 2019/1937.</p> <table> <thead> <tr> <th>Document</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><a href="/directive-coverage/">Directive 2019/1937 coverage map</a> </td> <td>Feature-to-Directive 2019/1937 article map</td> </tr> <tr> <td><a href="/directive-interpretations/">Directive 2019/1937 interpretations</a> </td> <td>Interpretive positions on ambiguous Directive provisions</td> </tr> <tr> <td><a href="/whistleblower-laws/">Whistleblower laws by country</a> </td> <td>National transpositions, enforcement authorities</td> </tr> <tr> <td><a href="/penalties/">Penalties by country</a> </td> <td>Fines and criminal liability per Member State</td> </tr> </tbody> </table> <h3 id="self-assessment"> Self-assessment <a href="#self-assessment" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Named policy documents and the control mappings an external audit would evaluate.</p> <table> <thead> <tr> <th>Document</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><a href="/policies/information-security/">Information security policy</a> </td> <td>Statement of intent, scope, roles, control commitments</td> </tr> <tr> <td><a href="/policies/business-continuity/">Business continuity plan</a> </td> <td>Activation triggers, recovery objectives, operator-incapacity disclosure</td> </tr> <tr> <td><a href="/policies/risk-register/">Risk register</a> </td> <td>Top risks, treatment, residual position</td> </tr> <tr> <td><a href="/iso-27001/">ISO/IEC 27001:2022 Annex A control map</a> </td> <td>Structured self-assessment against all 93 controls</td> </tr> <tr> <td><a href="/caiq/">CAIQ-aligned questionnaire</a> </td> <td>Pre-filled vendor security assessment (CSA CAIQ v4 domain structure)</td> </tr> </tbody> </table> <hr> <h2 id="available-during-procurement-review"> Available during procurement review <a href="#available-during-procurement-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The following materials are shared in controlled disclosure rather than published openly:</p> <ul> <li>Signed DPA</li> <li>Registry extract and NIP / tax proof</li> <li>Completed security questionnaire</li> <li>Privileged production-access summary</li> <li>Incident-response summary</li> <li>Business continuity, exit, and customer-export responses</li> <li>External penetration test summary (when on record)</li> </ul> <p>To request these, email <a href="mailto:support@ethicsportal.eu">support@ethicsportal.eu</a> . For security-review questions, email <a href="mailto:security@ethicsportal.eu">security@ethicsportal.eu</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/industries/financial-services/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/industries/financial-services/Whistleblower reporting requirements for banks, investment firms, and insurers under EU Directive 2019/1937, MiFID II, MAR, and AML directives.<h1 id="whistleblower-compliance-for-financial-services"> Whistleblower compliance for financial services <a href="#whistleblower-compliance-for-financial-services" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Financial institutions operate under the EU Whistleblower Directive <em>and</em> sector-specific regulations that independently require internal reporting channels. Non-compliance exposes firms to penalties from both national transposition laws and financial regulators.</p> <h2 id="regulations-that-require-reporting-channels"> Regulations that require reporting channels <a href="#regulations-that-require-reporting-channels" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>EU Directive 2019/1937</strong> — applies to all firms with 50+ employees. Requires confidential reporting channels, 7-day acknowledgment, and 3-month feedback deadlines.</li> <li><strong>MiFID II (2014/65/EU)</strong> — Article 73 requires investment firms to have procedures for employees to report potential breaches internally. National regulators enforce this independently of the Whistleblower Directive.</li> <li><strong>Market Abuse Regulation (EU 596/2014)</strong> — Article 32 requires member states to establish mechanisms for reporting actual or potential market abuse. Firms must ensure internal channels exist so employees can report before going to regulators.</li> <li><strong>Anti-Money Laundering Directives (AMLD 4/5/6)</strong> — require internal reporting procedures for suspicious transactions. The upcoming AMLD package (2024) strengthens whistleblower protections for AML reporting.</li> <li><strong>Solvency II (2009/138/EC)</strong> — Article 71 requires insurers to maintain whistleblowing procedures.</li> </ul> <h2 id="sector-regulators-with-enforcement-powers"> Sector regulators with enforcement powers <a href="#sector-regulators-with-enforcement-powers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Country</th> <th>Regulator</th> <th>Scope</th> </tr> </thead> <tbody> <tr> <td><a href="/whistleblower-laws/germany/">Germany</a> </td> <td>BaFin</td> <td>Banking, insurance, securities</td> </tr> <tr> <td><a href="/whistleblower-laws/france/">France</a> </td> <td>AMF / ACPR</td> <td>Markets / banking and insurance</td> </tr> <tr> <td><a href="/whistleblower-laws/netherlands/">Netherlands</a> </td> <td>AFM / DNB</td> <td>Markets / prudential supervision</td> </tr> <tr> <td><a href="/whistleblower-laws/italy/">Italy</a> </td> <td>Consob / Banca d’Italia</td> <td>Markets / banking</td> </tr> <tr> <td><a href="/whistleblower-laws/spain/">Spain</a> </td> <td>CNMV</td> <td>Securities markets</td> </tr> <tr> <td><a href="/whistleblower-laws/poland/">Poland</a> </td> <td>KNF</td> <td>All financial sectors</td> </tr> <tr> <td><a href="/whistleblower-laws/ireland/">Ireland</a> </td> <td>Central Bank of Ireland</td> <td>All financial sectors</td> </tr> </tbody> </table> <p>These regulators can impose fines independently of national whistleblower authorities.</p> <h2 id="what-gets-reported"> What gets reported <a href="#what-gets-reported" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Market manipulation and insider trading</li> <li>AML/KYC procedure failures</li> <li>Mis-selling of financial products</li> <li>Sanctions evasion</li> <li>Unauthorized trading or risk limit breaches</li> <li>Conflicts of interest in advisory roles</li> </ul> <h2 id="why-a-dedicated-channel-matters"> Why a dedicated channel matters <a href="#why-a-dedicated-channel-matters" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Financial sector employees who report through general HR channels risk having their disclosure misrouted to the person responsible for the breach. Article 9 of the Directive requires channels that protect confidentiality and prevent conflicts of interest — critical in organizations where compliance, trading, and management overlap.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/industries/manufacturing/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/industries/manufacturing/Whistleblower reporting requirements for manufacturers under EU Directive 2019/1937, the German Supply Chain Act (LkSG), and the upcoming EU CSDDD.<h1 id="whistleblower-compliance-for-manufacturing-and-supply-chain"> Whistleblower compliance for manufacturing and supply chain <a href="#whistleblower-compliance-for-manufacturing-and-supply-chain" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Manufacturers face whistleblower obligations from two directions: the EU Whistleblower Directive (2019/1937) for internal reporting, and supply chain due diligence laws that explicitly require grievance mechanisms covering employees <em>and</em> third parties.</p> <h2 id="regulations-that-require-reporting-channels"> Regulations that require reporting channels <a href="#regulations-that-require-reporting-channels" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>EU Directive 2019/1937</strong> — applies to all manufacturers with 50+ employees. Internal channels for employees.</li> <li><strong>German Supply Chain Act (LkSG)</strong> — in force since January 2023. Requires companies with 1,000+ employees (and their direct suppliers) to establish a <strong>complaints procedure</strong> accessible to affected persons in the supply chain — not just employees. <a href="https://www.gesetze-im-internet.de/lksg/__8.html" rel="nofollow">Section 8 LkSG</a> </li> <li><strong>EU Corporate Sustainability Due Diligence Directive (CSDDD)</strong> — adopted 2024, phased implementation from 2027. Requires companies with 1,000+ employees and €450M+ turnover to establish complaints mechanisms for human rights and environmental violations in their value chains.</li> <li><strong>EU Product Safety Regulation (2023/988)</strong> — requires manufacturers to have internal channels for reporting product safety concerns.</li> </ul> <h2 id="lksg-vs-whistleblower-directive"> LkSG vs. Whistleblower Directive <a href="#lksg-vs-whistleblower-directive" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th></th> <th>Whistleblower Directive</th> <th>LkSG</th> </tr> </thead> <tbody> <tr> <td>Who can report</td> <td>Employees, contractors</td> <td>Employees, suppliers, affected third parties</td> </tr> <tr> <td>Scope</td> <td>Breaches of EU/national law</td> <td>Human rights, environmental violations in supply chain</td> </tr> <tr> <td>Anonymity required</td> <td>Varies by country</td> <td>Not required but recommended (BAFA guidance)</td> </tr> <tr> <td>Enforcement</td> <td>National whistleblower authorities</td> <td>BAFA (<a href="/whistleblower-laws/germany/">German</a> Federal Office for Economic Affairs)</td> </tr> <tr> <td>Penalties</td> <td>Varies by country</td> <td>Up to 2% of annual global turnover</td> </tr> </tbody> </table> <p>Companies subject to both laws need a channel that serves dual obligations — internal whistleblowing <em>and</em> supply chain grievance. A single reporting channel can cover both if configured correctly.</p> <h2 id="what-gets-reported"> What gets reported <a href="#what-gets-reported" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Workplace safety violations in production facilities</li> <li>Environmental non-compliance (emissions, waste disposal)</li> <li>Forced labor or exploitative conditions at supplier sites</li> <li>Product safety defects concealed from regulators</li> <li>Bribery in procurement or supplier relationships</li> <li>Circumvention of export controls or sanctions</li> </ul> <h2 id="why-this-matters-now"> Why this matters now <a href="#why-this-matters-now" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The CSDDD extends supply chain due diligence obligations across the EU, not just Germany. Companies preparing for 2027 compliance need grievance mechanisms in place. Waiting means retrofitting under deadline pressure — the same pattern that led to five member states being fined for late Directive transposition.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/industries/public-sector/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/industries/public-sector/Whistleblower reporting requirements for municipalities, government agencies, and public bodies under EU Directive 2019/1937. No 50-employee threshold.<h1 id="whistleblower-compliance-for-public-sector"> Whistleblower compliance for public sector <a href="#whistleblower-compliance-for-public-sector" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Public sector entities have a stricter obligation than private companies. Under EU Directive 2019/1937, <strong>all public sector organizations must establish internal reporting channels</strong> — there is no 50-employee minimum. Most national transpositions preserve this broader scope.</p> <h2 id="how-the-directive-applies-differently"> How the Directive applies differently <a href="#how-the-directive-applies-differently" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Requirement</th> <th>Private sector</th> <th>Public sector</th> </tr> </thead> <tbody> <tr> <td>Employee threshold</td> <td>50+ employees</td> <td><strong>No threshold</strong> (all entities)</td> </tr> <tr> <td>Deadline</td> <td>December 2023 for 50–249 employees</td> <td>December 2021 (most member states)</td> </tr> <tr> <td>Shared channels</td> <td>Allowed for municipalities <10,000 inhabitants</td> <td>Allowed for municipalities <10,000 inhabitants</td> </tr> <tr> <td>Anonymous reporting</td> <td>Varies by country</td> <td>Mandatory in some member states</td> </tr> </tbody> </table> <p>Article 8(9) of the Directive allows municipalities with fewer than 10,000 inhabitants or fewer than 50 workers to share reporting channels. This is the only concession — all other public entities must operate their own.</p> <h2 id="national-variations"> National variations <a href="#national-variations" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong><a href="/whistleblower-laws/germany/">Germany</a> (HinSchG)</strong> — all public employers must establish internal channels. Fines of €20,000–€50,000 for non-compliance (up to €500,000 for legal entities).</li> <li><strong><a href="/whistleblower-laws/france/">France</a> (Loi Waserman)</strong> — all public bodies covered. Whistleblowers can report directly to external authorities without using internal channels first.</li> <li><strong><a href="/whistleblower-laws/poland/">Poland</a> </strong> — all public entities covered. Internal procedures required by January 1, 2025.</li> <li><strong><a href="/whistleblower-laws/spain/">Spain</a> (Ley 2/2023)</strong> — all public entities covered regardless of size. Fines up to €1,000,000.</li> </ul> <h2 id="what-gets-reported"> What gets reported <a href="#what-gets-reported" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li>Misuse of public funds or procurement fraud</li> <li>Conflicts of interest in contracting</li> <li>Environmental violations by public works</li> <li>Workplace safety failures in public facilities</li> <li>Data protection breaches involving citizen data</li> <li>Abuse of authority</li> </ul> <h2 id="why-municipalities-are-at-risk"> Why municipalities are at risk <a href="#why-municipalities-are-at-risk" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Most large government agencies have compliance infrastructure. Municipalities and smaller public bodies often do not. They assume the Directive doesn’t apply to them because they have fewer than 50 employees. It does. A reporting channel for a municipality can be operational in minutes — there is no procurement process or IT integration required.</p> <hr> <p><a href="/pricing/">Deploy your reporting channel →</a> </p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/firehose/Mon, 01 Jan 0001 00:00:00 +0000https://ethicsportal.eu/firehose/EU Directive 2019/1937 requires every company with 50+ employees to operate a confidential, deadline-tracked whistleblower reporting channel. EthicsPortal deploys in under 10 minutes for €49/month.support@ethicsportal.eu (EthicsPortal)