Methodology #
This document records how EthicsPortal interprets provisions of EU Directive 2019/1937 that admit more than one reasonable reading. It is written for compliance officers, data protection officers, and legal counsel who must make defensible operational decisions in the absence of authoritative interpretive guidance from the European Commission or the Court of Justice.
It is a living document. Where the Court of Justice, the European Data Protection Board, or a competent national authority issues binding interpretation that differs from the positions below, this document is revised and the prior position is preserved in the revision log.
For the feature-to-requirement map — which EthicsPortal capability satisfies each provision of the Directive — see the compliance page. The two documents are complementary: compliance documents what the product does; methodology documents how we read the law.
Last updated: April 2026.
§1. Scope and sources #
This methodology addresses Directive 2019/1937 as transposed into the national law of the 27 EU member states. Where national transposition is stricter than the Directive, the national rule governs for organizations operating in that jurisdiction (see §9).
Authoritative sources, in order of precedence:
- The Directive text itself — Directive (EU) 2019/1937 of 23 October 2019, including its recitals.
- National transposition laws — binding within each member state. See whistleblower laws by country for specific law names and enforcement authorities.
- Court of Justice of the European Union rulings — binding across the Union.
- European Data Protection Board guidance — for data protection aspects (Article 17; GDPR overlay).
- National competent authority guidance — persuasive within the issuing state.
This document is operational methodology. It is not legal advice. Organizations should validate interpretations with competent legal counsel in their jurisdiction before relying on them in audit or litigation.
§2. Conventions #
“The Directive provides” introduces a statement of what the Directive text requires.
“In practice, this means” introduces EthicsPortal’s interpretation where the text permits more than one reading.
“EthicsPortal implements this by” introduces how the interpretation manifests in the product. Operators choosing a different interpretation may need to adjust configuration or procedures accordingly.
All Article references are to Directive 2019/1937 unless otherwise noted.
§3. The 50-worker threshold (Art. 8) #
The question. Article 8(3) requires entities with “50 or more workers” to establish internal reporting channels. The Directive does not define how the headcount is calculated, how part-time and temporary workers count, or whether the threshold applies per legal entity or per corporate group.
The Directive provides that “legal entities in the private sector with 50 or more workers” must comply (Art. 8(3)). Recital 48 clarifies that the threshold is calculated “in accordance with national law transposing the relevant Union law.”
In practice, this means the calculation follows each member state’s existing workforce-counting rules for employment and social-security purposes. These rules vary:
- Germany (HinSchG §12): headcount based on the number of persons regularly employed, counted per legal entity.
- France (Loi Waserman, Art. 8): 50 workers calculated as the average monthly headcount over the preceding 12 months.
- Italy (D.Lgs. 24/2023): average employment over the preceding year.
- Spain (Ley 2/2023): 50 workers per entity, with group-level channels permitted under conditions.
The threshold is calculated per legal entity, not per corporate group. A parent and a subsidiary are separate entities for Article 8 purposes unless national law provides otherwise. Article 8(6) permits shared resources within a group of up to 249 workers — but the obligation to establish a channel is still triggered per entity above the 50-worker threshold.
Contractors, temporary agency workers, and interns generally count toward the threshold when they fall within the national definition of “worker” — which is broader than “employee” under EU law. The Court of Justice has consistently held that the EU-law concept of “worker” includes any person who performs services for and under the direction of another in return for remuneration (see Lawrie-Blum, C-66/85).
EthicsPortal implements this by not gating access by headcount. Any organization may deploy a portal regardless of size. Organizations below the 50-worker threshold frequently operate portals voluntarily — for risk management, because national law applies a lower threshold to their sector (e.g., financial services), or because group policy mandates it.
§4. The acknowledgment timeline (Art. 9(1)(b)) #
The question. Article 9(1)(b) requires acknowledgment of receipt “within seven days of that receipt.” The Directive does not specify calendar days or business days, nor when the clock starts for reports received outside business hours.
The Directive provides for acknowledgment “within seven days of receipt.” No further qualification is given.
In practice, this means seven calendar days, counted from the moment the report enters the channel. This follows the general principle that Union-law time limits run in calendar days unless expressly stated otherwise (Regulation (EEC, Euratom) No 1182/71, Art. 3). Member states that have transposed the Directive have consistently treated the seven-day limit as calendar days (HinSchG §17(1)2; D.Lgs. 24/2023 Art. 5(1)(d); Loi Waserman Art. 8).
A report submitted at 23:59 on a Sunday is a report received on that Sunday. The seven-day clock starts on the following day (day 1 = Monday) and expires at the end of the seventh day. This follows Regulation 1182/71 Article 3(1), which provides that where a period is expressed in days, the day of the triggering event does not count.
Acknowledgment is not the same as substantive response. Acknowledgment is a confirmation that the report has been received and registered. It need not contain any assessment of the report’s merits, nor the name of the person handling it.
EthicsPortal implements this by sending an automatic acknowledgment to the reporter at the moment of submission, displayed on the portal and (where contact details are provided) by email. The acknowledgment includes the case reference and the statutory three-month feedback deadline. Organizations configured for manual acknowledgment receive deadline alerts at 48 hours before the seven-day mark and on the day of expiry.
§5. The feedback timeline (Art. 9(1)(f)) #
The question. Article 9(1)(f) requires feedback “not exceeding three months from the acknowledgment of receipt or, if no acknowledgment was sent to the reporting person, three months from the expiry of the seven-day period after the report was made.” The Directive does not define what qualifies as “feedback.”
The Directive provides that “feedback” means “the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up” (Art. 5(13)).
In practice, this means feedback is substantive. A further acknowledgment or a statement that the report is “under review” is not feedback for the purposes of Article 9(1)(f). The reporter is entitled to know, by the three-month mark, what action the organization intends to take (or has taken) and the reasoning behind it.
Feedback need not be a final determination. An organization may state that the matter is still under investigation, provided it also states what has been done so far, what further steps are planned, and when a further update can be expected. What is required is information sufficient for the reporter to evaluate whether the organization is handling the report seriously.
The three-month clock runs from the date of acknowledgment, not from the date of report submission. Where acknowledgment is delayed, the feedback window shortens accordingly — the latest permissible feedback date is three months and seven days after the report was made.
EthicsPortal implements this by tracking both deadlines (7-day acknowledgment, 3-month feedback) per case and surfacing overdue alerts to all organization admins. Feedback to the reporter is delivered through the portal’s two-way messaging channel, which preserves the reporter’s anonymity where they have not disclosed their identity.
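The day-counting rules of §4 and §5, worked through as an added example (this is illustrative code, not EthicsPortal’s own implementation): the day of receipt is not counted (Reg. 1182/71 Art. 3(1)), a period in months ends on the same calendar date of the last month or, where that date does not exist, on its last day (Reg. 1182/71 Art. 3(2)(c)), and late or missing acknowledgment never extends the outer three-months-plus-seven-days bound. The alert labels and function names are assumptions.

```python
from calendar import monthrange
from datetime import date, datetime, timedelta
from typing import List, Optional

ACK_DAYS = 7          # Art. 9(1)(b): acknowledgment within seven days of receipt
FEEDBACK_MONTHS = 3   # Art. 9(1)(f): feedback within three months


def receipt_day(submitted: datetime) -> date:
    # A report is received on the calendar day it enters the channel, whatever
    # the hour: 23:59 on a Sunday is a report received on that Sunday.
    return submitted.date()


def ack_deadline(received: date) -> date:
    # Reg. 1182/71 Art. 3(1): the day of the triggering event does not count,
    # so day 1 is the following day and the period expires at the end of day 7.
    return received + timedelta(days=ACK_DAYS)


def add_months(start: date, months: int) -> date:
    # Reg. 1182/71 Art. 3(2)(c): a period in months ends on the same calendar
    # date in the last month; if that date does not exist there (e.g. 30
    # November + 3 months), it ends on the last day of that month.
    years, month0 = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month0 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


def latest_feedback_date(received: date) -> date:
    # Outer bound: three months from the expiry of the seven-day period,
    # i.e. three months and seven days after the report was made.
    return add_months(ack_deadline(received), FEEDBACK_MONTHS)


def feedback_deadline(received: date, acknowledged: Optional[date]) -> date:
    # Three months from acknowledgment; where acknowledgment was never sent
    # or was late, the window is capped at the outer bound.
    cap = latest_feedback_date(received)
    if acknowledged is None:
        return cap
    return min(add_months(acknowledged, FEEDBACK_MONTHS), cap)


def ack_alerts(received: date, acknowledged: Optional[date], today: date) -> List[str]:
    # Alerts for cases still awaiting manual acknowledgment (labels assumed):
    # 48 hours before the seven-day mark, on the day of expiry, then overdue.
    if acknowledged is not None:
        return []
    deadline = ack_deadline(received)
    if today == deadline - timedelta(days=2):
        return ["ack due in 48 hours"]
    if today == deadline:
        return ["ack due today"]
    if today > deadline:
        return ["ack overdue"]
    return []
```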
§6. Diligent follow-up (Art. 9(1)(d)) #
The question. Article 9(1)(d) requires a “diligent follow-up by the designated person or department referred to in point (c).” “Diligent” is not defined.
The Directive provides that follow-up means “any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported” (Art. 5(12)).
In practice, this means diligent follow-up has three minimum operational components:
- Assessment. A documented evaluation of whether the allegations, if true, would constitute a breach within the material scope of the Directive (Art. 2) or national transposition.
- Investigation proportionate to the allegation. Investigation steps commensurate with the seriousness of the alleged breach, the strength of the evidence, and the potential harm. Not every report warrants a full investigation; a report unsupported by any concrete detail may be assessed and closed with a documented rationale. A report with specific, corroborated detail warrants more.
- Contemporaneous record. Actions taken, decisions made, and their reasoning must be recorded at the time they occur. A diligent follow-up that leaves no trail is indistinguishable from no follow-up at all.
“Diligent” is an objective standard. It is not satisfied by subjective good faith alone. An organization that routinely closes reports without assessment, or that takes months to open a file, is not diligent even if it believes itself to be.
EthicsPortal implements this by providing a case management workflow with status transitions (received, acknowledged, under investigation, closed), internal notes for handler collaboration, and an append-only audit trail that records every action with timestamp and actor. The audit trail is the primary evidence of diligence in an audit or regulatory review.
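An added example of the two pieces of evidence §6 relies on, a constrained status workflow and an append-only trail (illustrative code, not EthicsPortal’s implementation): every transition and note is recorded with actor and timestamp, a close requires a documented rationale, and each entry carries the hash of its predecessor so that editing or deleting an earlier entry is detectable on verification. The hash chaining and the class and field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Allowed status transitions, using the statuses named on the page.
TRANSITIONS = {
    "received": {"acknowledged"},
    "acknowledged": {"under investigation", "closed"},
    "under investigation": {"closed"},
    "closed": set(),
}


def _entry_hash(entry: dict) -> str:
    # Canonical JSON of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class CaseAuditTrail:
    """Append-only record of every action on one case, chained by hash."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.status = "received"
        self.entries: list = []
        self._append("system", "case created", {"status": "received"})

    def _append(self, actor: str, action: str, detail: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "detail": detail, "prev": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)

    def note(self, actor: str, text: str) -> None:
        self._append(actor, "internal note", {"text": text})

    def transition(self, actor: str, new_status: str, rationale: str) -> None:
        # Who, when and why for every step; a transition without a rationale
        # is the "no trail" the page says is indistinguishable from no follow-up.
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot go from {self.status!r} to {new_status!r}")
        if not rationale.strip():
            raise ValueError("a documented rationale is required")
        detail = {"from": self.status, "to": new_status, "rationale": rationale}
        self._append(actor, "status change", detail)
        self.status = new_status

    def verify(self) -> bool:
        # Recompute every hash and check each entry points at its predecessor.
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if _entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```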
§7. Confidentiality of identity (Art. 16) #
The question. Article 16(1) requires that the identity of the reporting person not be disclosed to anyone beyond authorized staff members. The Directive does not specify whether “identity” extends to metadata that could identify the reporter (IP addresses, browser fingerprints, file authorship metadata, timestamp patterns).
The Directive provides that “the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person” (Art. 16(1)).
In practice, this means “identity” is read functionally: it includes any information that, alone or in combination, permits identification of the reporter. This reading aligns with the GDPR definition of personal data (Regulation (EU) 2016/679, Art. 4(1)) and with the European Data Protection Board’s consistent position that identifiability is context-dependent.
The following are treated as identity information:
- The reporter’s name, contact details, and any information they provide about themselves.
- The IP address from which the report was submitted.
- File metadata embedded in uploaded documents (author name, GPS coordinates in photos, device identifiers, revision history in office documents).
- Patterns of timestamps or access that could uniquely identify one person (e.g., a report submitted at a time only one employee could plausibly have submitted it).
Organizations that retain reporter IP addresses, or that accept uploaded files without stripping metadata, are exposed to a confidentiality failure that is technically a breach of Article 16 even if the reporter’s name is never disclosed.
EthicsPortal implements this by never storing reporter IP addresses (rate limiting uses irreversible one-way hashes), stripping EXIF and document metadata from all uploaded files before storage, and encrypting reporter identity fields at rest with non-deterministic encryption (so that even full database access does not permit bulk lookup by name).
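The IP-address point above, as an added example of one defensible design (illustrative code, not EthicsPortal’s implementation, whose scheme the page does not describe): rate limiting keyed on HMAC-SHA256 of the address under a random, in-memory key that is replaced every epoch, so the table holds only tokens, tokens from different epochs cannot be linked, and a dumped table cannot be turned back into addresses. An unkeyed hash alone would not meet the §7 standard, because the IPv4 address space is small enough to enumerate. Class and method names, the epoch length and the 203.0.113.0/24 addresses are constructed.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional


class ReporterRateLimiter:
    """Per-source rate limiting that never stores the reporter's IP address.

    Each IP is reduced to HMAC-SHA256(epoch_key, ip) and only that token is
    kept. The key is random, lives in memory only and is replaced every epoch
    (one day here), so tokens are meaningless without it and unlinkable across
    epochs. sha256(ip) without a key would not do: 2^32 IPv4 addresses can be
    enumerated, so an unkeyed digest table is effectively the IP list.
    """

    def __init__(self, limit: int, window_seconds: int, epoch_seconds: int = 86_400):
        self.limit = limit
        self.window = window_seconds
        self.epoch_seconds = epoch_seconds
        self._epoch: Optional[int] = None
        self._key = b""
        self._hits: Dict[str, List[float]] = defaultdict(list)

    def _rotate_if_needed(self, now: float) -> None:
        epoch = int(now // self.epoch_seconds)
        if epoch != self._epoch:
            # New epoch: fresh key, and the old token table is discarded
            # because nothing can recompute or link the previous tokens.
            self._epoch = epoch
            self._key = secrets.token_bytes(32)
            self._hits = defaultdict(list)

    def token_for(self, ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self._rotate_if_needed(now)
        return hmac.new(self._key, ip.encode("ascii"), hashlib.sha256).hexdigest()

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        # Sliding window: keep only hits younger than the window, then compare.
        now = time.time() if now is None else now
        token = self.token_for(ip, now)
        hits = self._hits[token]
        hits[:] = [t for t in hits if now - t < self.window]
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def stored_identifiers(self) -> List[str]:
        # Everything a database dump of this table would reveal: tokens only.
        return list(self._hits)
```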
§8. Retention period (Art. 18) #
The question. Article 18(1) requires that records of reports be kept “for no longer than it is necessary and proportionate in order to comply with the requirements imposed by this Directive, or other requirements imposed by Union or national law.” The Directive does not specify a maximum period.
The Directive provides a “necessary and proportionate” standard, anchored to compliance purposes.
In practice, this means retention must be justified by reference to a concrete legal or operational purpose, time-limited, and documented in the organization’s data protection records (GDPR Art. 30). In the absence of an ongoing investigation, litigation, or specific statutory requirement, retention beyond the close of the case becomes progressively harder to justify.
Common justifications and their typical durations:
| Purpose | Typical retention |
|---|---|
| Active case (received to closure) | Duration of case |
| Subsequent investigation or litigation | Until final resolution |
| Regulatory audit trail | Period set by sector regulation (commonly 5 years for financial services) |
| Retaliation claim protection (Art. 21) | National limitation period for employment claims (typically 2–5 years) |
| Statistical reporting under Art. 27(2) | Anonymized data only; personal data to be minimized or deleted |
National transposition may set specific periods. Examples:
- Germany (HinSchG §11(5)): documentation deleted three years after closure of the procedure, longer only where required by other laws.
- France (CNIL guidance on Loi Waserman): retention periods calibrated per case type, with routine cases deleted within two months of closure if no follow-up is pursued.
- Italy (D.Lgs. 24/2023 Art. 14): five years from closure of the report, subject to GDPR minimization.
A blanket retention period chosen for convenience (“we keep everything for 10 years”) is not compliant with either Article 18 or GDPR Article 5(1)(e). Retention must be tied to purpose.
EthicsPortal implements this by providing configurable retention periods (12, 24, 36, 60 months) with automatic deletion of closed reports at the end of the configured period. The default setting is the shortest period that satisfies the most common national transposition requirements. Operators in sectors with longer statutory retention obligations configure the period to match.
§9. Lawful basis for processing (GDPR interaction) #
The question. Article 17 of the Directive requires that personal data processing comply with GDPR. The Directive itself is not a lawful basis under GDPR Article 6 — a controller must identify which specific basis applies.
The Directive provides that processing “shall be carried out in accordance with Regulation (EU) 2016/679” (Art. 17).
In practice, this means the lawful basis is Article 6(1)(c) GDPR — legal obligation, where the organization is subject to a legal obligation to establish and operate a reporting channel. For organizations above the 50-worker threshold (or below it where sector-specific law imposes the obligation), Article 6(1)(c) is the correct and sufficient basis. No consent from the reporter is required, and none should be sought — treating the processing as consent-based would be misleading and would create a theoretical right to withdraw that the controller cannot honor.
For organizations operating a reporting channel voluntarily (below the 50-worker threshold and not subject to sector-specific mandate), the lawful basis is Article 6(1)(f) — legitimate interest, subject to a documented balancing test. The legitimate interest in preventing and detecting wrongdoing within the organization is well-established and has been recognized in national guidance across member states.
Special categories of personal data (GDPR Art. 9) may appear incidentally in reports — a report of discrimination may reveal health information or ethnic origin. The lawful basis for Article 9 data is typically Article 9(2)(g) — substantial public interest, provided the processing is proportionate and accompanied by specific safeguards. Reports revealing criminal offences (GDPR Art. 10) are processed under the corresponding Article 10 basis in national law.
EthicsPortal implements this by documenting Article 6(1)(c) as the default lawful basis in the Data Processing Agreement and privacy notice. Operators below the statutory threshold adjust the privacy notice to reflect Article 6(1)(f) and record their balancing test separately.
§10. National law supremacy (Art. 25) #
The question. Article 25(1) provides that member states may introduce or retain provisions “more favourable to the rights of reporting persons” than those set out in the Directive. The Directive does not address how operators should resolve conflicts when national law is stricter.
The Directive provides in Article 25(1) that “Member States may introduce or retain provisions more favourable to the rights of reporting persons than those set out in this Directive, without prejudice to Article 22 [rights of persons concerned] and Article 23(2) [penalties for knowingly false reports].”
In practice, this means where national transposition is stricter than the Directive, national law governs for organizations operating in that jurisdiction. There is no option to rely on the Directive minimum where the local rule is stricter. The Directive sets a floor, not a ceiling.
Practical examples of stricter national rules:
- France requires acknowledgment of external reports within seven working days and a feedback period that may be shorter than the Directive minimum for certain sectors (AMF, ACPR).
- Germany explicitly extends protection to reports about certain categories of legal violations beyond the material scope of the Directive (HinSchG §2).
- Italy applies the 50-worker threshold but extends the obligation to certain sectors and entity types regardless of headcount, and imposes specific record-keeping formalities.
- Poland imposes specific requirements on the form of the reporting channel policy that are not in the Directive text.
For multi-country operators, the operating rule is: in each jurisdiction, apply the stricter of (Directive, national law). This sometimes means that a group policy sets a uniform high standard matching the strictest national rule in any country of operation. This is generally preferable to maintaining parallel policies per jurisdiction, which increases administrative burden and the risk of applying the wrong rule.
EthicsPortal implements this by defaulting to the strictest common denominator across the 27 member states: shortest acknowledgment and feedback windows, narrowest retention period, fullest anti-retaliation notice. Operators in a single jurisdiction may relax specific defaults to match national rules, but the baseline is calibrated above the Directive minimum in every article where national transposition laws exceed it.
§11. Anonymous reporting (Art. 6(2), Art. 9(1)(e)) #
The question. Must an organization accept anonymous reports?
The Directive provides in Article 6(2) that it “does not affect the power of Member States to decide whether or not to require legal entities […] to accept and follow up on anonymous reports.” Article 9(1)(e) requires “diligent follow-up, where provided for in national law, as regards anonymous reporting.”
In practice, this means national law decides. Two postures:
- Required in some jurisdictions or sectors (e.g., French financial-services regulation).
- Permitted in most Member States — Germany (HinSchG), Italy (D.Lgs. 24/2023, with mandated diligent follow-up once a report is accepted), Poland (Ustawa o ochronie sygnalistów), and others.
Three consequences follow:
- Once accepted, binding. An organization that publishes “we accept anonymous reports” has triggered Article 9(1)(e). The obligation attaches to the policy, not the individual report.
- Anti-retaliation applies only from identification. Article 21 cannot protect an unknown person. Actions taken during the anonymous period are not retroactively covered.
- Anonymity is a technical standard, not a promise. A form that collects an email is not anonymous. A channel that logs IP addresses is not anonymous. Article 16 confidentiality protects a known identity from disclosure; anonymity prevents identification.
EthicsPortal implements this by accepting anonymous reports by default. No contact details are required. IP addresses are never stored (rate limiting uses irreversible one-way hashes). File metadata is stripped before storage. Operators may configure the portal to require contact details where national law mandates identified reports. Accepted anonymous reports follow the same case workflow, deadlines, and diligent-follow-up standard as identified ones.
Revision log #
- April 2026 — §11 added on anonymous reporting (Art. 6(2), Art. 9(1)(e)).
- April 2026 — Initial publication.
Corrections and inquiries #
This document is intended to be cited and relied upon. If you identify an error, a position that conflicts with a Court of Justice ruling, a European Data Protection Board opinion, or binding national guidance, contact support@ethicsportal.eu. Corrections are published in the revision log with date and summary of change.
For questions about how a specific interpretation applies to your organization’s circumstances, this document is not a substitute for legal advice. Contact competent legal counsel in your jurisdiction.