On 2 February 2023, the Whistleblower Protection Act (“the Act”) was promulgated in the State Gazette, and it enters into force on 4 May 2023. The obligations under this Act of employers in the private sector which have between 50 and 249 employees will start to apply from 17 December 2023. It should be noted that the Whistleblower Protection Act transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. As the deadline for the transposition of this directive expired at the end of 2021, its provisions would have direct effect.
The Act finds application in relation to the reporting and prevention of violations in many areas of business such as network and information security, consumer protection, privacy, money laundering, employment law matters, etc.
The persons who have obligations pursuant to this Act can be broadly divided into three main groups:
(i) public sector employers, excluding certain municipalities;
(ii) private sector employers with 50 or more employees; and
(iii) private sector employers, regardless of the number of employees, if the activities they perform fall within certain areas (e.g., financial services).
As mentioned above, the obligations on employers in the private sector with 50 to 249 employees will come into force in December 2023.
The Whistleblower Protection Act (see also Stepping forward: The EU Whistleblower Protection Directive) outlines a wide range of persons who are entitled to report violations, including employees of the persons who have obligations under the Act, persons working on so-called civil contracts, freelancers, etc. The opportunity to report, and the corresponding protection, are also provided for shareholders and members of management and control bodies in companies, contractors, job applicants, etc. Hence, the Act attempts to encourage a very wide range of persons to report violations.
However, some limitations have been introduced. For example, persons who exercise the legal profession and are subject to a legal obligation of professional secrecy have been excluded from the abovementioned range of persons.
The persons who have obligations under this Act will be required to establish an internal reporting channel - this may include a technical procedure, reporting in written or oral form, by telephone or during a face-to-face meeting. They will need to provide clear and detailed information on the reporting procedure on their website and in their offices (where applicable). Persons responsible for the review of the violation reports should also be designated. Where companies have a data protection officer, it is also possible for this individual to combine their role with responsibilities for review of violation reports - hence, the high standard in handling information set for data protection officers is taken into account. Internal concurrent employment (where this does not lead to a conflict of interest) and contracting external consultancies are some of the other options for fulfilling the obligations of establishing internal reporting channels.
The Act also provides for an external reporting channel. The Commission for Personal Data Protection ("CPDP") has been designated as the centralised authority on this matter. Fortunately, it has also been tasked with building a dedicated team for this purpose, because it already seems overburdened by its GDPR obligations. The CPDP will have the power to verify the reports, and will also act as a distribution centre, referring them to the relevant competent authority (e.g., the Commission on Protection of Competition). It is of note that the CPDP will not disclose the whistleblower's data. On the contrary, it will be the guarantor of their security.
The Act also contains a mechanism which aims to limit the possibility of abuse by whistleblowers. Not every whistleblower is entitled to the protections afforded under the Act. Where they report using an internal channel, the whistleblower must have had reasonable cause to believe that the information provided about the violation was correct at the time it was provided and that such information falls within the scope of the Act. There are similar requirements for reporting through external channels, but in this case there are additional conditions, which are alternatives to each other: (i) that the internal reporting procedure has been gone through; or (ii) that there is considered to be a threat to public order or there is a risk of retaliation or there is a likelihood that the violation will not be dealt with effectively because of a risk of concealment or destruction of evidence, etc.
The protection measures for whistleblowers are primarily aimed at safeguarding them from possible retaliatory measures by violators. The scope of protection goes even further to include persons who have helped to report the violation, companies in which the whistleblower has a shareholding, etc.
The protection of individuals itself includes the prohibition of dismissal, prohibition of disciplinary measures, prohibition of early termination of supply contracts, etc. In addition, whistleblowers are not liable for the acquisition of, or access to, the information reported or publicly disclosed, provided that such acquisition or access does not constitute an independent offence. Potential sanctions from confidentiality and non-disclosure agreements are also excluded.
There is a presumption of intent for any harm caused to a whistleblower in connection with a violation report.
Violations of the Act result in the imposition of financial penalties ranging from BGN 400 to BGN 30,000, depending on the type, severity and repetition of the violation. The penalties are imposed by the Commission for Personal Data Protection.