Whistleblowing

2023. Jun. 5. | corporate, data protection, news

In 2019, the EU adopted the Whistleblowing Directive, which entered into force on 17 December 2021. Based on this Directive, Parliament has adopted the new law on public interest complaints, abuse reporting and rules on abuse reporting. Companies with more than 250 employees have 60 days from the date of the law’s publishing to set up an abuse reporting system. Companies employing 50-249 people have until 17 December 2023 to comply. Compliance with the obligations related to the abuse reporting system, including the investigation of individual reports, will be monitored by the labor supervisory authority. The establishment of an abuse reporting system is mandatory for businesses in certain higher risk areas, regardless of the number of employees, in particular:

  • Credit institutions and insurance companies
  • Merchants accepting cash payments of HUF three million or more
  • Dealers in specified works of art and antiques
  • Operators of ships and aircrafts
  • Service providers within the meaning of the Act on the Prevention and Combating of Money Laundering and Terrorist Financing (e.g. auditors, accountants, tax advisers, lawyers, registered seat service providers)

The system may be operated by an internal, but not instructed, impartial person or organization, but in exceptional cases it may also be operated by a trusted abuse-report protection lawyer or other external body. Reporting may be done in writing or orally and, with some specific exceptions (e.g., anonymous whistleblowing), the report must be investigated thoroughly as soon as possible. The investigation must involve the whistleblower, who may also be represented by legal counsel. The whistleblower shall be informed in writing of the investigation of the report, the outcome of the investigation and the planned measures as a result. The operation of the system must ensure adequate protection of personal data. In addition to the GDPR, the act also contains provisions on the rules for data processing and data transfer. Clear and easily accessible information should be provided on the operation of the abuse reporting system, the reporting procedure and other procedures provided for in the act. The whistleblower should also be informed of the requirements for the protection of personal data.