Introduction: The EU Commission’s Whistleblower Protection Expert Group (the “Expert Group”) has shed light on the requirements for internal reporting channels in corporate groups, by interpreting several debatable provisions of Directive (EU) 2019/1937 On Whistleblower Protection (the “Directive”).

These interpretations, while non-binding, provide valuable guidance for Romania, ensuring compliance with the principles of the Directive, as transposed into national law by Law 361/2022 Regarding the Protection of Whistleblowers.

Below is a summary of the principles clarified by the Expert Group, with a particular focus on sharing resources at the group level.

  1. Establishing Internal Reporting Channels
  • Mandatory Internal Channels: Every private legal entity with 50 or more employees is required to establish its own internal reporting channels and procedures. This applies even if the entity is part of a larger corporate group. There is no exemption for subsidiaries, meaning national laws that permit centralized group-level reporting without individual channels would misinterpret the Directive.
  • Rationale: The purpose of this requirement is to ensure proximity to the whistleblower and efficient handling of reports. Internal channels must be easily accessible, including in the local language (i.e., Romanian), and detailed information on how to use the channels, as well as on external reporting options, must be available on the company’s website or premises. Reports must be followed up by an impartial department or individual, and whistleblowers should be able to request a physical meeting with the company.
  1. Centralized Group-Wide Whistleblowing Systems
  • Coexistence with Local Systems: Centralized, group-wide whistleblowing systems (e.g., digital platforms ensuring anonymity) are permitted, but they must function alongside internal reporting systems at each subsidiary. These group-wide systems cannot replace local channels but may complement them.
  • Efficiency of Local Handling: The Expert Group emphasized that issues reported are often best handled at the subsidiary level due to differing national laws.

Subsidiaries with fewer than 249 employees may share resources with the parent company for investigating reports, provided the following conditions are met:

    • The whistleblower must be able to report directly to the subsidiary using its own internal channels.
    • The whistleblower must be informed who at the parent company level will access the report, and they must have the option to refuse parent company involvement, opting for investigation through the subsidiary instead.
    • The subsidiary remains responsible for maintaining confidentiality, providing feedback, and addressing the reported misconduct.
  1. Separate Internal Reporting Channels for Larger Subsidiaries
  • Responsibilities of Larger Subsidiaries: Subsidiaries with 250 or more employees must have independent internal reporting channels at the local level, allowing whistleblowers to choose whether to report locally or at the group level. These subsidiaries are required to establish sufficient capacity to handle reports independently from the group’s central system.

In light of the above clarifications, we would like to point out the following key Interpretations under Romanian Law 361/2022 transposing the Directive into national law:

  • Parent Company Channels Remain Open: Employees of subsidiaries or affiliates must retain access to the parent company’s reporting channels. This is consistent with Recital 55 of the Directive, which mandates that private sector entities must be able to receive and investigate reports confidentially, including those from subsidiary employees. Parent companies are required to accept and act on reports received from subsidiaries’ employees.
  • Resource Pooling for Medium-Sized Entities: Medium-sized companies (50 to 249 employees) may pool resources for receiving and investigating reports, as allowed under Article 9(4) of Romanian Law 361/2022 and Article 8(6) of the Directive. However, each company must retain responsibility for confidentiality, feedback, and addressing the reported breach.
  • Application Within Corporate Groups: Medium-sized subsidiaries within a corporate group can benefit from the parent company’s investigative resources, provided the following conditions under Article 9(4) are met:
    • The subsidiary’s internal reporting channels must remain available.
    • Whistleblowers must be informed that a designated individual at the parent company may access their report, but they have the right to object and request investigation solely at the subsidiary level.
    • Any follow-up actions and feedback must be handled by the subsidiary.
  • Handling Structural Issues: If a report reveals a structural issue affecting multiple entities in the group, the whistleblower must be informed and consent obtained before reporting to the relevant company within the group. If consent is not granted, the whistleblower retains the option to withdraw the report and escalate it externally.
  • Outsourcing Internal Reporting Channels: Under Article 3(16) of Romanian Law 361/2022, companies are allowed to outsource their internal reporting channels to third parties, provided they are external to the legal entity where the whistleblower works. This outsourcing, however, does not extend to other entities within the same corporate group.

Conclusion: The Expert Group’s interpretations underscore the importance of a dual-channel approach within corporate groups at both the subsidiary and group levels.

Each subsidiary must maintain its own internal reporting mechanism, while group-level channels can serve as a complementary tool.

Companies should review their internal procedures, particularly those related to medium-sized and larger subsidiaries, to ensure accessibility, confidentiality, and the effective handling of reports across all levels of the corporate structure, balancing both subsidiary-level autonomy and group-wide coordination.

For further guidance, or to discuss implementing these principles within your organization, please contact our legal team.

                                                                                                   ***

No information contained in this article should be considered or interpreted in any manner as legal advice and/or the provision of legal services. This article has been prepared for the purposes of general information only. PETERKA & PARTNERS does not accept any responsibility for any omission and/or action undertaken by you and/or by any third party on the basis of the information contained herein.