On 25 May 2023, Hungary adopted Act XXV of 2023 on complaints, disclosures in public interest, and related rules on reporting abuses, which is commonly known as the Whistleblower Protection Act and transposes the EU’s 2019/1937 Whistleblower Directive. Organisations in Hungary have 60 days (i.e. until 24 July 2023) to establish or review their whistleblower systems to comply with the Whistleblower Protection Act.
Which organisations are required to establish internal reporting channels?
The Whistleblower Protection Act obligates organisations to establish internal reporting channels in two separate sections, distinguishing between administrative bodies and public sector entities on the one hand, and other employers on the other. The Whistleblower Protection Act applies to employers that manage workers under a variety of employment relationships, such as employment contracts under Act I of 2012 on the Hungarian Labour Code, civil service employment, contractors, and individual entrepreneurs.
Private sector entities employing at least 50 persons in an employment relationship are required to establish internal reporting channels. SMEs with fewer than 50 employees are exempted from this obligation, except in certain cases specified in the Whistleblower Protection Act, such as when they fall under the scope of Act LIII of 2017 on the Prevention and Combating of Money Laundering and the Financing of Terrorism (e.g. individual lawyers, law firms, auditors, realtors).
Organisations employing 50 to 249 persons can combine their resources and jointly establish their internal reporting channel.
What can be the subject matter of a whistleblower disclosure?
Any information regarding illegal or presumed illegal acts, omissions, and other abuses can be reported. However, if an EU legal act specified in Appendix I of the Whistleblower Protection Act provides different regulations for whistleblower protection, that EU sectoral legislation applies.
Employers, including their corporate owners, may establish codes of conduct protecting public interest or significant private interests for their employees, subject to the conditions specified in the Labour Code. Violations of these behavioural rules can also be reported through the internal reporting channels.
What are the requirements for internal reporting channels?
Organisational requirements: The internal reporting channel must include either of the following:
- an impartial person or organisational unit designated by the employer for this purpose; or
- a whistleblower protection attorney or another external organisation operating under a service agreement.
If an internal person or unit operates the internal reporting channel, the employer must ensure its independence, lack of conflict of interest and full authority in relation to this task. If an external whistleblower protection attorney or organisation operates the reporting channel, these necessary guarantees must be specified in the service agreement.
General prohibition of retaliation: It is against the law for an organisation to take any adverse action against whistleblowers (e.g. suspension, termination, denial of promotion, salary reduction, denial of training, negative performance evaluation) that is a direct result of their lawful disclosure.
The protective measures only apply to the whistleblower if:
- i) the disclosed information concerns one of the EU legal acts listed in Appendices 1 and 2 of the Whistleblower Protection Act, or regulatory provisions ensuring compliance with those acts; or
- ii) the whistleblower has reasonable grounds to believe that point i) above applies.
The legal acts listed in the appendices of the Whistleblower Protection Act cover areas such as public procurement, financial services, internal market infringements, environmental protection, product liability and safety, transportation, nuclear issues, food chain safety, data protection and network security, and public health regulation.
How should organisations manage complaints and disclosures by whistleblowers?
Whistleblowers must be able to submit their reports in writing or orally (via telephone or in person), and organisations must establish internal reporting channels where these means of communication are available. Organisations have a maximum of 30 days from the receipt of the report for investigation, which can be extended for a maximum of two months in particularly justified cases.
In certain cases, organisations have the discretion to decide whether to investigate a report, for example in situations where the identity of the whistleblower cannot be determined.
What are the possible sanctions for failure to establish internal reporting channels?
Violations of obligations stated in the Whistleblower Protection Act can result in sanctions imposed by the labour supervisory authority, such as warnings and prohibitions on further employment. In case of violation of data protection rules (e.g. unlawful disclosure of the whistleblower’s personal data), the Hungarian data protection supervisory authority has competence to investigate. Taking adverse measures against a whistleblower as defined by the Whistleblower Protection Act and obstruction or the attempted obstruction of the whistleblower’s report constitutes a misdemeanour, which may be subject to a fine of approximately EUR 800.
Recommended next steps
To comply with this act by the deadline, organisations are advised to take the following steps:
- Conduct a legal analysis: examine whether an internal reporting channel is required.
- Appoint a responsible person: assess whether an independent and impartial person or unit within the organisation can be designated for managing the reports, and if not, engage a whistleblower protection attorney or other external service provider.
- Review and update information notices: update all data protection notices and other information related to the internal reporting channels.
- Establish confidentiality measures: personal data revealing the identity of the whistleblower must not be disclosed to anyone other than the persons conducting the investigation. This includes the obligation for the individuals conducting the investigation to keep confidential any information regarding the content of the report and the persons involved in the report until the conclusion of the investigation.
The article was co-authored by Anna Horváth.