The Commission for the Protection of Personal Data (CPPD) has adopted the Ordinance on the maintenance of the register of whistleblowers pursuant to the Whistleblowing Act, which entered into force on 4 August. Its aim is to bring clarity to the requirements for the internal register of whistleblowers, which legal entities covered by the Act must maintain from May this year. The Act is already in force for private employers with more than 250 employees, and employers with between 50 and 249 employees will have to comply with its requirements before 17 December 2023.
As part of the provisions of the Act concerning the procedure for receiving, administering and handling whistleblowing reports, these legal entities must maintain a whistleblowing register which should generally contain information about the report, details of the alleged breach, investigative actions, and other follow-up actions. The Ordinance establishes the requirements for how the register is to be maintained, stored and made available, and also contains rules for the receipt and processing of whistleblower reports through the legal entities’ internal channels, as well as for their referral to the CPPD.
Setting up and content of the register
Legal entities covered by the Act are required to determine the procedure for maintaining the register by means of internal regulation, which must establish internal rules for the processing of reports and the keeping and maintenance of the register. They need to define the requirements for the content of the register (which must be at least the minimum established by the Ordinance). This may include, among other things, information regarding:
- the person who received the report;
- the date of submission;
- the person concerned;
- summary details of the alleged breach;
- the connection of the report to other reports, if any;
- information provided to the whistleblower and the date on which it was provided;
- follow-up action taken;
- the results of the verification of the report;
- the period of retention of the report;
- its own reference number;
- the unique identification number (UIN) of the report.
The Ordinance prescribes certain deadlines for completing some of these actions, the means by which they are to be carried out, and in what instances the whistleblowing process is to be discontinued.
The Ordinance provides that legal entities in the private sector can use external services in setting up their internal whistleblowing channels to the extent that only the functions of receiving and administering reports are outsourced. The handling of reports must be the sole responsibility of the legal entity and its designated officer(s).
Receipt and processing of reports received through internal channels
Each report received through an internal channel is registered by filling in a form and obtaining a UIN from the CPPD. In practice, this means that in their rules on the administration of the internal channel, legal entities must provide that once the report has been received and filed under its own reference number, information about it is also sent to the CPPD for the purpose of obtaining the UIN.
Maintenance of the register
The register should be maintained and stored on a durable medium (which may be electronic, or stored via a cloud service), with the responsibility for this being assigned to the whistleblowing officer(s) designated by the legal entity when setting up the internal whistleblowing channel. In general, legal entities must keep the reports and any attached materials for a period of five years from the end of the examination of the report.
There is also a requirement to maintain the security and confidentiality of the information in the register, ensuring that it can only be accessed by the officer responsible for handling reports and maintaining the register, as well as by the CPPD and its officers. However, the Ordinance does not provide detailed guidance on what this entails and what specific security measures must be taken by the legal entities covered, which could lead to the adoption of a highly formalistic approach.
In the event of the dissolution of the legal entity without a successor, all reports and the register must be handed over to the CPPD for storage.
The Ordinance provides that in certain cases, a report received through an internal channel must be forwarded to the CPPD in its role as an external whistleblowing channel if:
- it is received by a legal entity in the private sector that is not obligated under the Act to maintain an internal whistleblower channel;
- it contains information on violations committed by persons holding senior public office;
- it relates to the activity of a legal entity other than the entity which received the report; or
- there is a need for action by the CPPD in accordance with the Act.
Where any of these circumstances apply, the whistleblowing officer must forward the whistleblower’s report, together with all information gathered in relation to it, to the CPPD within seven days and notify the whistleblower accordingly. This rule also applies to entities that are not obligated to maintain an internal whistleblowing channel. It remains unclear who would be the person responsible for making the referral in this case – the Ordinance requires that it be the whistleblowing officer, but if the entity is not obligated under the Act in the first place, it will not have any responsibility to designate a whistleblowing officer.
Implications for businesses
The Ordinance is expected to bring clarity and facilitate the organization of the whistleblowing process for entities covered by the Act. Nevertheless, practical difficulties may arise when implementing its provisions. It is crucial for legal entities to implement the provisions of the Ordinance effectively and ensure compliance in order to avoid significant penalties. The Act provides that legal entities covered by the Act which do not have an internal whistleblowing channel in place in accordance with the requirements of the Act and the Ordinance are liable for a financial penalty of between BGN 5,000 and BGN 20,000. The fine for natural persons is between BGN 1,000 and BGN 5,000, and the amount of the sanction is considerably higher in the case of a repeated breach (between BGN 5,000 and BGN 10,000 for natural persons, and between BGN 10,000 and BGN 30,000 for legal persons).
For more information on whistleblowing compliance, both in Bulgaria and internationally, contact your CMS client partner or these local CMS experts: Ivan Gergov and Anna Philcheva.