With issue number 11 of the State Gazette dated February 2, 2023, the Law on the Protection of Persons Reporting Signals or Disclosing Information on Violations was promulgated in the Republic of Bulgaria, thereby transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report breaches of Union law, after more than a year of delay.
The aim of the law is to introduce mechanisms for the protection of individuals who report signals or disclose information on violations of Bulgarian or European legislation, which has become known to them in connection with or on the occasion of their professional duties in the public or private sector. The protection can also apply to persons who work without an employment relationship, self-employed individuals, volunteers, interns, job applicants, participants in competitions, and others.
Currently, there are dozens of bodies and institutions that exercise control and conduct inspections based on signals regarding various types of violations. Often, those who identify violations cannot find appropriate assistance. Moreover, individuals reporting violations often face another problem – they fear the consequences of their actions, such as retaliatory measures, including temporary suspension, dismissal, or application of other grounds for termination of the employment relationship in the case of employees; demotion or delayed promotion; reduction of remuneration; negative work assessment, including in work references; coercion, rejection, threats to take retaliatory actions or actions expressed physically, verbally, or otherwise, aiming to undermine the dignity of the person and create a hostile professional environment, among others. Apart from explicitly prohibiting retaliatory actions, which are subject to sanctions under the law, it is of crucial importance that reporting individuals exposed to such actions have access to means of legal protection and compensation. Any harm caused to a reporting individual due to their submitted signal or publicly disclosed information is presumed to be caused intentionally until proven otherwise.
1. Which violations does the law cover?
The law applies to violations of Bulgarian legislation or explicitly specified acts of the European Union in the following areas:
Financial services, products, and markets, as well as the prevention of money laundering and the financing of terrorism;
Product safety and compliance;
Radiation protection and nuclear safety;
Food and feed safety, animal health, and animal welfare;
Protection of the inviolability of private life and personal data;
Network and information system security.
Article 3 of the law also includes several other categories of violations of EU law and Bulgarian legislation, including labor legislation.
2. Which employers are required to take action?
The law introduces three separate categories of obligated entities:
Employers in the public sector (except municipalities with a population of fewer than 10,000 people or with fewer than 50 employees, for which a reduced regime is introduced).
Employers in the private sector with 50 or more workers or employees.
Employers in the private sector, regardless of the number of workers or employees, if the activity they carry out falls within the scope of the acts of the European Union specified in Part I, Letter “B,” and Part II of the annex to Art. 3, paragraphs 1 and 3 of the law (e.g., financial services).
3. Main obligations of the employers falling into the above-mentioned categories:
The main obligation introduced by the law is the establishment of an internal reporting channel, which should be managed in a way that guarantees the completeness, integrity, and confidentiality of the information and prevents unauthorized access. The implemented channel should also allow for the storage of recorded information on a durable medium for the purposes of signal verification and further investigation. The introduction of such a system should be realized no later than December 17, 2023. The law provides that the person designated by the obligated entities to handle the signals may be the data protection officer appointed under the General Data Protection Regulation (GDPR). This activity may also be delegated to a person outside the organization, while complying with the requirements of the law.
All obligated entities must provide clear and easily accessible information regarding the conditions and procedures for filing signals on their websites, as well as in a visible place in their offices and workplaces.
It is crucial to note that anonymous signals will not be considered. However, if, after submitting an anonymous signal, the person is identified and becomes the subject of repressive actions, they have the right to protection if the conditions provided by the law are met.
An individual who fails to fulfill their obligation to maintain an internal reporting system is fined between BGN 1,000 and BGN 5,000, and for legal entities or sole traders, a penalty ranging from BGN 5,000 to BGN 20,000 applies. A person who obstructs the filing of a signal or fails to take the necessary subsequent actions as required by the law is fined between BGN 400 and BGN 4,000.
Repressive actions are penalized with fines ranging from BGN 2,000 to BGN 8,000, and such actions are prohibited (or respectively punishable) when committed against assistants, relatives, or colleagues of the reporting person.
A penalty is also provided for those individuals who publicly disclose false information. In such cases, the fine ranges from BGN 3,000 to BGN 7,000.
5. Who is the national whistleblowing and enforcement authority?
The national authority for external reporting of signals and exercising control is the Commission for Personal Data Protection. As the central authority for receiving external signals, the Commission is responsible for directing these signals to the competent authorities, approving forms for signal submission, providing methodological guidelines to obligated entities, and conducting control over the implementation of the newly adopted law.
The newly introduced obligations are likely to increase the administrative burden on the private sector, but they will expand the corporate culture of compliance, which will have a positive impact on companies in the long run. Similar obligations already exist for some categories of obligated entities in the private sector. Many laws have long required their subjects to implement similar mechanisms for internal reporting (e.g., the Law on Credit Institutions for banks, the Law on Market Abuse with Financial Instruments – for all persons engaged in financial services, the Law on Financial Instruments Markets – for investment intermediaries, market operators, and reporting services providers, etc.).
If you need additional information and clarification, the team of “Velinov and Partners” Consulting House remains at your disposal to provide assistance and consultations on arising cases and bringing your business into compliance with the requirements of the law.
Author: Attorney Zlatka Kotsalova