After a one-and-a-half-year delay, the act on whistleblowing (the “Whistleblowing Act”) was finally adopted in Hungary. The Whistleblowing Act will enter into force on the 60th day after its publication in the Official Gazette (most probably at the end of June). Update 24.05.2023: The Parliament adopted the new version of the Whistleblowing Act after the President requested the Parliament to reconsider some points of the original bill. The provisions of the Act regarding internal whistleblowing systems have not been changed compared to the originally adopted version. Update 06.06.2023: The Act (Act XXV of 2013) was published in the Official Gazette on May 25, 2023, i.e. it becomes effective as of July 24, 2023.
Directive 2019/1937 on the protection of persons who report breaches of Union law should have been transposed into national law by Member States until December 17, 2021. Transposition has not progressed smoothly and only 8 Member States have fulfilled their obligations by the above deadline, with several Member States still lagging behind. For this reason, the European Commission also opened infringement procedures against 8 Member States in mid-February (the eight Member States concerned by the infringement procedures: Czech Republic, Estonia, Germany, Italy, Luxembourg, Hungary, Poland and Spain).
In the following, I give a short summary about the main rules on internal whistleblowing systems to be set up by employers based on the adopted Hungarian law.
Which employers should set up a whistleblowing system?
The following employers must operate an internal whistleblowing system:
- employers with at least 50 employees,
- regardless of headcount, employers who:
- are subject to Section 1(1) and (1a) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing,
- are registered in Hungary and carry out offshore oil and gas operations outside the borders of the European Union as licensees or operators,
- fall within the scope of Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007, and
- operate a floating facility with Hungarian and non-Hungarian flags in operation on the territory of Hungary.
Employers with at least 50 and not more than 249 persons in an employment relationship may set up the whistleblowing system jointly. The employer may establish an internal whistleblowing system even if there is no such obligation under the law.
The Whistleblowing Act also contains some additional provisions regarding whistleblowing systems to be established at state and municipal bodies.
What is the deadline for employers to set up the whistleblowing system?
The Whistleblowing Act enters into force on the 60th days after its publication in the Official Gazette, so in general, the internal whistleblowing systems should be set up by that date with some exceptions. One of the main exceptions is that those employers employing between 50 and 249 people will have a small grace period and will have to fulfil their obligations under the Whistleblowing Act from December 17, 2023. This exception should not apply to employers that are obliged to set up an internal whistleblowing system regardless of the number of employees (e.g. financial institutions).
(The rules applicable to local governments, budgetary bodies under the direction or supervision of local governments, or organizations or business associations owned by local governments shall apply from January 1, 2025.)
Who can operate the whistleblowing system?
The whistleblowing system may be operated by:
- an impartial person or organisational unit designated for this purpose at the employer, or
- - under contract - a trusted lawyer (a lawyer engaged for the operation of the internal whistleblowing system; in Hungarian: bejelentővédelmi ügyvéd) or other external organisation (if an external organisation is commissioned, the rules on conflicts of interest and impartiality applicable to the external organisation, the trusted lawyer apply).
What steps should be made under the reports received through the whistleblowing system?
In relation to reports received in the internal whistleblowing system, the following process steps are to be taken:
What are the deadlines for handling reports?
How can whistleblowers submit their reports?
Reports can be made orally (in person or by phone/other voice messaging system) and in writing.
What requirements shall be fulfilled by employers that are obliged to operate such systems?
According to the Whistleblowing Act, employers and operators of the system must be prepared to fulfil the following requirements:
- receiving oral and written reports, establishing appropriate channels,
- providing clear and easily accessible information on the functioning of the system, the reporting procedure,
- recording the oral report in a durable and retrievable form (in compliance with data protection rules) or drawing it up in writing and handing over a duplicate to the whistleblower,
- in the case of an oral report, drawing the attention of the whistleblower to the consequences of reporting in bad faith, to the procedural rules governing the investigation of the report and to the fact that his identity will be treated confidentially at all stages of the investigation,
- in the case of a written notification, sending an acknowledgement of the filing of the report within 7 days of its receipt and providing general information on the procedural and data processing rules,
- investigating the report within a maximum of 30 days from receipt of the report (this deadline may be extended in particularly justified cases with simultaneous notification to the whistleblower, but the deadline for investigating and informing the whistleblower of the outcome of the investigation cannot exceed 3 months, even if the deadline was extended),
- contacting with the whistleblower (e.g. for more information or for clarifications, etc.),
- assessing the circumstances set out in the report and taking appropriate measures to remedy abuses,
- if the report justifies, initiating criminal proceedings,
- informing the whistleblower in writing about the fact that an investigation has or has not been launched, and in case of not starting an investigation, the reason for not doing so, the outcome of the investigation, the measures taken or planned (exceptionally, written information may be omitted if the information is provided orally and the whistleblower acknowledges this).
What are the data protection requirements laid down by the Whistleblowing Act?
Internal whistleblowing systems are also subject to the following data protection requirements, in particular
- personal data of the whistleblower and of the person whose act or omission gave rise to the report or who may have relevant information about the contents of the report may only be processed for the purpose of investigating the report and remedying or terminating the conduct that is the subject of the report and may be transferred to a trusted lawyer or external body involved in the investigation of the report,
- personal data not covered by point (i) above (i.e. data that is not strictly necessary for the investigation of the report) shall be deleted without delay,
- the personal data of the reporting person may be transferred to a body competent to conduct proceedings, if that body is entitled to process it by law or if the whistleblower has given his consent to the transfer of his data, unless it has become apparent that the reporter has provided false data or information in bad faith, and (a) this creates circumstances suggesting the commission of a criminal offence or administrative offence, transfer his or her personal data to the body or person authorised to conduct proceedings (b) there are grounds for believing that he has caused unlawful damage or other impairment of rights, his personal data must be disclosed at the request of the body or person competent to initiate or conduct proceedings,
- where the report relates to a natural person, the personal data of the whistleblower shall not be disclosed to the person requesting information when exercising his or her right of access in accordance with the personal data protection requirements applicable to that natural person,
- the transfer of data processed within the framework of the system to another state or international organisation may only take place in the event of a legal commitment by the recipient of the transfer to comply with the statutory rules on notification and taking into account the provisions on the protection of personal data,
- the system shall be designed in such a way that the personal data of the whistleblower who disclosed his identity or of the concerned person (or of any person with relevant information about the contents of the report) cannot be disclosed to anyone other than the persons investigating the report,
- the person concerned by the report (or the person with relevant information about the contents of the report) must be informed in detail about the report, about his or her rights in relation to the protection of his personal data and about the rules governing the processing of his data at the beginning of the investigation (the person concerned by the report may be informed exceptionally, in justified cases, at a later date, if immediate information would endanger the investigation of the report).
Which authority(ies) can monitor compliance with the whistleblowing system rules and what are the possible consequences of non-compliance?
Compliance with employers' obligations shall be monitored by the employment inspection authority. In case of violation of obligations, the provisions of Act CXXXV of 2020 on services and subsidies promoting employment and on employment supervision shall apply, except that fines and disqualification from carrying out activities may not be applied. (The question is to what extent employers will be motivated to set up and properly operate whistleblowing systems in the absence of these legal consequences.)
In addition, of course, due to the nature of internal whistleblowing systems, data protection issues are of great importance during the operation of the system, so the role of the Hungarian Data Protection Authority (NAIH) is also very important in connection with monitoring compliance with data protection rules. It is likely that due to the significant increase in the number of whistleblowing systems operated by employers (which is inevitable due to the significant expansion of the circle obliged to operate such systems), the number of data protection cases related to such systems and data processing related to whistleblowing may also increase significantly.