New whistleblowing law in Romania: it’s time to streamline processes and secure your data flows

Material scope significantly expanded

Romania will soon enforce new national legislation implementing the Whistleblowing Directive¹. The Romanian legislation draft will replace the existing mechanism applicable in the public sector and mandatory in public
institutions and state-owned companies². As per the new draft law, the element of novelty relates to the extension of protection for whistleblowers to the private sector. Thus, companies with more than 50 employees
will have to identify or establish internal reporting channels, which they will make available for potential reports³.

Romania has chosen to adopt a wide scope of reporting, which goes beyond the material scope enshrined by the Whistleblowing Directive (i.e. limited to breaches of EU law in specific areas). Under the draft law, whistleblowers may report on any breach of law occurring within an organisation, irrespective of the field or the gravity of
the infringement. This proposal triggered significant criticism from the business community in Romania and was seen as exceeding the public interest rationale of the whistleblowing rules. There were also concerns that it could potentially overload the whistleblowing mechanism with trivial or abusive reports.

Such a wide scope comes with unique challenges

If the wide material scope of reporting is maintained, companies will face the challenge of adopting appropriate
whistleblower mechanisms. Such systems will in turn need to ensure an adequate level of trust for employees as to encourage the use of internal reporting channels and investigations.

In line with the Whistleblowing Directive, a whistleblower can also choose to go directly to the central state authorities responsible and, where relevant, to EU bodies, in cases where: internal channels were used but did not function properly or they could not reasonably be expected to function properly (for example, because of the fear of retaliation, concerns about confidentiality, the possible implication of the management in the breach, fear that the breach or the evidence might be concealed or destroyed, or if urgent action is required because of an imminent substantial danger to the life, health and safety of persons, or to the environment).

Additionally, the reporting person may publicly disclose (i.e. via the media, social media) the breach of law
where there are reasonable grounds to believe that the breach may constitute or manifest an imminent
danger to the public interest or, in the case of external reporting, that there is a risk of retaliation or a low
prospect of the breach being effectively addressed.

The attractiveness and effectiveness of internal reporting will depend to a large extent on the actual design of internal policies and compliance with data protection principles.

Whistleblowing procedure involves the processing of personal data of the whistleblowers, the alleged wrongdoers, as well as of the other individuals mentioned in the reporting.

Legal entities in the private and public sector in Romania must comply with the provisions of data protection legislation, including the General Data Protection Regulation/GDPR, while processing personal data within the whistleblowing procedure.

Anonymous whistleblowing will most likely not be pursued in Romania

While the Whistleblowing Directive leaves discretion for Member States to allow anonymous reporting, in Romania, legal entities will not be able to offer this option to their employees, if the draft law passes in its current form.
This policy choice is expected to increase the use of external reporting channels unless organisations
are able to effectively implement and enforce a noretaliation policy and guarantee the confidentiality of
the reporter.

Under the draft law, whistleblowers must fully identify themselves and provide for specific information enabling the internal investigation of the reported breach (description of facts, related evidence). If reporting is anonymous, the report will be dismissed, without any further assessment.

Nevertheless, whistleblowers having made anonymous reports still enjoy confidentiality and anti-retaliation
protection under the law if they are identified post-reporting, with no obligation on behalf of the organisation
to follow up on their submission.

Confidentiality remains key when designing a trusted internal reporting system

Based on the draft law, organisations should ensure that internal procedures are in place in order to protect
the identity of concerned data subjects and to prevent access to the reporting process by unauthorised staff
members. Appropriate technical and organisational measures in order to ensure data security and minimise
the potential risks should be put in place.

According to the draft law, the person designated to handle reports has the obligation to not disclose the
identity of whistleblower, as well as the information that may allow the direct or indirect identification of
that whistleblower. The draft law provides for some exemptions from the above obligation of confidentiality,
namely when:

• The whistleblower has expressly consented to the disclosure of his/her identity;
• There is an obligation imposed by law. In such a case, the whistleblower will be informed beforehand, in writing, on the disclosure of the whistleblower’s identity and the reasons for the disclosure of the confidential data in question. Nevertheless, the obligation to inform the whistleblower as mentioned above, does not apply if the respective information would jeopardise the investigation or legal proceedings;
• The whistleblower has intentionally revealed his/ her identity in the context of a public disclosure. Also, the identity of the accused person should be protected while the actions related to the reporting or public disclosure are ongoing, unless, after solving the reporting, it is found that the data subject is not guilty of breaches of law that were reported or disclosed.

Provided the confidentiality of the identity of the reporting person is ensured, it is up to each individual legal entity in the private and public sector to define the type of reporting channels to establish.

More specifically, the reporting channels should enable persons to report in writing, on paper or via electronic
means or orally via phone or other voice messaging systems or, upon request by the reporting person, by
means of physical meetings.

Legal entities may consider using digital whistleblowing platforms, as such tools provide for effective ways to comply with GDPR requirements related to the exercise of data subjects’ rights (e.g. data anonymisation in the case of the exercise of data subject’s right to be forgotten).

Systems should implement data minimisation

Personal data processed within the whistleblowing procedure must be limited only to the data that is relevant to the case. The Romanian whistleblowing draft law specifies that the personal data should not be collected if such data is not required for resolving the report and, if accidentally collected, it should be deleted without undue delay.

Storage limitation
Also, the draft law specifies the storage period of the whistleblowing reports and settlement resolution, which
should be centralised in a register to be kept for a period of 5 (five) years.

Conclusion

Given the sensitive nature of the information processed within the context of whistleblowing procedure and the follow-up on internal investigation, ensuring the observance of data protection rules will be key to the effectiveness and trusted use of internal reporting tools.

Externalised whistleblower digital tools may be fit for this purpose while reducing the operational overhead and compliance costs.

The national transposition of the Whistleblowing Directive gives the opportunity to legal entities in Romania, both in the private and the public sector, to optimise their processes and systems in order to implement the new legal requirements and, at the same time, to streamline and secure data flows while maintaining a resilient profile.

¹(EU) 2019/1937 on the protection of persons who report breaches of Union law. In April 2021, the Romanian draft law was subject to public consultation, while the law adoption is expected by December 2021.
² Law no. 571/2004 on the protection of the whistleblowers in the public sector, adopted following the recommendations of GRECO and the UN Convention against Corruption. The option to report must be ensured in areas such as corruption, conflicts of interest, discrimination, public procurement, gross negligence, non-compliance with transparency in relation to public information or decision-making processes in the public sector, etc.
³ The draft law exempts private companies with less than 50 employees from the obligation to set up internal reporting channels. Employees of such undertakings may report externally, directly to the competent national authorities