Available also in Slovenian below

A law for whistleblower protection in the private sector was adopted in Slovenia, which introduces new requirements for internal compliance checks. Is your company ready?

The Slovenian Parliament has adopted the Whistleblower Protection Act (“Act“) which will enter into force on 22 February 2023. The Act transposes the provisions of Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the “Directive“) into Slovenian law. Although the deadline for transposition has formally expired, Slovenia is far from being the only EU Member State to have missed the implementation deadline, as only 10 EU Member States have complied with this obligation so far.

Apart from new regulation of a whistleblowers’ status and rights in the private sector, the Act also provides for an obligation to establish and maintain an internal system of whistleblower report verification. These new requirements significantly strengthen the responsibility of companies for their internal control of compliance, as has already been the practice of companies abroad for many years.

From a wider perspective, it may be as important as the proper implementation of the obligations under the Act that companies also conduct broader checks and comply with existing and binding sectoral regulations, including implementation of all the necessary internal policies and procedures.

What are the reporting procedures under the Act?

The Act provides for two channels through which whistleblowers (i.e. natural persons who report or publicly disclose information about a violation in a work-related context) can report violations, i.e. internal and external reporting channels.

The internal reporting channel should be the primary way of reporting. All legal entities employing 50 or more employees, as well as other entities engaged in certain specific activities, are required to set up internal reporting channels within the company. Private entities employing 250 or more employees are obliged to set up internal reporting channels within 90 days from the date of the entry into force of the Act,i.e. by 23 May 2023, while all others must comply with this obligation by 17 December 2023.

The internally-submitted report is handled by an internally-appointed trustee who, after the procedure is completed, prepares an account of the findings on the merits of the report, the proposed and implemented measures and submits it to the management of the company and the whistleblower. The trustee must be an employee of the relevant company. Engagement of external contractors for this purpose is not allowed. The entities are obliged to annually report the number of reports received, the number of anonymous and justified reports, and the number of retaliatory actions, to the Slovenian Commission for the Prevention of Corruption (“CPC“).

Only companies employing less than 250 employees are allowed to share their resources for the receipt and investigation of reports with other group companies. The systems for receipt and investigation of reports that are now in place on a group level may not therefore comply with the Act.

Whistleblowers can use the external reporting channel in cases where the breach cannot be addressed effectively through internal reporting channels or if the whistleblower believes that there is a risk of retaliation in the case of an internal report. Depending on the nature of the breach, 22 different state institutions are responsible for receiving and handling the external reports (e.g. CPC, the Slovenian Securities Market Agency (ATVP), the Slovenian Competition Protection Agency (AVK), the Slovenian Insurance Supervision Agency (AZN), the Bank of Slovenia, the Agency for Medicinal Products and Medical Devices of the Republic of Slovenia (JAZMP), the Financial Administration of the Republic of Slovenia (FURS), inspectorates, etc.). When dealing with an external report, the relevant institution acts in accordance with the relevant sectoral laws and within its powers. In practice, this may result in the initiation of supervisory, inspection, administrative proceedings and, in extreme cases, even criminal proceedings.

Ensuring an efficient compliance system in accordance with the requirements of the Directive and the Act

For companies that are obliged to establish internal reporting channels under the Act, it is essential to set up and maintain an effective, independent and credible system for receiving and handling reports by whistleblowers, that are trusted by both employees and external stakeholders.

Such a system allows the company to identify and duly address any shortcomings before any state authorities or agencies may interfere with its operations and indirectly limits the number of external reports and related procedures that may significantly interfere with the company’s day-to-day operations.

In view of the above, it is important that the company’s existing policies are sufficiently specific in terms of both content and procedure to contain clear rules of conduct, responsibilities and action in cases of irregularities or breaches (e.g. on giving/accepting gifts, conflicts of interest, prevention of corruption, use of a company’s email and telephone, storage of personal emails and documents, protection of personal data, prevention of mobbing, etc.).

Prohibition of retaliation against whistleblowers

Under the Act, any retaliatory action against a protected whistleblower, such as termination of employment, suspension of an employment contract, transfer to a lower position, preventing or withholding training or promotion, introduction of disciplinary proceedings, etc., is prohibited.

According to the Act, the whistleblower will not be considered to be in breach of any contractual or legal restriction or prohibition of disclosure of certain information (e.g. trade secrets) and will not be liable in connection therewith if the whistleblower did not report false information and believed that the report was crucial for the disclosure of the violation. Also, the whistleblower will not incur liability in respect of the acquisition of or access to information reported or publicly disclosed, provided that such acquisition or access did not constitute an independent criminal offence.

In the case of retaliation, the whistleblower may seek judicial protection before a competent court. If the whistleblower seeks an interim injunction in respect of retaliation measures taken against them and proves to have made a report before the retaliatory measure was taken, the more onerous of the conditions to be fulfilled for an interim relief (i.e. that the enforcement of the claim will be prevented or substantially impeded) will automatically be deemed to have been fulfilled.

Furthermore, the damage incurred by the whistleblower will be deemed to have resulted from the retaliation and therefore, for instance, it is for the employer to prove that the employer’s actions were legal, appropriate and not related to the report.What are the consequences for breaching the new Act?

The Act distinguishes between systemic, minor and serious offences. Systemic offences refer to breaches of the obligation to establish an internal reporting channel, to appoint a trustee and to report to the CPC. Minor and serious offences refer to the disclosure of the whistleblower’s identity and retaliation respectively. It should be noted that the Act explicitly criminalises the mere attempt or threat of such acts. The CPC will be responsible for conducting offence proceedings and for imposing penalties.

For serious offences, fines range between EUR 5,000 and EUR 20,000; EUR 10,000 and EUR 60,000 for companies (depending on their size) and, additionally, between EUR 300 and EUR 2,500 for their responsible persons.

How can we support you?

Wolf Theiss offers the following integrated and tailored solutions to ensure business compliance, both in light of the Act and existing regulations:

• SecuReveal: a compliance tool — software-based reliable system for anonymous notification of irregularities in the company, which meets the highest data protection standards,
• review of existing policies or drafting new internal policies for your company in order to establish an effective internal compliance system (e.g. policies on the use of the company’s email and other communication systems, the use of work equipment and the storage of documents),
• trainings for staff and management on compliance and on dealing with reports,
• an experienced team of specialised lawyers covering various legal fields to manage and conduct more complex internal investigations within a company,
• coordination and communication with regulators and investigative authorities in the event of an external report, where unlike other advisers, we can offer both the facilities and the confidentiality of our legal services.

In addition to our in-house expertise in employment law, personal data protection, as well as in corporate and white-collar crime investigations, we also have the advantage of extensive international experience and effective cross-border cooperation when dealing with corporations with affiliated companies in Central, Eastern and Southeastern Europe.

Zaščita prijaviteljev – žvižgačev

Zagotavljanje sistema ravnanja v skladu z direktivo

Sprejeta je bila celostna ureditev položaja žvižgačev v zasebnem sektorju, ki prinaša tudi nove zahteve glede notranjega preverjanja skladnosti poslovanja. Ste pripravljeni?

Državni zbor je sprejel Zakon o zaščiti prijaviteljev (“Zakon“), ki bo stopil v veljavo 22. februarja 2023. Z Zakonom se v slovenski pravni red prenašajo določbe Direktive 2019/1937 Evropskega parlamenta in Sveta z dne 23. oktobra 2019 o zaščiti oseb, ki prijavijo kršitve prava Unije (“Direktiva“) – rok za prenos se je sicer formalno že iztekel, a Slovenija še zdaleč ni edina zamudnica med članicami EU, saj je doslej to obveznost v celoti izpolnilo le 10 držav.

Zakon ne predvideva le nove ureditve statusa in pravic žvižgačev v zasebnem sektorju, temveč tudi vzpostavitev in vzdrževanje notranjega sistema preverjanja prejetih prijav o kršitvah. S tem se znatno in pomembno krepi odgovornost družb za notranjo kontrolo skladnosti poslovanja, kar je sicer v tujini praksa že več let.   

V širšem pogledu pa utegne biti v enaki meri kot pravilna in popolna implementacija obveznosti po predlogu Zakona pomembno tudi, da družbe širše preverijo in zagotovijo spoštovanje obstoječih področnih predpisov, ki jih zavezujejo pri poslovanju, ter vzpostavijo potrebne interne pravilnike in postopke. 

Kakšne postopke prijave predvideva Zakon?

Zakon predvideva dve poti, prek katerih naj bi prijavitelji (tj. fizične osebe, ki prijavijo ali javno razkrijejo informacije o kršitvi, pridobljene v njihovem delovnem okolju) lahko podali prijavo kršitev – notranjo in zunanjo.

Notranja pot predstavlja primaren način podajanja prijav. Notranji sistem prijave morajo vzpostaviti vsi pravni subjekti, ki zaposlujejo 50 ali več delavcev, ter tudi nekateri drugi subjekti, ki opravljajo posebne dejavnosti. Zasebni subjekti, ki zaposlujejo 250 ali več delavcev, so dolžni notranjo pot prijave vzpostaviti v roku 90 dni od uveljavitve Zakona, to je do 23. 5. 2023, preostali pa do 17. 12. 2023.

Notranje podano prijavo obravnava interno imenovani zaupnik, ki po zaključeni obravnavi pripravi poročilo z ugotovitvami o utemeljenosti prijave, predlaganih in izvedenih ukrepih, s katerim seznani vodstvo družbe in prijavitelja. Zaupnik mora biti zaposlen v družbi – angažiranje zunanjih sodelavcev v ta namen ni dopustno. Zavezanci so dolžni Komisiji za preprečevanje korupcije (“KPK“) letno poročati o številu prejetih, anonimnih in utemeljenih prijav ter o številu obravnavanih povračilnih ukrepov.

Le tiste družbe, ki zaposlujejo manj kot 250 delavcev, si lahko delijo sredstva za prejemanje prijav in preiskave z drugimi družbami iz skupine. Obstoječi sistemi sprejemanja prijav in izvajanja preiskav, organizirani na ravni skupin, tako morda ne zagotavljajo skladnosti z Zakonom.

Zunanje poti za prijavo se bodo prijavitelji posluževali v primerih, ko notranje prijave ni mogoče učinkovito obravnavati, ali če prijavitelj meni, da v primeru notranje prijave obstaja tveganje povračilnih ukrepov. Za sprejem in obravnavo zunanje prijave je glede na naravo kršitve pristojnih 24 različnih državnih institucij (primeroma – KPK, ATVP, AVK, AZN, Banka Slovenije, JAZMP, FURS, inšpektorati, ipd.). Pri obravnavi zunanje prijave institucija postopa skladno z relevantno področno zakonodajo in pooblastili, kar v praksi utegne pomeniti predvsem uvedbo nadzorstvenih, inšpekcijskih, prekrškovnih in v skrajnem primeru kazenskih postopkov.    

Zagotavljanje učinkovitega sistema skladnosti z zahtevami iz Direktive in Zakona

Za družbe, ki so po Zakonu zavezane k vzpostavitvi notranje poti prijave, je zato bistvenega pomena, da vzpostavijo in vzdržujejo učinkovit, neodvisen in verodostojen mehanizem sprejemanja in preverjanja prijav, ki uživa zaupanje tako zaposlenih kot zunanjih deležnikov.

Takšen mehanizem družbi omogoča, da prepozna in premišljeno naslovi vse morebitne pomanjkljivosti, še preden se v njeno poslovanje vmešajo državni organi in nosilci javnih pooblastil, ter da posredno omeji število zunanjih prijav in s tem povezanih postopkov, ki lahko izdatno ovirajo njeno vsakodnevno poslovanje.

Upoštevajoč navedeno je pomembno tudi, da so obstoječi pravilniki v družbi tako vsebinsko kot postopkovno dovolj določni, da vsebujejo jasna pravila ravnanja, odgovornosti in ukrepanja v primerih nepravilnosti ali kršitev (npr. glede dajanja in sprejemanja daril, nasprotij interesov, preprečevanja korupcije, uporabe službenega elektronskega naslova in telefona, shranjevanja osebne elektronske pošte in dokumentov, varstva osebnih podatkov, preprečevanja mobinga ipd.).

Prepoved povračilnih ukrepov zoper žvižgače

Po Zakonu so zoper zaščitenega prijavitelja prepovedani vsakršni povračilni ukrepi, primeroma prepoved odpovedi delovnega razmerja, suspenza pogodbe o zaposlitvi, premestitve na nižje delovno mesto, onemogočanja ali zadržanja napredovanja, prepoved uvedbe disciplinskega postopka ipd.

Zaščiteni prijavitelj ne krši morebitne pogodbene ali zakonske omejitve ali prepovedi glede razkritja določenih informacij (poslovnih skrivnosti) in ne nosi s tem povezane odgovornosti, če ni podal lažne prijave in meni, da je prijava nujna za razkritje kršitve. Prijavitelj prav tako ne nosi odgovornosti v zvezi s pridobitvijo ali dostopom do informacij, ki jih prijavi ali javno razkrije, če takšna pridobitev ali dostop ni samostojno kaznivo dejanje.

Zaščiteni prijavitelj lahko v primeru uvedbe povračilnih ukrepov uveljavlja sodno varstvo pred pristojnim sodiščem. Če prijavitelj zahteva izdajo začasne odredbe glede povračilnega ukrepa in izkaže, da je pred povračilnim ukrepom podal prijavo, se težji izmed pogojev za izdajo začasne odredbe (tj. da bo uveljavitev terjatve onemogočena ali znatno otežena) avtomatsko šteje za izpolnjenega.

Nadalje je podana domneva, da je škoda, ki je nastala prijavitelju, posledica povračilnega ukrepa in tako mora primeroma delodajalec dokazati, da je bil njegov ukrep zakonit, primeren in nepovezan s prijavo.

Kakšne so posledice za kršitelje Zakona?

Zakon razlikuje med sistemskimi, lažjimi in težjimi prekrški. Sistemski prekrški se nanašajo na kršitve obveznosti vzpostavitve notranje poti prijave, imenovanja zaupnika in poročanja KPK. Lažji in težji prekrški pa se nanašajo na razkrivanje identitete prijavitelja in povračilne ukrepe. Pri tem velja izpostaviti, da je po Zakonu izrecno kazniv že poskus oziroma grožnja navedenih ravnanj. Za vodenje prekrškovnih postopkov in izrekanje kazni je pristojna KPK.

Kako vam Wolf Theiss lahko pomaga

Za težje prekrške je predpisana globa v razponu od 5.000 do 20.000 EUR oziroma od 10.000 do 60.000 EUR (odvisno od velikosti gospodarske družbe), pri čemer se z globo od 300 do 2.500 EUR lahko kaznuje tudi odgovorno osebo.

Wolf Theiss ponuja celostne in hkrati po meri strank prilagojene rešitve za zagotavljanje skladnosti poslovanja, tako v luči Zakona kot drugih predpisov, in sicer:

• SecuReveal: orodje za zagotavljanje skladnosti – programsko podprt zanesljiv sistem za anonimno obveščanje o nepravilnostih v družbi, ki izpolnjuje najvišje standarde varstva podatkov,
• revizijo obstoječih pravilnikov oz. pripravo novih internih pravilnikov delodajalca s področij, ki so nujna za namen vzpostavitve učinkovitega notranjega sistema skladnosti poslovanja (npr. pravilnikov o uporabi službene elektronske pošte in drugih sistemov komunikacije, uporabe delovnih sredstev in shranjevanja dokumentov),
• izobraževanja za zaposlene in vodstvene kadre s področja skladnosti in obravnave prijav,
• izkušeno ekipo odvetnikov specialistov z različnih pravnih področij za vodenje in izvedbo kompleksnejših notranjih preiskav v gospodarski družbi,
• koordinacijo in komunikacijo z regulatorji in preiskovalnimi organi v primeru zunanje prijave, pri čemer lahko za razliko od drugih svetovalcev nudimo tako opremo kot tudi zaupnost odvetniških storitev.

Našo prednost poleg samih strokovnjakov s področja delovnega prava in varstva osebnih podatkov ter s področja preiskav podjetij in gospodarskega kriminala predstavljajo bogate mednarodne izkušnje ter učinkovito čezmejno sodelovanje, kadar gre za korporacije s povezanimi družbami v regiji Srednje, Vzhodne in Jugovzhodne Evrope.