EU Whistleblowing Directive – Bulgaria

Whistleblowers protection already in place

Before the directive

Bulgaria doesn’t have a comprehensive legal framework for whistleblowing protection. The Bulgarian legislation covering whistleblowing matters is spreaded accross different laws.

Instead of amending the current legislation with the requirements of the Directive, or to implement a separate dedicated law, the Bulgarian government decided to embed Whistleblowing Protection into an anti-corruption strategy.

Following the adoption of a draft in 2021, it has been decided that a separate dedicated law for whistleblowing should be drafted by the official deadline of implementation of the Directive. The key points of this legislation are to broaden the requirements of the Directive to cover breaches of national law, and to establish new reporting channels accross several competent authorities.

Current implementation status

The new Whistleblowing Directive has been implemented into national law by the Whistleblowing Law with its promulgation in State Gazette N°11 of 2 February 2023. 

The law enters into force on 4 May 2023. By this date, all private sector organizations with 250 employees or more must comply with its new requirements. Organizations with 50 to 249 employees have until 17 December 2023 to be compliant.

New Requirements

Who is concerned with the new Whistleblowing Law?

Under the Whistleblowing Law, private companies with 50 or more employees and all public sector employers are required to establish channels and procedures for employees to report issues internally. This means that employees have a safe and secure way to report any concerns or issues within their company.

However, some small municipalities and private companies with less than 50 employees are exempt from this requirement, unless they are working in certain financial areas regulated by the Whistleblowing Law. These areas include financial services, products, and markets, as well as prevention of money laundering and terrorism financing.

If the EU or national laws have special rules for reporting issues in a specific sector, those rules will apply instead of the Whistleblowing Law. This means that companies operating in a particular sector must follow the reporting procedures set out in that sector’s regulations.

For example, the Bulgarian Measures Against Money Laundering Act requires certain businesses such as banks, financial institutions, insurers, investment intermediaries, auditors, notaries, and lawyers in certain cases, to have specific internal procedures for employees to report anonymously about suspected money laundering or terrorism financing. These internal reporting procedures should be described in the company’s internal rules for control and prevention of money laundering and terrorism financing.

Extended material scope

In addition to the material scope set forth in the Directive, the Whistleblowing Law allows a wide range of topics to be reported through a Whistleblowing System. The topics must fall within the material scope of the Whistleblowing Law, covering:

• Breaches of national law or Union acts listed in an annex to the Whistleblowing Law
• Areas listed in Art. 2, Section (1), paragraph (a) of the Directive, including public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, and transport safety, among others
• Breaches affecting the financial interest of the Union
• Breaches relating to the internal market, including Union competition and State aid rules
• Breaches relating to trans-border tax schemes aimed at obtaining a tax advantage that defeats the object or purpose of the applicable corporate tax law
• Crimes of general character investigated by the prosecution authorities ex oficio that the whistleblower became aware of while performing their work or official duties

Anonymity and protection of confidentiality

Anonimity of the whistleblower is forbidden by the law. According to the new Whistleblowing Law, an investigation cannot be carried out upon an anonymous report. 

However, the Whistleblowing Law requires obliged entities to take measures to keep reports and related information confidential. The identity of the reporting person and the person against whom the report is filed must be kept confidential. The identity of the whistleblower and information in the report can only be disclosed with the explicit consent of the reporting person or in limited cases allowed by the law after notifying the whistleblower in writing. Retaliation against reporting persons is strictly prohibited, including threats or attempts of retaliation.

Prohibited forms of retaliation include:

• suspension, lay-off, or dismissal
• denial of promotion
• changes in job duties or location, reductions in wages, and changes in working hours.

Reporting persons who experience retaliation are entitled to compensation for any material and non-material damages they may incur.

Group-wide whistleblowing systems are allowed under certain conditions

Organizations falling under the scope of the new Whistleblowing Law can choose how to implement their internal reporting system under certain conditions.

As a basis, all obliged entities must designate one or more reports administrator within their structure, who is in charge of the receipt and registration of reports (these officers can also be appointed data protection officers, if any).

Receiving and registering reports can also be assigned to an external third party (natural person or legal entity).

The Whistleblowing Law allows entities with 50 to 249 workers to have a shared channel for internal reporting. They can designate a single person or department to handle the investigation of reports. This shared channel must comply with the same standards as an individual channel. 

A common (group-wide) system can be used, provided that the system complies with certain requirements of the Whistleblowing Law, including:

• The registration of reports follows templates approved by the Bulgarian Personal Data Protection Commission, being the national authority for external reporting
• A register of submitted reports, containing information prescribed by the law, must be kept
• The procedure for keeping the register must comply with a regulation on keeping registers and forwarding internal reports. This regulation will be adopted by the Bulgarian Personal Data Protection Commission within six months of the promulgation of the Whistleblowing Law in the State Gazette (by August 2, 2023)

Get a Head Start 

Having a flexible platform that can adapt to any legislation and regulations can give you a great head start. With Whispli, you can build up your solution according to your current needs, and modify it at any time. 

You can start by complying to the minimum requirement of the EU Directive today and adjust to your local legislation later. 

Get in touch with one of our expert and get a guided demo to see how Whispli can help your Organization to comply with the Directive.