Dóra Ágnes Nagy

Under a law passed by Parliament yesterday, all companies with more than 50 employees will be obliged to have a whistleblowing system in place from December. Employers with 250 employees cannot wait any longer, as they will have 60 days to implement the system. The question is, of course, whether companies will see the regulation as another unnecessary administrative burden or whether it will trigger an avalanche of internal investigations.

Is the new GDPR here?

Under the legislation recently passed by Parliament, all companies with more than 50 employees will be required to set up a system by December to report unlawful or suspected unlawful acts by employees. Employers with more than 250 employees will have to set up the system within 60 days of the law's publication, rather than in December. Employers covered by the Money Laundering Act – including credit institutions, auditors, fiduciaries and even law firms – will have to set up a reporting system (also within 60 days of the publication of the Act), regardless of the number of employees,.

According to preliminary calculations, in Hungary, in the private sector, around 7-8,000 companies are affected by the obligation. Around December, we can therefore expect a similar rush to the one that took place when the GDPR obligations were set up - again, those who see setting up the system as a compulsory homework exercise are likely to come to their senses at the last minute.

The regulation includes an easing for employers with 50-249 employees. They can also operate a so-called joint notification system. However, no information has yet emerged on how this joint system can be implemented, who will set it up and how it can be joined. It is expected that for the sectors most targeted by the regulation (accountants, auditors, lawyers) the relevant chambers will set up such a system.

What exactly needs to be done?

The employers concerned will be required to establish an internal procedure, i.e. rules on where complaints can be lodged and how they will be dealt with. There are no specific formal requirements for a whistleblowing system, which can be set up by setting up a dedicated email account or complaints box, but a telephone line or dedicated platform may also be appropriate.

At the same time, the employer must also designate a person or organisation responsible for the operation of the system, to whom the reports will be sent in the first instance. The expectation is that this person should be independent and without conflict of interest. It is for the individual to assess whether there is a person within the company's organisation who meets this independence criterion. As with the Data Protection Officer, this position may be outsourced to a whistleblower protection lawyer or other independent company.

What happens when a notification is received?

As a general rule, the employer is obliged to investigate all complaints and inform the whistleblower of the receipt of the complaint and the procedure followed. In a few specific cases, the employer is exempted from the obligation to investigate the merits of the complaint, for example in the case of manifestly unfounded complaints (e.g. someone makes the same complaint again with the same content as before). Complaints do not have to be made by name, but the law allows anonymous complaints not to be investigated unless they indicate a serious breach of rights or interests. The person against whom the complaint has been made may also be informed of the investigation - but he or she may not know the identity of the person making the complaint.

Will the system work?

The commitment of the employer, the level of trust within the company and the IT and whistleblowing investigation method chosen will probably determine whether the new system will really change the culture of a company. If a potential whistleblower does not believe that his or her complaint will be truly impartial and without disclosure, he or she is unlikely to engage in such an ordeal. However, for those companies that have paid serious attention to the IT and organisational implementation of the system, the new rule is likely to represent not only a compulsory homework exercise to be ticked off, but also a potential increase in internal ethical standards.