Whistleblowing Systems: Obligations, Whistleblower Protection and Corporate Compliance
Operating internal whistleblowing systems – Act XXV of 2023, EU Whistleblowing Directive (2019/1937), internal and external reporting channels, whistleblower protection, reversed burden of proof, data protection aspects and practical advice.
Dr. Ildikó Nagy
In today’s globalised business environment, whistleblowing – the internal or external reporting of misconduct – constitutes a key institution of corporate culture and the rule of law. Following the EU Whistleblowing Directive (2019/1937/EU) adopted in 2019, Hungary comprehensively regulated this area: Act XXV of 2023 on Complaints, Public Interest Disclosures and the Rules Related to the Reporting of Abuses (hereinafter: Whistleblowing Act) entered into force on 24 July 2023. Below we examine the mandatory elements of the system, the guarantees of whistleblower protection and the practical steps involved.
Legal Framework
EU Level
- Directive (EU) 2019/1937 of the European Parliament and of the Council (Whistleblowing Directive) – on the protection of persons who report breaches of Union law
- The directive is a minimum harmonisation measure: Member States may provide higher levels of protection
Hungarian Legislation
- Act XXV of 2023 – on complaints, public interest disclosures and the rules related to the reporting of abuses (Whistleblowing Act)
- Act I of 2012 – Labour Code (Mt.) – for employment law consequences
- Act V of 2013 – Civil Code (Ptk.) – compensation rules
- GDPR (Regulation (EU) 2016/679) and Act CXII of 2011 (Info Act) – data processing rules related to reports
Which Organisations Are Obliged?
Mandatory Establishment of an Internal Reporting System (Whistleblowing Act Section 18)
The Act imposes obligations with differentiated deadlines:
- Employers with at least 250 employees: mandatory from 17 December 2023
- Employers with 50–249 employees: mandatory from 17 December 2025
- Sector-based obliged entities (financial sector, public sector etc.) – regardless of headcount
Important: the obligation is not exclusively linked to headcount – organisations subject to anti-money laundering and counter-terrorism financing rules (Act LIII of 2017) are obliged regardless of headcount (Whistleblowing Act Section 18(2)).
Mandatory Elements of the Internal Reporting System
Operating Requirements (Whistleblowing Act Sections 19–22)
The internal reporting system must comply with the following mandatory (non-derogable) requirements:
1. Reporting Channels (Section 19)
The reporter must be able to submit reports through at least the following means:
- In writing (by post, electronic form, email)
- Orally (by telephone or through a personal hearing – the latter must be provided within 15 days upon request)
2. Confidentiality and Data Protection (Section 29)
- The reporter’s identity must be treated confidentially – it may not be disclosed to anyone other than the person conducting the investigation without the reporter’s express consent
- The operator of the system is bound by a duty of confidentiality
- Personal data contained in reports must be processed in accordance with the GDPR and the Info Act
Important clarification: the Act mandates confidentiality (confidential handling), not technical “full anonymity.” The possibility of submitting anonymous reports may be provided by the organisation, but the Act does not require it – anonymous reports may be investigated (Section 20(1)), but handling them is not mandatory.
3. Procedural Deadlines (Section 22)
- Within 7 days: written acknowledgment of receipt of the report
- Within 30 days: conducting the investigation and informing the reporter of the outcome
- Extension: in complex cases, the 30-day deadline may be extended once by a further 30 days (maximum 60 days total), with simultaneous notification of the reporter (Section 22(4))
What May Be Reported?
Subject Matter of Reports (Whistleblowing Act Sections 1, 16)
The following breaches may be reported through the internal reporting system:
- Breaches of EU law in the areas listed in the annex to the Directive (public procurement, financial services, product safety, environmental protection, tax fraud, consumer protection etc.)
- Breaches of Hungarian legislation – related to the organisation’s activities
- Serious breaches of internal rules
Important: the Act’s protection extends only to reporters who reasonably believe that the reported information was true at the time of reporting (good faith requirement – Section 4(1)).
External Reporting Channels
Procedure of the Commissioner for Fundamental Rights (Whistleblowing Act Sections 24–28)
In addition to – or instead of – the internal channel, the reporter may use an external reporting channel. In Hungary, the designated body for receiving external reports is the Commissioner for Fundamental Rights (Ombudsman).
External reporting does not depend on whether the reporter previously used the internal channel – the reporter is free to choose between channels.
Whistleblower Protection: Prohibition of Retaliation
Scope of Protection (Whistleblowing Act Sections 41–43)
The Act provides strict protection for the reporter against retaliation in connection with the report:
Prohibited retaliatory measures (Section 41(2)) – including:
- Dismissal, termination
- Transfer, demotion
- Disciplinary action
- Discrimination
- Intimidation, harassment
- Withholding of payments
Reversed Burden of Proof (Section 43(5))
One of the most important guarantees of whistleblower protection is the reversed burden of proof:
- If the reporter suffers a detriment after making a report, the Act establishes a rebuttable presumption (praesumptio iuris): the detriment occurred because of the report
- The employer must prove that the measure was taken for a lawful reason independent of the report
- This is a rebuttable presumption (not irrebuttable!) – the employer may rebut it through successful counter-evidence
Note: there is a fundamental difference between an “irrebuttable presumption” (praesumptio iuris et de iure) and a “rebuttable presumption” (praesumptio iuris tantum). The Act contains a rebuttable presumption: the employer may rebut the presumption with evidence. An irrebuttable presumption, by contrast, admits no counter-evidence.
Compensation Consequences
In the event of unlawful retaliation, the reporter may enforce their claim under the general compensation rules of the Civil Code (Sections 6:519–6:534):
- Pecuniary damage: lost income, expenses
- Non-pecuniary damage: compensation for personality rights violations under Section 2:52 of the Civil Code (sérelemdíj)
The amount of compensation is determined by the court on the basis of all circumstances of the case – the Act does not prescribe fixed amounts or multipliers.
Sanctions Against the Employer
Administrative Consequences
- The authority may impose a fine for failure to establish the internal reporting system or for operating it inadequately
- The Employment Supervisory Authority may inspect employment law aspects
- Sectoral supervisors (e.g. the Central Bank of Hungary in the financial sector) may act within their own competence
Criminal Liability
- Retaliation against a reporter may in certain cases (e.g. coercion, harassment) give rise to criminal liability (Criminal Code Section 195 – coercion, Section 222 – harassment)
- Concealing misconduct may also constitute a criminal offence
Data Protection Aspects
GDPR Compliance (Whistleblowing Act Sections 29–34)
Operating the internal reporting system requires particular attention to data protection requirements:
- Preparing a data protection notice for reporters and data subjects
- Conducting a Data Protection Impact Assessment (DPIA) – reporting systems typically constitute high-risk data processing
- Retention period: data related to reports may be retained for a maximum of 5 years after the closure of the investigation, and must be deleted thereafter (Section 34)
- Access restriction: only authorised persons conducting the investigation may access the data
Practical Advice
For Businesses
- System choice: the reporting system may be operated in-house (internal compliance department) or outsourced (external service provider, e.g. law firm) – Section 18(5) expressly permits outsourcing
- Policy development: adopt an internal whistleblowing policy containing the reporting channels, procedural rules and feedback deadlines
- Training: regular briefing of managers and employees on reporting options and the prohibition of retaliation
- Documentation: careful documentation of all reports and investigations – due to the reversed burden of proof, the employer must be prepared to prove the lawfulness of any measure taken
For Employees (Potential Reporters)
- Good faith: a report enjoys protection only if the reporter reasonably believes the information to be true
- Channel selection: the reporter may freely choose between internal and external (Ombudsman) channels
- Documentation: it is advisable to record circumstances related to the report (dates, communications, witnesses)
- Legal advice: in complex cases, seeking legal counsel before making a report is recommended
The whistleblowing system is not merely a regulatory obligation but a tool of corporate governance and ethical business culture. Act XXV of 2023, transposing the EU Directive, provides a robust legal framework for both whistleblower protection and organisations’ compliance obligations – the proper application of the system serves the shared interest of employers and employees alike.