Deloitte Legal Guide to Cross-Border Secured Transactions


Three questions on whistleblowing channels and procedures

Published: 2022-06-29

Since December 2021, Sweden has a new whistleblowing law in the Act (2021:890) on the protection of persons who report misconduct. The new Whistleblowing Act requires, among other things, that employers with 50 or more employees must have internal channels for reporting misconduct and procedures for receiving and investigating reports. Although the Act came into force last year, the requirements for channels and procedures will only apply this summer. By 17 July 2022, public sector employers and employers with more than 249 employees will need to have their channels and procedures in place, while private companies with 50-249 employees will have a respite until 17 December 2023. The new Whistleblowing Act has raised many questions and in this article we answer three questions focusing on reporting channels and procedures.*

The article is available in Swedish here.

1. Which employers must have channels and procedures?

All employers, private and public, who at the beginning of the calendar year had 50 or more employees are required to have internal channels for reporting misconduct and procedures for receiving and investigating reports. When assessing whether an employer has 50 or more employees, all employees shall be taken into account, including part-time employees, fixed-term employees, employees on-leave and employees in managerial positions. The timing of when an employer should have 50 or more employees is the beginning of the calendar year. Thus, the employer who at the beginning of the calendar year does not have 50 or more employees is not obliged to have channels and procedures under the Whistleblowing Act. This means, for example, that there may be a legal obligation to have channels and procedures in a given year but not in subsequent years if the number of employees has decreased. Employers who are not required to have channels and procedures may choose to still have it on a voluntary basis. However, the Act does not apply in its entirety to voluntarily established channels and procedures, for example with regard to confidentiality requirements. Furthermore, voluntarily established channels do not imply that there is a legal obligation to comply with regard to the legal basis for the processing of personal data in a follow-up errand, i.e. a report that is received and handled within the framework of the whistleblower function. Thus, it is important as an employer from year to year to keep track of whether there is a legal requirement to have channels and procedures or not. In the transition period, employers close to the 249-employee limit also need to keep track of the number of employees at the beginning of 2023 as the time limit for when employers with more than 249 employees should have channels and procedures in place will then have passed.

2. What does it mean to have channels and procedures?

There are no requirements for the technical design of the channel, but the channel must be accessible to people who in a work-related relationship with the employer. According to the Act, the following groups must be able to report on misconduct through the internal reporting channel:

  1. employees,
  2. volunteers,
  3. trainees,
  4. persons who otherwise carry out work under the control and direction of the employer,
  5. self employed,
  6. persons who are members of the administrative, management or supervisory body of an undertaking and,
  7. shareholders operating in the company.

Former employees and job seekers are part of the group covered by the law's protection against, for example, retaliation in reporting misconduct, but according to the requirements of the law, do not need to have access to the internal reporting channels. Such groups but may then report in other ways.

As there are no requirements for the technical design of the channel, it may for example consist of a telephone number and an email address. However, reporting shall be possible orally, in writing and, if requested by the reporting person, at a physical meeting. The reporting person shall receive confirmation of receipt of the report within seven days of the report. There is a duty of confidentiality regarding information in follow-up errand and only persons designated as authorized persons may have access to personal data. With regard to the processing of personal data, purpose limitations apply, which mean that personal data collected accidentally or that is not necessary for the follow-up errand must be deleted. The limit for how long personal data may be stored is two years. Many employers opt for a digital solution that facilitates regulatory compliance through built-in features.

In addition to establishing channels, the employer shall appoint autonomous and independent persons or entities to be authorized to receive and investigate reports on behalf of the employer. Those appointed can either be employees of the employer or be an external party such as an external whistleblowing service provider. It is not allowed to appoint persons who are employees of other companies of the same group.

Channels and procedures shall be documented by describing them in writing. The documentation shall, upon request, be submitted to the Swedish Work Environment Authority during an inspection.

3. Can we share channels and procedures within the Group?

As a starting point, each individual employer with 50 or more employees at the start of the year is required to have channels and procedures. However, the law allows employers with 50 – 249 employees to share channels and the procedures relating to the receipt and investigation of reports. This applies regardless of whether the employers are part of the same group or not. However, contact with the reporting person is not included in the procedures that may be shared. Therefore, someone employed by the respective employer (or an external party) always needs to be appointed as authorized even in cases where channels and procedures can be shared in order for someone to have contact with the reporting person. Contact with the reporting person is in turn a legal requirement as the reporting person must, among other things, receive confirmation that the report has been received.

Employers with fewer than 50 employees or more than 249 employees may not share channels and procedures. However, for example, employers within a group may appoint the same external party as authorized to receive and investigate reports regardless of the number of employees and thus indirectly share resources for receiving and investigating reports.

In its current form, the Act's rules on processing of personal data mean that the sharing of channels and procedures within groups is limited to follow-up errands that do not involve any processing of personal data. This is because only the persons designated as authorized may have access to personal data in follow-up errands. Since only employees of the employer and external parties (which do not include other group companies) may be appointed as authorized, an employee of another group company with which procedures for receiving and investigating reports are shared may not have access to personal data. One might question whether this was really the intention of the legislator and it is not impossible that we will see a revision of the Act in that regard. The Act's rules on professional secrecy also largely limit the possibility of sharing resources for the investigation of cases as it is currently unclear to what extent information that can reveal the identity of someone mentioned in a follow-up errand may be shared outside the group of authorized persons appointed by the employer. It is likely that the legal situation surrounding these issues will become clearer as the law is applied.

If you have questions about the new whistleblowing law you are warmly welcome to contact us at Deloitte Legal.

*The information should not be seen as exhaustive or advisory. For advice in specific cases, please contact us via the channels listed below.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Hade du nytta av den här informationen?