The Reporting Persons Protection Act (»ZZPri« or »the Act«), which entered into force on 22 February 2023, transposed the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (»the Directive«) into Slovenian national law. Legal Buzz has already reported on the Directive and the obligations it imposes (the article is available here.) This time, we focus on the obligations imposed on employers by ZZPri and the possibilities it provides to employees in the event of detected irregularities.
The Act comprehensively regulates the protection of reporting persons (i.e., »whistleblowers«), covering not only the areas highlighted by the Directive (public procurement, financial services, prevention of money laundering and terrorist financing, etc.), but extending to violations of any regulations applicable in the Republic of Slovenia.
The goal of ZZPri is to encourage individuals who detect irregularities in their work to report them through specially established internal or external channels for reporting breaches of regulations. Furthermore, the goal is also to prevent retaliation against reporting persons or, if retaliation does occur, to provide assistance, effective protection, and judicial protection to reporting persons. For this purpose, the Act establishes a procedure for dealing with violations and grants additional powers to the Commission for the Prevention of Corruption (»KPK«). It will also be applicable in cases of anonymous reports and, compared to the Directive, it expands the range of protective measures for reporting persons.
What obligations has ZZPri imposed on employers?
In line with the content of the Directive, the Act requires public and private sector entities with 50 or more employees (and some others, e.g., if they are engaged in certain activities of public interest as defined in the third paragraph of Article 9 of ZZPri, as well as many public authorities, etc.) to establish internal reporting channels (»obligated entities«).
Obligated entities are required to appoint a confidant for receiving and processing internal reports. This may be one or more trustworthy employees or an internal organisational unit (e.g., a compliance department, human resources or legal department, etc.).
It will be mandatory to adopt an employer bye-law wherein obligated entities will have to describe the internal reporting channel and, in particular, identify a confidant, the contact details for reporting, the procedure for receiving and following up on reports, the measures to prevent unauthorised persons from accessing information on the reporting person and other content of the reporting register, the notification of internal organisational units and management, and informing employees how to use the internal reporting channels and the internal bye-law (information must be provided to the employees in a simple and transparent way). Employers must report once a year (by 1 March) to the KPK on the number of reports received.
Failure to comply with these obligations constitutes a misdemeanour, punishable by a fine ranging from EUR 2,000 to EUR 4,000 or from EUR 3,000 to EUR 6,000 for large and medium-sized companies.
If an internal report cannot be handled effectively, or if the reporting person considers that there is a risk of retaliation in the case of an internal report, then the reporting person can report the breach directly through an external reporting channel and will be handled by one of the public authorities listed in the Act. If the first two options are ineffective, or if there are other specifically justified reasons, ZZPri provides the individual with a third option, namely public disclosure of the breach.
What is the role of a confidant within the employer’s organisation?
The Act specifies the tasks of the confidant concerning the examination and handling of a report on the breach. The confidant must inform the reporting person about possible protective measures and the procedures for external reporting and provide the reporting person who is being subjected to retaliation with information about legal options and assistance in administrative and judicial proceedings, etc.
When the confidant offers the reporting person protection against retaliation, they may also seek advice from the KPK. When establishing the internal reporting channel, the obligated entities can also seek advice and assistance from KPK.
In what way are reporting persons protected?
The second part of the Act sets out measures to protect reporting persons. The Act firstly, by way of example, lists retaliations, including the threat of retaliation and attempted retaliation. Protection is afforded to a reporting person who had reasonable grounds to believe the information about the breach was true at the time of reporting and made a report (or publicly disclosed information about the breach) in accordance with the law, and no later than within two years of the breach.
The Act explicitly prohibits the disclosure of the identity of the reporting person. Furthermore, the reporting person will be able to seek judicial protection against retaliation. Court proceedings conducted on the foot of such report will be considered an urgent matter under Article 83 of the Courts Act, meaning that procedural deadlines will run even during the court vacation. ZZPri has also mitigated the conditions for issuing an interim measure. In addition, the ZZPri introduces a rebuttable presumption that the damage suffered by the reporting person is the result of retaliation, making it easier for the reporting person to prove causation. The reporting person will be exempt from paying court fees and entitled to free legal aid, regardless of financial standing. Furthermore, a reporting person whose employment has been terminated by the employer and seeks judicial protection under the ZZPri will be entitled to unemployment benefits. To avoid the frequent accusation in practice that reporting persons have unjustifiably disclosed a trade secret through a report or public disclosure, the Act also provides an exemption of the reporting person’s liability regarding the disclosure. In addition, the KPK may, at the reporting person’s initiative, also suggest treatment in a psychiatric outpatient clinic if the reporting person also needs psychological support due to the retaliation.
Finally, please note that the Act sets 17 December 2023 as the deadline for establishing the reporting channel for private sector obligated entities employing less than 250 employees. However, obligated entities with more than 250 employees were required to fulfil this obligation by 22 May 2023.
Authors: Tina Mihalič, Senior Associate, Katja Triller Vrtovec, Attorney at Law