On May 4, 2023, the Bulgarian Whistleblower Protection Act (the Act), which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of whistleblowers for violations of Union law (the Whistleblowing Directive) will enter into force.
In addition to the public sector, the Act will also apply to the private sector, where the demarcation line is the number of employees – for companies with more than 50 employees, the Act enters into force on December 17, 2023. However, regardless of the number of employees, companies that carry out certain specific activities determined by the Act also fall under its scope. These are, for example, activities from the financial and insurance sectors, other enterprises of public interest, persons obligated under the anti-money laundering laws, and others.
To date, most of the comments on the Act point to the need for whistleblower protection, which in many member states has been non-existent or severely limited. The slow process of transposing the Whistleblowing Directive was also criticized.
However, it is of interest how such legislation will be adopted in countries like Bulgaria (from the former Eastern Bloc) and what kind of understanding it will meet in business circles.
First, it is striking that the Bulgarian legislator has given up the possibility of anonymous reporting. This was an expected solution. The submission of anonymous reports has long been frowned upon in our country, as it is considered that their credibility cannot be proven, and the person who filed an anonymous report is not responsible in any way whatsoever. However, this local decision is in sharp contrast to the legislation of other member states, which consider that if the possibility of anonymous reporting is not given, the persons who might face discomfort in commenting on a violation are discouraged due to the presence of subordination relations in their employment. It is expected that the scope of the Act would be limited in practice also because, in countries with fresh memories of the communist regime, this type of regulation is instinctively associated with the duty to report rather than the right to protection.
Next, the Act contains clauses that are contradictory to the rest of the Bulgarian legislation. For example, reporting to the responsible person in the company is accompanied by a warning of liability for solicitation – a crime, the composition of which takes place only when the solicitation is carried out before an official state authority.
The entire organization of the whistle-blowing process also deserves criticism – especially the internal whistle-blowing channels that should be created for each company. The data protection officer (DPO), or other persons performing a personal data protection position with the company, may be additionally charged with the duties of collecting and analyzing the evidence on alerts. Thus, the job description of a DPO, which is already most often performed by persons with other employment duties, now increases with more – and significant – obligations. In reality, if an employee carries out all these duties, they will hardly have the opportunity to professionally perform their main duties in terms of competence.
On top of it all, the Commission for Personal Data Protection (the regulator for personal data issues in Bulgaria) will also be the central authority for filing reports under the Act. Although the Act will enter into force soon enough, clarifications and guidelines are still awaited from this body on how and in what form reports should be submitted to it, in order to ensure the existence of an external whistleblowing channel. So, as companies struggle to reach compliance with the new legislation, they are hampered by a lack of clear instructions on how to achieve it.
It must be recognized that the new whistleblower protection rules may theoretically be of benefit to the adherence to the rules for carrying out basic economic activities, but on the other hand, they are another serious burden on businesses that are already struggling to prove themselves in compliance with all regulatory requirements. It also remains to be seen how well the use of this Act for “retaliatory” purposes will be avoided, although the law itself prohibits such actions on paper.
By Irena Georgieva, Managing Partner, PPG Lawyers