Please note that the date you requested in the address for this web page is not an actual date upon which a change occurred to this item of legislation. You are being shown the legislation from , which is the first date before then upon which a change was made.
Without prejudice to point (b) of Article 15(1), reporting persons shall report information on breaches using the channels and procedures referred to in Articles 11 and 12, after having first reported through internal reporting channels, or by directly reporting through external reporting channels.
1.Member States shall designate the authorities competent to receive, give feedback and follow up on reports, and shall provide them with adequate resources.
2.Member States shall ensure that the competent authorities:
(a)establish independent and autonomous external reporting channels, for receiving and handling information on breaches;
(b)promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of the report would jeopardise the protection of the reporting person's identity;
(c)diligently follow up on the reports;
(d)provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;
(e)communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;
(f)transmit in due time the information contained in the report to competent institutions, bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.
3.Member States may provide that competent authorities, after having duly assessed the matter, can decide that a reported breach is clearly minor and does not require further follow-up pursuant to this Directive, other than closure of the procedure. This shall not affect other obligations or other applicable procedures to address the reported breach, or the protection granted by this Directive in relation to internal or external reporting. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.
4.Member States may provide that competent authorities can decide to close procedures regarding repetitive reports which do not contain any meaningful new information on breaches compared to a past report in respect of which the relevant procedures were concluded, unless new legal or factual circumstances justify a different follow-up. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.
5.Member States may provide that, in the event of high inflows of reports, competent authorities may deal with reports of serious breaches or breaches of essential provisions falling within the scope of this Directive as a matter of priority, without prejudice to the timeframe as set out in point (d) of paragraph 2.
6.Member States shall ensure that any authority which has received a report but does not have the competence to address the breach reported transmits it to the competent authority, within a reasonable time, in a secure manner, and that the reporting person is informed, without delay, of such a transmission.
1.External reporting channels shall be considered independent and autonomous, if they meet all of the following criteria:
(a)they are designed, established and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access thereto by non-authorised staff members of the competent authority;
(b)they enable the durable storage of information in accordance with Article 18 to allow further investigations to be carried out.
2.The external reporting channels shall enable reporting in writing and orally. Oral reporting shall be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.
3.Competent authorities shall ensure that, where a report is received through channels other than the reporting channels referred to in paragraphs 1 and 2 or by staff members other than those responsible for handling reports, the staff members who receive it are prohibited from disclosing any information that might identify the reporting person or the person concerned, and that they promptly forward the report without modification to the staff members responsible for handling reports.
4.Member States shall ensure that competent authorities designate staff members responsible for handling reports, and in particular for:
(a)providing any interested person with information on the procedures for reporting;
(b)receiving and following up on reports;
(c)maintaining contact with the reporting person for the purpose of providing feedback and requesting further information where necessary.
5.The staff members referred to in paragraph 4 shall receive specific training for the purposes of handling reports.
Member States shall ensure that competent authorities publish on their websites in a separate, easily identifiable and accessible section at least the following information:
the conditions for qualifying for protection under this Directive;
the contact details for the external reporting channels as provided for under Article 12, in particular the electronic and postal addresses, and the phone numbers for such channels, indicating whether the phone conversations are recorded;
the procedures applicable to the reporting of breaches, including the manner in which the competent authority may request the reporting person to clarify the information reported or to provide additional information, the timeframe for providing feedback and the type and content of such feedback;
the confidentiality regime applicable to reports, and in particular the information in relation to the processing of personal data in accordance with Article 17 of this Directive, Articles 5 and 13 of Regulation (EU) 2016/679, Article 13 of Directive (EU) 2016/680 and Article 15 of Regulation (EU) 2018/1725, as applicable;
the nature of the follow-up to be given to reports;
the remedies and procedures for protection against retaliation and the availability of confidential advice for persons contemplating reporting;
a statement clearly explaining the conditions under which persons reporting to the competent authority are protected from incurring liability for a breach of confidentiality pursuant to Article 21(2); and
contact details of the information centre or of the single independent administrative authority as provided for in Article 20(3) where applicable.
Member States shall ensure that competent authorities review their procedures for receiving reports, and their follow-up, regularly, and at least once every three years. In reviewing such procedures, competent authorities shall take account of their experience as well as that of other competent authorities and adapt their procedures accordingly.