1.[F1The competent authority must establish] effective mechanisms to encourage reporting of potential or actual infringements of this Regulation to competent authorities.

2.The mechanisms referred to in paragraph 1 shall include at least:

(a)specific procedures for the receipt and investigation of reports on potential or actual infringements and their follow-up, including the establishment of secure communication channels for such reports;

(b)appropriate protection for employees of institutions who report potential or actual infringements committed within the institution against retaliation, discrimination or other types of unfair treatment at a minimum;

(c)protection of personal data concerning both the person who reports the potential or actual infringements and the natural person who is allegedly responsible for an infringement in compliance with the principles laid down in [F2data protection legislation];

(d)protection of the identity of both the person who reports the infringements and the natural person who is allegedly responsible for an infringement, at all stages of the procedures unless such disclosure is required by national law in the context of further investigation or subsequent administrative or judicial proceedings.

3.[F3The competent authority] shall require institutions to have in place appropriate procedures for their employees to report actual or potential infringements internally through a specific, independent and autonomous channel.

Such a channel may also be provided through arrangements provided for by social partners. The same protection as is referred to in points (b), (c) and (d) of paragraph 2 shall apply.