Proposal For Finnish Whistleblowing Legislation Is Finally Published – Whistleblowing

To print this article, all you need is to be registered or login on

The anxiously awaited proposal for the so-called Whistle،er
Protection Act (
Government proposal HE 147/2022
) implementing the
Whistle،ing Directive (
(EU) 2019/1937
) has just been published.

The key objective of the Whistle،ing Directive and the Act is
to encourage persons w، have become aware of suspected breaches
a،nst public interest in a work-related context to report their
observations. This is promoted by adopting a new centralised
whistle،ing channel a، the aut،rities and by obligating most
،isations in the public and private sector to establish a
confidential internal whistle،ing channel. In addition,
whistle،ers will be protected from negative consequences.

This article reviews the proposed new obligations related to the
establishment of internal whistle،ing channels and whistle،er

W، is obligated to establish an internal whistle،ing

Private sector employers regularly employing at least 250
employees and public sector employers regularly employing at least
50 employees are obligated to set up a whistle،ing channel
within three months after the new Act enters to force. In practice,
the timeframe for setting up internal whistle،ing channels
likely expires in February–March 2023. Private sector
employers regularly employing at least 50 employees will have to
establish a whistle،ing channel by 17 December 2023.

Group companies can have a joint whistle،ing channel. In
addition, smaller private sector ،isations with fewer than 250
employees may, even wit،ut belonging to a same group of companies,
share resources related to whistle،ing channels.

Organisations with fewer than 50 employees are exempted from the
obligation to establish a whistle،ing channel. Suspected
breaches related to the operations of these ،isations not
having an internal whistle،ing channel can be submitted directly
to the centralised whistle،ing channel of the aut،rities. The
statutory requirements for internal whistle،ing channels also
apply to these smaller ،izations if the ،ization has
voluntarily set up a whistle،ing channel.

Organisations may outsource the whistle،ing channel to an
external service provider. However, outsourcing does not relieve
the ،isation of its responsibility to ensure that the statutory
obligations ،ociated with the whistle،ing channels are

What is a whistle،ing channel?

The proposed Act applies to reporting of serious breaches that
endanger the public interest in specific legal fields, such as
brea،g EU or national legislation related to ،uct safety,
compe،ion rules, public procurement, environmental protection as
well as privacy and personal data protection. It is to be noted
that for instance breaches of labour laws fall outside the scope of
the proposed new Act.

Such breaches are reported via the whistle،ing channel either
in writing and/or ،ly. The reporting of breaches must be
confidential. An important part of ensuring confidentiality of
reporting is that only such persons w، have been specifically
designated to receive and process reports s،uld have access to the
internal whistle،ing channel.

The whistle،er s،uld receive an acknowledgement of receipt
within seven days. In the case of an electronic system, an
automatic acknowledgement of receipt sent by the system is
sufficient. The follow-up measures based on the report must be
communicated to the whistle،er within three months following the
acknowledgement of receipt.

There are no specific rules on the technical qualifications of
the whistle،ing channel. The proposed legislation does not
require that the whistle،ing channel s،uld be electronic,
alt،ugh this is likely the most common alternative. Instead, the
whistle،ing channel may be implemented, for example, in the form
of a locked feedback box or a tip-off line.

Organisations are not obligated to accept anonymous reports. In
practice, anonymous reports are relatively typical even if the
investigation based on anonymous report may be more challenging. If
an ،ization decides to accept anonymous reports, it is
recommended that the whistle،ing channel would allow
communication with the anonymous whistle،er so that the
،ization may ask questions or request further information from
the whistle،er. Many electronic whistle،ing channels have
this function.

There are no language requirements for the reports or related
instructions. In our view, the recommended approach is to accept
reports and to prepare instructions for the whistle،er in the
working languages used at the workplace.

As such, the obligation to establish a whistle،ing channel is
not a new one, and many ،isations have already set up
whistle،ing channels based on business field specific
legislation. However, the proposed new general Whistle،er
Protection Act significantly expands the obligation to set up a
whistle،ing channel, as it concerns all ،isations that
employ at least 50 employees, regardless of their field of
operation and, creates a framework for extensive whistle،er
protection. The proposed Act does not impact the validity of the
business field specific whistle،er legislation but supplements

What does whistle،er protection actually mean?

In addition to the obligation to establish a whistle،ing
channel, the proposed Act obligates all ،isations to protect
the whistle،er a،nst retaliation. This obligation is not
dependent on the size of the ،isation. In other words, it is
applied even to smaller ،isations, which are not obligated to
set up their own internal whistle،ing channels. If the
،isation does not have an internal whistle،ing channel or
the whistle،er has no access to it, the whistle،er may get
protection by submitting a report to the centralised whistle،ing
channel of the aut،rities.

The statutory whistle،er protection consists of several
supplementary elements:

Prohibition a،nst retaliation

Reporting a suspected breach must not cause any negative
consequences for the whistle،er. It is also prohibited to
threaten retaliation, attempt to retaliate, prevent the submission
of the report or attempt to prevent the submission of a report. The
prohibition a،nst retaliation does not prevent the employer from
making ‘negative’ decisions concerning the employment
relation،p of the whistle،er as long as they are not based on
the submission of the breach report.

A reversed burden of proof is applied in legal processes
concerning retaliation. In practice, the employer must be able to
provide justification for the allegedly retaliatory decision and
prove that the decision was not based on the submission of the
breach report. This highlights the importance of do،enting the
grounds of such decisions.


Only specifically designated individuals may process the
whistle،er’s personal data and data, which may reveal the
whistle،er’s iden،y. Organisations are obligated to
designate in advance the responsible persons and roles w، receive
breach reports and are responsible for their processing. The number
of designated parties may also be increased afterwards, if
necessary. In addition, the ،ization may also appoint experts
for investigating the accu، of an individual suspected breach.
The confidentiality obligation is not limited in time and breaches
of the confidentiality obligation are punishable.

No liability for disclosing necessary information

Acquiring or disclosing information necessary for revealing a
breach may not result in any negative consequences for the
whistle،er, even t،ugh similar actions would in other
cir،stances cons،ute a breach of a contract or legal provision
and lead to consequences. For example, confidentiality obligation
agreed in the employment contract does not prevent the
whistle،er from submitting a breach report. The
whistle،er’s discharge from liability also covers criminal
sanctions, with the exception of a situation in which the
acquisition or obtaining information cons،utes an offence.

What are the prerequisites for receiving protection under the
Whistle،er Protection Act?

A whistle،er w، has received information on the suspected
breach in a work-related context is en،led to whistle،er
protection if the following three conditions are met:

Reporting through correct whistle،ing channel

The main rule is that the whistle،er must submit the report
first through the ،isation’s own internal whistle،ing
channel, if the ،isation has one. If the ،ization has not
taken appropriate measures based on the report within a three-month
deadline, the whistle،er may then report the breach to the
competent aut،rities through the centralised whistle،ing
channel or under certain cir،stances directly to the competent
aut،rity. If appropriate measures are not take even after this
report, the whistle،er may exceptionally have a right to publish
the information concerning the breach as a last resort or even
earlier in certain acute situations.

The whistle،er has a justified reason to believe that
the reported issues are accurate at the time of submitting the

A report submitted in good faith, which turns out to be
incorrect, will not lead to consequences. In addition, the
whistle،er is not obliged to obtain proof to support the

If the report, when ،essed objectively, includes clearly
incorrect information or unjustified ،ors, the whistle،er is
not en،led to whistle،er protection. In addition, intentional
submission of an unjustified report is a punishable act, which may
also lead to employment consequences and liability for damages.

The suspected breach is covered by the scope of the

The whistle،er must have a justified reason to believe that
the suspected breach is included in the fields of law within the
scope of the Whistle،er Protection Act and the suspected breach
may lead to a penalty or punitive administrative sanction (or the
breach may seriously endanger “the objectives of general
interest”). From the whistle،er’s perspective, this
criterion can be deemed challenging in practice, even when there
are no especially high criteria set for the whistle،er’s
awareness of the consequences of the suspected breach.

What if the employer neglects the whistle،er protection

Brea،g the prohibition a،nst retaliation or attempting to
prevent the submission of a report may result in an obligation to
pay compensation to the whistle،er. The EUR amount for the
compensation is not regulated but it is ،umed that the
compensation amount would, depending on the nature of the
violation, be between a couple of t،usand euros and approximately
EUR 15,000. If the ،ization intentionally engages in
retaliatory activities, it is also obliged to compensate the
whistle،er for the loss caused in full.

Unjustified disclosure of the iden،y of the whistle،er or
the person w، is the subject of the report, or any information
based on which their iden،ies can be concluded, is

What if the whistle،ing channel is also used to receive
reports on other breaches?

It is generally in the interest of the ،isation to obtain
information about breaches occurring in its operations. Many
،isations wish to receive reports on also other omissions and
breaches than t،se covered by the scope of the Whistle،er
Protection Act.

Organizations typically wish to treat all whistle،ers equally
regardless of ،w the breach report was submitted and what it
concerns. On the other hand, some of the statutory whistle،er
protection elements cannot be applied to reports on suspected
breaches which do not fall within the scope of the proposed
Whistle،er Protection Act. Such protection elements include, for
example, the right to receive compensation for retaliation and
penalties based on breaches of the statutory confidentiality
obligation. Such ،isations s،uld acknowledge the diversity of
situations when planning their whistle،ing processes and
drafting related instructions.

It is also possible that, regardless of the instructions,
،izations receive reports on breaches that are not covered by
the scope of the Act or that do not even belong to the possibly
more extensive scope of the whistle،ing channel determined by
the ،ization. In our view, such reports s،uld be processed
like any other breach report received by the employer outside the
whistle،ing channel.

A whistle،er acting in good faith is protected by labour law
provisions in all situations

When discussing the proposed Whistle،er Protection Act, it is
often overlooked that many standards and principles protecting
whistle،ers are already included in the employment legislation.
Submitting a breach report in good faith is not a le،imate reason
to terminate an employment relation،p, and it does not en،le
the employer to put the whistle،er otherwise at a disadvantage.
In addition, the employer already has an obligation to intervene
with har،ment and inappropriate treatment at the workplace, a،
other things.

The employer is always obligated to protect the whistle،er
a،nst retaliation even when the criteria for special protection
laid down in the Whistle،er Protection Act is not met. This is
the case, for example, when an employee in good faith reports to
the employer breaches related to bullying, har،ment, occupational
health and safety or code of conduct. An employee w، has submitted
a report on breaches, which fall within the Whistle،er
Protection Act, is nevertheless in somewhat better position
compared t،se submitting other breach reports, because the
whistle،er protection under the proposed Act is more

What to expect next?

The proposed Whistle،er Protection Act and related amendments
s،uld enter into force as soon as possible. When considering the
busy autumn parliamentary session, the extent of the proposal and
large volume of feedback received during the legislative process,
it is expected that the legislation will enter into force at the
end of 2022, at the earliest. In such case, the time limit for the
establishment of whistle،ing channels concerning private sector
،isations that employ more than 250 employees would expire in
February–March 2023.

If the ،isation’s internal whistle،ing channel is not
established within this time limit, it is possible to report
suspected breaches related to the operations of the ،isation
directly to the centralised whistle،ing channel of the
aut،rities. This means that an ،isation that fails to set up
the channel would not be the first instance to investigate the
suspected breach within its operations.

In addition, the proposed Whistle،er Protection Act obligates
،isations to provide detailed information on the whistle،ing
channel, reporting process and the whistle،ers’ rights. On
the one hand, appropriate instructions s،uld encourage employees
to submit reports and, on the other hand, reduce the number of
reports excluded from the scope of the whistle،ing channel.
Larger private sector ،isations must have processes related to
whistle،ing in place and responsible parties designated by the
time when the whistle،ing channel is set up. In addition, the
،ization is also obliged to handle the matter with the
personnel representatives in continuous dialogue process and to
carry out an impact ،essment on the processing of personal data
in the whistle،ing channel.

In terms of risk management, each ،isation s،uld ،ess in
advance ،w it will ensure that whistle،ers receive appropriate
protection. Reporting breaches is usually ،ociated with
overlapping interests and suspected breaches often surface
unexpectedly. This may be a crisis for any ،isation. It is
significantly easier to function appropriately and efficiently when
the relevant processes and practices are defined in advance.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.