Bulgarian National Assembly accept a new Whistleblower Protection Act (“The Act”), which was promulgate in the “State Gazette” No 11 dated 02.02.2023 and will enter into force as of 04.05.2023 for all obliged entities except the provisions applicable for employers in the private sector, who have between 50 and 249 workers or employees, to whom the requirements for creating of internal reporting channel for submitting reports will apply as of 17.12.2023. The Act introduce the requirements of the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
The Whistleblower Protection Act has the purpose to protect persons in the private and public sector, who report or publicly disclose information about breaches of Bulgarian legislation or acts of the European Union, which became known to them during the performance of their work.
The obliged entities pursuant to the Act are:
- employers in the public sector except the Municipalities with population less than 10,000 people or less than 50 workers or employees;
- employers in the private sector with 50 or more workers or employees;
- employers in the private sector, regardless of the number of workers or employees, if their activity falls within the scope of the activities detailed in the Act (such as activity in financial or insurance sector);
Setting up of an internal reporting channel
The obliged entities in the private sector with a total number of 50 to 249 workers or employees may use a common channel for internal reporting by appointing one person or a separate unit for handling of reports.
This exception shall not be applied for the employers in private sector, who perform activity within the scope of the Acts of the European Union, pursuant to the Whistleblower Protection Act.
The obliged entities in the private sector could use an internal reporting channel, created by the economy group, to which they belong, if the channel meets the requirements of the Act. Also the obliged entities in the private sector may assign the functions of receiving and registering reports for breaches to another natural or legal person outside their structure.
Requirements for the employers
The employers, who are obliged entities pursuant to the Act, shall:
- Set up an internal reporting channel for breaches, which meets the requirements of the Act;
- Provide clear and easily accessible information about the conditions and procedures for reporting of breaches;
- Designate one or more officials, responsible for handling of reports (that could be the Data protection officer and in case of lack of such officer – another employee);
- Adopt internal whistleblowing rules, analyze the practice of applying this Act and update the rules at least once every three years;
- Create and maintain a register of reports of breaches;
- Submit the necessary statistical information to the national body for external reporting of reports in accordance with the procedure established by it;
- Fulfill other obligations provided for in the Act.
Persons granted protection
Pursuant to the Act, protection is granted to a reporting person, who is a natural person who files a report or publicly discloses information about a breach, that has become known to him in work-related context, including in his capacity as worker, employee, civil servant, a self-employed person, volunteer, intern, job candidate, shareholder, member of management or supervisory body of an undertaking, person, who works for a natural or legal person, its subcontractors or suppliers, etc.
Persons who help the reporting person in the process of filing a report, persons who are related to reporting person and legal entities, in which the reporting person has a shareholding, for which he works or with which he is otherwise connected in a work-related context, are also protected.
Measures to ensure protection
Any form of retaliatory actions against the reporting persons or the other protected persons, as repression, putting in a disadvantageous position, threats or attempts of such actions, is prohibited by the Act. The forms of retaliatory actions could be dismissal, demotion, negative assessment of work, imposition of disciplinary penalties, discrimination, premature termination of a contract, damages, including to the person’s reputation, in particular in social networks, or financial losses, including loss of business and loss of income, etc. In case of breach of prohibition for retaliatory actions, the reporting person has the right to compensation for the property and non-property damages suffered.
Damages, caused to the reporting person in connection with the report submitted by him or the publicly disclosed information are considered to be caused intentionally.
External reporting of breaches
The central authority for external reporting of breaches and for the protection of the persons, to whom such protection is provided within the Act, is the Commission for Protection of Personal Data (“the Commission”).
In the powers of Commission enter: organizing the adoption of the reports, giving methodological instructions to the obliged entities, adopting an ordinance for keeping the report’s register of the breaches,
approves forms for receiving reports, include applying the administrative measures provided for in the Act.
The Act provides different amounts of sanctions, depending on the type of breaches, which range from BGN 400 to BGN 20,000. For repeated breaches, the amount of the sanctions is BGN 5,000 to BGN 30,000.
When it is established that the person has intentionally filed a report, containing false information or made public false information, he shall be punished with a fine of BGN 3,000 to BGN 7,000.
For questions and the further need for assistance regarding the interpretation and application of the new Whistleblower Protection Act, the team of TPA Bulgaria is at disposal.
This Newsletter is a service of TPA
TPA Bulgaria EOOD
Str. Rakovski G.S. 128
Tel.: +359 (2) 981 66 46
Fax: +359 (2) 981 66 46
If you want regular information please sign up for our newsletter.