On February 4th, 2022, Cyprus adopted and integrated the EU Whistleblowing Directive into its national legislation. The directive mandates that all organisations operating within Cyprus, regardless of their size or sector, and engaging in activities that fall under the ambit of EU law, establish internal reporting mechanisms for whistleblowers to report potential violations of EU law.

The law also establishes a framework for cooperation between the relevant authorities in Cyprus and other EU Member States to ensure effective protection for whistleblowers across the EU. This includes the exchange of best practices, the provision of mutual assistance, and the coordination of investigations where necessary.

The EU Whistleblowing Directive establishes minimum standards for the protection of whistleblowers across all EU Member States. Its purpose is to encourage individuals to report breaches of EU law and to protect them from retaliation for doing so. The directive requires that all EU Member States provide internal reporting channels for whistleblowers, which can either be through a designated person within the organisation, or an independent third party, such as a legal or regulatory body.

The directive also establishes that whistleblowers must be protected from retaliation, including dismissal, demotion, harassment, and other forms of discrimination. In addition, the directive requires that Member States take measures to protect the identity of whistleblowers, both during and after the reporting process, to the extent that this is necessary to safeguard the whistleblower’s rights and interests.

The EU Whistleblowing Directive applies to all organisations, regardless of size or sector, that are established in an EU Member State and that carry out activities that fall within the scope of EU law. This includes public and private sector organisations, as well as non-profit organisations.

Breaches of EU law that are covered by the Directive

The EU Whistleblowing Directive covers a wide range of breaches of EU law that are deemed to be in the public interest, including:

  1. Fraud: This covers any illegal activity that involves deceiving others for personal gain, such as embezzlement, money laundering, and tax evasion.
  2. Corruption: This covers any illegal activity that involves abuse of power or position for personal gain, such as bribery, influence peddling, and nepotism.
  3. Environmental protection: This covers any breach of EU law related to the protection of the environment, such as illegal dumping of waste, pollution, and deforestation.
  4. Public health: This covers any breach of EU law related to the protection of public health, such as non-compliance with food safety regulations and failure to comply with pharmaceutical regulations.
  5. Privacy and personal data protection: This covers any breach of EU law related to the protection of personal data, such as unauthorised access to sensitive information or illegal data transfers.
  6. Financial interests of the EU: This covers any breach of EU law related to the financial interests of the EU, such as fraud or mismanagement in the use of EU funds.
  7. Workers’ rights: This covers any breach of EU law related to the protection of workers’ rights, such as discrimination, exploitation, or forced labor.

Penalties for Non-Compliance

The EU Whistleblowing Directive establishes penalties for organisations that fail to comply with the directive’s provisions, including provisions on the protection of whistleblowers.

In general, organisations that fail to comply with the directive’s provisions could face fines, legal action, or other forms of enforcement, depending on the nature and severity of the non-compliance. For example, organisations that engage in retaliation against whistleblowers, such as dismissal, demotion, harassment, or discrimination, could be subject to legal proceedings and penalties.

In addition to penalties for organisations, individuals who engage in retaliation against whistleblowers could also face legal consequences, such as fines or imprisonment, depending on the circumstances.

In Cyprus, the penalties in case of retaliation, can be up to 3 years imprisonment and a €30,000 fine. The Law also imposes criminal liability on legal entities for offences committed by any person acting on behalf of such entity.

Reporting Procedures

The EU Whistleblowing Directive requires all organisations established in an EU Member State and carrying out activities that fall within the scope of EU law to put in place internal reporting procedures for whistleblowers. The reporting procedures should be designed to ensure that whistleblowers can report suspected breaches of EU law in a confidential and secure manner.

The internal reporting procedures should include at least one of the following options for whistleblowers to report suspected breaches of EU law:

  1. Direct reporting to the employer: This option allows whistleblowers to report suspected breaches of EU law directly to their employer.
  2. Reporting through a dedicated contact point: This option requires organizations to appoint a dedicated contact point, such as an ombudsman or a hotline, to receive reports from whistleblowers.
  3. External reporting: This option allows whistleblowers to report suspected breaches of EU law to an external body, such as a regulatory authority or a watchdog organisation.

Organisations must ensure that the reporting procedures are easily accessible and widely known to all employees, and that they are regularly reviewed and updated as necessary. They must also ensure that the reporting procedures are accompanied by clear information on the protection that whistleblowers can expect against retaliation, and on the rights and responsibilities of whistleblowers.

In addition to internal reporting procedures, the EU Whistleblowing Directive also allows whistleblowers to report suspected breaches of EU law to competent authorities, such as the police or a regulatory body, or to other relevant stakeholders, such as the media, in circumstances where internal reporting is not possible or would not provide an effective remedy. In such cases, the whistleblower must be protected against retaliation and the protection of their identity must be ensured, to the extent necessary to safeguard their rights and interests.

Under Cyprus law, personal data must be kept confidential, and any personal data relating to a report must be erased 3 months or 1 year after the conclusion of any legal or disciplinary processes.