February 7, 2023

Whistleblowers Protection Act adopted

Whistleblowers Protection Act (full name: Protection of Persons Who Report Breaches or Publicly Disclose Information on Breaches Act) (the Act) was adopted at second reading on the Parliament’s last working day and promulgated in the State Gazette.

Below are the most important points you need to know:

The Act’s scope is broad, and concerns reports of breaches of the Bulgarian or European law across a broad spectrum, such as: public procurement; employment law; product safety and compliance; public health; consumer protection; food safety; financial services, products and markets and the prevention of money laundering and terrorist financing; privacy and personal data protection; transport security; environmental protection and many others.

In brief, the Act provides for:

  • the protection of persons who become aware of breaches in a work-related context (i.e. information that has come to their attention in the course of or in connection with the performance of their work or employment duties or in another work-related context) and who wish to report for such wrongdoing/breaches with as little risk as possible to them. Such persons might be current and former employees or workers, trainees, volunteers, partners, shareholders, equity holders, board members, freelancers, jobseekers, etc.
  • reports can be submitted externally to a central authority – in Bulgaria such authority is the Commission for Personal Data Protection;
  • obligation to establish an internal channel for submitting reports for:
  1. employers in the public sector (except for some municipalities);
  2. employers in the private sector with 50 or more employees;
  3. employers whose scope of activity is covered by certain EU acts;
  • an obligation to establish internal rules for the purposes of implementing the Act;
  • an obligation to designate one or more employees to be responsible for handling/reviewing reports. Subject to the requirements of the Act, it is permissible:
  1. to delegate the functions to a third party outside the employer’s structure, and
  2. to use internal reporting channels established by the economic group the employer belongs to;
  • an obligation to provide accessible information on the terms and conditions for reporting (including on the websites of the obliged entities, as well as in prominent places within the offices and work premises);
  • measures to protect persons who submit reports, such as: prohibiting specific retaliation against them, supporting measures and limiting the liability of reporting persons for acquiring information and for disclosing it, including where such disclosure is restricted by contract, regulation or administrative act;

The Act comes into effect on May 3, 2023. Employers in the private sector with 50 to 249 employees have to comply with the obligation to provide an internal reporting channel until December 17, 2023.

In order to ensure the processing of internal reports, employers are obliged to take a number of actions such as designating persons who will handle/review them, keeping a register of the reports, defining the terms and conditions for submitting reports and publishing them on the internet and in prominent places in their offices, etc.

In addition, the Personal Data Protection Act  (PDPA) requires employers to adopt specific policies and procedures when using a reporting/whistleblowing system which contains information on the scope, obligations and methods of its implementation in practice. The application of the new Act could lead to the use of such a system, as well as to the need not only to update certain already existing documents relating to personal data protection (notices, registers under Article 30 GDPR, etc.) but also to develop and adopt such specific rules within the PDPA.

Last but not least, depending on how the rules and procedures under the Act are implemented, certain employment law requirements may also need to be complied with (e.g. ensuring that workers/employees are involved in the process of adopting the relevant acts).

Desislava Krusteva

With technology and data in her heart, Desislava has 16 years of unmatched experience exclusively practicing in the legal areas of information technologies, privacy, and data protection.

Related insights

Innovative solutions and customer care.
Get in touch