1. Is there a law on whistleblowing in your country?

Yes. The law of 16 May 2023 (the “Law”) implements Directive (EU) 2019/1937 of the Parliament and of the Council of 23 October 2019 into Luxembourg law.

In addition, specific sectoral laws, such as the law on the financial sector, the law on the insurance sector and the law on the fight against money laundering and terrorist financing, provide for whistleblowing procedures.

2. Does local law require private entities to establish a whistleblowing system? (If so, which private entities?)

Yes. Private entities with 50 workers or more for a period of 12 consecutive months are required to establish an internal whistleblowing system.

Relevant competent authorities may impose administrative fines on legal persons that do not establish channels and procedures for internal reporting and follow-up. The fine ranges from EUR 1,500 to EUR 250,000. The maximum fine may be doubled in the event of a repeated offence within five years of the last sanction becoming final.

4. Are there any mandatory requirements for establishing a reporting channel under local labour law?

Yes. Legal entities in the private sector with more than 50 employees during a period of 12 consecutive months must set up internal reporting channels that ensure the confidentiality of the identity of the whistleblower. The law also specifies that internal reporting procedures must comply with the following obligations:

  • In the event of a report, obligation to acknowledge receipt within seven days;
  • Obligation to designate a person or an impartial service competent to follow up on reports;
  • Obligation of diligent follow-up by the designated person or service;
  • Maximum of three months to respond to the person making the alert;
  • Obligation to provide clear and easily accessible information on the reporting procedure;
  • Written and/or oral reporting in one of the three administrative languages (i.e. French, German, Luxembourgish) or in any other language allowed by the legal entity, by telephone, voice mail or face-to-face meeting.

5. Does local law require employee involvement when establishing a whistleblowing system?

Yes. The staff delegation is necessarily involved in the implementation of an internal reporting procedure.

Such a procedure should be considered as part of a company's internal regulations under Luxembourg labour law.

In this respect, employers must involve the staff delegation. This involvement will depend on the number of employees:

  • In companies with fewer than 150 employees: the staff delegation is consulted on the elaboration or modification of the procedure. It also has the right to propose modifications.
  • In companies with more than 150 employees: the decision to establish or modify this procedure is a joint decision between the staff delegation and the employer.

6. Does local law prohibit employees from disclosing irregularities/misconduct externally, e.g. to the public?

No. However, public disclosure is strictly regulated. A person who makes a public disclosure is entitled to protection under the Law if either of the following conditions is met:

  1. The person has first made an internal and external report, or has made an external report directly, but no appropriate action has been taken in response to the report within the time provided by the Law.
  2. The person has reasonable grounds to believe that: (a) the breach may represent an imminent or obvious danger to the public interest, such as where there is an emergency situation or a risk of irreversible harm; or (b) in the case of an external report, there is a risk of retaliation or there is little likelihood that the breach will actually be remedied due to the particular circumstances of the case, such as where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

Yes. All forms of retaliation for reporting under the conditions of the Law, including threats and attempts at retaliation, are prohibited. In particular, the following are prohibited:

  • suspension, dismissal, non-renewal or early termination of a fixed-term employment contract or equivalent measures;
  • demotion or refusal of promotion;
  • transfer of duties, change of workplace, reduction of salary, change of working hours;
  • suspension of training;
  • disciplinary measures imposed or administered, reprimand or other sanction, including a financial penalty.

8. Are there any mandatory requirements and/or accompanying measures under local data protection law?

The Law recalls that any processing of personal data under the Law, including the exchange or transmission of personal data by the competent authorities, should be carried out in accordance with Regulation (EU) 2016/679 (GDPR) and the Law of 1 August 2018 on the protection of individuals regarding the processing of personal data in criminal matters and in matters of national security.

The Law also stresses that data not relevant for the specific processing of a report should not be processed and if processed accidentally should be deleted without delay.

If an entity has set up a recorded or unrecorded telephone line or other voice recording systems with the consent of the reporter, it should allow the reporter to check, rectify and approve the transcript of the call by signing it.

Finally, in order to ensure the compliance of the reporting channel with the GDPR, it is strongly advised to carry out a personal data protection impact assessment (DPIA) on such reporting channels.

9. Does local law prohibit a group of entities from different jurisdictions from setting up a joint whistleblowing system?

No. Nothing in the Law prevents a group of independent entities from setting up a joint whistleblowing system provided that each independent entity has between 50 and 249 employees. This is without prejudice to the obligations of such entities to maintain confidentiality, provide feedback and remedy the reported violation and comply with the GDPR.

However, this does not affect the possibility for an entity and its subsidiaries to have a single reporting channel.