Purpose and scope
The WPA is aimed at ensuring the protection of persons who report or make public information on breaches of Bulgarian or EU law that they have become aware of by virtue of their employment or otherwise in connection with work (commonly referred to as "whistleblowers"). Eligible for protection under the act are:
- current or former employees;
- self-employed persons;
- volunteers, interns/trainees;
- shareholders, members of management or supervisory bodies;
- job candidates, etc.;
- as well as persons who have aided whistleblowers with reporting and other categories of related natural/legal persons.
While the WPA provides that proceedings are not initiated with respect to anonymous reports, persons who anonymously report or disclose information on breaches but are subsequently identified and subjected to retaliation may nevertheless be eligible for protection.
Protection under the act is offered to persons reporting or disclosing information on a wide range of breaches, including those related to AML/CFT, public procurement, financial services, transport safety, data and consumer protection, environmental protection and more, as well as breaches of Bulgarian employment law. The scope of the WPA also covers reports and disclosures on any infringements related to the internal market or affecting the financial interests of the EU. Several categories of reports are explicitly excluded, such as those disclosing confidential health information, etc. Importantly, proceedings under the act are also not initiated with respect to infringements older than two years.
Employer's internal reporting channels
Under the WPA, several categories of employers are obliged to create an internal reporting channel in accordance with the specifications of the act, including by designating an employee responsible for receiving, registering, reviewing and, if necessary, referring reports externally. This obligation applies to (from date):
- employers in the public sector (except for some categories of municipalities) (4 May 2023);
- employers in the private sector with more than 249 employees (4 May 2023);
- employers in the private sector with 50 to 249 employees (17 December 2023), and
- employers in the private sector, regardless of the number of employees, whose activities fall within the scope of certain EU legal acts, including in the field of banking, financial and payment services as well as in other areas of importance such as transport safety, offshore oil and gas operations safety, etc. (4 May 2023).
Under the act, internal reporting channels must be managed in a way that guarantees the completeness, integrity, and confidentiality of information, prevents unauthorised access, and makes it possible for the information to be stored on a durable medium for investigation purposes. To this end, internal procedures governing such reporting must be revised and, if needed, updated every three years. In addition, the act lays down specific requirements as regards the protection of whistleblowers' identities and the information received.
Employers in the private sector may also utilise an internal reporting channel that already exists within their corporate group if that channel is in full compliance with the requirements laid down in the WPA. The act also requires employers to provide clear and easily accessible information on the procedures and conditions for internal reporting, once established, on their internet page(s) and in a visible place at their office premises.
Further, qualifying employers are required to designate one or more employees responsible for receiving, registering, and reviewing reports. These employees may also carry out other functions for the employer (subject to conflict-of-interest rules), including that of a Data Protection Officer (DPO). Private sector employers may also choose to outsource the functions of receiving and registering the reports to legal/natural persons outside their organisation. In addition, private sector employers with 50 to 249 employees may essentially share a reporting channel by designating a common responsible person or unit. This opportunity, however, does not extend to employers who are obliged to create an internal reporting channel because their activities fall within the scope of certain key EU legal acts.
Reports are submitted in writing (including via email) or orally (including via telephone or other similar audio medium) and registered in the form and with the minimum content prescribed, upon which the designated person(s) must acknowledge receipt of the report, review the report, provide a diligent follow-up, and organise further action. The act also establishes the obligation for qualifying employers to create and maintain a register of submitted reports in accordance with the specifications laid down and to regularly submit the necessary statistical data to the competent external reporting body (see below).
The WPA authorises the existing Bulgarian Personal Data Protection Commission ("PDPC") to be the competent central external reporting authority under the WPA (the PDPC is also the reporting authority under the Bulgarian Personal Data Protection Act). As such, the PDPC is empowered, among other things, to conduct the overall organisation and coordination of external reporting, to receive reports and to refer them to other authorities competent to review them based on the infringement(s) concerned. The PDPC is also empowered to issue guidance to qualifying employers, to conduct trainings for designated persons, and to establish specific rules for the registration, keeping and referral of internal reports to the external reporting authority, where needed.
The act prohibits any form of retaliation (including threats and attempted retaliation) against whistleblowers that puts them at a disadvantage or is repressive in nature. This includes termination or temporary suspension from work, demotion or delay in promotion, any direct or indirect discrimination, the imposition of disciplinary sanctions, etc. (this list is not exhaustive). As protection under the act is offered to a wide range of whistleblowers, including those that perform work for the qualifying employer but are nevertheless not employees, prohibited measures may also include, for example, early termination or cancellation of a supply contract. In cases of breaches of the above prohibition, the whistleblower is also entitled to compensation for pecuniary and non-pecuniary damages suffered as a result of the breach.
Finally, subject to conditions, reporting persons are immune from liability for their acquisition of or access to the information, as well as breaches of confidentiality obligations or commitments regarding the disclosure of trade secrets with respect to the information. However, the persons affected by the report or disclosure (i.e. the natural/legal persons or other associated parties to which the infringement is attributed) are entitled to compensation for pecuniary and non-pecuniary damages if the whistleblower knowingly reports or makes public false information, or was under a duty to assume that the information was false under the circumstances.
1Act on the Protection of Persons who Report or Make Public Information on Breaches, promulgated in State Gazette Issue 11 of 2 February 2023.
2Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.