- about us
you are being redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH
On 4 May 2023 the Bulgarian Act on the protection of persons who report or make public information on breaches (Закон за защита на лицата, подаващи сигнали или публично оповестяващи информация за нарушения, "Whistleblower Protection Act" or "WPA")1 adopted earlier this year enters into force, giving effect to the provisions of Directive (EU) 2019/19372 and imposing a number of obligations on employers in both the public and private sector.
The WPA is aimed at ensuring the protection of persons who report or make public information on breaches of Bulgarian or EU law that they have become aware of by virtue of their employment or otherwise in connection with work (commonly referred to as "whistleblowers"). Eligible for protection under the act are:
While the WPA provides that proceedings are not initiated with respect to anonymous reports, persons who anonymously report or disclose information on breaches but are subsequently identified and subjected to retaliation may nevertheless be eligible for protection.
Protection under the act is offered to persons reporting or disclosing information on a wide range of breaches, including those related to AML/CFT, public procurement, financial services, transport safety, data and consumer protection, environmental protection and more, as well as breaches of Bulgarian employment law. The scope of the WPA also covers reports and disclosures on any infringements related to the internal market or affecting the financial interests of the EU. Several categories of reports are explicitly excluded, such as those disclosing confidential health information, etc. Importantly, proceedings under the act are also not initiated with respect to infringements older than two years.
Under the WPA, several categories of employers are obliged to create an internal reporting channel in accordance with the specifications of the act, including by designating an employee responsible for receiving, registering, reviewing and, if necessary, referring reports externally. This obligation applies to (from date):
Under the act, internal reporting channels must be managed in a way that guarantees the completeness, integrity, and confidentiality of information, prevents unauthorised access, and makes it possible for the information to be stored on a durable medium for investigation purposes. To this end, internal procedures governing such reporting must be revised and, if needed, updated every three years. In addition, the act lays down specific requirements as regards the protection of whistleblowers' identities and the information received.
Employers in the private sector may also utilise an internal reporting channel that already exists within their corporate group if that channel is in full compliance with the requirements laid down in the WPA. The act also requires employers to provide clear and easily accessible information on the procedures and conditions for internal reporting, once established, on their internet page(s) and in a visible place at their office premises.
Further, qualifying employers are required to designate one or more employees responsible for receiving, registering, and reviewing reports. These employees may also carry out other functions for the employer (subject to conflict-of-interest rules), including that of a Data Protection Officer (DPO). Private sector employers may also choose to outsource the functions of receiving and registering the reports to legal/natural persons outside their organisation. In addition, private sector employers with 50 to 249 employees may essentially share a reporting channel by designating a common responsible person or unit. This opportunity, however, does not extend to employers who are obliged to create an internal reporting channel because their activities fall within the scope of certain key EU legal acts.
Reports are submitted in writing (including via email) or orally (including via telephone or other similar audio medium) and registered in the form and with the minimum content prescribed, upon which the designated person(s) must acknowledge receipt of the report, review the report, provide a diligent follow-up, and organise further action. The act also establishes the obligation for qualifying employers to create and maintain a register of submitted reports in accordance with the specifications laid down and to regularly submit the necessary statistical data to the competent external reporting body (see below).
The WPA authorises the existing Bulgarian Personal Data Protection Commission ("PDPC") to be the competent central external reporting authority under the WPA (the PDPC is also the reporting authority under the Bulgarian Personal Data Protection Act). As such, the PDPC is empowered, among other things, to conduct the overall organisation and coordination of external reporting, to receive reports and to refer them to other authorities competent to review them based on the infringement(s) concerned. The PDPC is also empowered to issue guidance to qualifying employers, to conduct trainings for designated persons, and to establish specific rules for the registration, keeping and referral of internal reports to the external reporting authority, where needed.
The act prohibits any form of retaliation (including threats and attempted retaliation) against whistleblowers that puts them at a disadvantage or is repressive in nature. This includes termination or temporary suspension from work, demotion or delay in promotion, any direct or indirect discrimination, the imposition of disciplinary sanctions, etc. (this list is not exhaustive). As protection under the act is offered to a wide range of whistleblowers, including those that perform work for the qualifying employer but are nevertheless not employees, prohibited measures may also include, for example, early termination or cancellation of a supply contract. In cases of breaches of the above prohibition, the whistleblower is also entitled to compensation for pecuniary and non-pecuniary damages suffered as a result of the breach.
Finally, subject to conditions, reporting persons are immune from liability for their acquisition of or access to the information, as well as breaches of confidentiality obligations or commitments regarding the disclosure of trade secrets with respect to the information. However, the persons affected by the report or disclosure (i.e. the natural/legal persons or other associated parties to which the infringement is attributed) are entitled to compensation for pecuniary and non-pecuniary damages if the whistleblower knowingly reports or makes public false information, or was under a duty to assume that the information was false under the circumstances.
1Act on the Protection of Persons who Report or Make Public Information on Breaches, promulgated in State Gazette Issue 11 of 2 February 2023.
2Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
authors: Tereza Shishkova and Ema Stoyanova
Attorney at Law