Czech Republic: Whistleblowing

According to the Act, an internal reporting system must be put in place by so-called obliged entities, which are:

1. national public buyers;
2. employers with 50 or more employees (including agreement or agency workers);
3. public authorities/employers with competence in certain selected areas (e.g. corporate income tax administration, civil aviation, maritime transport, oil and gas, etc.);
4. employers in the financial services sector that are not AML obliged entities (e.g. investment companies and funds, insurance or reinsurance companies, etc.);

+ AML obliged entities – obligation to revise existing reporting systems

For obliged entities employing 50 – 249 employees, no later than 15 December 2023. Companies with 250 or more employees must implement the internal reporting system immediately as of 1 August 2023.

Obliged entities must:

1. Establish an internal reporting system and allow whistleblowers to report breaches (i) orally (i.e. mainly by telephone), (ii) in writing (i.e. mainly via a dedicated online whistleblowing platform), and (iii) in person (i.e. by meeting with the competent person) if the whistleblower explicitly requests it.
2. Appoint a competent person, i.e. the person responsible for receiving and dealing with reports (including communicating with the whistleblower, verifying reports, maintaining legal records, etc.).
3. Ensure protection of whistleblowers: (i) protection of the identity of whistleblowers, (ii) protection of whistleblowers against retaliation by the employer (e.g. termination or non-renewal of employment, transfer to another job, reduction in pay, termination of supply contract, etc.).

According to the European Commission's interpretative opinion on the Directive, group reporting systems can only be shared by companies employing up to 249 employees.

If companies have up to 249 employees, the Directive states that they may share resources for investigating reports with their parent company, but the following conditions must be met, as interpreted by the European Commission:

1. The whistleblower must be able to report at the subsidiary level, i.e. the subsidiary's internal reporting channels must be active and functional.
2. The whistleblower must be informed of who at the parent company will have access to the reports for the purpose of investigating; the whistleblower always has the option of refusing the parent company's investigation of the report and requesting an investigation of the report in the subsidiary's reporting system.
3. The responsibility for maintaining the confidentiality of the report, for providing feedback to the whistleblower and for taking corrective action in relation to the breaches always remains with the subsidiary.

If a company has more than 249 employees, it cannot share the reporting system.

However, the option of outsourcing offers some possibilities for sharing (i.e. the Czech company could theoretically outsource the obligations to the parent company), whereas the above limits resulting from the Commission's opinions do not apply to outsourcing. Nevertheless, outsourcing has a number of practical disadvantages, especially when outsourcing to a foreign parent company. For example, the competent person always has obligations and responsibilities under Czech law, the internal reporting system must comply with the requirements set out by Czech legislation, issues in the area of personal data protection (GDPR), especially in relation to data transfer to third countries, etc.).  

The report can be submitted by an employee, a member of the statutory body or other corporate body, a partner, an intern, a volunteer, a trainee, a cooperating self-employed person, a job applicant, but also a contractor (service provider or customer), etc.

In addition to the whistleblower, a person who (i) has provided assistance to the whistleblower, (ii) is close to the whistleblower, (iii) is an employee or colleague of the whistleblower, etc. is protected.

The Act specifically regulates the following:

1. crimes;
2. violations of the Law;
3. violations of EU laws or national regulations in certain selected areas, e.g. financial services, AML, consumer protection, environmental protection, OSH, EU financial interests, data protection, etc;
4. offences with a fine ceiling of at least CZK 100,000.

However, any obliged person may voluntarily extend its internal reporting system to other areas beyond the scope of the Act.

Knowingly false reporting.

1. A fine of up to CZK 1m.
2. The whistleblower uses an external reporting channel operated by the Ministry of Justice (i.e. the matter then falls outside the company's control).
3. Reputational risk. If the matter is not resolved within the statutory time limits, the whistleblower may make the matter public in the media