Parliament of Cyprus has recently passed a law on the protection of whistleblowers. This is an important step in cracking down on corruption in the public sector.
The new legislation called “the Protection of Persons Reporting Breaches of Union and National Law of 2022” (the Law), applies to the reporting of breaches of EU or Cyprus law by individuals working in the private or public sector who acquired information on breaches of EU or Cyprus law in a work-related context.
The Law transposes Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law (the Directive) into national law. In transposing the Directive, the Law applies to breaches of EU law.
CX Financia’s Compliance team analyses the Law and provides its main provisions below:
Which Breaches are reportable under the Law?
Breaches that may be reportable under the Law include:
- acts or omissions in relation to the commission or potential commission of a criminal offence, in particular, corruption offences
- acts or omissions in relation to non-compliance with any legal obligation imposed on a person
- infringements which endanger or are likely to endanger the safety or health of any person; and
- infringements that cause or are likely to cause damage to the environment.
To which persons does the Law apply?The Law applies to:
- Civil servants,
- Self-employed persons,
- Shareholders and persons belonging to the administrative, management or supervisory body of an undertaking (including non-executive members),
- Volunteers, paid or unpaid trainees and
- Persons working under the supervision and direction of contractors, subcontractors and suppliers.
- Persons reporting or disclosing information on breaches, the acquisition of which was in the context of a working relationship that has since ended or has yet to begin in cases where information on breaches was in place during the recruitment process or other pre-contractual negotiations.
- Third persons in connection with the reporting persons and who could suffer retaliation in a work-related context
- Legal entities that the reporting person owns, works for or is otherwise in connection within a work-related context.
Use of Internal Reporting channels and ConfidentialityAny public disclosure can also qualify for protection under the Law where certain conditions are in place. The reporting person will not be able to qualify for protection where they directly disclose information to the press. Confidentiality requirements apply for the processing of personal data and the maintenance of records. The collection of any personal data must be deleted within 3 months from completion of the procedure concerned. Where legal or disciplinary proceedings are initiated against the reporting person or the person concerned, such personal data shall be retained for the duration of those proceedings, including in the event of an appeal or objection, and must be deleted after 1 year from their completion. The Law also encourages the voluntary introduction of internal reporting channels in the private sector.
What kind of protection is provided to whistleblowers by the Law?The Law generally protects against retaliation, namely, any direct or indirect act or omission which occurs in a work-related context, either by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the whistleblowers. Witnesses involved in proceedings related to a report will be subject to protection afforded under the applicable witness protection legislation. There is the obligation for employers to protect employees from acts of their superiors or any other employee which constitutes retaliation for reporting. A reporting person’s dismissal from employment or any detrimental change to their working conditions or any retaliation measure will be deemed invalid unless the employer proves that the basis of such dismissal was due on other grounds.
Which are the penalties in place for those attempting to punish whistleblowers ?Persons who hinder whistleblowing, retaliate against whistleblowers, bring vexatious proceedings against whistleblowers, breach confidentiality on a whistleblower’s identity or who knowingly report or disclose false information, could incur criminal liability. On conviction, such persons may face imprisonment up to 3 years and/or a fine of up to €30.000. The Law also imposes criminal liability on legal entities for these offences committed by any person acting on behalf of such entity Legal entities may also be prosecuted where lack of supervision or control on behalf of the legal entity makes the commission of any offence possible on behalf of the legal entity by a person hierarchically in a position below such entity. The Law provides for mitigating the sentence of offenders by half, where, as a result of such offenders’ cooperation with the authorities initiated criminal proceedings against a public official for corruption or bribery.
How can CX Financia Help You comply with the whistleblowers Law?Internal controls are policies and procedures created to mitigate the risks of non-compliance. A strong set of internal policies is the starting point and offers guidance on how to stay compliant with the regulatory framework.We can assist you with designing and implementing an effective ccompliance program to support your organization’s compliance and regulatory obligations. If you are looking for a way to strengthen and organize your Company’s compliance mechanism and provide your employees with the necessary training to help them protect your entity from hefty fines and prosecutions we are here to help. In relation to whistleblowing we can assist you in the following:
- Whistleblowing management gap analysis to better understand your readiness status and support timely planning for process and platform improvements
- Process design drafting, including whistleblowing policies, identity protection setup, impartial case management organization, triage protocols and feedback monitoring setup, escalation processes, a crisis management plan, privacy-by-design and default frameworks, international group strategy and data protection binding corporate rules.
- In relation to your Company’s training, our team comprises of skilled trainers certified by the Human Resource Development Authority of Cyprus (HRDA). Our team’s professional background ranges from key positions regulated firms in Cyprus. We have a proven experience offering regulatory compliance services as well as regulatory onsite inspection audits, advisory audits and consulting. Our trainers ensure a qualitative teaching experience through in-house training, simulation exercises, and group work.