In recent years, whistleblowers have become an important part in uncovering misconduct – be it in companies, governmental bodies, or other institutions. This has brought widespread attention to whistleblowing and its consequences. Thereby, the European Parliament recognized that the protection of whistleblowers in the European Union (EU) was inconsistent and insufficient. In view of this, the European Parliament adopted a directive which was to be implemented by the member states to establish common minimum standards of whistleblower protection within the EU.

In this article, our experts from Portugal and Germany answer 6 key questions on the implementation of legislation on whistleblower protection in their respective countries and the impacts the legislation has for employers. 

1. Through which regulations are whistleblowers protected?

In 2019, the EU established the Whistleblower Directive 2019/1937 to protect individuals who report violations of Union law. Portugal transposed the directive by Law 93/2021, from 20 December 2021, coming into force on 18 June 2022. Germany transposed the directive by the Whistleblower Protection Act from 31 May 2023, which came into force on 2 July 2023.

The objective of the Directive, along with the national laws which transpose it, is to protect individuals who find out about and seek to disclose wrongdoing within a company. The regulations particularly protect employees who report misconduct within the company they are employed in. This is based on the premise that employees are on a privileged position to detect irregularities and make a report (which often does not occur due to fear of retaliation).

For this purpose, whistleblower legislation stipulates the establishment of confidential reporting units that whistleblowers can turn to. Such reporting units are to be established by companies (internal reporting channels) as well by public authorities (external reporting channels). In Germany, whistleblowers are free to choose whether they turn to an internal or external reporting channel. In either case, they are protected against any type of retaliation such as dismissals, disciplinary measures, refusal of promotions or similar acts. In Portugal, however, whistleblowers may only choose external reporting channels over internal reporting channels when certain conditions are met (e.g. the company does not have an internal reporting channel or the whistleblower has grounds to believe that there is a risk of retaliation when using the internal reporting channel).

In certain cases, in both countries, whistleblowers are also protected in the event of public disclosure.

2. What is the scope of application of the whistleblower regulations?

As stipulated by the EU Directive, the whistleblower legislation in both Portugal and Germany cover reports on acts or omissions that do not comply with certain legislation of the EU and national laws that transpose them. The legislation covered may derive from the following areas: (a) public procurement; (b) financial services, products and markets, and prevention of money laundering and terrorist financing; (c) product safety and compliance; (d) transport safety; (e) protection of the environment; (f) radiation protection and nuclear safety; (g) food and feed safety, animal health and welfare; (h) public health; (i) consumer protection; and (j) protection of privacy and personal data, and security of network and information systems.


Additionally, the Portuguese Whistleblower Protection Law is aimed at the protection of those who report on fraud, breach of competition, state aid and company taxation rules, as well as violent criminality (especially highly organized violent criminality) and organized economic-financial criminality.


In addition to the above-mentioned EU law, the German Whistleblower Protection Act covers certain areas of national law. The national laws covered are (i) criminal provisions and (ii) provisions punishable by fines if the regulation serves to protect life, body, or health or the rights of employees or their representative bodies. The latter includes, for example, the Working Hours Act and the Minimum Wage Act. In all cases, only offences that are related to a professional, entrepreneurial or business activity are covered. Purely private misconduct is therefore not included in the scope of application.

3. Which companies are under the obligation to have an internal reporting channel?

All private and public companies with 50 employees or more are obliged to implement an internal reporting channel. In addition, companies in certain sectors that are covered by specific EU regulation are obliged to set up an internal reporting channel, regardless of their number of employees. These include, for example, investment services companies or credit institutions.

4. How must a company implement an internal reporting channel and what characteristics must the internal reporting channel fulfil?


Internal reporting channels must allow for the safe submission and follow-up of reports, ensuring the completeness, integrity and conservation of the report.

To receive the reports, internal reporting channels must be operated internally or externally. Notwithstanding, to follow up on the report, the reporting channels must always be operated internally.

The person or team designated to receive and forward reports must also guarantee their independence, impartiality, confidentiality, data protection and the absence of conflicts of interests in the performance of their role. Additionally, companies with 50 to 249 employees may share one single reporting channel, as well as the person or team allocated to said channel.

Furthermore, whistleblowers must be given the possibility of either identifying themselves (and the company must safeguard their identity, keeping it confidential), or of submitting the report anonymously.

The identity of the whistleblower, as well as information that, directly or indirectly, allows their identity to be deduced, is strictly confidential and should be accessed only by those responsible for receiving or following up on reports. The identity of the whistleblower may only be disclosed as a result of legal obligation or court decision.

If a verbal complaint is admissible, the internal reporting channels must allow it to be presented by telephone or through other voice messaging systems or, at the request of the whistleblower, in a face-to-face meeting.


Companies can set up an internal reporting channel by establishing an inhouse reporting unit and assigning the corresponding tasks to employees. Alternatively, companies can outsource the channel by appointing a third party (e.g., a law firm) to function as a reporting unit. Companies with 50 to 249 employees may also set up joint reporting channels with other companies.

The internal reporting channel must accept verbal reports as well as reports in text form. While the German Whistleblower Protection Act stipulates that the internal channel “should” accept anonymous reports, there is no obligation to do so. If a company chooses not to allow anonymous reports, whistleblowers must therefore provide their name when making a report.

Upon receival of a report, the reporting unit must examine whether the reported conduct is covered by the Whistleblower Protection Act. If it is, the unit examines the conclusiveness of the report, requests further information from the whistleblower if necessary and takes appropriate follow-up measures such as conducting an internal investigation or turning over the case to the employer. Remedying any detected misconduct as well as imposing possible sanctions due to misconduct remains solely in the employer’s responsibility. 

The reporting unit must comply with strict confidentiality obligations. This applies in particular to the identity of the whistleblower. Any information on the whistleblower’s identity may only be passed on if the whistleblower has agreed to this or in case of requests made by certain public authorities or a court. Without the whistleblower’s consent, their identity may therefore not be disclosed when turning over the reported case to the employer. However, the identity of a whistleblower is not protected in case they intentionally or grossly negligently report incorrect information.

Companies must ensure that the reporting unit has the necessary expertise to correctly fulfil their duties. If a company chooses to establish an inhouse reporting unit, it must therefore provide adequate training for the designated employees. Such trainings are, for example, offered by law firms.

5. Are there sanctions in place for the violation of whistleblower regulations?


Yes – breach of the rules set out in the Portuguese Whistleblower Protection Law may constitute an administrative offence, punishable with fines under the following terms:

  • Between 1,000 EUR and 25,000 EUR for natural persons, or between 10,000 EUR and 250,000 EUR for legal persons, in the case of a very serious offense.
  • Between 500 EUR and 12,500 EUR for natural persons, or between 1,000 EUR and 125,000 EUR for legal persons, in the case of a serious offense.


The German Whistleblower Protection Act stipulates several sanctions for violations. For employers, the following sanctions are the most important:

  • The Whistleblower Protection Act forbids any type of retaliation against a whistleblower (e.g., dismissal, disciplinary measures or similar). If a company violates this rule, the measure that constitutes a retaliation is ineffective (e.g., if a whistleblower is dismissed because they reported misconduct by their employer, the dismissal would be ineffective). In addition, a fine of up to 50,000 EUR may be imposed on the company. Lastly, the company is liable for damages resulting from the retaliation. 
  • A fine of up to 50,000 EUR may be imposed if a company obstructs a whistleblowing report or the communication between a whistleblower and a reporting unit.
  • A fine of up to 20,000 EUR may be imposed if a company violates its obligation to implement an internal reporting channel.

6. Will the legislation on the protection of whistleblowers benefit my business?

Yes – although the legislation entails administrative procedures and imposes strict sanctions, it is indeed beneficial for companies.

Even with diligent corporate governance, there is always a certain risk of internal misconduct. The legislation on the protection of whistleblowers provides useful risk prevention and management mechanisms, allowing companies to quickly and efficiently identify and correct non-compliance situations. Ultimately, the implementation of whistleblower protection mechanisms can avoid or mitigate relevant financial losses and reputational damage – allowing a company to resolve its problems before they become public.

By establishing a reliable internal reporting channel, companies can strengthen the trust of their employees and encourage them to choose the internal reporting channel over an external one. Employers should therefore ensure that employees are fully informed about the internal reporting channel and the provided protection. In addition, employers should ensure that the channel is kept strictly confidential by providing sufficient training to the responsible employees in case the channel is an inhouse unit or by working with reliable third-party units if the channel is outsourced.


Sophia Hartmann is an attorney at our German member firm Altenburg. She is specialised and focuses on dismissal protection law, International employment law, Employment and service contract law, Works related to constitution law, Collective bargaining law and Reference law.

She has completed her law studies in Hamburg and São Paulo and did her traineeship in Hamburg and Berlin.

Sophia speaks German and English.

Ana Rita do Carmo is a lawyer at Paramount Legal, the Portuguese member of Ellint, and is based in Lisbon.

Ana Rita holds a Master in Litigation Law, with courses in Labour Law and Labour Procedure Law, from the Portuguese Catholic University.

She speaks Portuguese, English and Spanish.