Whistleblower Policy: Does Your Company Need One?
Does your company need a whistleblower policy? Get a clear overview of the rules, who they apply to, and exactly what you need to do to stay compliant.
Since the whistleblower act came into force in Denmark, many business owners have been asking themselves: does this apply to me? The answer depends on the size of your company, and the consequences of overlooking the requirement can be serious.
What is a whistleblower policy?
A whistleblower policy is an internal channel through which employees can report violations and serious irregularities, either anonymously or in confidence. It gives staff a way to speak up about issues such as corruption, accounting fraud, or breaches of workplace health and safety rules -- without fear of retaliation.
The purpose is twofold: to protect the person making the report, and to give the company an early opportunity to identify and address problems internally before they escalate or end up in the press.
Who is covered by the whistleblower act?
The Danish Whistleblower Act (Act No. 1436 of 29 June 2021) implements the EU Whistleblowing Directive into Danish law. The act requires an internal whistleblower policy for:
- Companies with 250 or more employees -- this requirement applied from the act's entry into force in December 2021.
- Companies with 50 to 249 employees -- this requirement took effect on 17 December 2023.
- The financial sector -- the requirement applies here regardless of headcount, as the sector is subject to separate regulation.
If your company has fewer than 50 employees, you are generally not obliged to set up an internal scheme. You may still choose to establish a voluntary policy, which many companies do to signal a strong corporate culture and openness.
Note that the employee count typically includes all staff across any group entities. If you are unsure whether your company falls within scope, it is worth investigating further.
What must the policy include?
The act sets out a number of specific requirements for how a whistleblower policy must be structured:
Confidentiality and anonymity. The policy must allow employees to report in confidence. Many solutions also support the option of anonymous reporting.
Acknowledgement and follow-up. The company must acknowledge receipt within seven days and provide a status update on the report within three months.
Independent handling. The person or persons receiving and processing reports must have the necessary competence and act independently. In practice, this may be an internal compliance officer, an external provider, or a combination of both.
Documentation. Reports must be logged and stored securely so that the company can demonstrate that each case has been handled correctly.
Employee awareness. Staff must be kept informed about the existence of the policy and how to use it.
What does the policy cover?
The act protects reports of violations across a wide range of EU legislation and Danish law, including the following areas:
- Financial services, accounting, and auditing
- Product safety and product liability
- Food safety and animal health
- Environmental and climate regulation
- Data protection and privacy
- Competition law and state aid
- Workplace health and safety, and workers' rights
This means a broad spectrum of violations can be reported, and the company is obliged to treat them seriously.
Consequences of non-compliance
If your company meets the whistleblower policy requirement, it is in a strong position. If the requirement is not met, you risk:
- A fine issued by the Danish Data Protection Agency or another relevant authority.
- Negative publicity and reputational damage if a case comes to light regardless.
- A lack of legal protection, because you cannot document proper case handling.
It is important to note that this is provided as information only and does not constitute legal advice. If you have specific questions about your situation, please consult a lawyer or compliance adviser.
Practical steps to get started
- Determine whether you are in scope. Count your employees and establish whether you fall within the 50 to 249 or the 250 and above group.
- Choose a solution. You can either build an internal policy from scratch or use an external software solution that meets the technical requirements of the act.
- Appoint a responsible person. Decide who will receive and handle reports, and whether you want to outsource that role.
- Communicate with your employees. Create a short guide and make it clear that the policy is available and safe to use.
- Keep the policy up to date. Make sure you continuously update procedures and inform new employees.
Frequently asked questions
Can two companies share a whistleblower policy? Yes. Companies with 50 to 249 employees are able to join together in a shared scheme, provided it meets the act's requirements for confidentiality and independent handling.
What happens if an employee reports something that turns out to be incorrect? An employee who in good faith reports a suspected violation is protected against retaliation -- even if the report subsequently proves to be unfounded. Protection only lapses if the employee knowingly submits false information.
Is a whistleblower policy the same as an anonymous mailbox? Not necessarily. A whistleblower policy is a structured system with set procedures for receiving, processing, and following up on reports. A simple anonymous email address rarely meets all of the act's requirements on its own.
Get started with Legiant
Keeping track of whether your company complies with the whistleblower act and the other compliance requirements that are continuously updated can quickly become overwhelming. Legiant automatically monitors the rules that apply to your specific company and notifies you when you need to act. Try Legiant for free and get a clear picture of your compliance status from day one.
