An article from our Finnish law firm NORDIA Law about the protection for whistleblowers

In Finland, national implementing measures for the Whistleblowing Directive have been waited for a long time. These measures have now been presented in the Finnish Government Bill issued this autumn concerning the new whistleblower protection act (Government Bill on the protection of persons who report violations of European Union law and national law, and the laws relating to the protection, available in Finnish HE 147/2022 vp).

The aim is that the proposed laws enter into force as soon as possible. Organisations regularly employing at least 50–249 persons would be obliged to establish a new reporting channel or to ensure that their existing channel meets the requirements of the whistleblower protection provisions under the current proposal by 17 December 2023. For organisations employing more than 250 persons, the corresponding obligation would apply within 3 months after the national whistleblower protection act has entered into force. Each employer should therefore at last familiarise themselves with the upcoming national whistleblower protection obligations that may apply to them.

What is the purpose of the whistleblower protection provisions?

The purpose of the whistleblower protection provisions is to enable confidential and secure reporting of breaches or misconduct discovered or suspected within an organisation. By means of the provisions, it is ensured that such a whistleblower is effectively protected against any possible retaliation.

Who is obliged by the whistleblower protection provisions?

The whistleblower protection provisions oblige private and public organisations regularly employing at least 50 persons to establish a reporting channel. The number of employees is examined on a legal entity basis, i.e., a group company at a time. Even then, however, it is recommended to assess whether it would be good to establish an internal, common reporting channel or to have common practices at group level. Smaller organisations can also establish their own voluntary reporting channels, to which the provisions corresponding to the upcoming act will apply.

The whistleblower protection provisions apply only in specifically designated areas of legislation where whistleblowing is considered necessary for the public interest. These include e.g., public procurement, financial services, prevention of money laundering and terrorist financing, product safety, environmental protection, food safety, or consumer protection.

Who is protected by the whistleblower protection provisions?

A natural person who has become aware of breaches in the course or in connection with their work duties is considered as a protected whistleblower. The person must be financially or otherwise dependent on the subject of the report or any contractor of the subject due to their employment, position, or duties, in a way that puts the person at a particular risk of retaliation. The whistleblower can be self-employed, employed by a subcontractor, a shareholder actively working for their company, a volunteer worker, or a trainee. In addition to the whistleblower, e.g., a person assisting them or any other third natural person, such as a relative, can be considered as a protected person, if such a person is in a position to be retaliated against.

What does whistleblower protection mean in practice?

The whistleblower must be protected against possible retaliation. These include e.g., dismissal, change of work duties, reduction of salary, disciplinary actions, or other adverse consequences. The causal connection between the report and the retaliatory action is always evaluated on a case-by-case basis.

The whistleblower must also be protected from actions aimed at preventing information disclosure or publication, such as threatening with retaliation or unjustifiably invoking a legal confidentiality obligation that restricts disclosure.

If any action described above is directed to the whistleblower or other person protected by the provisions, the organisation may have to pay compensation to the person in question and, depending on the case, possible compensation for damages, e.g., for groundless termination of employment.

When does a whistleblower get whistleblower protection?

The whistleblower must have reasonable grounds to believe that the information on the reported breach was true at the time of reporting and that such information fell within the scope of the whistleblower protection provisions (assessed on a low threshold). The existence of reasonable grounds is evaluated objectively. The whistleblower does not need to have concrete evidence for the reported information, but reporting cannot be based e.g. on rumours or information that has already been made public. In addition, it should not be possible to report only with the intention of causing harm or maliciously.

In addition, it is required to follow a three-step reporting procedure:

    1. Primarily, the report is made by using the reporting channel of the organisation where the breach or misconduct was discovered.
    2. Secondarily, the report is made by using the centralised reporting channel of the Chancellor of Justice of Finland or to the competent authority.
    3. As the last instance (and exceptionally), the information is publicly disclosed.

What is the required reporting channel?

An organisation can establish a reporting channel itself or outsource all or part of the establishment to an external service provider. In the latter case, however, the final responsibility for complying with the whistleblower protection obligations lies with the organisation itself.

The organisation must ensure that the reports are handled impartially and independently so, that there are no conflicts of interest. Accordingly, the reports may only be processed by the responsible person or persons designated by the organisation.

It is up to the organisation itself to decide what kind of reporting channel is used, provided, however, that it needs to be possible to report orally or in writing and that the identity of the whistleblower remains confidential. In addition to the reporting channel, the organisation must have clear policies on how the whistleblower is notified of the receipt of the report, what kind of actions will possibly be taken within the time limits set by the upcoming legislation in response to the report, as well as how the accuracy of the report is verified within the organisation, and, if necessary, how the breach is dealt with. The establishment and use of the reporting channel must also consider the requirements of data protection legislation and include the necessary data protection documentation.

It is good to note that the channel established under the whistleblower protection provisions is not a feedback channel for employees’ own employment issues, and therefore it does not cover all the organisation’s activities. This should be clearly communicated to the personnel when the channel is implemented.

Whistleblower protection is part of the organisation’s internal risk management.

If your business falls within the scope of the whistleblower protection provisions based on its size, it is important to start the preliminary preparations for establishing the necessary reporting channel soon, as this requires both administrative and technical measures from the organisation and can be a time-consuming process.

Due compliance with the whistleblower protection provisions is an essential part of the organisation’s own risk management and contributes to demonstrating the organisation’s responsibility in relation to its personnel.


Annamari Männikkö
Nordia Law, Helsinki, Finland
Attorney, Senior Associate

Annamari Männikkö

Nordia Law Helsinki

+358 9 4250 5000