Protection of Whistleblowers in Lithuania: Most Common Mistakes in Practice and What Should be Remembered

The Law on the Protection of Whistleblowers, which establishes the mechanism for protection of the persons reporting the breach in the institutions, has been applied in Lithuania for almost four years. This year the law was improved, additional safeguards for the persons reporting the breaches were introduced, and new obligations to the institutions were established.  However, in 2021 the Prosecutor General’s Office conducted the study to find out how the provisions of the Law on the Protection of Whistleblowers were implemented in the private sector and it was established that the descriptions of internal channels and applicable procedures that were published must be improved by more than half of the companies that publish them. ECOVIS ProventusLaw provides a review of the most common difficulties faced by the companies and mistakes related to the application of the law.

Mistakes in administration of the channels for reporting the breaches

One of the most common mistakes is that the companies do not have a separate internal reporting channel for submission of the reports on the breaches according to the said law.  In practice, the companies often choose one-stop shop, i.e. they introduce a channel that can be used for reporting different breaches, such as making a complaint on improper service of the customer/client and so on.  In such case, anonymous complaints are also accepted.  “According to the Law on the Protection of Whistleblowers, the reporting person is provided with the confidentiality guarantees but anonymous complaints are not allowed, therefore, it is recommended to introduce a separate channel for the reports according to the Law on the Protection of Whistleblowers which clearly separates the procedure for submission of other kind of complaints”, states Brigida Bacienė, the Associate Partner of ECOVIS ProventusLaw.

This relates to another issue identified by the Prosecutor General’s Office.  It has been identified that often the procedures for implementation of confidentiality of the reporting person are not introduced in practice.  The descriptions of internal channels of the companies most often state that the persons are subject to confidentiality but the details on how it is ensured are not provided in any internal legal acts, there are no policies and procedures for implementation of confidentiality.  According to the conductors of the study, this often results in insufficient confidentiality ensured by the companies, failure to assess the risk of the conflict of interests.  ECOVIS ProventusLaw recommends to draw up the policies implementing the confidentiality of the reporting person: to give access to the internal channel to a limited number of persons, to ensure that the company has the procedures for confidentiality, storage and destruction of the data obtained under the Law on the Protection of Whistleblowers.

Another common problem related to the internal reporting channels is that other persons who do not have employment relations with the company do not have access to the internal channel.  In practice, often only the employees are allowed to use the internal reporting channel.   “However, such practice should be improved because the legal acts state that not only current but also former employees as well as persons who have or have had contractual relations with the company should be allowed to use the internal channel”, states Brigida Bacienė, the Associate Partner.

It is important to remember and implement the provisions of the GDPR

In addition to other most common mistakes, it should be stated that the companies often do not have a specific person or department responsible for investigation of such report, therefore, the complaint is investigated by different persons in different cases (e.g. by the company’s lawyer in one case and by the personnel department in another case).  Moreover, it must be noted that one of the ways to provide the person with the information on the investigation of the breach must be the provision of information in writing because only a written response can be appealed to a competent authority, if the person is not satisfied with the result of the investigation.

If the services of the internal channel are provided by the service providers, include them into the register of the data processors, specify the processing of personal data.

It should be noted that the companies often forget that the information obtained by submission of the report under the Law on the Protection of Whistleblowers or after the investigation belongs to the category of personal data, therefore, such data must be subject to the GDPR.  Brigida Bacienė, the Associate Partner of ECOVIS ProventusLaw, encourages to make sure that the employees of the institution as well as other persons who may report the breach are informed about the personal data processing related to the protection of the whistleblowers.  Moreover, she also gives the following advice related to the data protection:

  • Assess whether it is necessary to carry out the Data Protection Impact Assessment;
  • Ensure that the period for data storage of such processing is set.  Information on the breaches, including any personal data therein, must be stored for at least five years from the date of the last decision adopted during investigation of such information.

All of the above mistakes determine that the Law on the Protection of Whistleblowers is not properly implemented yet and, also, the possibility for the persons to submit reports and to use the guarantees provided by the legal acts is limited.  Therefore, it is suggested for the companies to check both: whether they have officially approved descriptions for the provision of information on the breaches and whether they have proper procedures and policies for the investigation of such reports and protection of the reporting persons.


Newsletter SubscriptionGet in touch