The Finnish Whistleblower Protection Law

Finnish Whistleblower Protection Law overview

On 1st January 2023, the Finnish Whistleblower Act (1171/2022) entered into force. This marks the transposition of the EU Whistleblower Protection Directive’s requirements for the effective protection of whistleblowers reporting infringements of European and National Law. 

The new legislation came into force on January 1st 2023. It states that Finnish private sector employers regularly employing at least 250 employees, and public sector employers regularly employing at least 50 employees, must set up a secure, confidential whistleblowing channel before the deadline of 1st April 2023. 

The Act extends this requirement to all remaining private sector organizations employing at least 50 employees to establish a secure internal whistleblowing channel by 17th Dec 2023. This requirement will also apply to smaller organizations that operate within the financial sector. If the organization does not have an internal whistleblowing channel, or the whistleblower does not have access, the whistleblower can still get protection by submitting the report to the official external reporting channel established by the Office of the Chancellor of Justice on 1st January 2023.

What does the Finnish Whistleblower Protection Act cover?

The Act adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include:

1. A secure and confidential channel for receiving whistleblower reports must be in place 
2. Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days 
3. An impartial person or department must be appointed to follow up on the reports 
4. Records must be kept of every report received in compliance with confidentiality requirements 
5. There must be diligent follow-up of the report by the designated person or department 
6. Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report 
7. All processing of personal data must be done in accordance with GDPR

What are the new rules outlined in the Finnish Whistleblower Protection Act?

By 17th December 2023, all Finnish organizations with at least 50 employees must set up a whistleblowing channel with comprehensive whistleblower protection. These protections include confidentiality, a prohibition against retaliation and no liability for disclosing necessary information to the report. This should be the first-line channel for whistleblowing in the organization. 

The Act does not replace existing legislation. It instead acts as an additional measure of protection in certain legal areas – specifically around reporting serious breaches that could endanger the public interest, including violation of regulations concerning product safety, competition laws, public procurement, privacy and personal data protections, and environmental protection. 

Whistleblowing in good faith is already protected under Finnish labor law, so violations of labor law covered by existing legislation are not included in the scope of the new Act. 

Organizations must provide detailed information on whistleblowing channels, processes and rights. Instructions for using these channels should both encourage reporting and reduce excluded reports, and it must be possible to submit reports in writing or orally through the internal channel. Larger private sector organizations (>250 employees) must have set up their own related procedures for handling reports by the April 1st 2023 deadline. 

All organizations, regardless of size, are obliged to protect the whistleblower from retaliation provided three conditions are met: 

• The whistleblower has first submitted through the organization’s internal whistleblowing channel, if it has one 
• The whistleblower has a justified reason to believe the reported issues are accurate at the time of reporting
• The whistleblower has a justified reason to believe the breach is covered by the scope of the Whistleblower Protection Act

What other frameworks does the Finnish legislation cover?

Organizations with fewer than 50 employees are exempt from the requirement to set up a whistleblowing channel. In this case, suspected breaches related to these organizations can be reported directly to the Finnish centralized official whistleblowing channel. If a smaller organization (<50 employees) has voluntarily set up a reporting channel, it must follow the statutory requirements. 

Organizations in Finland do not have to accept anonymous reports. However, if they choose to accept them, a whistleblowing channel that allows communication with an anonymous whistleblower is recommended in case further information is needed. In addition, external service providers can be used for outsourcing whistleblowing channels, though the organization is still responsible for meeting statutory obligations associated with the channel. 

If the organization does not take appropriate action on whistleblowing reports within three months, the whistleblower may report the breach to the competent authorities through the centralized whistleblowing channel. Under some circumstances, they may instead report directly to a competent authority. If the organization continues to take no appropriate actions after this is done, the whistleblower may have the right to publish the information about the breach.

If an organization is found acting in retaliation against a whistleblower or attempting to prevent them from reporting an issue, it may be required to pay compensation ranging from several thousand to an estimated 15,000 euros. Disclosure of identity without consent or engagement in retaliatory behavior can also result in compensation for the whistleblower’s loss in full.