The Romanian Whistleblower Protection Law

Romania Whistleblower Protection Law overview

In March 2023, Romania amended its whistleblower protection law, which was originally passed at the end of 2022, to transpose the EU Whistleblower Protection Directive’s requirements into national law. The law defines whistleblower protections for anyone reporting violations of either EU law or Romanian criminal, corporate, and tax law, and imposes several obligations on organizations to protect internal whistleblowers. 

The new legislation covers all public and private organizations with at least 50 employees, requiring them to establish mechanisms to allow for whistleblower reports and to protect whistleblowers. However, there are certain institutions where the Law applies if there are fewer than 50 employees, including, “Authorities, public institutions, other legal persons governed by public law, regardless of the number of employees, Article 9(1)”. Employers must also appoint someone to investigate whistleblower claims, and this can be an internal manager or an external third party. 

The law protects whistleblowers and those assisting them from retaliation for submitting a report. It also allows them to report their concerns externally to Romanian law enforcement and regulatory agencies, depending on the exact concern being raised.

What does the Romanian whistleblower protection law cover?

The law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include: 

• A secure and confidential channel for receiving whistleblower reports must be in place. 
• Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days. 
• An impartial person or department must be appointed to follow up on the reports. 
• Records must be kept of every report received in compliance with confidentiality requirements. 
• There must be diligent follow-up of the report by the designated person or department. 
• Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report. 
• All processing of personal data must be done in accordance with GDPR.

What are the rules outlined in the Romania whistleblower protection law?

Formally known as Law no. 316/2022 (and informally as “the Whistleblowing Law”), Romania’s law covers all public or private organizations with at least 50 employees. Organizations with 250 or more employees should have already implemented their whistleblower protections by the start of 2023; companies with 50 to 249 employees must do so by the end of 2023. Those with fewer than 250 employees are also allowed to establish a joint whistleblower program in coordination with other small businesses. Financial service firms need to establish an internal reporting system even if they have only one employee. 

The law requires all covered organizations to (1) set up a whistleblowing system with comprehensive whistleblower protections; and (2) adopt a policy on reporting legal violations and other misconduct. Businesses must also train employees on how to use the hotline and on the importance of non-retaliation, and maintain records of the whistleblower complaints they receive for at least five years. Companies are allowed to outsource the management of their hotline to a third-party service provider.

Anonymous report intake and management

Whistleblowers are allowed to submit reports in writing, verbally, or in person, and the company must preserve a record of every report submitted. Anonymous reports are allowed under Romania’s law, and must be handled with the same attention and care as reports from named whistleblowers. That said, if a company receives an anonymous report that doesn’t contain sufficient information to investigate the issue, the company can request more details from the original reporter, and if the reporter does not reply within 15 days, the company can discard the anonymous report. 

If a company receives an anonymous report and that person’s identity later becomes known, they are still eligible for the law’s anti-retaliation protections just like any other whistleblower.

What are the risks of non-compliance?

Companies that violate Romania’s whistleblower law by failing to implement a whistleblower program can be subject to enforcement and fines up to 30,000 Romanian lei, the national currency. Penalties for failing to investigate whistleblower reports or to prevent retaliation are subject to fines up to 40,000 lei.