According to the law transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter the "Law"), Luxembourg has 22 competent authorities for whistleblowing, including the CNPD.
The CNPD is competent for reports within the scope of its tasks and competences under the RGPD, i.e., in particular regarding data protection.
If the breach does not fall within the CNPD's remit, the competent authority should be contacted. Anyone can contact the Reporting Office (13, rue Erasme, Centre administratif Werner, L-1468 Luxembourg, Tel: (+352) 247-88564, E-mail: ods.info@mj.etat.lu) to obtain general information on the competent authority according to the type of report concerned.
1. What type of behaviour can be reported to the CNPD as part of a notification under the Data Protection Act?
Any type of breach of data protection law, whether administrative, criminal, or otherwise, may be reported to the CNPD.
Whistleblowers may report any information, including reasonable suspicions, concerning:
- actual or potential violations; and
- attempts to conceal such violations;
- that have occurred or are very likely to occur:
- in the organisation in which he works or has worked; or
- in another organisation with which they are or have been in contact in the course of their work.
Warning: whistleblowers may not disclose information that they have obtained or to which they have had access by committing a criminal offence.
2. Who can issue an alert under the law?
The Act protects whistleblowers working in the private or public sector who have obtained information about violations in a professional context (current, past, or future employment relationship), including:
- workers (including civil servants and state employees);
- self-employed workers
- shareholders and members of the administrative, management or supervisory body of a company, including non-executive members as well as volunteers and paid or unpaid trainees;
- any person working under the supervision and direction of contractors, subcontractors, and suppliers.
The Act also protects:
- facilitators (an individual who assists a whistleblower on a confidential basis) ;
- colleagues or relatives of the whistleblower who are at risk of reprisals; and
- legal entities belonging to the whistleblower for which he or she works, or with which he or she has professional links;
- Individuals who have reported or disclosed information about violations anonymously, but who are subsequently identified and are subject to retaliation;
- persons who report violations to the relevant EU institutions, bodies, offices or agencies.
This protection does not apply to:
- reports of breaches of national security;
- whistleblowers whose relations are covered by:
- medical confidentiality
- lawyer-client privilege; and
- the professional secrecy to which a notary or bailiff is bound;
- the secrecy of judicial deliberations;
- rules governing criminal proceedings.
3. What is the status of a whistleblower protected by law?
Whistle-blowers who report such violations and who fall within the scope of the Act are protected against all forms of reprisal.
No liability for whistleblowers
Whistleblowers who meet the conditions for protection do not break the law by disclosing information and incur no liability:
- with regard to reporting (internal and/or external) or public disclosure provided that they had reasonable grounds to believe that the reporting or public disclosure was necessary to reveal a breach of the law;
- with regard to obtaining information that is reported or publicly disclosed, or access to such information (unless such obtaining, or access constitutes an autonomous criminal offence);
- as a result of reports or public disclosures made, including in legal proceedings for defamation, breach of copyright, breach of secrecy, breach of data protection rules or disclosure of business secrets, or for compensation claims based on private law, public law or collective labour law.
In such cases, they may invoke the public notice or disclosure to request that the proceedings be discontinued.
Prohibited retaliatory measures
All forms of retaliation, including threats and attempts at retaliation, are prohibited against whistleblowers because of the report they have made.
In particular, the following are prohibited and automatically null and void:
- suspension of an employment contract, lay-off, dismissal, non-renewal or early termination of a fixed-term employment contract or equivalent measures;
- demotion or refusal of promotion;
- transfer of duties, change of place of work, reduction in salary, change in working hours;
- suspension of training;
- disciplinary measures imposed or administered, reprimand or other sanction, including a financial penalty;
- non-conversion of a temporary employment contract into a permanent contract, where the employee had a legitimate expectation of being offered permanent employment;
- negative performance appraisal or work certificate;
- early termination or cancellation of a contract for goods or services;
- cancellation of a licence or permit.
The following are also prohibited:
- coercion, intimidation, harassment or ostracism;
- discrimination, disadvantageous or unfair treatment;
- harm, including damage to a person's reputation, particularly on social networks, or financial loss, including loss of business and loss of income;
- blacklisting on the basis of a formal or informal agreement at sector or industry level, which may mean that the person will not be able to find employment in the future in the sector or industry;
- referral for psychiatric or medical treatment.
Action against retaliatory measures
A whistleblower who suffers retaliatory measures may, within 15 days of being notified of the measures, ask the competent court to declare the measures null and void and to order their cessation.
A person who has not invoked the nullity of the retaliatory measures or who has already obtained a declaration of nullity may still bring an action for damages.
The CNPD recommends that legal counsel be retained for any such action.
Reversal of the burden of proof
A whistleblower who suffers prejudicial measures automatically benefits from the presumption that these measures were taken against him or her in retaliation for the report.
It is therefore up to the person who took the measures to establish the reasons for them.
Persons taking retaliatory measures or bringing abusive proceedings against whistleblowers are liable to a fine of between €1,250 and €25,000.
4. What are the conditions for protection?
To be protected against all forms of reprisals, the whistleblower must:
- have had reasonable grounds to believe that the information reported on violations was true at the time of reporting and that it falls within the scope of the law; and
- made a report either internally (via the reporting channels of his or her company or administration), externally (via the reporting channels of the relevant CNPD) or publicly (following an unsuccessful external report).
A whistleblower who publicly discloses a violation enjoys the protection of the law if:
- he or she has first made either an internal and external report or an external report directly but no appropriate action has been taken in response to the report within 3 months of the report; or
- they have reasonable grounds to believe that:
- the breach may represent an imminent or obvious danger to the public interest (for example where there is an emergency situation or a risk of irreversible harm); or
- in the case of external reporting, there is a risk of retaliation or the breach is unlikely to be effectively remedied, due to the particular circumstances of the case (e.g. where evidence may be concealed or destroyed or where an authority may be colluding with or implicated in the breach).
5. Will the CNPD examine the report even if the whistleblower has not first used the internal whistleblowing procedure with the professional concerned?
Yes, but as far as possible we would ask you to pass on the alert internally first.
6. Will the whistleblower's identity be disclosed, in particular, to his employer?
The CNPD undertakes to protect the identity of whistleblowers within the limits of the applicable legislation. In other words, neither the identity of the employee who made the whistleblowing report, nor that of any third parties who may be involved, will be communicated to the professional concerned. The identity of the whistleblower and third parties will only be disclosed in circumstances where this becomes unavoidable by law (for example, because of the CNPD's obligation to inform the State Prosecutor if the facts are likely to constitute a crime or an offence, or in the context of criminal proceedings against the entity where the whistleblower may be called as a witness). Although, despite all precautions, it cannot be totally ruled out that the employer may discover the identity of the whistleblower by cross-checking information, the CNPD will of course do everything in its power to protect the identity of the whistleblower.
7. What procedure does the CNPD follow?
Whistleblowers wishing to report breaches of legislation falling within the CNPD's remit may contact the CNPD in French, Luxembourgish, German or English:
The CNPD's reporting platform guarantees the completeness, integrity and confidentiality of the information sent to the CNPD. Only authorised CNPD staff members have access to it, and they are bound by professional secrecy in accordance with the oath they took on taking up their duties.
The CNPD does not record reports made by telephone, but it can draw up a detailed report of the main points of the conversation, which the whistleblower can then check, rectify, and sign for approval.
Similarly, the CNPD will, with the whistleblower's consent, keep full and accurate records of reports made in person in the form of a recording or minutes.
In the case of reports made through other channels or via other CNPD staff members, the latter are also required to respect confidentiality regarding the identity of the whistleblower or the person concerned and forward the report as quickly as possible to the staff members in charge of processing it.
The CNPD receives and follows up reports falling within its remit.
It may make a written request to the entity to which the alert relates for any information it deems necessary, while strictly respecting the confidentiality of the whistleblower's identity.
In particular, the CNPD will:
- acknowledge receipt of the alert within 7 days of its receipt, unless:
- the whistleblower expressly requests otherwise; or
- there are reasonable grounds to believe that acknowledging receipt of the alert would compromise the protection of the whistleblower's identity;
- to ensure diligent follow-up;
- and, in compliance with the legal obligation of professional secrecy, to provide the whistleblower with feedback within 3 months, or 6 months in duly justified cases;
- When the CNPD receives an alert for which it is not competent, it forwards it within a reasonable timeframe and in a confidential and secure manner to the competent national authority. The latter will inform the whistleblower.
After examination, the CNPD:
- may decide to close the procedure:
- in the event of a manifestly minor breach (without prejudice to other applicable obligations or procedures aimed at remedying the reported breach);
- in the case of repeated alerts containing no significant new information in relation to a previous alert for which the procedure has been closed.
The CNPD then notifies the whistleblower of its decision and the reasons for it.
8. What are the penalties for malicious reporting?
The perpetrator of an alert who knowingly reports or publicly discloses false information may be liable to a prison sentence of between 8 days and 3 months and a fine of between €1,500 and €50,000.
The perpetrator of a false report will be held civilly liable. The entity that has suffered damage may seek compensation for the loss suffered before the competent court.