Duty of confidentiality
Directive on the protection of persons who report breaches of Union law · UE 2019/1937
Duty of confidentiality
1. Member States shall ensure that the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This shall also apply to any other information from which the identity of the reporting person may be directly or indirectly deduced.
2. By way of derogation from paragraph 1, the identity of the reporting person and any other information referred to in paragraph 1 may be disclosed only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned.
3. Disclosures made pursuant to the derogation provided for in paragraph 2 shall be subject to appropriate safeguards under the applicable Union and national rules. In particular, reporting persons shall be informed before their identity is disclosed, unless such information would jeopardise the related investigations or judicial proceedings. When informing the reporting persons, the competent authority shall send them an explanation in writing of the reasons for the disclosure of the confidential data concerned.
4. Member States shall ensure that competent authorities that receive information on breaches that includes trade secrets do not use or disclose those trade secrets for purposes going beyond what is necessary for proper follow-up.
In Luxembourg, the duty of confidentiality is overseen by the Office for Reception of Reports (OFRS), the cross-sector external authority, and its breach is criminally sanctioned: fines from 1,250 to 25,000 EUR, doubled on repeat offence, plus civil compensation for the reporting person. The law of 16 May 2023 on the protection of whistleblowers sets the 50-employee threshold for public and private organisations, with no threshold for public bodies, and provides for sector reporting to the CSSF (finance), CNPD (data), ITM (labour), CAA (insurance) or ILR (telecom) depending on the field.
Luxgap practice: restrict the list of authorised staff by name, log every access in a tamper-proof manner and prepare the prior written notice template before any derogatory disclosure, as this is the first item checked during an OFRS or CNPD inspection.