Commission Implementing Directive (EU) 2015/2392 of 17 December 2015 on Regulation (EU) No 596/2014 of the European Parliament and of the Council as regards reporting to competent authorities of actual or potential infringements of that Regulation
Commission Implementing Directive (EU) 2015/2392of 17 December 2015on Regulation (EU) No 596/2014 of the European Parliament and of the Council as regards reporting to competent authorities of actual or potential infringements of that RegulationTHE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/ECOJ L 173, 12.6.2014, p. 1., and in particular Article 32(5) thereof,Whereas:(1)Persons reporting actual or potential infringements of Regulation (EU) No 596/2014 (whistle-blowers) to competent authorities may bring new information to the attention of competent authorities and assist the latter in detecting and imposing sanctions for market abuse offences. However, whistleblowing of infringements may be deterred by fear of retaliation, discrimination or disclosure of personal data. Adequate arrangements regarding whistleblowing are hence necessary to ensure the overall protection and the respect of the fundamental rights of the whistle-blowers and the accused persons. Persons who knowingly report wrong or misleading information to competent authorities should not be considered as whistle-blowers and thus should not enjoy the protection mechanisms.(2)Anonymous reporting should be allowed by competent authorities and the protection mechanisms of this Directive should also apply where an anonymous whistle-blower decides to reveal its identity to the competent authority at a later stage. Whistle-blowers should be free to report either through internal procedures, where such procedures exist, or directly to the competent authority.(3)Dedicated staff members of the competent authorities, who are professionally trained, including on applicable data protection rules, would be necessary in order to handle reports of infringements of Regulation (EU) No 596/2014 and to ensure communication with the reporting person, as well as following up on the report in a suitable manner.(4)Persons intending to report actual or potential infringements of Regulation (EU) No 596/2014 should be able to make an informed decision on whether, how and when to report. Competent authorities should therefore publicly disclose and make easily accessible information about the available communication channels with competent authorities, about the applicable procedures and about the dedicated staff members within the authority dealing with reports of infringements. All information regarding reports of infringements should be transparent, easily understandable and reliable in order to promote and not deter reporting of infringements.(5)In order to allow for effective communication with its dedicated staff it is necessary that the competent authorities have in place and use different communication channels that should be user-friendly and allow for written and oral, as well as electronic and non-electronic communication.(6)It is important that the procedures for the protection of persons working under a contract of employment, irrespective of the nature of their working relationship and whether they are paid or not, who report infringements or are accused of infringements of Regulation (EU) No 596/2014 protect such persons against retaliation, discrimination or other types of direct or indirect unfair treatment. Unfair treatment can take very different forms depending on the circumstances. Thus individual cases need to be assessed through dispute resolution rules or judiciary procedures available under national law.(7)Member States should ensure that competent authorities have in place adequate protection procedures for the processing of reports of infringements and reported persons' personal data. Such procedures should ensure that the identity of every reporting and reported person is protected at all stages of the procedure. This obligation should be without prejudice to the necessity and proportionality of the obligation to disclose information when this is required by Union or national law and subject to appropriate safeguards under such laws, including in the context of investigations or judicial proceedings or to safeguard the freedoms of others, including the rights of defence of the reported person.(8)It is highly important and necessary that dedicated staff of the competent authority and staff members of the competent authority who receive access to the information provided by a reporting person to the competent authority comply with the duty of professional secrecy and the confidentiality when transmitting the data both inside and outside of the competent authority, including where a competent authority opens an investigation or an inquiry or subsequent enforcement activities in connection with the report of infringements.(9)Member States should ensure the adequate record-keeping of all reports of infringement and that every report is retrievable within the competent authority and that information received through reports could be used as evidence in enforcement actions where appropriate. Member States should ensure the compliance with Directive 95/46/EC of the European Parliament and of the CouncilOJ L 281, 23.11.1995, p. 31. and national legislation transposing Directive 95/46/EC.(10)Protection of personal data of the reporting and reported person is crucial in order to avoid unfair treatment or reputational damages due to disclosure of personal data, in particular data revealing the identity of a person concerned. Hence, in addition to the national data protection legislation which transposes Directive 95/46/EC, competent authorities should establish adequate data protection procedures specifically geared to the protection of the reporting and reported person that should include a secure system within the competent authority with restricted access rights for authorised staff only.(11)Transmission of personal data connected to reports of infringements by the competent authority could be necessary to evaluate a report of infringements and to undertake the necessary investigation and enforcement actions. When transmitting data within the competent authority or to third parties, competent authorities should preserve the confidentiality to the maximum extent possible in accordance with national law.(12)The rights of the reported person accused of an infringement of Regulation (EU) No 596/2014 should be protected in order to avoid reputational damages or other negative consequences. Furthermore, the rights of defence and access to remedies of the reported person should be fully respected at every stage of the procedure following the report. Member States should ensure the right of defence of the reported person, including the right to access to the file, the right to be heard and the right to seek effective remedy against a decision concerning the reported person under the applicable procedures set out in national law in the context of investigations or subsequent judicial proceedings.(13)The regular and at least biannual (once every two years) review of the procedures of competent authorities should guarantee that these procedures are adequate and state of the art, and thus serving their purpose. For this purpose, it is important that competent authorities evaluate their own experiences and exchange experiences and good practices with other competent authorities.(14)Given that detailed rules on the protection of whistle-blowers would make it more difficult for Member States to ensure compatibility and operational fit with their national systems, including administrative, procedural and institutional aspects, some flexibility is needed for the implementing act. Such flexibility would best be achieved through a directive, rather than a regulation and hence a directive appears to be the most appropriate instrument in order to allow Member States to adapt the reporting of infringements regime efficiently into their national systems including the institutional framework.(15)Given the fact that Regulation (EU) No 596/2014 enters into application on 3 July 2016, it is appropriate that the Member States transpose and apply provisions pertaining to this Directive from 3 July 2016.(16)The measures provided for in this Directive are in accordance with the opinion of the European Securities Committee,HAS ADOPTED THIS DIRECTIVE: