Commission Implementing Directive (EU) 2015/2392 of 17 December 2015 on Regulation (EU) No 596/2014 of the European Parliament and of the Council as regards reporting to competent authorities of actual or potential infringements of that Regulation
Commission Implementing Directive (EU) 2015/2392of 17 December 2015on Regulation (EU) No 596/2014 of the European Parliament and of the Council as regards reporting to competent authorities of actual or potential infringements of that Regulation THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/ECOJ L 173, 12.6.2014, p. 1., and in particular Article 32(5) thereof,Whereas:(1)Persons reporting actual or potential infringements of Regulation (EU) No 596/2014 (whistle-blowers) to competent authorities may bring new information to the attention of competent authorities and assist the latter in detecting and imposing sanctions for market abuse offences. However, whistleblowing of infringements may be deterred by fear of retaliation, discrimination or disclosure of personal data. Adequate arrangements regarding whistleblowing are hence necessary to ensure the overall protection and the respect of the fundamental rights of the whistle-blowers and the accused persons. Persons who knowingly report wrong or misleading information to competent authorities should not be considered as whistle-blowers and thus should not enjoy the protection mechanisms.(2)Anonymous reporting should be allowed by competent authorities and the protection mechanisms of this Directive should also apply where an anonymous whistle-blower decides to reveal its identity to the competent authority at a later stage. Whistle-blowers should be free to report either through internal procedures, where such procedures exist, or directly to the competent authority.(3)Dedicated staff members of the competent authorities, who are professionally trained, including on applicable data protection rules, would be necessary in order to handle reports of infringements of Regulation (EU) No 596/2014 and to ensure communication with the reporting person, as well as following up on the report in a suitable manner.(4)Persons intending to report actual or potential infringements of Regulation (EU) No 596/2014 should be able to make an informed decision on whether, how and when to report. Competent authorities should therefore publicly disclose and make easily accessible information about the available communication channels with competent authorities, about the applicable procedures and about the dedicated staff members within the authority dealing with reports of infringements. All information regarding reports of infringements should be transparent, easily understandable and reliable in order to promote and not deter reporting of infringements.(5)In order to allow for effective communication with its dedicated staff it is necessary that the competent authorities have in place and use different communication channels that should be user-friendly and allow for written and oral, as well as electronic and non-electronic communication.(6)It is important that the procedures for the protection of persons working under a contract of employment, irrespective of the nature of their working relationship and whether they are paid or not, who report infringements or are accused of infringements of Regulation (EU) No 596/2014 protect such persons against retaliation, discrimination or other types of direct or indirect unfair treatment. Unfair treatment can take very different forms depending on the circumstances. Thus individual cases need to be assessed through dispute resolution rules or judiciary procedures available under national law.(7)Member States should ensure that competent authorities have in place adequate protection procedures for the processing of reports of infringements and reported persons' personal data. Such procedures should ensure that the identity of every reporting and reported person is protected at all stages of the procedure. This obligation should be without prejudice to the necessity and proportionality of the obligation to disclose information when this is required by Union or national law and subject to appropriate safeguards under such laws, including in the context of investigations or judicial proceedings or to safeguard the freedoms of others, including the rights of defence of the reported person.(8)It is highly important and necessary that dedicated staff of the competent authority and staff members of the competent authority who receive access to the information provided by a reporting person to the competent authority comply with the duty of professional secrecy and the confidentiality when transmitting the data both inside and outside of the competent authority, including where a competent authority opens an investigation or an inquiry or subsequent enforcement activities in connection with the report of infringements.(9)Member States should ensure the adequate record-keeping of all reports of infringement and that every report is retrievable within the competent authority and that information received through reports could be used as evidence in enforcement actions where appropriate. Member States should ensure the compliance with Directive 95/46/EC of the European Parliament and of the CouncilOJ L 281, 23.11.1995, p. 31. and national legislation transposing Directive 95/46/EC.(10)Protection of personal data of the reporting and reported person is crucial in order to avoid unfair treatment or reputational damages due to disclosure of personal data, in particular data revealing the identity of a person concerned. Hence, in addition to the national data protection legislation which transposes Directive 95/46/EC, competent authorities should establish adequate data protection procedures specifically geared to the protection of the reporting and reported person that should include a secure system within the competent authority with restricted access rights for authorised staff only.(11)Transmission of personal data connected to reports of infringements by the competent authority could be necessary to evaluate a report of infringements and to undertake the necessary investigation and enforcement actions. When transmitting data within the competent authority or to third parties, competent authorities should preserve the confidentiality to the maximum extent possible in accordance with national law.(12)The rights of the reported person accused of an infringement of Regulation (EU) No 596/2014 should be protected in order to avoid reputational damages or other negative consequences. Furthermore, the rights of defence and access to remedies of the reported person should be fully respected at every stage of the procedure following the report. Member States should ensure the right of defence of the reported person, including the right to access to the file, the right to be heard and the right to seek effective remedy against a decision concerning the reported person under the applicable procedures set out in national law in the context of investigations or subsequent judicial proceedings.(13)The regular and at least biannual (once every two years) review of the procedures of competent authorities should guarantee that these procedures are adequate and state of the art, and thus serving their purpose. For this purpose, it is important that competent authorities evaluate their own experiences and exchange experiences and good practices with other competent authorities.(14)Given that detailed rules on the protection of whistle-blowers would make it more difficult for Member States to ensure compatibility and operational fit with their national systems, including administrative, procedural and institutional aspects, some flexibility is needed for the implementing act. Such flexibility would best be achieved through a directive, rather than a regulation and hence a directive appears to be the most appropriate instrument in order to allow Member States to adapt the reporting of infringements regime efficiently into their national systems including the institutional framework.(15)Given the fact that Regulation (EU) No 596/2014 enters into application on 3 July 2016, it is appropriate that the Member States transpose and apply provisions pertaining to this Directive from 3 July 2016.(16)The measures provided for in this Directive are in accordance with the opinion of the European Securities Committee,HAS ADOPTED THIS DIRECTIVE:
CHAPTER ISUBJECT MATTER AND DEFINITIONS
Article 1Subject-matterThis Directive lays down rules specifying the procedures set out in Article 32(1) of Regulation (EU) No 596/2014, including the arrangements for reporting and for following-up reports, and measures for the protection of persons working under a contract of employment and measures for the protection of personal data.
Article 2DefinitionsFor the purposes of this Directive, the following definitions shall apply:(1)"reporting person" means a person reporting an actual or potential infringement of Regulation (EU) No 596/2014 to the competent authority;(2)"reported person" means a person who is accused of having committed, or intending to commit, an infringement of Regulation (EU) No 596/2014 by the reporting person;(3)"report of infringement" means a report submitted by the reporting person to the competent authority regarding an actual or potential infringement of Regulation (EU) No 596/2014.
CHAPTER IIPROCEDURES FOR THE RECEIPT OF REPORTS OF INFRINGEMENTS AND THEIR FOLLOW-UP
Article 3Dedicated staff members1.Member States shall ensure that competent authorities have staff members dedicated to handling reports of infringements ("dedicated staff members"). Dedicated staff members shall be trained for the purposes of handling reports of infringements.2.Dedicated staff members shall exercise the following functions:(a)providing any interested person with information on the procedures for reporting infringements;(b)receiving and following-up reports of infringements;(c)maintaining contact with the reporting person where the latter has identified itself.
Article 4Information regarding the receipt of reports of infringements and their follow-up1.Member States shall ensure that competent authorities publish on their websites in a separate, easily identifiable and accessible section the information regarding the receipt of reports of infringements set out in paragraph 2.2.The information referred to in paragraph 1 shall include all of the following:(a)the communication channels for receiving and following-up the reporting of infringements and for contacting the dedicated staff members in accordance with Article 6(1), including:(1)the phone numbers, indicating whether conversations are recorded or unrecorded when using those phone lines;(2)dedicated electronic and postal addresses, which are secure and ensure confidentiality, to contact the dedicated staff members;(b)the procedures applicable to reports of infringements referred to in Article 5;(c)the confidentiality regime applicable to reports of infringements in accordance with the procedures applicable to reports of infringements referred to in Article 5;(d)the procedures for the protection of persons working under a contract of employment;(e)a statement clearly explaining that persons making information available to the competent authority in accordance with Regulation (EU) No 596/2014 are not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and are not to be involved in liability of any kind related to such disclosure.3.Competent authorities may publish on their websites more detailed information regarding the receipt and follow-up of infringements set out in paragraphs 2.
Article 5Procedures applicable to reports of infringements1.The procedures applicable to reports of infringements referred to in Article 4(2)(b) shall clearly indicate all of the following information:(a)that reports of infringements can also be submitted anonymously;(b)the manner in which the competent authority may require the reporting person to clarify the information reported or to provide additional information that is available to the reporting person;(c)the type, content and timeframe of the feed-back about the outcome of the report of infringement that the reporting person can expect after the reporting;(d)the confidentiality regime applicable to reports of infringements, including a detailed description of the circumstances under which the confidential data of a reporting person may be disclosed in accordance with Articles 27, 28 and 29 of Regulation (EU) No 596/2014.2.The detailed description referred to in point (d) of paragraph 1 shall ensure awareness of the reporting person concerning the exceptional cases in which confidentiality of data may not be ensured, including where the disclosure of data is a necessary and proportionate obligation required under Union or national law in the context of investigations or subsequent judicial proceedings or to safeguard the freedoms of others including the right of defence of the reported person, and in each case subject to appropriate safeguards under such laws.
Article 6Dedicated communication channels1.Member States shall ensure that competent authorities establish independent and autonomous communication channels, which are both secure and ensure confidentiality, for receiving and following-up the reporting of infringements ("dedicated communication channels").2.Dedicated communication channels shall be considered independent and autonomous, provided that they meet all of the following criteria:(a)they are separated from general communication channels of the competent authority, including those through which the competent authority communicates internally and with third parties in its ordinary course of business;(b)they are designed, set up and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access to non-authorised staff members of the competent authority;(c)they enable the storage of durable information in accordance with Article 7 to allow for further investigations.3.The dedicated communication channels shall allow for reporting of actual or potential infringements in at least all of the following ways:(a)written report of infringements in electronic or paper format;(b)oral report of infringements through telephone lines, whether recorded or unrecorded;(c)physical meeting with dedicated staff members of the competent authority.4.The competent authority shall provide the information referred to in paragraph 2 of Article 4 to the reporting person before receiving the report of infringement, or at the moment of receiving it at the latest.5.Competent authorities shall ensure that a report of infringement received by means other than dedicated communication channels referred to in this Article is promptly forwarded without modification to the dedicated staff members of the competent authority by using dedicated communication channels.
Article 7Record-keeping of reports received1.Member States shall ensure that competent authorities keep records of every report of infringement received.2.Competent authorities shall promptly acknowledge the receipt of written reports of infringements to the postal or electronic address indicated by the reporting person, unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of a written report would jeopardise the protection of the reporting person's identity.3.Where a recorded telephone line is used for reporting of infringements, the competent authority shall have the right to document the oral reporting in the form of:(a)an audio recording of the conversation in a durable and retrievable form; or(b)a complete and accurate transcript of the conversation prepared by the dedicated staff members of the competent authority. In cases where the reporting person has disclosed its identity, the competent authority shall offer the possibility to the reporting person to check, rectify and agree with the transcript of the call by signing it.4.Where an unrecorded telephone line is used for reporting of infringements, the competent authority shall have the right to document the oral reporting in the form of accurate minutes of the conversation prepared by the dedicated staff members of the competent authority. In cases where the reporting person has disclosed its identity, the competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the call by signing them.5.Where a person requests a physical meeting with the dedicated staff members of the competent authority for reporting an infringement according to Article 6(3)(c), competent authorities shall ensure that complete and accurate records of the meeting are kept in a durable and retrievable form. A competent authority shall have the right to document the records of the physical meeting in the form of:(a)an audio recording of the conversation in a durable and retrievable form; or(b)accurate minutes of the meeting prepared by the dedicated staff members of the competent authority. In cases where the reporting person has disclosed its identity, the competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the meeting by signing them.
Article 8Protection of persons working under a contract of employment1.Member States shall put in place procedures ensuring effective exchange of information and cooperation between competent authorities and any other relevant authority involved in the protection of persons working under a contract of employment who report infringements of Regulation (EU) No 596/2014 to the competent authority or are accused of such infringements, against retaliation, discrimination or other types of unfair treatment, arising due to or in connection with reporting of infringements of Regulation (EU) No 596/2014.2.The procedures set out in paragraph 1 shall ensure at least the following:(a)reporting persons have access to comprehensive information and advice on the remedies and procedures available under national law to protect them against unfair treatment, including on the procedures for claiming pecuniary compensation;(b)reporting persons have access to effective assistance from competent authorities before any relevant authority involved in their protection against unfair treatment, including by certifying the condition of whistle-blower of the reporting person in employment disputes.
Article 9Protection procedures for personal data1.Member States shall ensure that competent authorities store the records referred to in Article 7 in a confidential and secure system.2.Access to the system referred to in paragraph 1 shall be subject to restrictions ensuring that the data stored therein is only available to staff members of the competent authority for whom access to that data is necessary to perform their professional duties.
Article 10Transmission of data inside and outside of the competent authority1.Member States shall ensure that competent authorities have in place adequate procedures for the transmission of personal data of the reporting person and reported person inside and outside of the competent authority.2.Member States shall ensure that the transmission of data related to a report of infringement within or outside the competent authority does not reveal, directly or indirectly, the identity of the reporting person or reported person or any other references to circumstances that would allow the identity of the reporting person or reported person to be deduced, unless such transmission is in accordance with the confidentiality regime referred to in Article 5(1)(d).
Article 11Procedures for the protection of the reported persons1.Where the identity of reported persons is not known to the public, the Member State concerned shall ensure that their identity is protected at least in the same manner as for persons that are under investigation by the competent authority.2.The procedures set out Article 9 shall also apply for the protection of the identity of the reported persons.
Article 12Review of the procedures by competent authoritiesMember States shall ensure that their competent authorities review their procedures for receiving reports of infringements and their follow-up regularly, and at least once every two years. In reviewing such procedures competent authorities shall take account of their experience and that of other competent authorities and adapt their procedures accordingly and in line with market and technological developments.
CHAPTER IIIFINAL PROVISIONS
Article 13TranspositionMember States shall adopt and publish, by 3 July 2016 at the latest, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall forthwith communicate to the Commission the text of those provisions.They shall apply those provisions from 3 July 2016.When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
Article 14Entry into forceThis Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 15AddresseesThis Directive is addressed to the Member States.
Done at Brussels, 17 December 2015.For the CommissionThe PresidentJean-Claude Juncker