Skip to content

Extended and enhanced legal protection for whistleblowers and increased obligations for employers in Luxembourg

Adoption today (02 May 2023) of bill no. 7945 aiming to transpose the European directive on persons who report breaches by a company (the "whistleblowers"), via internal or external channels (to the authorities), or by public disclosure (via the press, the media). Whistleblowers will benefit from a protection regime aiming to guarantee their anonymity and employment.

Below, an overview of the new law (hereinafter the Law) whose entry into force is planned 4 days after the publication of the text in the Mémorial, with a publication expected in the next few weeks.

For companies with 250 employees or more, the obligation to set up internal reporting channels will be immediate, while companies with between 50 and 249 employees will have until 17 December 2023 to comply with this obligation.

A reporting office, specially created, as well as several authorities declared competent in the matter (including the Financial Regulator - the CSSF, the Labour Inspectorate - the ITM, and the Data Protection Authority - the CNPD) will be in charge of monitoring compliance with the new provisions and mainly the setting up of internal reporting channels, with a possibility to issue significant administrative fines.

Triggering of the protection: launching the alert via the reporting channels

In order to ensure the protection of whistleblowers, the setting up of internal and external reporting channels, as well as in some cases, the possibility of public disclosure, are regulated. We will present exclusively the obligations incumbent on employers.

The obligation to set up internal reporting channels

Any company with at least 50 employees must establish channels and procedures for internal reporting and its follow-up.

There are exceptions to this minimum threshold. In particular, alternative investment fund managers (AIFM) are subject to this obligation regardless of the number of employees they occupy.

The Law lists the elements that any internal reporting and follow-up procedure must include, in particular:

  • secure reporting channels protecting the identity of the whistleblower and of any third party mentioned;
  • an acknowledgement of receipt sent to the whistleblower within seven days;
  • a reasonable time limit, not exceeding three months, for providing feedback on the measures envisaged or taken as part of the follow-up.

These channels must allow reports to be made in writing or orally, in French, German or Luxembourgish, or in any other language accepted by the company.

The obligation of a diligent follow-up implies assessing the accuracy of the allegations made by the whistleblower, in particular by conducting an internal investigation.

Any processing of personal data carried out in this context must comply with the General Data Protection Regulation (GDPR) and in particular with the principle of data minimisation (i.e. only the data relevant for the reporting may be processed).

Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party. A sharing of resources is possible for companies employing between 50 and 249 employees (for instance by organizing a common service).

The establishment of the channels and procedures for internal reporting and their follow-up will require the involvement of the staff delegation, if there is one.

In order to prioritize internal reporting and thus minimise the risk of financial and reputational impact, it is recommended to ensure the simplicity of use, as well as the attractiveness of the internal reporting channels. In this regard, the implementation of a digital whistleblowing system, compliant with the GDPR, has the advantage of guaranteeing the security and anonymity of whistleblowers.

Extended and reinforced protection regime1

Beneficiaries of the protection beyond the employees of the company

The protection is very broad and benefits not only the employees, shareholders, members of the governing, managing or supervisory body of any company concerned by the alert, but also the volunteers, interns, subcontractors, independent contractors, facilitators, and even third parties who are in contact with the whistleblowers (colleagues, staff representatives, relatives).

The information that can give rise to reporting can have been obtained before the start of the employment relationship (for example, during the recruitment phase), during the employment relationship or even when it has ended.

The reporting of a violation of any provision of national or European law

Whistleblowers who, in the course of their professional activities, report acts or omissions violating any provision whatsoever of national or European law will benefit from the protection.

The prohibition of retaliation and the immunity from liability

As long as they acted in good faith, the whistleblowers, as well as the facilitators or third parties, are protected against any form of retaliation for reporting. Any disciplinary measure taken because of a report is therefore null and void.

Besides a court action for annulment of the disciplinary measure, whistleblowers can bring a judicial action for compensation of the prejudice suffered. Whistleblowers benefit from a presumption of causal link. Indeed, if the whistleblowers prove that they made a report through the established channels and that they suffered a prejudice, this prejudice is presumed to result from the retaliation for the report. In this case, it is up to the employer to rebut this presumption by establishing separate reasons (which must be the precise, real and serious) that justify the measure.

Whistleblowers will not be held liable for the means used to obtain the information disclosed if they have reasonable grounds to believe that their report is necessary to reveal a violation (e.g.: if the whistleblower copies documents that he/she takes out of the company in breach of contractual clauses).

Sanctions regime

A fine of up to EUR 25,000 is provided for any person who exercises retaliation.

Moreover, an administrative fine of up to EUR 250,000 can be imposed on natural and legal persons who, among other things:

  • obstruct a report; or
  • do not establish the channels and procedures for internal reporting and its follow-up.

It should also be noted that anyone who knowingly reports false information will be liable to a prison sentence and/or a fine of up to EUR 50,000.

Allen & Overy Luxembourg will be happy to assist you in setting up the channels and procedures for internal reporting and its follow-up.


1. In the area of financial services, detailed rules on the protection of whistleblowers already exist. These special sectoral laws will, in principle, not be affected by the general provisions of this Law.