Internal whistleblowing and how to handle it

Internal whistleblowing and how to handle it : a guide for management teams and investigators.

Internal whistleblowing is an increasingly important topic in companies. Whether for ethical or legal reasons, it is essential that management teams know how to handle reports and conduct investigations properly and efficiently. This article aims to provide a guide for management teams and those responsible for investigations on how to handle internal reports.

Legal framework

Law 93/2021 of December 20th made the adoption of whistleblowing channels mandatory and established the rules for the reporting and public disclosure of violations. 


Public and private sector entities employing 50 or more workers are now required to have internal reporting channels as of June 18, 2022. In the public sector, local authorities with 50 or more employees but fewer than 10,000 inhabitants are excluded. 



According to the law, violations that have already been committed, are in the process of being committed, or are reasonably foreseeable to be committed, as well as concealment attempts, may be reported or publicly disclosed. The report or public disclosure of the infraction may be based on information obtained in the course of the professional activity (current or terminated) of the whistleblower, or even during the recruitment phase and regardless of the nature of the activity, the respective sector and/or the status of the whistleblower (employee, service provider, supplier, partner or shareholder, member of management or supervisory bodies, trainee, other). 



Violations may be reported through internal or external reporting channels or publicly disclosed, with rules of use and precedence between the different means being established. As a rule, the whistleblower should use the internal reporting channels. 


The internal whistleblowing channels:

Internal whistleblowing channels should enable the submission and follow-up of reports (in writing, verbally and/or through face-to-face meetings) and comply with certain rules, particularly with regard to confidentiality and protection of the whistleblower’s identity. 


What to do when faced with the submission of an internal reporting?


Receipt of the report

Within 7 days, the obliged entities shall notify the whistleblower that the report has been received.  

– The notification must clearly state the requirements, the competent authorities and the form and admissibility of the external report. 


Internal investigation

– The entities carry out the appropriate internal acts to verify the allegations contained therein and, where appropriate, to stop the reported violation. 

– An internal investigation may be opened, or the communication may be made to the competent authority for investigation of the infringement, including the European Union institutions, bodies, offices or agencies. 


Follow-up on the complaint

Within 3 months from the date of receipt of the report, the entities shall inform the complainant of the measures planned or taken to follow up on the report and the reasons for such measures.  


Conclusion of the internal investigation

Within 15 days of its conclusion, the complainant may request, at any time, that the obliged entities communicate the result of the analysis and internal investigation of the report. 

In the above-mentioned procedures, certain provisions applicable to reports will be relevant, under penalty of constituting very serious offenses and consequently susceptible to high fines that may reach up to € 250,000.00. 


Rules applicable to whistleblowing:



The identity of the whistleblower, as well as the information that directly or indirectly allows the identity of the whistleblower to be deduced, is confidential and access is restricted to the persons responsible for receiving or following up reports. 

The identity of the whistleblower is only disclosed as a result of a legal obligation or court order. 


Processing of personal data

The processing of personal data under this Act, including the exchange or transmission of personal data by the competent authorities, complies with the provisions of the General Data Protection Regulation. 

Personal data that are clearly not relevant to the processing of the complaint shall not be stored and shall be deleted immediately. 


Retention of reports

The obligated entities and competent authorities responsible for receiving and processing reports under this law shall keep a record of the reports received and retain it for at least five years and, irrespective of such period, during the pendency of judicial or administrative proceedings relating to the report. 

If the report is made at a face-to-face meeting, obliged entities and competent authorities shall ensure, after obtaining the whistleblower’s consent, that the meeting is recorded by: 

  • Recording the communication on a durable and retrievable media; or  
  • Trusted minutes. 

 Maria Cristina Freitas, Lawyer

Published at: 18/04/2023

Leave a Comment

Your email address will not be published. Required fields are marked *

Add Comment *

Name *

Email *