
Act on Protection of Persons Who Report Work-Related Breaches of European Union Law

Issuer: Riigikogu
Type: Act
In force from: 18.05.2025
In force until: In force
Translation published: 10.06.2025

Act on Protection of Persons Who Report Work-Related Breaches of European Union Law¹

Passed 15.05.2024
RT I, 30.05.2024, 1
Entry into force 01.09.2024

Amended by the following legal instruments:

Passed: 05.05.2025
Published: RT I, 17.05.2025, 1
Entry into force: 18.05.2025

Chapter 1 General Provisions 

§ 1. Scope of regulation and purpose of Act

 (1) This Act provides legal grounds for the reporting of breaches of European Union law which have become known in the context of work-related activities and for the protection of reporting persons and establishes liability for the breach of obligations.

 (2) The purpose of this Act is to ensure protection for the persons who report breaches of European Union law which have become known in the context of work-related activities.

§ 2. Material scope of Act

 (1) This Act applies in the event of reporting of breaches of the requirements arising from European Union law which have become known in the context of work-related activities in the following areas:
 1) public procurement;
 2) financial services, products and markets, and prevention of money laundering and terrorist financing;
 3) product safety and compliance;
 4) transport safety;
 5) protection of the environment;
 6) radiation protection and nuclear safety;
 7) food and feed safety, animal health and welfare;
 8) public health;
 9) consumer protection;
 10) protection of privacy and personal data, and security of network and information systems;
 11) breaches affecting the financial interests of the European Union as provided in Article 325 TFEU and as further specified in relevant European Union measures;
 12) breaches relating to the internal market, as referred to in Article 26(2) TFEU, in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law;
 13) restrictive measures adopted by the European Union on the basis of Article 29 TEU or Article 215 TFEU.
[RT I, 17.05.2025, 1 - entry into force 18.05.2025]

 (2) This Act does not apply:
 1) in the area of national defence, security and state secrets and classified information of foreign states if this defeats the special rules provided in legislation regulating national defence, security and state secrets and classified information of foreign states;
 2) in criminal proceedings if these defeat the provisions of the Code of Criminal Procedure;
 3) in the professional activities of an attorney if these defeat the special rules of the attorney-client privilege provided in § 45 of the Bar Association Act;
 4) in the professional activities of a health care provider and of persons participating in the provision of health care service if these defeat the special rules of the duty of health care providers to maintain confidentiality provided in § 768 of the Law of Obligations Act;
 5) to a minister of religion in relation to the information entrusted with them in the course of a private confession or pastoral conversation if this defeats § 22 of the Churches and Congregations Act;
 6) to the activities of courts in the administration of justice if these defeat the provisions of §§ 71 and 72 of the Courts Act.

§ 3. Personal scope of Act

 (1) On the basis of this Act, the following persons who have reported breaches of European Union law which have become known to them in the context of work-related activities obtain protection:
 1) a person who performs work on the basis of an employment contract or another contract under the law of obligations;
 2) an official;
 3) a sole proprietor;
 4) a member of the management and control body of a company, non-profit association, foundation and profit-making state agency;
 5) a shareholder of a company;
 6) a person acting as a volunteer;
 7) a person undergoing training in an agency or at a legal person or sole proprietor;
 8) a person engaged in pre-contractual negotiations or otherwise preparing a contract or a person whose employment relationship has ended;
 9) a person receiving an athlete grant;
 10) a person working with a contractual partner of an agency or of a legal person in the form specified in clauses 1–9 of this subsection.

 (2) The prohibition of retaliation provided in § 16 of this Act also applies to a natural or legal person related to the reporting person and to a person or entity liable for the obligations provided in subsection 3 of § 8 and in subsection 3 of § 9.

 (3) This Act does not apply to the persons specified in §§ 2 and 4 of the Imprisonment Act, except in the event of working on the basis of § 41 of the Imprisonment Act.

§ 4. Breaches and reporting thereof

 (1) For the purposes of this Act, breach means an act or omission that is unlawful or defeats the purpose of a legal provision.

 (2) For the purposes of this Act, reporting person means a natural person who reports a breach which has become known to them in the context of work-related activities and who has reasonable grounds to believe that the breach has been directly commenced or it has been completed.

 (3) Reporting of breaches means reporting of breaches on the grounds provided in this Act:
 1) through an internal reporting channel;
 2) through the head of the reporting person;
 3) through an external reporting channel; or
 4) by public disclosure on the conditions provided in this Act.

 (4) An external reporting channel may also be chosen to report a breach without first using an internal channel.

§ 5. Prohibition on hindering reporting and on making false reports of breaches

 (1) It is prohibited to hinder the reporting of breaches.

 (2) It is prohibited to submit knowingly false reports of breaches.

§ 6. Competent authority

 (1) For the purposes of this Act, competent authority means a state authority and a municipal authority that has been granted competence by law for exercising regulatory enforcement or administrative or internal oversight in respect of a breach specified in subsection 1 of § 4 of this Act or for conducting proceedings concerning an offence in respect thereof.

 (2) For the purposes of this Act, reporting to a competent authority is also deemed to be reporting to a European Union institution, body, office or agency.

§ 7. Mandatory nature of provisions

  Any agreement deviating from the provisions concerning the application of the rights and remedies prescribed in this Act is null and void unless the possibility of an agreement deviating to the detriment of the reporting person has been prescribed in this Act.

Chapter 2 Reporting 

§ 8. Internal reporting channel

 (1) An internal reporting channel is a channel established within an agency for the receipt of reports of breaches, which enables confidential reporting in writing or orally, or both.

 (2) The obligation to establish an internal reporting channel rests with:
 1) the state authority specified in subsection 2 of § 6 of the Civil Service Act and an agency administered by it;
 2) a municipal authority and an agency administered by it with 50 or more servants, or a municipality with 10,000 or more inhabitants;
 3) a legal person with 50 or more employees;
 4) a subject of state financial supervision specified in subsection 2 of § 2 of the Financial Supervision Authority Act.

 (3) An internal reporting channel is operated by a person or department designated by the authority, agency or legal person specified in subsection 2 of this section or by an external third party who is responsible for:
 1) receiving reports of breaches;
 2) maintaining contact with and giving feedback to the reporting person and requesting further information where necessary;
 3) informing about follow-up.

 (4) Only the person or department designated therefor has access to the reporting channel, reports of breaches and other information on breaches.

 (5) The reporting channels specified in subsection 1 of this section may be shared or jointly operated by:
 1) legal persons governed by private law with up to 249 employees;
 2) local authorities and agencies administered by them;
 3) enterprises belonging to a group of undertakings;
 4) state authorities and agencies administered by them.

§ 9. External reporting channel

 (1) An external reporting channel is a channel established outside an agency for the receipt of reports of breaches, which enables confidential reporting orally by voice message and during a face-to-face meeting and in writing.

 (2) The obligation to establish an external reporting channel rests with the competent authority specified in subsection 1 of § 6 of this Act.

 (3) An external reporting channel is operated by a person or department designated by the authority specified in subsection 2 of this section who is responsible for the following obligations of the competent authority:
 1) receiving reports of breaches;
 2) maintaining contact with and giving feedback to the reporting person and requesting further information where necessary;
 3) informing about follow-up.

 (4) Only the person or department designated therefor has access to the reporting channel, reports of breaches and other information on breaches.

 (5) The competent authority establishes requirements for the receipt of and follow-up on reports of breaches, which it will publish on its website. The competent authority assesses the need to amend these requirements at least once every three years.

 (6) The rules for the receipt of and follow-up on reports of breaches specified in subsection 5 of this section are established by a regulation of the Government of the Republic.

§ 10. Receipt of reports of breaches

 (1) Acknowledgement of receipt of a report of breaches must be sent to the reporting person within seven days of the receipt of the report unless the reporting person explicitly prohibited sending the acknowledgement or there is a reason to believe that this would jeopardise the confidentiality of the reporting person.

 (2) If the authority which has received a report of breaches does not have the competence to address the report, it will transmit the report to the competent authority without delay, but no later than on the fifth working day of the receipt thereof, at the same time also informing the reporting person thereof unless the reporting person explicitly prohibited sending the acknowledgement or there is a reason to believe that this would jeopardise the confidentiality of the reporting person.

 (3) A report of breaches is stored for three years as of giving the feedback specified in subsection 4 of § 11 of this Act.

 (4) The rules for storage of reports of breaches are established by a regulation of the Government of the Republic.

§ 11. Follow-up and feedback

 (1) The authorities, agencies and legal persons specified in §§ 8 and 9 of this Act give appropriate follow-up to ascertain, eliminate and prevent breaches or forward reports of breaches to the competent authority for processing.

 (2) The reporting person must be given feedback on the follow-up as soon as possible, but no later than three months or, if the report is filed through an external reporting channel, in a duly justified case, six months after the receipt of the report of breaches. No feedback must be given if the reporting person explicitly prohibited sending the feedback or there is a reason to believe that this would jeopardise the confidentiality of the reporting person.

 (3) The competent authority has the right, in the event of a significant increase in the workload resulting from the number of reports of breaches, to deal first with serious breaches when giving appropriate follow-up.

 (4) The competent authority does not have the obligations provided in subsections 1 and 2 of this section if the competent authority is of the opinion that the report of breaches concerns a minor breach or if it constitutes a repetitive report of the same content.

 (5) If the performance of the obligation to give feedback provided in subsections 2 and 6 of this section would entail the disclosure of confidential information, the provisions of relevant specific Acts will be observed upon handling information and giving feedback on follow-up to the reporting person.

 (6) The reporting person must be given feedback on the final outcome of the proceedings unless the reporting person explicitly prohibited sending the feedback or there is a reason to believe that this would jeopardise the confidentiality of the reporting person.

§ 12. Protection in the event of public disclosure

  A reporting person disclosing information on breaches to the public obtains protection on the basis of this Act if:
 1) the person has first reported the breach at least through an external reporting channel and the report of the breach was not processed pursuant to §§ 10 and 11 of this Act;
 2) the breach constitutes an imminent or manifest irreversible risk of danger to the public interest;
 3) in the case of external reporting, there is reasonable doubt of retaliation; or
 4) in the case of external reporting, there is reasonable doubt that the breach is not processed properly or that the competent authority is involved in the breach.

Chapter 3 Protection Measures 

§ 13. Conditions for obtaining protection of reporting persons

  A reporting person obtains protection on the basis of this Act if:
 1) at the time of the reporting of a breach, the reporting person has reasonable grounds to believe that the breach has been directly commenced or it has been completed and the breach falls within the scope of this Act; and
 2) reporting of a breach was internal, external or public disclosure in accordance with the provisions of this Act.

§ 14. Ensuring confidentiality

 (1) The person or department designated on the basis of subsection 3 of § 8 and subsection 3 of § 9 of this Act for receiving reports of breaches, for giving feedback to the reporting person and for following up ensures confidentiality of the fact of reporting of breaches. The identity of the reporting person may only be disclosed with the written consent of the person.

 (2) If criminal proceedings are commenced on the basis of a report of breaches, the confidentiality of the fact of reporting will be ensured with the special rules provided in the Code of Criminal Procedure.

 (3) In the event of reporting of breaches, the person designated for receiving and following up on reports of breaches ensures that the content of the report is only used for follow-up purposes.

§ 15. Processing of personal data

 (1) Personal data, including special categories of personal data, collected pursuant to this Act or legislation issued on the basis thereof are processed in order to ensure protection upon reporting breaches of European Union law that have become known in the context of work-related activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1–88) and the Personal Data Protection Act, taking into account the special rules of this Act.

 (2) Upon processing of personal data on the basis of this Act, the controller restricts the rights of the data subject if this is necessary for ensuring the confidentiality of the reporting person.

§ 16. Prohibition of retaliation

 (1) Any direct or indirect work-related act or omission which is prompted by reporting and causes or may cause unjustified detriment to the reporting person is prohibited in relation to the reporting person. Retaliation, an attempt and threat thereof are prohibited.

 (2) If a reporting person suffers retaliation and establishes that they reported breaches, it is deemed that the retaliation was suffered due to the reporting unless the perpetrator of retaliation established that it was justified.

§ 17. Exclusion of liability of reporting persons

 (1) In the event of reporting of breaches on the grounds provided in this Act, the reporting person does not incur liability in respect of the legal consequences arising from the disclosure of information provided that they had reasonable grounds to believe that the disclosure of information was necessary for revealing a breach, unless such disclosure of information is punishable as a criminal offence. The disclosure of a trade secret under the same circumstances is considered lawful.

 (2) The reporting person does not incur liability in respect of obtaining access to information for reporting purposes unless obtaining such access to information is punishable as an offence.

Chapter 4 Liability 

§ 18. Hindering reporting of breaches

 (1) Hindering the reporting of breaches
is punishable by a fine of up to 300 fine units.

 (2) The same act, if committed by a legal person,
is punishable by a fine of up to 100,000 euros.

 (3) An attempted misdemeanour provided in subsection 1 of this section is punishable.

§ 19. Retaliation

 (1) Retaliation against reporting persons
is punishable by a fine of up to 300 fine units.

 (2) The same act, if committed by a legal person,
is punishable by a fine of up to 100,000 euros.

 (3) An attempted misdemeanour provided in subsection 1 of this section is punishable.

§ 20. Breach of confidentiality of reporting persons

 (1) A breach of the duty of maintaining the confidentiality of the reporting person
is punishable by a fine of up to 300 fine units.

 (2) The same act, if committed by a legal person,
is punishable by a fine of up to 100,000 euros.

§ 21. Reporting knowingly false information

  Internal or external reporting or public disclosure by the reporting person of knowingly false information if there are no necessary elements of an offence provided in § 319 of the Penal Code
is punishable by a fine of up to 300 fine units.

§ 22. Proceedings

 (1) The out-of-court proceedings authority for the misdemeanours specified in §§ 18–21 of this Act is the Police and Border Guard Board.

 (2) If the Estonian Internal Security Service ascertains a misdemeanour specified in §§ 18–21 of this Act in the course of offence proceedings, the out-of-court proceedings authority will be the Estonian Internal Security Service.

Chapter 5 Implementing Provisions 

§ 23. Application of clause 3 of subsection 2 of § 8 of this Act

  Clause 3 of subsection 2 of § 8 of this Act applies to legal persons with 50–249 employees as of 1 January 2025.

§ 24. – § 30. [Omitted from this text.]

§ 31. Entry into force of Act

  This Act enters into force on 1 September 2024.


¹ Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (OJ L 305, 26.11.2019, p. 17–56);
Directive (EU) 2024/1226 of the European Parliament and of the Council on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673 (OJ L, 2024/1226, 29.4.2024).
[RT I, 17.05.2025, 1 - entry into force 18.05.2025]
