Eu Whistleblower Protection

Protection of whistleblowers in the European Union

Starting with December 2023, Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law will be in effect across all member states, most of which have already adopted internal laws for the transposition of the Directive.

Based on the Directive’s provisions, legal entities with more than 50 employees or an annual turnover of more than 10 million euros are required to implement effective internal reporting channels that ensure the protection of whistleblowers. 

  1. Scope of regulation

Directive (EU) 2019/1937 sets out to guarantee a high level of protection for whistleblowers who report breaches of EU law that they observed in a professional context.

At least the following categories fall under the protection of the new regulation:

  • Employees;
  • Individuals engaged in independent activities;
  • Shareholders and individuals serving on the management, executive, or supervisory bodies of an enterprise, including non-executive members of the board of directors, as well as paid or unpaid volunteers and interns;
  • Any person working under the supervision and direction of a natural or legal person with whom they have entered into a contract, subcontractors, and suppliers thereof;
  • Individuals whose employment relationships have not yet begun and who make reports through internal or external reporting channels or disclose information about legal violations obtained during the recruitment process or other pre-contractual negotiations, or when the employment or service relationship has ended;
  • Persons who report or disclose information about legal violations anonymously.

Correspondingly, the Directive sets out several obligations for public and private legal entities, requiring them to:

  • establish accessible internal reporting channels that ensure the protection of the whistleblower;
  • set out clear reporting and whistleblower protection procedures;
  • hold records related to internal reports filed and their follow-up;
  • provide information/training sessions for their employees.
  1. Aspects subject to reporting

Are subject to reporting all actions or omissions that constitute breaches of the EU/national law applicable in areas such as:

  • Public procurement;
  • Services, products, and financial markets, as well as the prevention of money laundering and terrorist financing;
  • Product safety and compliance;
  • Transportation safety;
  • Environmental protection;
  • Radiological protection and nuclear safety;
  • Food safety and animal feed, animal health, and welfare;
  • Public health;
  • Consumer protection;
  • Protection of private life and personal data, and the security of networks and information systems.

Information regarding legal violations consist of information, including reasonable suspicions, regarding actual or potential legal violations that have occurred or are likely to occur within government authorities, public institutions, or other public legal entities, as well as within private legal entities where the whistleblower works or has worked or has been in contact with through their activities, as well as information regarding attempts to conceal such violations.

  1. Reporting channels

Internal reporting involves the oral or written communication of information regarding legal violations through internal reporting channels established by employers. Internal reporting channels may be operated by a person or department designated for that purpose by the employer or provided externally by a third party contracted by the employer with this specific purpose.

The following private legal entities have the obligation to establish internal reporting channels, as well as to hold records of reporting and follow-up by December 2023:

  • Companies with at least 50 employees must identify or establish internal reporting channels and establish procedures for internal reporting and subsequent actions.
  • Companies with between 50 and 249 employees may group together and share resources for receiving reports regarding legal violations and subsequent actions.
  • Companies operating in the specific sectors expressly and exclusively listed in Parts I.B and II of the Annex to the Directive have the obligation to establish internal reporting channels regardless of the number of employees.

External reporting involves the oral or written communication of information regarding legal violations through external reporting channels organized by the member states.

  • External reporting channels are operated by public authorities and institutions that are appointed by the member states to receive and handle reports regarding legal violations.
  • In the absence of internal reporting channels for private legal entities with fewer than 50 employees, whistleblowers who make reports regarding legal violations may use external channels.
  • The external reporting channels are also available to whistleblowers who have used an internal reporting channel but are not pleased by the outcome of the employer’s actions.

Public disclosure is also recognized as a last resort option for the whistleblower who:

  • has first reported internally and/or externally, but no appropriate action was taken in response to the report;
  • has reasonable grounds to believe that (i) the breach observed may constitute an imminent or manifest danger to the public interest (such as where there is an emergency situation or a risk of irreversible damage) or (ii) there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case.
  1. Protective measures

Whistleblowers are protected by law against all acts of retaliation, as well as threats of retaliation and attempts of retaliation.

Member states should also have in place effective support measures, in particular the following:

  • comprehensive and independent information and advice, which is easily accessible to the public and free of charge, on procedures and remedies available, on protection against retaliation, and on the rights of the person concerned;
  • effective assistance from competent authorities before any relevant authority involved in their protection against retaliation;
  • legal aid in criminal and in cross-border civil proceedings in accordance with Directive (EU) 2016/1919 and Directive 2008/52/EC of the European Parliament and of the Council, and, in accordance with the applicable national law, legal aid in further proceedings and legal counselling or other legal assistance.

To benefit from protective measures, whistleblowers must meet the following conditions cumulatively:

  • be one of the individuals making reports and who has obtained information about legal violations in a professional context;
  • have had reasonable grounds to believe that the information regarding the reported violations was true at the time of reporting;
  • have made an internal report, an external report, or a public disclosure;
  • be subject to reprisals as a direct consequence of reporting a breach of law under the provisions of Directive (EU) 2019/1937.

The protective measures also apply to:

  • facilitators;
  • third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons;
  • legal entities that the reporting persons own, work for or are otherwise connected with, in a work-related context.
  1. Sanctions

Sanctions for whistleblowers:

  • Filing a report in bad faith is sanctionable and the whistleblower in this case might even be held to compensate for the damage resulting from such reporting or public disclosure, in accordance with the applicable national law.

Sanctions are also applicable for employers and individuals involved in internal reporting that:

  • hinder or attempt to hinder reporting;
  • retaliate against the persons for which the Directive imposes protective measures;
  • bring vexatious proceedings against protected persons;
  • breach the duty of maintaining the confidentiality of the identity of reporting persons;

For additional information, please contact us at , the APTIQ Legal team is at your disposal.

Read More


Current legislative procedures of the European Parliament: AI Law:
 One step closer to first rules for artificial intelligence

In order to guarantee a human-centric and ethical development of artificial intelligence (AI), the European Parliament has approved new transparency and risk management rules for AI systems.

On May 11, the Internal Market Committee and the Civil Liberties Committee in Strasbourg adopted the draft negotiating mandate for the first rules on artificial intelligence with 84 votes in favour, 7 against and 12 abstentions. In their amendments to the Commission’s proposal , MEPs want to ensure that AI systems are human-monitored, safe, transparent, accountable, non-discriminatory and environmentally friendly. They also want a unified and technology-neutral definition of AI so that it can apply to the AI ​​systems of today and tomorrow.

Risk-Based Approach to AI – Prohibited AI Practices

The regulations follow a risk-based approach and set out obligations for providers and users based on the level of risk that AI can create. AI systems that pose an unacceptable risk to human safety would be strictly prohibited. This includes systems that employ subliminal or intentionally manipulative techniques that exploit people’s vulnerabilities or are used for social scoring (classifying people based on their social behavior, socioeconomic status, or personal characteristics).

MEPs significantly amended the list to include bans on intrusive and discriminatory uses of AI systems, such as:

  • Real-time biometric recognition systems in public spaces;
  • ex post biometric recognition systems, with the sole exception of law enforcement agencies for the purpose of prosecuting serious crimes and only with judicial approval;
  • biometric categorization systems using sensitive characteristics (e.g. gender, race, ethnicity, nationality, religion, political orientation);
  • predictive police systems (based on profiling, location or past criminal behavior);
  • systems for detecting emotions in law enforcement, border protection, the workplace and educational institutions; and
  • indiscriminate reading of biometric data from social media or video surveillance recordings to create facial recognition databases (violation of human rights and the right to privacy).

High Risky AI

MEPs have expanded the classification of high-risk areas to include health, safety, fundamental rights and the environment. by social media platforms (with more than 45 million users according to the Digital Services Act) to the list of high-risk areas. They also added AI systems for influencing voters in political campaigns and in recommendation systems used

General Purpose AI – Transparency Measures

MEPs included commitments for providers of foundation models – a new and rapidly evolving area of ​​AI – to ensure robust protection of fundamental rights, health and safety, the environment, democracy and the rule of law. They would have to assess and mitigate risks, comply with design, information and environmental requirements and register in the EU database.

Generative foundation models like GPT would have to meet additional transparency requirements and, for example, disclose that the content was generated by AI. Models would also have to be designed in such a way that no illegal content would be generated and no summaries of copyrighted data would be published.

Promoting innovation and protecting citizens’ rights

To encourage AI innovation, MEPs included exceptions for research activities and AI components under open-source licenses in the regulations. The new law encourages regulatory sandboxes, or controlled environments, set up by public authorities to test AI before it is deployed.

MEPs want to strengthen citizens’ rights to lodge complaints about AI systems and to receive explanations about decisions based on high-risk AI systems that significantly affect their rights. MEPs also recast the role of the EU’s artificial intelligence agency, which will be tasked with overseeing the implementation of the AI ​​rulebook.

Next Steps

Before negotiations can begin with the Council on the final form of the law, the draft negotiating mandate must be approved by the full Parliament; the vote is expected at the June 12-15 session.

Read More
Gdpr Aptiq Art

GDPR – Right to copy may also include excerpts from documents or even entire documents

GDPR – Right to copy may also include excerpts from documents or even entire documents
[ECJ decision of 4 May 2023 (Case C300/21)]

Within the scope of the GDPR right to information according to Art. 15 Para. 3 Sentence 1, data subjects can receive a copy of processed personal data. However, in a legal dispute in Austria, the Federal Administrative Court remained unclear as to exactly what this right encompasses. The question was whether the envisaged obligation – to provide a “copy” of the personal data – is already fulfilled if the controller transmits the personal data as a table in an aggregated form, or whether this obligation also includes the transmission of extracts from documents or even entire documents as well as extracts from databases in which this data is reproduced.

The ECJ interprets the provision of Art. 15 Para. 1 S. 1 GDPR in such a way that the data subject must be provided with a faithful and understandable reproduction of all his processed personal data. That right implies that a copy of extracts from documents or even entire documents or extracts from databases containing, inter alia, contain his data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him by the GDPR. In doing so, the rights and freedoms of others must be taken into account, i. H. in the event of a conflict, a balance must be struck between a data subject’s right to full access and the rights or freedoms of others. However, this should not lead to the data subject being denied any information.
In addition, the ECJ explained that the term “information” in Art. 15 Para. 3 S.3 GDPR only covers the personal data from which the person responsible for processing according to Art. 15 Para. 3 S. 1 GDPR GMO must provide a copy. This does not include the information specified in Art. 15 (1) (a) to (h) GDPR or even additional information such as data metadata.

In the initial legal dispute, the plaintiff requested information from a credit reporting agency in accordance with Art. 15 GDPR about the processed personal data relating to him. The credit agency then sent the plaintiff an aggregated list of his personal data that was the subject of the processing. Since the plaintiff was of the opinion that the credit agency should have sent him a copy of all documents containing his data, such as e-mails and extracts from databases, he lodged a complaint with the Austrian data protection authority, which was unsuccessful stayed.

The Federal Administrative Court, which subsequently dealt with the matter, then submitted a request for a preliminary ruling to the ECJ on the interpretation of Art. 15 Para. 3 S. 1 GDPR and also asked for clarification as to what the term “information” in Art. 15 Para. 3 p. 3 GDPR.

The decision will raise questions in practice, e.g. when a document or a database as a whole is to be regarded as personal data and when at the same time the rights and freedoms of others conflict. One will also have to deal with the question of how the requirements of Article 12 (1) GDPR can be met at the same time, because according to this, the information to be transmitted in an “intelligible form”.

The APTIQ Global legal and compliance consultants have many years of practical experience in the field of data protection law and are happy to support you with all data protection challenges.

Read More
Umrug Aptiq

Transformation Directive (UmRUG) implemented

Transformation Directive (UmRUG) implemented by Andreas Ludl


The Act on the Implementation of the Conversion Directive was originally scheduled to come into force in January 2023, after the Federal Cabinet had adopted the draft law on the Conversion Directive (EU) 2019/2121 on 6 July 2022. After a tough legislative process, the law transposing the Transformation Directive finally came into force last week – the Bundestag has decided on the draft law on 20 January 2023. The Act essentially entered into force on 1 March 2023.

The regulations for cross-border conversions are found in a newly inserted sixth book of the Act. The regulations on cross-border mergers – previously regulated in §§ 122a et seq. UmwG – also move there. In addition to the cross-border merger (§§ 305 ff. UmwG n.F.), the cross-border demergers (§§ 320 ff. UmwG n.F.) and the cross-border change of legal form (§§ 333 ff. UmwG) are regulated there.

The essential basic principles are as follows:

·                Right of withdrawal against cash compensation (in the case of mergers, demergers and changes of legal form).

·                Right to improvement of the exchange ratio (in the case of mergers and demergers).

·             Exclusion of the right of rescission with regard to valuation complaints (in the case of mergers, demergers and changes of legal form). The valuation complaint is rather to be asserted in the adjudication proceedings. The appraisal proceedings will be available to both groups of minority shareholders, thus ending the different legal protection for minority shareholders of the transferring and the acquiring company.

Not only in the case of cross-border conversions but also in the case of purely domestic mergers, demergers and changes of legal form, public limited companies are also granted the possibility to compensate for necessary adjustments of the exchange ratio not only by an additional cash payment but also by granting additional shares. This possibility considerably improves the liquidity protection of the legal entity otherwise affected by an additional payment obligation.

The protection of creditors has been increased compared to the previous national conversion in Germany and the previous cross-border mergers pursuant to §§ 122a UmwG in the previous version. Upon request, the transferring company must provide security to entitled creditors prior to the registration of the cross-border conversion. Creditors can block the registration if they sue for security.

The role of the registry courts is strengthened by the UmRUG in cross-border conversions. This relates in particular, but not only, to the abuse test. A preliminary certificate is issued on the examination as a basis for further proceedings abroad. Europe-wide exchange of register courts – In the case of cross-border conversions, the legality control is (still) carried out in two stages (with the first control stage in the source state and the second control stage in the target state). The procedure for the preliminary certificate in Germany as the source state is partially restructured by the UmRUG. In future, the preliminary certificate must be sent directly to the competent control authority in the destination state via the Business Registers Interconnection System (BRIS). With regard to the newly introduced abuse control, it is clarified that no preliminary certificate has to be issued in cases of abusive conversions.

Amendment of the rulings procedure. A large number of changes have also been made to the appraisal procedure (including rules for improved cooperation between the appraisal panels involved to avoid divergent decisions in cross-border conversions; the introduction of a general obligation to be represented by a lawyer; the admissibility of a pleading settlement and a majority-consensual appraisal; and the introduction of a requirement to state reasons for appeals).

With the exception of the cross-border merger, which has already been codified, forms of cross-border transformations will now be regulated by law, thus creating more legal certainty.

The new UmRUG adds further legal tools to the previous options. Cross-border transformations therefore have new opportunities – this applies especially to the transfer of individual parts of companies or business divisions that are to be transferred to other EU countries.

The APTIQ Global legal team is happy to support you with all related challenges.

Read More
Gdpr Artic

Email advertising – GDPR consent requirements

Email advertising – GDPR consent requirements  – by Andreas Ludl

The requirements for the legally correct data protection consent in newsletters and other advertising measures are repeatedly the subject of court decisions. The higher regional court in Hamm recently dealt with this issue and tightened the requirements –

In the case to be decided, an online retailer wanted quasi consent for all advertising purposes.<br>

In addition to typical advertising emails (newsletters), his customers also received personalized advertising tailored to purchases they had already made.

Although the plaintiff had revoked his consent, the court took the case as an opportunity to carry out an in-depth examination of whether consent could actually be valid if consent was obtained for several advertising purposes in a non-transparent manner.

The starting point here is always competition law. According to this, such business activities are to be rated as unreasonable harassment if they take place without express consent. The requirements for such consent lead to data protection law. The requirements are standardized in Art. 4 No. 11 GDPR:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

In the court’s view, the clarity of the consent was problematic in the present case, since the declaration of consent must clearly state which specific categories of advertising measures the consent applies to. If these requirements are not met, the consent is deemed not to have been given and the advertising sent is therefore unlawful as unreasonable harassment.

According to the judgment of the court, two essential requirements for declarations of consent must be observed. On the one hand, it must be clear which specific advertising measures are to be covered by the consent. On the other hand, the purpose of the advertising measures must be described sufficiently clearly.

A careful design of declarations of consent in advertising measures is therefore always recommended.

The APTIQ Global legal and compliance consultants have many years of practical experience in the field of data protection law and are happy to support you with all data protection challenges.

Read More
Trust Large

Trust Services in Italy: what a trust is, how does it work and why it’s an useful vehicle for sustainable wealth preservation and growth

The trust is an institution of the common law legal system that can regulate a multiplicity of legal and financial relations. The trust has entered the Italian legal system when Italy became a party of the International Convention of The Hague on 1st July 1985, in force in Italy from 1st January 1992. In this regard, the trust has been strengthened by large series of Court decisions on the importance of this legal instrument.


Trust can be seen as a mandate through which a manager is appointed, the “trustee”, to follow instructions on how to hold and manage the trust fund, which can be composed by different types of assets, like real estate, financial instruments, shares, credits, arts etc. The aim of a trust is written in the deed of trust and it’s directed to satisfy the needs of the “beneficiaries” (individuals, companies, charitable entities etc.). Who formally establishes a trust is known as the “settlor”.

The most important effect of a trust is the separation between the personal assets of the settlor and the trust fund, so that the trust fund is protected by debtors and insolvency of the Settlor and also by any charges belonging to the trustee.

If the main positive effect of the establishment of a trust is the complete protection of the assets under a trust, we can also add the flexibility of management in a medium and long term so that families and corporations can plan the generational transition. And also, planning the generational transition for the successors could also mean optimizing the fiscal effects.


Trusts can take effect during the lifetime of the settlor or after the death of the settlor, and that means that it is important to establish now the rules for the future.


The purposes of a settlor can be various, in particular: the management and the protection of family assets from the bad events of life and business; the management and the protection of assets for minors and people with disadvantages; the planning of inheritance; the management of a company or a group of companies, acting with a trust as a holding entity; protect the voting syndicates in the companies; the management of M&A transaction, instead of an escrow contract; the management of charitable assets, using the fiscal advantages that in Italy are reserved to these kind of projects.

The use is wide and more purposes can be imagined because the trust is the most flexible fiduciary system we can find in different jurisdictions.

What we do for our Clients that need a wealth planning consultancy is an analysis of the most efficient instruments to use for their needs. If we find the trust well-fitting, we start with a tailor-made project, constantly shared with the client, implemented and improved through the drafting of the specific clauses, with an important focus on previous Court decisions, to guarantee the client the safety of a highly effective tool.


Not only consultancy but also managing: we also act as the trustee, as responsible in charge for the management of assets; co-trustee, in the case of a collective body, together with other trustees; or as a Protector, to overview that the trustee is acting in respect of the law and the deed of trust.


What we offer is not a standard formula but a consultancy that comes from the fact that everyone of us has been working on managing assets (money, real estate, arts, shares) for several years.

We are independent from bank and other financial institutions in order to avoid any conflicts, that is one of the cornerstones of the trust in our Italian fiscal-juridical system.

Read More