A law of 16 May 2023 now protects people who report a breach of the law in a professional context.

Please note: This law does not affect the rules relating to the exercise by employees of their right to consult their representatives or their trade unions, and to protection against any unjustified prejudicial measure arising from such consultation, as well as the autonomy of the social partners and their right to conclude collective agreements.

Legal basis

What types of reports are covered?

This covers reports of breaches of the law in a professional context, whether in the context of an ongoing, upcoming or terminated employment relationship.

What can be reported?

“Breaches”, i.e. acts or omissions can be reported that:

  • are unlawful; or
  • go against the object or purpose of directly applicable national or European legal rules.

The whistleblower may provide “information on breaches”, i.e. information including reasonable suspicion, concerning actual or potential breaches which have occurred or are very likely to occur in the organisation in which the whistleblower works or has worked or in another organisation with which the whistleblower is or has been in contact in the course of his or her work, and concerning attempts to conceal such breaches.

Who can report a breach?

Any person who has obtained information about breaches in a professional context, such as:

  • an employee;
  • a public servant;
  • a self-employed;
  • a shareholder or member of company’s administrative, management or supervisory body of a company;
  • a volunteer;
  • a trainee;
  • an employee of a co-contractor, a subcontractor or a supplier.

Who is protected by law?

The law protects:

  • the whistleblower;
  • the facilitator, i.e. the physical person who assists a whistleblower during the process of the signatory in a professional context and whose assistance should be confidential;
  • third parties who are connected to the whistleblowers and who are at risk of retaliation in a professional context, such as colleagues or relatives of the whistleblowers, and
  • legal entities belonging to the whistleblowers or for which they work, or with which they are connected in a professionnal context.

What are the legal requirements for protection?

Whistleblowers are protected by law under the following conditions:

  • they had reasonable grounds to believe that the information reported on the breaches was true at the time of reporting and that this information is within the scope of the law; and
  • whether they made a report either internally or externally, or made a public disclosure (see explanation below).

Persons who have reported or disclosed information on breaches anonymously, but who are subsequently identified and subject to retaliation, also benefit from the protection provided by law as long as they meet the conditions provided for above.

Persons who report breaches to the competent institutions, bodies, offices or agencies of the European Union enjoy the protection provided by law under the same conditions as persons who make an external reporting.

What are the different reporting types provided for by law?

The law distinguishes between reports made through internal reporting channels, reports made through external reporting channels to the competent authorities, and public disclosures.

Internal and external reporting to the competent authorities

Internal reporting

Reporting breaches internally must, according to the law, be the preferred procedure when it is possible to effectively remedy the breach internally and there is no risk of retaliation.

This means that the breach should preferably be reported to the designated person or structure within the company or organisation concerned.

To make a report to the CSL, click here.

External reporting

The authorities listed below are responsible for receiving reports made through external reporting channels, providing feedback and following up on the reports.

Depending on the issue in question, these authorities are competent:

  1. Financial Sector Supervisory Commission
  2. Supervisory Authority for the Insurance Sector
  3. Competition Authority
  4. Registration Duties, Estates and VAT Authority
  5. Inspectorate of Labour and Mines
  6. National Data Protection Commission
  7. Centre for Equal Treatment
  8. Ombudsman in the context of his task of external control of places where there are persons deprived of liberty
  9. Ombudsman for children and youngsters
  10. Luxembourg Regulatory Institute
  11. Luxembourg Independent Audiovisual Authority
  12. Luxembourg Bar association and Diekirch Bar association
  13. Chamber of Notaries
  14. Medical board
  15. Nature and Forest Agency
  16. Water Management Agency
  17. Air Navigation Administration
  18. National service of the Mediator of consumption
  19. Order of Architects and Consulting Engineers
  20. Order of Chartered Accountant
  21. Luxembourg Institute of Registered Auditors
  22. Luxembourg Inland Revenue

Each of these authorities must put in place the reporting procedure to be used when reporting to it.

In the performance of their respective duties, these authorities may request, in writing, from the reporting entity or in the event of breach of obligations with respect to internal reporting channels, the disclosure of any information they deem necessary, while ensuring the confidentiality of the identity of the whistleblower.

The competent authorities referred to in points 1°, 2°, 4°, 6°, 12°, 13°, 14°, 19°, 20°, 21° and 22° above may impose an administrative fine on natural and legal persons :

  • who obstruct or attempt to obstruct a report;
  • who refuse to provide the information required or provide incomplete or false information;
  • who violate the confidentiality enjoyed by the whistleblowers;
  • who refuse to remedy the breach observed;
  • who fail to establish the channels and procedures for internal reporting and follow-up required by law.

Where the alert falls within the remit of one of the competent authorities referred to in points 3°, 5°, 7°, 8°, 9°, 10°, 11°, 15°, 16°, 17° and 18° above, these authorities will, after examination, communicate it to the Reporting office, which may impose an administrative fine on natural and legal persons:

  • obstructing or attempting to obstruct a report;
  • who refuse to provide the information requested, or provide incomplete or false information;
  • who violate the confidentiality enjoyed by the whistleblowers;
  • who refuse to remedy the breach observed;
  • who fail to establish channels and procedures for internal reporting and follow-up required by law.

The fine can range from €1 500 to €250 000. The maximum fine may be doubled in the event of a repeat offence within 5 years of the last penalty becoming final.

The Reporting Office, which will be set up in December 2023, is responsible in particular for assisting a whistleblower to make his or her internal or external report.

Competent authorities that receive a report that does not fall within their area of competence shall transmit the report confidentially and securely to the competent authority within a reasonable period of time. The latter shall inform the whistleblower without delay of the report of this transmission.

Competent authorities are obliged to:

  • acknowledge receipt of reports promptly and within seven days of receipt of the report, unless the author of the report expressly requests otherwise or unless the competent authority has reasonable grounds to believe that acknowledging receipt of the report would compromise the protection of the identity of the author of the report;
  • ensure diligently following up of reports;
  • provide the author of the report with feedback within a reasonable period of time not exceeding three months, or six months in duly justified cases;
  • inform the whistleblower of the final outcome of the action taken in response to the report, subject to information falling within the scope of a legally sanctioned obligation of secrecy;
  • forward the information contained in the report to the competent EU institutions, bodies, offices or agencies in good time.

The competent authorities, after duly considering the matter, may decide that a reported breach is manifestly minor and does not require any further follow-up other than the closure of the procedure, without prejudice to other applicable obligations or procedures aimed at remedying the reported breach.

The competent authorities shall notify the whistleblower of their decision and the reasons for it.

The competent authorities may decide to close the procedure in the event of repeated reports which do not contain any significant new information in relation to the previous report on which the relevant procedures were closed, unless new legal or factual elements justify a different follow-up.

To the extent necessary to carry out their respective tasks under this law, the competent authorities shall cooperate and provide mutual assistance.

Rules common to internal and external reports – Duty of confidentiality

The identity of the whistleblower shall not be disclosed without the express consent of the latter to any person other than than authorized personnel competend to receive or follow up on reports. This also applies to any other information from which the identity of the whistleblower may be directly or indirectly inferred.

By way of derogation, the identity of the whistleblower and any other information relating to the report may be disclosed only where it is a necessary and proportionate obligation imposed by the amended law of 8 June 2004 on freedom of expression in the media or by European Union law in the context of investigations carried out by national authorities or in the context of legal proceedings, in particular with a view to safeguarding the rights of defence of the person concerned.

However, in this case, the wisthleblowers shall be informed before their identity is disclosed, unless such information risks compromising the relevant investigations or legal proceedings concerned. When notifying whistleblowers, the competent authority shall provide them with a written explanation of the reasons for the disclosure of the confidential data concerned.

Competent authorities receiving information on breaches that involve trade secrets shall not use or disclose such trade secrets for purposes beyond what is necessary to ensure appropriate follow-up.

Public disclosures

A person who makes a public disclosure of a breach is protected by law if any of the following conditions are met:

  • the person has first made an internal and external report, or directly made an external report, but no appropriate action has been taken in response to the report within the legal period;
  • the person has reasonable grounds for believing that:
    • the breach may represent an imminent or obvious danger to the public interest, such as where there is an emergency situation or a risk of irreversible harm; or
    • in the case of external reporting, there is a risk of retaliation or the breach will be effectifely remedied, due to the particular circumstances of the case, such as where evidence may be concealed or destroyed or where an authority may be colluding with or implicated in the breach.

What protection is there for whistleblowers?

Prohibition of retaliation

All forms of retaliation, including threats and attempts of relatiation, are prohibited against people because of their reporting. In particular, the following are prohibited:

  • suspension of an employment contract, lay-off, dismissal, non-renewal or early termination of a fixed-term employment contract or equivalent measures;
  • downgrading or refusal of promotion;
  • transfer of duties, change of place of work, reduction in salary, change in working hours;
  • suspension of training;
  • disciplinary measures imposed or administered, reprimand or other sanction, including a financial penalty;
  • failure to convert a temporary employment contract into a permanent contract, where the employee had a legitimate expectation of being offered permanent employment;
  • coercion, intimidation, harassment or ostracism;
  • discrimination, disadvantageous or unfair treatment;
  • negative performance evaluation or work attestation;
  • prejudice, including damage to the individual’s reputation, particularly on social networks, or financial loss, including loss of business and loss of income;
  • blacklisting on the basis of a formal or informal agreement at sector or industry level, which may mean that the individual will not be able to find future employment in the sector or industry;
  • early termination or cancellation of a contract for goods or services;
  • cancellation of a licence or permit;
  • referral for psychiatric or medical treatment.

The prohibitions set out above also apply, where applicable, to:

  • facilitators, i.e. natural persons who assist a whistleblower during the reporting process in a professional context and whose assistance should be confidential;
  • third parties who are in contact with whistleblowers and who are at risk of retaliation in a professional context, such as colleagues or relatives of whistleblowers.

Retaliation under points 1 to 6, 12 and 13, if implemented, shall automatically be null and void.

The protected person may request, within 15 days following the notification of the measure, through an introductory act, that the competent jurisdiction declares the nullity of the measure and orders its cessation.

The person who has not invoked the nullity of the measure or who has invoked it and, where applicable, obtained nullity, may still bring a legal action for compensation for the damage suffered.

In the context of proceedings before a court or a competent authority concerning damage suffered by the whistleblower, and provided that the latter establishes that he or she has issued a report or made a public disclosure and that he or she has suffered damage, it shall be presumed that the damage was caused in retaliation for the report or public disclosure. In this case, the person who took the prejudicial action is responsible for establishing the grounds on which the action was taken.

Protection against retaliation

When persons report information about breaches or make a public disclosure, they shall not be considered to have breached any restriction on disclosure of information and shall not incur liability of any kind in respect of such reporting or public disclosure provided that they had reasonable grounds for believing that the reporting or public disclosure of such information was necessary to reveal a breach. Termination of proceedings shall not affect any other applicable obligations or procedures to remedy the reported breach.

Whistleblowers shall not incur any liability in respect of the obtaining of, or access to, information which is reported or publicly disclosed, provided that such obtaining or access does not constitute a separate criminal offence.

In legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules or disclosure of trade secrets, or for claims for compensation based on private law, public law or collective labour law, whistleblowers shall not incur any liability as a result of reports or public disclosures.

These persons have the right to invoke this report or public disclosure to request discontinuance of proceedings, provided that they had reasonable grounds for believing that the report or public disclosure was necessary to reveal a legal breach.

A fine of between €1,250 and €25,000 will be imposed on those who retaliate or bring abusive proceedings against whistleblowers.

But beware: the whistleblower who knowingly reported or publicly disclosed false information may be subject to a prison sentence of between eight days and three months and a fine of between €1,500 and €50,000.

The whistleblower who makes a false report may be held civilly liable. The entity that has suffered damage may seek compensation before the competent court.