Luxembourg - Whistleblowing Laws in Europe: An international guide

Por

1) Local Laws

a) Has the country implemented any laws / regulations on whistleblowing (Local Law)?

While current legislation in Luxembourg has been a huge step forward, it still lacks key elements such as definitions of whistleblowing and of a whistleblower; there is no general provision on whistleblowing under Luxembourg law. Despite this, CAA/CSSF Procedures (as defined below) have established standards and created market practice within credit institutions and (re-)insurance companies, while other sector-specific regulations and procedures fill in other gaps.

The EU Directive will be transposed into Luxembourg law by December 17, 2021 at the latest.

Two situations may apply for the moment and before the transposition of the EU Directive):

  • Companies covered by the CAA/CSSF Procedures or one of the other procedures mentioned below have to implement a whistleblowing system, or could face penalties.
  • Luxembourg companies not covered by these procedures may opt-in to implement a whistleblowing policy.

CSSF and CAA Procedures

These whistleblowing procedures can be used either by customers or (former) employees of (re-)insurance companies and/or financial institutions and other regulated entities.

The first procedure is the Luxembourg Insurance Regulator (Commissariat aux Assurances, CAA Procedure). A form is available on the website CAA.lu for the following reports:

  • Under article 4, letter o) of the law of December 7, 2015, on the insurance sector, as amended.
  • Under article 8-3 of the law of November 12, 2004, on the fight against money laundering and terrorist financing, as amended (AML Law).

The second procedure is the Luxembourg Supervision Commission of the Financial Sector (Commission de Surveillance du secteur financier, CSSF Procedure), as mentioned in the Circular CSSF 12/552 as amended by Circulars CSSF 13/563, 14/597, 16/642, 16/647 and 17/655 (Circular CSSF 12/552). The law of 5 April, 1993 on the financial sector, as amended (LFS), states in its Articles 5 (1a) and 17 (1a) that credit institutions and PFS must have robust “internal governance arrangements” in place, including internal reporting procedures.

For both procedures, current and former employees of an insurance company/one of the above financial institutions can report directly to the CAA or CSSF. Both emphasise that employees should first follow their own internal procedures if they exist and otherwise follow the procedure of the CAA described on its website. The CAA/CSSF will consider a whistleblower’s report if they have not first tried to raise the concern internally but the CSSF strongly encourages employees to report internally in the first instance.

Regarding the information to be provided to the CAA/CSSF, the whistleblower must have reasonable grounds to believe the information and any allegations it contains are substantially true and genuine. They can provide hard evidence by attaching documents to their report. In the case of an anonymous disclosure, supporting documentation must be provided. The CAA further specifies that it needs the name and contact details of the whistleblower to facilitate the processing of information and to allow the CAA to contact the whistleblower in case of additional questions.

2011 Law

Whistleblowing has been enacted by the law of February 13, 2011, strengthening the means to fight against corruption and amending the Luxembourg Labour Code, the Code of criminal procedure, the Criminal Code, the law dated April 16, 1979 determining civil servants’ status and the law dated December 24, 1985 determining local civil servants’ status (2011 Law).

There is no general obligation in the 2011 Law for private individuals to denounce criminal offences known to them.

MAL

Article 8(1) of the law of 23 December, 2016 on market abuse, as amended (MAL) refers to an Annex specifically dedicated to whistleblowing (MAL Annex). The MAL specifies that the CSSF shall assign dedicated members of its staff to handle reports of infringements (as defined in the MAL) and that employers carrying out activities regulated by service regulations must put in place appropriate internal procedures allowing their staff to report any breach of the MAR. An external reporting channel through the CSSF is also available.

The MAL includes information obligations: the CSSF shall publish on its website in a separate, easily identifiable and accessible section the information regarding the receipt of reports of infringements set out in paragraph 2 of point IV of the MAL Annex. The CSSF can also publish more detailed information. In addition, the CSSF and the Labour and Mines Inspectorate (Inspection du Travail et des Mines) shall:

  • Establish common procedures detailing the exchange of information and the co-operation for the protection of employees who report infringements of the MAR to the CSSF, or are accused of such infringements, against retaliation, discrimination and other types of unfair treatments arising in connection with such infringements reporting.
  • Ensure at least the following:
    • Reporting persons have access to comprehensive information and advice on the remedies and procedures available under Luxembourg law to protect them against unfair treatment, including on the procedures for claiming pecuniary compensation; and
    • Reporting persons have access to assistance from the CSSF before any relevant authority involved in their protection against unfair treatment, including by certifying the condition of whistleblower of the reporting person in employment disputes.

Labour Law

Articles L.271-1 and L.271-2 of the Luxembourg Labour Code aim to protect workers who report breaches in the areas of corruption, influence peddling and unlawful taking of interest regarding their colleagues, their employer or any senior in rank, as well as external persons (e.g. clients or service providers). The employee is protected against reprisals such as an employment termination for having reported such breach in good faith. In case of a litigation, where an employee establishes such illegal termination or other reprisals resulting from the said breach, the employer has the burden of proof to convince the court that the reprisals were justified by other objective elements rather than related to whistleblowing.

Criminal Code

Article 140 of the Luxembourg Criminal Code provides that any person having knowledge of a crime, which could still be averted or limited in its effects, or whose authors are prone to commit other crimes which could be prevented, is required to inform the judicial or administrative authorities e.g. public prosecutor, investigating magistrates, police authorities, Labour Inspectorate.

Article 23 (2) of the Luxembourg Criminal Procedure Code compels public officials (fonctionnaires) and employees or agents entrusted with a public service mission (salariés ou agents chargés d'une mission de service public) to report to the attorney general any crime or offence including bribery they become aware of in the performance of their duties.

AML Law

Article 5 of the Luxembourg Law of 12 November, 2004 on the AML Law provides that professionals that fall within its scope are obliged to fully co-operate with the Luxembourg authorities responsible for combating money laundering and the financing of terrorism. The AML Law implies the obligation to inform promptly the Luxembourg Financial Intelligence Unit of any fact which could be an indication of money laundering or terrorist financing.

Moreover, the law of 25 March, 2020 implementing certain provisions and amending the AML Law has introduced “self-regulatory bodies” as other entities of supervision and sanction for the observance of anti-money laundering and know-your-customer (AML and KYC) obligations. This includes the following entities: Institute of Auditors (Institut des Réviseurs d'Entreprises; Luxembourg Bar Association (Conseil de l'Ordre); the Chamber of Bailiffs (Chambre des Huissiers); Chamber of Notaries (Chambre des Notaires); and Order of Chartered Accountants (Ordre des Experts-Comptables).

This law provides that the supervisory authorities and self-regulatory bodies must put in place effective and reliable mechanisms, such as reporting channels, to encourage the reporting of potential or proven breaches of professional obligations in the fight against money laundering and the financing of terrorism by professionals (Article 8-3 of the AML Law).

Investment Funds Managers

The Circular CSSF 18/698 requires Investment Funds Managers to establish an internal whistleblowing procedure, and requires their designated Compliance Officer to include the handling of whistleblowing cases in his/her summary report.

2) Scope of application

a) What types of wrongdoings are covered by the Local Law? Does it cover breaches of EU law?

Under CAA/CSSF Procedures and the 2011 Law, employees can report any of the following wrongdoings:

  • Potential or actual infringements of the laws and regulations listed in Articles 303, paragraph 1 and 304 or other conduct referred to in Articles 303 paragraph 1, and 304 (Article 4, a) of the law of December 7, 2015, on the insurance sector.
  • Potential or actual breaches of the professional obligations as regards the fight against money laundering and terrorist financing by the professionals (Article 8-3 of the law of the AML Law).
  • Serious and legitimate concerns about internal governance.
  • Breaches of applicable regulations to which entities or persons of the financial sector falling under the supervision of the CSSF are subject to (CSSF Circular 12/552).
  • Illegal taking of interests, corruption or influence peddling under the terms of articles 245 to 252, 310 and 310-1 of the Criminal Code, whether this is the work of one’s employer or any other hierarchical superior, co-workers or external persons in relation with the employer (2011 Law).
  • Infringements of the MAR (Article 8(1) of the MAL.
  • Breaches in the areas of corruption, influence peddling (traffic d’influence) and unlawful taking of interest (prise illégale d’intérêts) (Articles L.271-1 and L.271-2 of the Luxembourg Labour Code).
  • A crime (Article 140 of the Luxembourg Criminal Code).
  • Any crime or offence including bribery (Article 23 (2) of the Luxembourg Criminal Procedure Code).

For CAA/CSSF Procedures, please note that the whistleblowing procedure should not be used for breaches that are clearly of a criminal nature, such as the unlawful exercise of activities in the financial sector. Persons who become aware of facts that may constitute a crime or an offence should inform the state prosecutor.

Therefore, the scope of the breaches is large but should be adapted to be clearer and provide greater legal certainty.

b) Personal scope

  1. Does the Local Law apply to reporting persons working in both the private and public sectors?

  2. Yes. For the moment, the following persons are subject to whistleblowing procedures:

    • Staff (employees) of institutions under the supervision of the CAA and the CSSF and people whose employment has ended.
    • Under certain circumstances, customers of financial service providers.
    • Employees/civil servants of companies that have opted-in for the whistleblowing procedure.

    In particular, the Circular CSSF 12/552 shall apply to:

    • Credit institutions and investment firms incorporated under Luxembourg Law.
    • On an individual basis.
    • On a consolidated basis (i.e. parent company).
    • Where the institution holds significant participations (between 20% and 50%), but is not the parent company.
    • Non-EU branches of credit institutions and investment firms in Luxembourg.
    • Luxembourg branches of credit institutions and investment firms (for matters where the CSSF has the supervisory responsibility) in the EU/European Economic Area.
    • Professionals carrying on lending operations: please see the definition of lending operations as defined in Article 28-4 of the law of April 5, 1993, on the financial sector, as amended (LFS).

    The whistleblowing procedure may, under certain circumstances, also be used by customers of financial service providers. However, customers of financial service providers having a commercial dispute with such a provider are requested to use the “out-of-court complaint resolution” procedure in accordance with CSSF Regulation N°16-07 relating to out-of-court complaint resolution.

    Please note, there is no definition of staff nor of employees. We therefore cannot confirm that the following persons are also covered self-employed person, board members, shareholders, volunteers, job applicants, sub-contractors, etc.

    The CAA Procedure does not apply to persons who are legally subject to a professional duty of disclosure in relation to the CAA, such as chartered auditors (réviseurs d’enteprises agréés) and actuaries (actuaires).

  3. Does the Local Law apply only to breaches that the reporting person became aware of in a work-related context?

  4. Yes, local law applies only to such breaches.

  5. Does the Local Law also protect: facilitators; people connected to the whistleblower and who could suffer retaliation in a work-related context; and legal entities the whistleblower owns, works for, or is otherwise connected with?

  6. No, local law does not extend to such facilitators.

c) Does the Local Law require specific conditions to protect reporting persons?

Yes. The Circular CSSF 12/552 states that a “warning given in good faith” only “shall not result in any liability of any sort for the persons who issued them”. The Luxembourg Labour Code states that an employee cannot be a victim of reprisals because of their protests or refusal against a fact that they consider, in good faith, as being constitutive of illegal catch of interests, corruption or influence, that this fact is committed by their employer or any other senior in rank, colleagues, or external people in relation to the employer (article L.271-1(2) of the Luxembourg Labour Code).

3) Reporting channels

a) Does the Local Law allow anonymous reports? How are companies/agencies meant to handle them?

The only procedures in Luxembourg that indicate anonymous reports are allowed are: the CAA website (in the case of an anonymous disclosure, supporting documentation must be provided, implying that anonymous disclosure is possible); and the MAL, which states there is a possibility for infringements to be reported anonymously.

Nevertheless, as the identity of the whistleblower is protected in both procedures, this implies the reports should contain the name/identity of the whistleblower. As mentioned previously, the CAA specifies that it needs the name and contact details of the whistleblower to facilitate the processing of information and to allow the CAA to contact the whistleblower in case of additional questions.

The Luxembourg National Commission for Data Protection (Commission nationale pour la protection des données, CNPD) considers the following points to be important:

  • Restricting the whistleblowing proceeding to the countable field, the control of the accounts, the banking field and of the fight against corruption.
  • Discouraging anonymous denunciations while ensuring, as far as possible, the identification of the reporting persons.
  • Setting up a specific organisation to collect and manage reports; those in charge of such collection must be trained and are subject to confidentiality regarding the data they gain knowledge of.
  • Processing the information of person(s) being reported as soon as possible, in order to allow them to exert their rights of opposition, access and correction.

b) Is there a duty of confidentiality and any derogation from this duty?

Yes. Entities need to guarantee the confidentiality of a whistleblower’s identity.

Circular CSSF 12/552 emphasises that the system shall respect and preserve the confidentiality of whistleblowers.

Both the CSSF and CAA are committed to protecting the whistleblower’s identity within the limits of applicable legislation. In other words, neither the identity of the employee having blown the whistle nor the identity of third parties who may be involved will be disclosed to the entity concerned.

The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law. For example, as a result of the CAA/CSSF’s duty to inform the state prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may be called as a witness. Although it may not always be entirely excluded, despite all precautions taken, that the employer may discover a whistleblower’s identity by cross-checking information, the CAA/CSSF will make every effort to protect it.

Article 38-12 of the LFS provides that the internal reporting process shall at least guarantee in all cases the confidentiality of the person who reports the breach (unless disclosure is required by or pursuant to a law) through the implementation of clear confidentiality rules.

Moreover, the procedures applicable to reports of infringements (as defined in the MAL only) need to state the confidentiality regime applicable to reports of infringements, This includes a detailed description of the circumstances under which the confidential data of a reporting person may be disclosed in accordance with Articles 27, 28 and 29 of the MAR. It should also raise awareness of the exceptional cases in which confidentiality of data may not be ensured. These include where the disclosure of data is imposed by Luxembourg or EU law in the context of investigations or subsequent judicial proceedings, or to safeguard the freedoms of others including the right of defence of the reported person, and in each case subject to appropriate safeguards under such laws. The same applies for reported persons.

c) Public disclosures: does the Local Law provide for this possibility?

No, there is no specific provision on public disclosure.

4) Reporting channels: internal

a) Is there an obligation for private and/or public legal entities to establish channels and procedures for internal reporting and follow-ups?

Yes, this is mandatory for public legal entities (controlled by the CSSF). No specific requirement must be met except the ones stated in the Circular CSSF 12/552 as described below.

In accordance with the Circular CSSF 12/552, such companies must have internal communication arrangements including an internal whistleblower procedure that enables the staff of the institution to draw the attention of those responsible to all their significant and legitimate concerns related to internal governance of the institution. The institutions shall maintain internal whistleblower arrangements that enable the entire staff of the institution to draw attention to serious and legitimate concerns about internal governance. These arrangements shall respect the confidentiality of the persons who raise such concerns and provide for the possibility to raise concerns outside established reporting lines as well as with the board of directors. The warnings given in good faith shall not result in any liability of any sort for the persons who issued them.

As previously mentioned, any person (in particular employees or former employees or entities of the financial sector) may in good faith submit a report directly to the CSSF in a confidential and secure manner if such person has reasonable grounds for believing the report will show breaches of the applicable regulation by entities or persons of the financial sector that fall under the supervision of the CSSF.

In accordance with the Circular CSSF 12/552, internal whistleblower procedures must be laid down in writing.

Moreover, Article 8-3 of the AML Law states that professionals subject to this law “shall provide the persons with one or more secure communication channels” for the whistleblowing reporting. “Such channels shall ensure that the identity of persons providing information is known only to the supervisory authority or self-regulatory body to which the information has been reported.” This would mean:

  • Specific procedures for the receipt of reports on breaches and their follow-up.
  • Appropriate protection for employees or persons in a comparable position, of legal persons subject to the supervision of the supervisory authorities or the self-regulatory bodies who report breaches committed within this entity.
  • Appropriate protection for the accused person.
  • Protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for the breach.
  • Clear rules to ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches, unless disclosure is required by or pursuant to a law.

Finally, the MAL Annex states that the CSSF shall establish independent and autonomous communication channels, which are both secure and ensure confidentiality, for receiving and following-up the reporting of infringements. These channels shall be considered independent and autonomous, provided they meet three criteria as set out in the MAL Annex.

b) Do internal reporting channels need to allow reporting in writing, orally or both?

No Luxembourg provision sets forth a specific requirement in this respect. However, the CSSF and the CAA procedures are as follows.

Before contacting the CSSF, employees are requested to first use the whistleblowing procedures in their workplace, if there are any. The CSSF will only consider a written statement of information transmitted by email to the following address: whistleblowing@cssf.lu. If this is not possible or if you do not feel able to do so for a first contact, you may call Mr. Marc Limpach, head of the legal department JUR-CE during office hours before transmitting a written statement. The telephone number of the departmental secretariat is: +352 26251 2757 (Ms. Stéphanie Theis). The CSSF does not audio record whistleblowing telephone calls.

With the CAA Procedure, in principle the CAA will only review statements submitted via the whistleblowing form found on its website, which must be submitted by email to whistleblowing@caa.lu. If this is not possible or if the whistleblower does not feel able to do so, they can telephone call 226911-1 during business hours before submitting a written statement. The CAA will not record reports made by telephone.

Regarding infringements as defined in the MAL, reports can be done either by writing in electronic or paper format, or orally through telephone lines (whether recorded or unrecorded) or even by physical meeting with the dedicated staff members of the CSSF.

c) Procedures for internal reporting and follow-up: does the Local Law require legal entities to adopt internal reporting systems with the following elements?

  1. Channels able to ensure the confidentiality of the identity of the reporting person and the protection of third parties mentioned in the report:

  2. Yes. Circular CSSF 15/552 states that internal whistleblower arrangements shall “respect the confidentiality of the persons who raise such concerns” but no mention is made regarding third parties. This is the same for the AML Law, which states that “clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches” are required.

  3. Acknowledgement of receipt of the report to the whistleblower within seven days of receipt:

  4. No Luxembourg provision makes reference to any acknowledgment of receipt except the MAL Annex. This states that “the CSSF shall promptly acknowledge the receipt of written reports of infringements to the postal or electronic address indicated by the reporting person, unless the reporting person explicitly requested otherwise or where the CSSF reasonably believes that acknowledging receipt of a written report would jeopardise the protection of the reporting person’s identity.”

  5. The designation of an impartial function/team to manage follow-ups on reports and maintain communication with the whistleblower:

  6. There is nothing in Luxembourg law regarding this but the Q&A of the Circular CSSF 12/552 on internal governance, central administration and risk control (published by the CSSF) states that persons within an institution’s organisation who have the required level of authority and independence can be put in charge of the internal whistleblowing process.

    The whistleblowing procedure should also provide an alternative route for flagging problems that may relate to the person in charge of the whistleblowing process itself. The CSSF considers that the chief compliance officer and chief internal auditor in particular fulfil the necessary criteria of authority and independence.

    An external review of the whistleblowing procedure is advisable to confirm its compliance with the current guidelines and practices, and identify legal risk related to its scope, unfair collection of data, infringement of confidentiality and to reduce potential future labour issues.

  7. Any other follow-up requirements including those for anonymous complaints:

  8. No.

  9. A reasonable timeframe to provide feedback, not exceeding three months from acknowledgment of receipt or if no acknowledgement was sent, three months from the expiry of the seven-day period after a report is made:

  10. No. Moreover, due to the legal duty on professional secrecy, the CAA/CSSF will not inform the whistleblower on the actions taken on the whistleblowing report. There is nothing in Luxembourg law regarding internal procedures.

  11. Providing clear and easily accessible information on internal reporting procedures and external reporting procedures to competent authorities and/or EU institutions/bodies:

  12. No Luxembourg provision makes a reference to this.

  13. Should legal entities take any additional measures in order to comply with the above requirements?

  14. Once transposed, the provisions of the EU Directive will broaden the protection of whistleblowers.

    Following implementation, private companies with more than 50 employees will have to implement the Directive’s provisions as transposed by Luxembourg law. As the law is not yet available and should go further than the Directive itself, the following explanations could potentially change in the near future.

    First, the Directive provides for a wider material scope through a long list of areas (e.g. consumer protection, protection of environment, protection of privacy and personal data, etc.) that are currently not covered under Luxembourg law.

    Second, there will be no confusion regarding the individuals eligible, as whistleblower and the following persons would be covered:

    • EU citizens and third country nationals who deal with EU companies.
    • Employees, self-employed workers, volunteers, unpaid trainees, shareholders, and members of supervisory bodies including the board of directors.
    • Independent third party contractors, subcontractors and suppliers.

    Third, all companies will need to include an internal reporting requirement that should be one of the priorities for businesses operating in the EU. All businesses with more than 50 employees must establish internal reporting mechanisms for whistleblowers. The exact requirements will vary based on the number of employees. For small businesses (fewer than 50 employees), entities may be required to establish internal reporting mechanisms at the Member State’s discretion if they are at a high risk of breach. The creation of external reporting channels i.e., through competent public authorities will be mandatory.

    Fourth, internal reporting mechanisms must protect whistleblowers’ identities. Unauthorised staff members who are not explicitly referred to as recipients of reports in a whistleblowing policy should be precluded from viewing this information and a whistleblower’s identity must not be publicly disclosed without their explicit consent.

    Fifth, any processing of personal data carried out pursuant to the future transposition law of the EU Whistleblower Protection Directive must comply with GDPR and Directive 2016/680.

    Sixth, it must be possible for staff to report concerns in a manner that preserves confidentiality, including (as already existing in the MAL):

    • Written complaints including through an online platform intranet or internet.
    • Oral complaints, which must be possible by telephone, online or other voice messaging systems (such as automated voicemail).
    • In person upon request of the complainant within a reasonable time frame.

    Seventh, on receipt of a report, an acknowledgement of the report’s receipt must be made to the whistleblower within seven days and follow-up steps must be taken where necessary to address the report through whichever means the situation requires. After the follow-up, feedback entailing the actions taken or lack thereof must be given to the whistleblower, not exceeding three months from the acknowledgement of a report’s receipt, or if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made.

    Eighth, as whistleblowing is seen as an expression of an individual’s fundamental right to free speech, any form of retaliation including threats of retaliation and attempts of retaliation against whistleblowers is expressly prohibited. Measures for protection against retaliation and the related sanctions will be determined by implementing legislation in Luxembourg.

    Ninth, a general prohibition of reprisals including attempts and threats against whistleblowers (e.g. suspension, dismissal, downgrading, refusal of promotion) will be introduced.

    Tenth, the robust legal protection offered to whistleblowers under the EU Directive only applies if the information disclosed pertains to legal violations. The Directive calls for penalties against persons who knowingly disclose false information, to deter malicious reporting. The Directive calls for effective, proportionate and dissuasive penalties for those who retaliate against whistleblowers. Luxembourg’s penalties in the context of this Directive have not yet been published.

    In conclusion, many new measures will need to be taken e.g. acknowledgment of receipt, follow-up, different ways of reporting.

5) Reporting channels: external

a) Has the country designated a competent authority to receive and investigate whistleblower disclosure and retaliation complaints?

For now, only the CAA and CSSF are competent authorities regarding the companies they supervise.

b) Is an independent and autonomous external reporting channel already established in the country?

No.

6) Processing of personal data

a) Is personal data concerning the reports processed in compliance with local and EU legislation such as EU Regulation 2018/1725 and local privacy laws?

Although no Luxembourg laws provide guidance on such issues, entities are required to process data in compliance with the applicable Luxembourg data protection laws.

The MAL Annex states that “the CSSF shall store the records (…) in a confidential and secure system” and that the “access to the system shall be subject to restrictions ensuring that the data stored therein is only available to the CSSF staff members for whom access to that data is necessary to perform their professional duties”. Article 38-12 of the LFS provides that the internal reporting process shall at least ensure the protection of personal data concerning both the person who reports the breach and the natural person who is allegedly responsible for a breach, in accordance with the Luxembourg data protection provisions.

7) Record keeping of reports

a) Is there any obligation regarding record keeping of reports as provided for by the EU Directive?

No, apart from the MAL Annex that states “the CSSF shall keep records of every report of infringement received in accordance with Regulation (EU) No 596/2014 and this law.” Specific clauses refer to telephone call recording, accurate minutes, etc.

8) Protection

a) Is there any difference between whistleblower protections in the private and public sectors?

Protection (confidentiality and against retaliation) of the whistleblower is envisaged in the CAA/CSSF Procedures and in the 2011 Law as described below.

According to the 2011 Law, an employer is not authorised to retaliate against the person who has filed a complaint or informed the employer of any wrongdoing. Assuming that an employee is victim of an adverse reaction of their employer, the employer bears the burden of proof to justify that the negative influence on the employee does not stem from retaliation against the whistleblowing action. Any wrongful retaliation gives rise to damages covering the actual loss suffered.

Article 38-12 of the LFS provides that the internal reporting process shall at least ensure the appropriate protection against unfair treatment (including retaliation and discrimination) for employees who report breaches of defined financial sector regulations (including of the LFS) internally.

An employee cannot be a victim of reprisals because of his/her protests or refusal against a fact that he/she considers, in good faith, as being constitutive of illegal catch of interests, corruption or influence, that this fact is committed by his/her employer or any other senior in rank, colleagues, or external people in relation to the employer (article L.271-1(2) of the Luxembourg Labour Code). Any termination of the employment contract as well as any other reprisals because of whistleblowing are therefore null and void (Article L.271-1 (3) of the Luxembourg Labour Code).

However, a complaint is considered to be slanderous if, directed against a private person, the relevant facts prove not to be a criminal offence and are rejected as such by a court of law.

According to Article 8-3 of the AML Law, “individuals, including employees and representatives of the professional may not be subject to threats, retaliatory or hostile action, and in particular to adverse or discriminatory employment actions due to the report of a suspicion of money laundering or terrorist financing internally, to a supervisory authority or to a self-regulatory body. Individuals who are exposed to threats, hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally, to a supervisory authority or to a self-regulatory body are entitled to present a complaint to the supervisory authority or self-regulatory body which has the power to supervise the professional.”

In addition, “any contractual clause or any act contrary (…) and, notably any termination of the employment contract (…) shall be null and void. In case the employment contract is terminated, the employee may seek the remedies provided for in Article L.271-1(4) to (7) of the Labour Code.”

In the same vein, regarding the CSSF Procedure, the Circular CSSF 12/552 states that “warning given in good faith shall not result in any liability of any sort for the persons who issued them.”

b) Are whistleblowers protected against all forms of retaliation including threats and attempts of retaliation? Which forms of retaliation are expressly indicated?

Yes, including retaliation, reprisal, termination of the employment contract, threats, retaliatory or hostile action, adverse or discriminatory employment actions and unfair treatment (thus including retaliation and discrimination).

c) Does the Local Law provide for any other measures of support such as those indicated in the EU Directive?

There are no other specific additional measures of support.

d) Does the Local Law provide for the necessary measures to prohibit any form of retaliation against whistleblowers?

Yes, partially. Please see previous answer 8) a).

e) Does the Local Law provide for any remedial measures, including interim relief measures?

No remedial measures exist.

f) Does the Local Law provide for exemptions from liability for whistleblowers?

No, but whistleblowers are excluded from the protective measures set forth by Circular CSSF 12/552 if warnings are not given in good faith and can thus result in liability for the persons who issued them.

g) Does the Local Law provide for sanctions against natural and legal persons that violate whistleblowers’ protection or the duty of maintaining the confidentiality of their identity?

No.

h) Does the Local Law provide for sanctions in case of false reports?

Yes. Whistleblowers are excluded from the protective measures set forth by Circular CSSF 12/552 in case warnings are not given in good faith and can thus result in liability for the persons who issued them.

9) Other issues

a) Under the Local Law, is adopting a whistleblowing system relevant to assess the adequacy of a compliance program? Does this have any value to mitigate or eliminate criminal liability for legal entities?

Not applicable.

b) Does the Local Law or another law in your country provide for whistleblower reward programs?

No reward programs are envisaged.

c) Can companies benefit from any incentives in the case of voluntary self-disclosure of violations they became aware of following an internal report?

No leniency programs are envisaged.

d) Will implementing the EU Directive create any issues with obligations provided for under other laws / regulations?

No discussions have been held or documents created regarding potential issues with implementing the Directive in Luxembourg.


Return to Overview page

For a pdf of the full guide please click on the button below.

Contenidos del número