A whistleblower report internal investigation is triggered once a whistleblower submission is received and constitutes one of the key elements in fulfilling the obligations under the Whistleblower Protection Act. Implementing an internal reporting procedure alone is not sufficient if the employer is unable to properly receive the report, verify the information provided, carry out appropriate follow‑up actions, and document the entire process in compliance with data protection laws and regulations. In this article, we discuss what a proper internal investigation should look like, what obligations rest with the employer, how to conduct follow‑up actions, and how to minimize the risk of violations of the Whistleblower Protection Act and the GDPR.
Table of Contents
- What Happens After Receiving a Whistleblower Report?
- Confirmation of Receipt of the Report and Feedback
- What Does an Internal Investigation After a Whistleblower Report Involve?
- Who Should Conduct the Internal Investigation?
- Follow-Up Action After a Whistleblower Report
- The Whistleblower Report Register
- Internal Investigations and GDPR
- Documenting the Internal Investigation
- Most Common Employer Mistakes
- How to Prepare Your Organisation for Internal Investigations
- Whistleblower Report Internal Investigation — Summary
What Happens After Receiving a Whistleblower Report?
The obligation to establish an internal reporting procedure applies to organisations with at least 50 employees. The number of employees is calculated as of 1 January or 1 July of a given year. The Act provides exceptions where this threshold does not apply. Smaller organisations may voluntarily implement an internal reporting procedure.
After receiving an internal report, the employer should first determine whether it falls within the scope of the internal reporting procedure. The next step is to verify whether it contains enough information to take further action.
At this stage, it is especially important to protect the confidentiality of the report promptly and to limit access to the data to authorised persons only. Even the fact that a report has been submitted can be organisationally sensitive and may require appropriate protection.
After receiving a report, the organisation should follow a structured process. This helps maintain confidentiality, meet statutory deadlines, and properly document the case.
| Stage After Receiving the Report | What Should the Employer Do? |
|---|---|
| Receiving the report | Protect confidentiality and restrict access to data. |
| Confirmation of receipt | Send the whistleblower written confirmation of receipt. |
| Initial review | Assess whether the report falls within the scope of the internal reporting procedure. |
| Case registration | Assign a case number and enter the report in the register. |
| Risk assessment | Determine whether urgent protective measures are needed. |
| Appointing investigators | Ensure impartiality and the absence of any conflict of interest. |
The employer should also assess whether the report calls for urgent protective measures. These may include restricting access to systems or securing documents. Temporarily removing certain individuals from specific processes may also be necessary.

Confirmation of Receipt of the Report and Feedback
The Act of 14 June 2024 on the Protection of Whistleblowers requires the employer to confirm receipt of an internal report to the whistleblower. As a rule, this must happen within 7 days of receiving the report. The exception is where the whistleblower did not provide contact details to which the confirmation could be sent. The communication method must not compromise the whistleblower’s confidentiality or the security of the investigation.
The acknowledgement of receipt should not include detailed substantive assessments. At this stage, the employer usually limits the communication to confirming receipt. You may also outline the next steps and explain the contact arrangements.
The employer must also provide the whistleblower with feedback on the follow-up action taken or planned. This feedback must be sent within 3 months of the acknowledgement of receipt. If no confirmation was sent, the deadline runs from 7 days after the report was submitted.
Feedback does not mean sending a full investigation report or disclosing all findings. The employer should, however, provide enough information to show that the report was genuinely reviewed.
What Does an Internal Investigation After a Whistleblower Report Involve?
An internal investigation aims to establish whether the reported breach could have occurred. It also verifies whether follow-up action is necessary.
The law does not prescribe a single model for internal investigations. The procedure should be tailored to the size of the organisation, the nature of the report, the level of risk, and the type of business.
The most important principles are:
- impartiality;
- confidentiality;
- proportionality;
- documenting all actions taken;
- restricting access to information;
- protecting the whistleblower from retaliation.
An internal investigation may include reviewing documents, securing correspondence, analysing system data, conducting interviews, and running internal audits. It may also involve checking whether specific processes comply with the law.
In more complex cases, employers often bring in law firms, compliance teams, internal audit, or external specialists in cybersecurity, HR, or finance.
Who Should Conduct the Internal Investigation?
A typical practical problem is a lack of impartiality on the part of those conducting the investigation.
Investigations must not be led by persons named in the report or by those with a conflict of interest. It is especially risky to let the reported person’s manager run the investigation alone.
In many organisations, the investigation is led by:
- the compliance team;
- a designated member of the legal department;
- an internal reporting team;
- a compliance officer;
- an external law firm or specialist provider.
It is also important to formally authorise the investigators. Moreover, they should have access only to the data they need to carry out their duties.

Follow-Up Action After a Whistleblower Report
Follow-up action refers to the steps taken after reviewing a report. The purpose is to address the breach or reduce the effects of the irregularity.
Follow-up action can be organisational, legal, disciplinary, or corrective.
The most common types of follow-up action include:
- conducting the internal investigation;
- implementing corrective measures;
- amending internal procedures;
- carrying out additional checks;
- reporting the matter to public authorities;
- taking disciplinary action;
- training;
- reducing compliance risks;
- taking steps to prevent similar breaches in the future.
What matters is not just closing the case. The organisation must be able to show that it responded to the report.
The Whistleblower Report Register
An employer required to accept internal reports must keep a whistleblower register.
The register must allow the employer to document the progress of the case, deadlines, follow-up action, and how the case was closed. Personal data and other information in the internal report register must be kept for 3 years after the end of the calendar year in which the follow-up action or any proceedings it triggered were completed.
The internal report register must contain the elements required by the Act. In particular:
- The report number;
- The subject of the breach;
- The personal data of the whistleblower and the person the report concerns (only to the extent needed to identify them);
- The whistleblower’s contact details;
- The date of the report;
- Information on the follow-up action taken;
- The date the case was closed.
For evidence purposes, the employer may record the date of the feedback sent to the whistleblower.
Internal Investigations and GDPR
One key risk area is processing personal data in whistleblower reports.
The employer must remember that an internal reporting procedure does not remove the obligation to comply with the GDPR. This applies to the whistleblower’s data as well as to the data of persons named in the report and of witnesses. Data that could reveal the whistleblower’s identity may be disclosed only to authorised persons, and only if the whistleblower has given explicit consent.
The most important principles are:
- data minimisation;
- restricting access to information;
- proper authorisations;
- securing documentation;
- limiting data retention periods;
- meeting information obligations correctly;
- protecting the confidentiality of the whistleblower’s identity.
The employer should also remember that information obligations towards the person concerned must comply with the GDPR without breaching the whistleblower’s confidentiality or compromising the security of the proceedings. The limitations set out in the Whistleblower Protection Act must be respected.
Documenting the Internal Investigation
Proper documentation is essential from a compliance perspective. It is also crucial for legal proceedings or an inspection.
Documentation should cover:
- the content of the report;
- the confirmation of receipt;
- the steps taken during the investigation;
- the findings;
- decisions on follow-up action;
- feedback sent to the whistleblower;
- personal data protection records.
Many organisations also prepare a final report summarising the case and the findings. It may include recommendations for corrective action.
Most Common Employer Mistakes
The most common problems arise when an organisation treats the whistleblower procedure as a formality and does not build a real process for handling reports.
Many violations result not from the absence of a procedure but from applying it incorrectly.
| Most Common Mistake | Risk for the Employer |
|---|---|
| Lack of impartiality among investigators | Undermines the credibility of the investigation |
| Overly broad access to data | Breach of confidentiality and GDPR violation |
| Missing statutory deadlines | Risk of liability and disputes |
| No follow-up action taken | Allegation of processing reports only on paper |
| Poor register management | Evidentiary problems during an inspection |
| No protection against retaliation | Legal liability for the employer |
| Automatic dismissal of reports | Risk of violating the Whistleblower Protection Act |
Automatically treating a report as unfounded without proper review also carries significant risk.

How to Prepare Your Organisation for Internal Investigations
An internal reporting procedure alone is usually not enough. The organisation should build a practical model for handling reports.
It is worth deciding in advance:
- who receives reports;
- who leads investigations;
- who decides on follow-up action;
- how information flows within the organisation;
- how actions are documented;
- how data is secured;
- when the legal team or external providers are brought in.
Training for those handling reports and regular updates to procedures are also important.
Whistleblower Report Internal Investigation — Summary
The investigation after a whistleblower report should not be limited to formal acceptance. Follow-up actions must be well organised, impartiality is essential, and all actions must be documented. Employers should also keep personal data protection in mind.
The greatest risks arise when an organisation has no real investigation model. Then, it is often impossible to show that a report was genuinely reviewed.
A well-prepared procedure should cover not just reporting channels. It should define the rules for conducting investigations. It should focus on the division of responsibilities and data protection. Documenting follow-up action is especially important.
Has your organisation implemented a whistleblower procedure? Are you unsure how to conduct an internal investigation after a report?
Contact us. We can help you build follow-up action procedures, an investigation model, documentation rules, and solutions that comply with the Whistleblower Protection Act and GDPR.
FAQ — Frequently Asked Questions About Whistleblower Report Internal Investigation
1. How long does the employer have to provide feedback to the whistleblower?
Within 3 months of the acknowledgement of receipt of the internal report.
2. Does every report require a full internal investigation?
Not always. The action should be proportionate to the nature of the report, the level of risk, and the information available.
3. Does the person named in the report have to be informed?
In many cases, yes. However, the timing and method of disclosure must take into account the protection of the investigation. Confidentiality and GDPR rules are also important.
4. Must the employer keep a whistleblower report register?
Yes. The Act requires the employer to keep an internal report register.
5. Should the whistleblower receive a final report?
There is no obligation to send a full final report. Yet, the whistleblower should receive feedback on the follow-up action taken or planned.
6. Can the investigation be outsourced to an external law firm?
Yes. In practice, many organisations use the support of law firms or compliance providers, especially when conducting internal investigations.
7. How long can documentation relating to reports be kept?
Personal data and other information in the internal report register must be kept for 3 years after the end of the calendar year in which the follow-up action or any proceedings it triggered were completed. After this period, the data should be deleted, unless other regulations justify keeping specific records for longer.
8. Must anonymous reports be considered?
This depends on the internal reporting procedure in place. The Act does not require the employer to accept anonymous reports, but the organisation may choose to allow them. If the employer accepts anonymous reports, it should set out how they will be handled, how communication with the whistleblower will work, and how feedback will be provided where this is technically possible.