Law no. 93/2021, of December 20, establishes the general whistleblower protection framework (RGPDI), transposing into national law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019. In this context, LNEC, IP has created a Whistleblowing Portal, where reports can be submitted and monitored securely, ensuring independence, impartiality, confidentiality, data protection, and secrecy.

1. Who can be a whistleblower?

According to Article 5 of Law no. 93/2021, a "whistleblower" is any natural person who reports or publicly discloses an infringement based on information obtained in the context of their professional activity, regardless of the nature of the activity or the sector involved. Whistleblowers may include:

• Employees in the private, social, or public sectors;
• Service providers, contractors, subcontractors, and suppliers, as well as anyone working under their supervision and direction;
• Volunteers and interns, whether paid or unpaid.

2. Scope of application

According to Article 2 of Law no. 93/2021, an infringement includes:

a) Any act or omission that violates rules contained in the EU acts listed in the Annex to Directive (EU) 2019/1937, national rules that implement, transpose or enforce such acts, or other rules included in legislative acts for their execution or transposition — including those providing for criminal or administrative offenses — in the following areas:

i. Public procurement;
ii. Financial services, products, and markets, and the prevention of money laundering and terrorist financing;
iii. Product safety and compliance;
iv. Transport safety;
v. Environmental protection;
vi. Radiation protection and nuclear safety;
vii. Food and feed safety, animal health and welfare;
viii. Public health;
ix. Consumer protection;
x. Protection of privacy and personal data, network and information systems security.

b) Acts or omissions that harm the financial interests of the European Union, as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU), as specified in the applicable EU measures;

c) Acts or omissions that violate internal market rules as per Article 26(2) TFEU, including competition and state aid rules, as well as corporate taxation rules;

d) Violent, especially serious or highly organized crime, as well as the offenses listed in Article 1(1) of Law no. 5/2002, of January 11, which establishes measures to combat organized and economic-financial crime;

e) Any act or omission that undermines the purpose of the rules or standards covered by points a) to c).

3. What happens to the report?

Reports are reviewed individually, based on the matters involved, the jurisdiction of authorities, and the applicable legislation, with the following considerations:

• The whistleblower is notified of receipt of the report within seven days, unless they explicitly request otherwise or there are reasonable grounds to believe that such notification may compromise their identity.
• Appropriate measures are taken to verify the allegations made in the report and, if necessary, to end the reported infringement — either through an investigation, legal proceedings, or by forwarding the report to the competent authority.
• The whistleblower is informed of the follow-up actions planned or taken and the reasons for them, within three months from the date of receipt of the report, or within six months if the complexity of the case so justifies.
• The report may be forwarded ex officio to the competent authority, and the whistleblower will be notified of this action.
• The whistleblower may request, at any time, to be informed by the competent authorities of the outcome of the investigation, within 15 days after its conclusion.

4. Whistleblower protection

As stated in Article 21 of Law no. 93/2021, retaliatory acts against whistleblowers are strictly prohibited. A retaliatory act is any act or omission, occurring in a professional context and motivated by an internal or external report or public disclosure, that causes or may cause, unjustifiably, material or immaterial harm to the whistleblower. Threats or attempts to carry out such acts or omissions are also considered retaliation. Article 22 of the same law outlines the support measures available to whistleblowers.

5. Confidentiality and data processing

The identity of the whistleblower, as well as any information that could directly or indirectly reveal their identity, is confidential and restricted to those responsible for receiving or handling the report.

The whistleblower’s identity will only be disclosed in compliance with a legal obligation or a court order.

All provisions of the General Data Protection Regulation (GDPR) must be strictly observed.

6. Internal and External Whistleblowing Channels

All reports and submissions must be made in writing. In accordance with Law no. 93/2021, two distinct channels are available (Internal and External Whistleblowing Channels), accessible independently and autonomously through a dedicated electronic platform.

Through these secure and fully confidential whistleblowing channels, it is possible to report infringements, acts of corruption, or related offenses, as defined by the General Whistleblower Protection Framework and the General Corruption Prevention Framework.