Whistleblower protection and reporting channels in Sweden

Yes, the Act on the Protection of Persons Reporting Irregularities (Sw. Lag (2021:890) om skydd för personer som rapporterar om missförhållanden) (the “Act”) came into effect on 17 December 2021.

Yes, the Act stipulates that private entities with 50 or more employees, calculated at the start of each calendar year, must establish and operate internal reporting channels and procedures for reporting and follow-up. Such entities must also appoint specific independent persons or entities to handle the reports. These independent parties may be external, such as a law firm, and are responsible for acknowledging receipt of the report within seven days, maintaining contact with the whistleblower, following up on the report, and providing feedback to the whistleblower.

Entities with fewer than 50 employees are not required to set up internal reporting channels. However, it may still be advisable to do so to avoid external reporting.

The Act requires the system to allow reports to be made both in writing and orally, and, if requested by the whistleblower, via a physical meeting. A confirmation of receipt of the report must be sent within seven days, and follow-up actions must be communicated to the whistleblower within three months. While there are no specific technical requirements for such systems, using a well-developed technical solution is recommended to facilitate compliance with the Act.

A whistleblower is defined as someone reporting information about breaches encountered in a work-related context. This includes employees, volunteers, trainees, consultants, or shareholders active within the company. The Act applies to reports concerning matters of public interest, such as labour exploitation, money laundering, terrorist financing, bribery, environmental concerns, or consumer protection.

The supervisory authority, the Swedish Work Environment Authority (Sw. Arbetsmiljöverket), may issue an injunction requiring the entity to fulfil its obligations under the Act. This injunction may be combined with financial penalties.

Furthermore, the absence of a whistleblowing system could heighten the risk of reputational damage, particularly if breaches are reported externally or made public without an internal reporting mechanism in place.

Yes, during the implementation of internal reporting channels, provisions concerning negotiation obligations under the Employment (Co-Determination in the Workplace) Act (Sw. Lag (1976:580) om medbestämmande i arbetslivet) must be considered.

Additionally, under the Act, employers must provide clear and easily accessible information on, among other things:
(i) how reports should be made through internal reporting channels, and
(ii) how reports can be made to authorised authorities via external reporting channels, and, where applicable, to EU institutions.

Depending on the organisation's structure and any existing collective agreements, employee representatives (such as unions) may need to be consulted when implementing the system. Please refer to question 4.

Under the Act, whistleblowers protected by its provisions are not held liable for breaching confidentiality obligations, provided they had reasonable grounds to believe that reporting the information was necessary to disclose the misconduct.

However, these protective provisions do not apply to: (i) intentional breaches of confidentiality obligations which, under the Public Access to Information and Secrecy Act (Sw. Offentlighets- och sekretesslagen (2009:400)), restrict the right to communicate and publish information under the Freedom of the Press Act (Sw. Tryckfrihetsförordningen) or the Fundamental Law on Freedom of Expression (Sw. Yttrandefrihetsgrundlagen), or (ii) violations of confidentiality obligations under the Act on Defence Inventions (Sw. Lag (1971:1078) om försvarsuppfinningar).

Further, these protective provisions do not include the right to disclose documents. However, a whistleblower shall not be held liable for breaching provisions related to the gathering of information if they had reasonable grounds to believe that the collection of information was necessary to reveal the misconduct. Nonetheless, this does not apply if the whistleblower, through such collection, commits a crime.

For a whistleblower to be protected when publicly disclosing information, they must have:

1. reported externally in accordance with the Act, but the recipient either did not take reasonable follow-up measures or failed to provide the whistleblower with feedback within three months (or up to six months if specific circumstances justified the delay);
2. reasonable grounds to believe that the irregularity posed an imminent or obvious risk to life, safety, or caused extensive environmental damage or other reasons justifying public disclosure; or
3. reasonable grounds to believe that external reporting posed a risk of retaliation or that the misconduct was unlikely to be addressed effectively.

Yes, the Act provides protection against retaliation for whistleblowers. Entities are prohibited from taking retaliatory action against (i) the whistleblower, (ii) individuals within the entity who assists the whistleblower, such as an elected representative, (iii) individuals within the entity connected to the whistleblower, such as a relative or colleague, or (iv) legal entities the whistleblower owns, works for, or is otherwise associated with. 

Yes, the Act requires, inter alia, that personal data must be disposed of no later than two years after a follow-up case has been closed. Furthermore, all documentation and processing must comply with the General Data Protection Regulation (GDPR), meaning it is essential to review procedures for handling personal data in conjunction with implementing reporting channels.

Companies with 50–249 employees are allowed to share reporting channels, although the contact with the whistleblower must remain separate. However, entities with more than 249 employees are not permitted to share a whistleblowing system with other legal entities, even if they are within the same corporate group. As a result, medium-sized and large corporate groups with existing whistleblowing systems may need to review these systems to ensure compliance with the Act. That said, group companies that have established all necessary separate reporting channels in line with the Act may introduce a voluntary channel for all group companies, provided the separate channels comply with the Act. Additionally, the legal basis for processing personal data through such a voluntary channel must be considered.