Whistleblowers

Whistleblowing on the Chamber of Commerce

The Luxembourg Law of 16 May 2023 implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter, the “Law of 16 May 2023”) has the aim of protecting persons in a professional setting who report breaches (these persons are commonly known as “Whistleblowers”; hereinafter, their whistleblowing will be referred to as “Reports” and “Reporting”).

In accordance with this law, the Chamber of Commerce has set up a channel enabling Whistleblowers to make internal Reports on breaches.

What is a whistleblower?

A Whistleblower (hereinafter referred to as such under the terms of the Law of 16 May 2023) is a person who provides information about alleged breaches that may have been committed by the Chamber of Commerce. (See the detailed list of possible Whistleblowers in point 5).

What breaches can be Reported?

Breaches that can be Reported are all acts or omissions that are:

unlawful; or
contrary to the object or purpose of directly applicable provisions of national or European law;

(hereinafter the “Breach(es)”).

In particular, a Report may be about:

criminal activities: for example, organising false invoicing to divert funds belonging to the Chamber of Commerce into personal accounts;
failure to comply with any legal or regulatory obligation: for example, the deliberate failure to declare taxable income to the tax authorities;
bribery or corruption: for example, accepting a bribe or expensive gifts for signing a contract entered into by the Chamber of Commerce;
unauthorised disclosure of confidential information: for example, sending a third party sensitive data relating to the Chamber of Commerce, such as strategic plans;
behaviour that is detrimental to the Chamber of Commerce’s financial situation: for example, knowingly entering into a disadvantageous contract;
conflicts of interest or unlawful acquisition of interest: for example, a senior manager presses for a contract to be awarded to a company in which he holds a stake without disclosing this connection;
deliberate concealment of one of the above-mentioned issues: for example, intimidating an employee into not reporting an illegal activity or destroying documents proving corrupt activities;
a violation of human rights.

The following are examples of situations that are not Breaches that should be Reported in accordance with the Law of 16 May 2023:

disputes regarding purely personal or interpersonal matters unrelated to the public interest, such as a disagreement between the Chamber of Commerce employees or between them and a service provider;
a reprehensible act committed by an employee of the Chamber of Commerce in their private life;

a claim relating to a one-off error by a Chamber of Commerce department with no recurrence or malicious intent.

How should an internal Report be made?

Internal Reporting consists of communicating information orally or in writing about Breaches within the Chamber of Commerce via the internal reporting channel that the Chamber of Commerce has specially set up in accordance with the Law of 16 May 2023.

This internal reporting channel is designed, implemented and managed in a secure manner that guarantees the confidentiality of the Whistleblower’s identity and that of any other person mentioned in a Report.

To ensure that the internal Reporting procedure works as smoothly as possible, the Chamber of Commerce has called on Arendt & Medernach S.A., which is making available its infrastructure for the reporting channel and its expertise in processing Reports.

It should be noted that the Law of 16 May 2023 provides for the possibility of external Reporting.

This consists of communicating orally or in writing information on Breaches which may have been committed within the Chamber of Commerce to an authority other than the Chamber of Commerce itself, namely one of the 22 competent authorities in Luxembourg designated by the Law of 16 May 2023.

Whistleblowers wishing to report Breaches are encouraged to use the internal reporting channel to ensure that the Report is processed as quickly and efficiently as possible.

An internal Report can be submitted as soon as possible after the Breach has occurred or the Whistleblower learns of the Breach or potential Breach:

in writing:

either by email: cdc.whistleblowing@arendt.com
or by post: Arendt & Medernach S.A. c/o Procédures d'alerte, 41 avenue JF Kennedy, L-1855 Luxembourg

or orally, at the Whistleblower’s request (by email or post to the above addresses), in a face-to-face meeting accepted within a reasonable period of time.

The internal Report, preferably in French or English, should indicate:

the nature of the Breach;
the identity of the person(s) concerned being accused of the Breach;
the date(s) and time(s) when the Breach was committed or observed;
the apparent duration of the Breach;
the names of any witnesses to the Breach; and
the measures already taken (if any) by the Chamber of Commerce to prevent or stop the Breach.

How confidential is the Report?

The information provided by the Whistleblower will as far as possible be handled confidentially and in accordance with the Chamber of Commerce’s legal obligations and its obligation to conduct a thorough review of the Report.

If the Whistleblower requests anonymity or has made an internal Report anonymously, their name, gender and any other information that could allow them to be identified will not be disclosed. However, depending on the circumstances, anonymity may mean the Whistleblower cannot be contacted, thus preventing all appropriate and necessary information being obtained in order to investigate the Breach that formed the subject of the internal Report. Similarly, anonymity may prevent full and/or sufficient investigations from being carried out.

Who can make a Report?

Any person who has (or has had) a professional link with the Chamber of Commerce can submit a Report, namely:

current and former Chamber of Commerce employees, trainees and apprentices;
people currently being recruited by the Chamber of Commerce;
employees of contractors, subcontractors and suppliers to the Chamber of Commerce, and persons involved in pre-contract negotiations;
volunteers;
self-employed workers in business contact with the Chamber of Commerce;
members of the governance bodies (elected regular and substitute members of the Plenary Assembly); and
legal entities belonging to Whistleblowers or for which they work, or with which they are linked in a professional capacity.

Under what terms is the Whistleblower protected by the Law of 16 May 2023?

To benefit from legal protection against all forms of retaliation that could dissuade or intimidate Whistleblowers, the Report must be made in good faith and concern Breaches falling within the scope of the Law of 16 May 2023.

Whistleblowers reporting in bad faith are liable to penalties, which may include fines ranging from 1,500 to 50,000 euro, as well as prison sentences ranging from eight (8) days to three (3) months.

What happens once an internal Report has been received?

An acknowledgement of receipt will be sent to the Whistleblower within seven (7) days of receipt of the internal Report.

At the latest within three (3) months following the Report, the Whistleblower will receive feedback on the follow-up measures planned or taken by the Chamber of Commerce to assess the accuracy of the allegations made in the Report and, where appropriate, to remedy the reported Breach. These measures may include an internal investigation, prosecution, action to recover funds, or termination of the proceedings. The reasons for the relevant course of action will also be notified.

As far as possible, the Chamber of Commerce will ensure that once the investigation has been completed, the Whistleblower is informed of the general conclusions of that investigation and of any measures taken or to be taken.

How is personal data protected in cases of Whistleblowing?

The personal data of Whistleblowers and of the persons concerned in the Report and/or the ensuing investigation are processed by the Chamber of Commerce and Arendt & Medernach S.A. in accordance with EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Luxembourg personal data protection laws.

All the information on this processing is available in the leaflets that can be accessed via the links below:

Download the CC information leaflet

Download the Arendt information leaflet

Who should I contact for further information?

If you have any questions about Reporting, you can contact the human resources department of the Chamber of Commerce at: rh@cc.lu.

To receive the Chamber of Commerce’s full procedure on whistleblowing and the protection of whistleblowers, please send your request to rh@cc.lu or to cdc.whistleblowing@arendt.com.

How can we help you?

Pages

Agenda

Trade fairs - Annual Programme 2025-2026

Foreign Trade Programme 2025

Online Workshop : Comment établir son entreprise au Luxembourg?

Information

CNAL - Amendements

Fondation IDEA - Décryptage N°47 : Entretien de Gilles Roth dans Télécran, un post-mortem

Dominique Rizzi (ALS): «Réenchanter le métier de sommelier»

Zwei Millionen Euro für die Immobilienentwicklung in Luxemburg

Les frontaliers français dominent le marché de l’informatique au Luxembourg

PRGD - objets céramiques destinés à entrer en contact avec les denrées alimentaires

PRGD relatif à la protection des animaux utilisés à des fins scientifiques

Révision du Plan national de gestion des déchets : participez à la consultation publique !

Resources

Whistleblowing on the Chamber of Commerce
(version dated 25 February 2025)

Chapters