Whistleblowing and Private Investigations

2. Part I — key rules under both regimes

2.1 The Whistleblowing Act: key takeaways for HR

The Whistleblowing Act transposed EU Directive 2019/1937 into Belgian law for the private sector. It entered into force on February 15, 2023 and applies to a wide range of reportable matters, including breaches of EU law in areas such as public procurement, financial services, anti-money laundering, product safety, environmental protection, data protection, tax fraud, and social fraud. Belgium exercised the option to extend the scope beyond pure EU law violations by adding fiscal and social fraud to the list of reportable matters. In practice, social fraud is broadly interpreted by the authorities and encompasses breaches of social legislation.

Who can report. The Whistleblowing Act protects a broad category of natural persons who acquire information about breaches in a work-related context, including employees, self-employed persons, shareholders, members of a governing body (including non-executive directors), volunteers, trainees, and persons working under the supervision of contractors or subcontractors. Protection also extends to facilitators, connected third parties, and legal entities owned by or connected to the whistleblower.

Three reporting channels. A whistleblower may report (i) through the employer's internal reporting channel, (ii) to an external authority, or (iii) through public disclosure. Importantly, the Belgian legislator chose not to impose a strict tiered procedure: a whistleblower is free to choose the most appropriate channel. However, public disclosure only grants the whistleblower protective status under the Whistleblowing Act in specific circumstances—in particular where internal or external reporting has not led to appropriate follow-up within the prescribed timeframes, where there is an imminent or manifest danger to the public interest, or where external reporting would cause a retaliation risk or be ineffective due to specific circumstances, e.g. a risk of concealment or destruction of evidence or collusion between the authority and the perpetrator.

Obligation to establish an internal channel. Private sector entities with 50 or more employees must set up internal reporting channels and follow-up procedures, after consultation with the social partners.

Operational requirements. The internal channel must ensure the confidentiality of the whistleblower's identity through its design, setup, and management. A reporting manager must be designated. This person must be independent and free from conflicts of interest. The reporting manager must acknowledge receipt within seven days and provide feedback to the whistleblower within three months following such acknowledgement. Anonymous reports must be accepted and followed up by entities with 250 or more employees.

Anti-retaliation. Any form of retaliation against whistleblowers and protected persons is prohibited. The Act contains a broad, non-exhaustive catalogue of prohibited retaliatory measures, including dismissal, demotion, transfer, salary reduction, negative performance assessments, disciplinary measures, intimidation, blacklisting, and reputational harm. Importantly, the burden of proof is reversed: once a whistleblower demonstrates that a report was made and a detrimental measure followed, a presumption arises that the measure constitutes retaliation. It is then for the employer to prove that the measure was duly justified on grounds unrelated to the report.

Compensation. For employees who suffer retaliation, compensation is fixed at between 18 and 26 weeks' remuneration. For whistleblowers in the financial sector, a fixed amount of six months' gross remuneration or actual damages (whichever the victim elects) applies, along with a right to request reinstatement.

Liability shield. Whistleblowers are shielded from liability for disclosing confidential information, trade secrets, or data protected by contractual or statutory confidentiality obligations, provided they had reasonable grounds to believe that the disclosure was necessary to reveal the breach. The Employment Contracts Act has been amended to confirm that a report or disclosure under the Whistleblowing Act cannot constitute gross negligence, serious fault, or ordinary fault for which an employee can be held liable.

Sanctions. Non-compliance with the obligation to set up an internal channel or follow up on reports is punishable by criminal penalties or administrative fines. Obstructing a report, retaliating against protected persons, initiating abusive proceedings, or breaching confidentiality obligations are punishable by imprisonment and fines.

Register. The company must maintain a register of all reports received, stored for the duration of the contractual relationship with the reporter.

2.2 The Private Investigations Act: key takeaways for HR

The PIA entered into force on 16 December 2024, replacing the former Private Detective Act of 1991. It regulates "activities of private investigation," broadly defined as the gathering of information about natural or legal persons or about facts committed by them, carried out by a natural person on behalf of a principal, with the purpose of safeguarding the principal's interests in the context of an actual or potential conflict.

Broad scope. Unlike its predecessor, the PIA applies not only to external detective agencies but also to internal investigation functions within companies—HR departments, compliance teams and any other department that structurally conducts investigations are in principle subject to PIA. This represents an important expansion of regulatory reach.

Licensing requirement. An internal investigation service (interne dienst voor private opsporing) must obtain a prior license from the Minister of the Interior. The license is valid for 5 years and renewable. This requirement is prescribed under penalty of nullity of the investigation. Members of the service must also obtain individual identification cards and satisfy personal requirements, including nationality and residency conditions, absence of criminal convictions, and (yet to be specified) professional training and experience conditions.

Exception for HR departments. Members of an HR department conducting an incident investigation concerning an employee of their own employer are exempted from the license and identification card requirements—but not from the substantive investigation rules. The scope of this exemption remains to be clarified; it is understood to cover non-structural incident investigations by HR, but its precise boundaries are not yet settled.

Mandatory internal regulations. Every employer must, on penalty of nullity, adopt internal regulations governing private investigations of employees (after the involvement of the relevant employee representative body). The internal regulations must be adopted by December 16, 2026.

Prohibited investigation domains. The PIA contains a significantly expanded list of prohibited investigation areas—topics that may not be investigated and about which no data may be processed. These include political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sexual conduct, and health data. Violation is sanctioned by nullity. Investigations related to social conflicts (labour disputes involving social partners) are also prohibited.

Interview safeguards. Interviews—the most common investigation technique—are now subject to strict procedural requirements modelled on police interrogation safeguards. The interviewee must give written consent, must among other things be informed of the purpose of the interview and the use of their statement, must be told that they are not obliged to answer questions, may be assisted by a person of their choice, may terminate the interview at any time, and has the right to review and correct the written record. The investigator must refrain from any question, suggestion, threat, or other conduct that could give the impression that the interviewee cannot answer freely.

Investigation report and data subject rights. Within one month of the last investigative action, a written investigation report must be submitted to the principal. The principal must then, when deciding to act on the report, inform all data subjects whose personal data are processed in the report. Before the principal may act on the report (e.g., proceed with dismissal), data subjects must have been afforded the opportunity to exercise their rights of access, rectification, and erasure. This creates a significant practical challenge for employers contemplating dismissal for serious cause (dringende reden/motif grave), which must under Belgian law be notified within three working days of the employer gaining sufficient knowledge of the relevant facts. Employers must therefore carefully sequence the notification to data subjects and the dismissal process to avoid adverse consequences. One option to mitigate this tension is to inform the interviewee of their rights during the interview itself.

Mandatory reporting to the public prosecutor. Where the investigation reveals facts that constitute or are likely to constitute crimes or offences, the investigator or representative (i.e., the person who accepts the investigative mission) must immediately and in writing notify the public prosecutor. This obligation applies only when the facts are sufficiently clear and not based on vague rumors. The public prosecutor and the investigative judge may order the suspension or even termination of the internal investigation and demand the disclosure of documents from the investigation file. This reporting obligation is not subject to an express sanction of nullity, but it raises significant questions regarding the balance with the company's right against self-incrimination—an unresolved tension that warrants careful case-by-case consideration.

Nullity sanctions. Approximately ten provisions of the PIA are prescribed under penalty of nullity, meaning that breach renders the investigation findings void and unusable as evidence. These include the licensing requirement, investigation of prohibited domains, absence of internal regulations, use of methods reserved for law enforcement, observation in private places, and use of unlawfully obtained information.

Evidentiary consequences. The PIA is classified as a law of public order (openbare orde), which means courts must apply its provisions ex officio. For provisions not expressly prescribed under penalty of nullity, the court retains sovereign discretion over the evidentiary weight to be given to investigation findings—but the public order character creates uncertainty about whether the well-known Antigoon doctrine (allowing courts to admit unlawfully obtained evidence under certain conditions) can still be applied.

Key exceptions. Two exceptions on PIA's scope merit specific attention. First, investigations carried out to comply with legal obligations fall outside the scope of the PIA. How this exception must be interpreted is not entirely clear. For example, follow-up (including investigations) in the context of whistleblowing reports would arguably fall outside the scope of the PIA. However, Belgian legal doctrine is divided in this regard, as both arguments in favour of a broader and a more restrictive interpretation can be found. Second, the professional activities of external counsel (advocaat/avocat) do not qualify as activities of private investigation.

3. Part II — trends we are observing in HR practice

Increased whistleblowing activity. Belgium's whistleblowing rules have led to a noticeable increase in speaking up. The combination of robust anti-retaliation protection, reversed burden of proof, and the availability of external and public disclosure channels has emboldened employees to report concerns—including about matters such as workplace harassment, toxic leadership, and broader corporate culture issues that may or may not fall strictly within the Whistleblowing Act's material scope.

Expanded reporting channels beyond legal requirements. Many companies have voluntarily expanded their whistleblowing channels to cover conduct that goes beyond the strict material scope of the Whistleblowing Act—such as code of conduct violations, and safety incidents. While this demonstrates good governance, it creates complexity: investigations triggered by such broader reports are more likely to fall within the scope of the PIA, since they cannot easily be characterized as activities carried out "in execution of a legal obligation" under the Whistleblowing Act. As noted above, the legal obligations exception to the PIA is not entirely clear as to its precise limits, and in practice its availability must be assessed on a case-by-case basis.

The PIA as a litigation weapon. Companies are already facing cases—particularly dismissals for serious cause—where employees challenge the evidentiary value of internal investigations on the basis that PIA requirements were not met. The nullity sanction means that an employer may have compelling evidence of misconduct but be unable to use it in court because of procedural defects in how the evidence was gathered. This represents an important shift in the dynamics of employment litigation.

Investigations into workplace behavior. Investigations into bullying, harassment, and toxic leadership have expanded significantly. However, the PIA's prohibition on investigating "sexual conduct" and "health data" creates uncertainty about the permissibility of investigating allegations that involve elements of sexual harassment or mental health impact. Similarly, the requirement of consent for interviews means that where a subject refuses to cooperate, the investigation may stall—though employers retain the general right to instruct employees and employees have a duty to cooperate in evidence production, the failure of which may in appropriate circumstances itself justify disciplinary action.

4. Part III — why this is a board-level matter

For directors of (listed) companies, the combined effect of the Whistleblowing Act and the PIA creates several governance imperatives that transcend pure HR management. These imperatives are best understood, by way of illustration, through some of the concrete risks they present: reputational tipping points, the interface with criminal authorities, cross-border governance fragmentation, and potential liability exposure.

4.1 Reputational tipping points

Under the Whistleblowing Act, a whistleblower is always free to make a public disclosure. Public disclosure grants full protective status in specific circumstances (see above). For a (listed) company, this creates a direct pathway from internal HR processes to public, potentially market-moving information.

The board sets the tone for the company's strategy, risk appetite, and corporate culture. A failure of the internal whistleblowing channel—whether due to insufficient resources, slow follow-up, or a lack of trust—can escalate into a reputational crisis. The board itself does not need to manage these channels, but it should satisfy itself that management has them under control.

Based on our experience, we see that boards receive periodic reporting on key whistleblowing metrics—such as report volumes, processing times, closure rates, and the nature of substantiated findings—so that it can fulfil its monitoring role without being drawn into operational detail.

Beyond formal processes, the credibility of whistleblowing channels depends on demonstrated non-retaliation. The board sets the tone from the top but relies on management to implement it. Management should ensure that HR decisions affecting whistleblowers are exceptionally well documented, and the board should be in a position to verify this when needed.

The underlying governance principle is clear: delegate, and trust management to deliver—but follow up. Directors are not expected to lead the day-to-day management of whistleblowing channels. They should, however, periodically satisfy themselves that what has been delegated is being executed properly.

4.2 Interface with criminal authorities

The PIA's mandatory reporting obligation to the public prosecutor means that an internal investigation, once it uncovers indications of criminal conduct, may trigger a parallel criminal process over which the company has no control. As stated, the prosecutor may suspend or even take over the internal investigation and demand disclosure of the investigation file.

For a (listed) company, this creates scenarios that require pre-planned communication strategies. Management should prepare these strategies; the board should be informed and consulted where appropriate, without necessarily leading the process.

In practice, we see that boards approve the internal control and risk management framework. It is not expected to design the operational details. Applied to the PIA context, this means management should prepare contingency scenarios for situations where an internal investigation triggers mandatory reporting—including who communicates with authorities, how information is managed internally and externally. The board should satisfy itself that such planning has been done.

4.3 Cross-border governance fragmentation

Companies with international operations face the challenge of maintaining a coherent global investigation framework while complying with Belgium's stringent local requirements. The PIA's EEA-only licensing regime—with certain limited exceptions, including UK nationals/residents—effectively forces companies to localize their investigation capability. This may conflict with group-level governance and reporting lines.

The implications are direct for compliance functions that traditionally operate on a consolidated basis. Management is responsible for implementing the necessary infrastructure: a licensed internal investigation service (or appropriate reliance on the HR department exemption for non-structural incident investigations), internal regulations adopted within the legal deadline of 16 December 2026, trained investigators who meet the personal requirements, documented interview protocols, and a clear procedure for engaging with the public prosecutor where necessary. The board should follow up on whether this infrastructure is in place, without needing to manage its design or daily operation.

4.4 Potential liability exposure

Depending on what comes to light during an investigation and how the matter is subsequently handled, the company, senior management, or directors may potentially face liability. The nature and severity of potential exposure will vary with the circumstances, including the structural nature of the issues that emerge and/or the personal involvement of the relevant person in the context of the breach.

Therefore, proper governance arrangements are key. For directors, ensuring that adequate oversight mechanisms, clear escalation procedures, and well-documented decision-making are in place remains the most effective way to demonstrate that they have fulfilled their monitoring role.

4.5 Conclusion

The Whistleblowing Act and the Private Investigations Act together represent a paradigm shift in how Belgian companies must handle workplace misconduct. The legal landscape is characterized by broad ambitions, detailed procedural requirements, severe sanctions, and residual uncertainty that will only be resolved through case law and/or further legislative intervention.

For boards of (listed) companies, the key takeaway is this: whistleblowing and internal investigations are no longer purely operational matters that can be delegated entirely to HR or compliance. They are governance topics with direct implications for legal exposure, evidentiary integrity, regulatory risk, potential criminal investigations and corporate reputation. The quality of governance should increasingly be measured by how signals are received, how carefully investigations are conducted, and how transparently accountability is demonstrated.

Our recommendation for boards is to ensure that clear procedures, reporting lines, and oversight mechanisms are in place before potential issues require active management.