The internal reporting channel the EU Directive requires
Under EU Directive 2019/1937, organizations with 50+ workers must operate a secure internal reporting channel. Non-compliance carries fines up to €1,000,000 under national transpositions.

- EU Directive 2019/1937 compliant
- GDPR compliant
- EU-sovereign infrastructure
- No AI
Without a channel, you're exposed
An employee witnesses fraud and has nowhere to report it internally. They go to a regulator, a journalist, or a lawyer. Now you have a compliance violation, a PR crisis, and no audit trail showing you took the Directive seriously. A reporting channel is not a checkbox. It is how you find problems before they find you.
How it works

Step 1: Configure your portal
Set up the organization account, configure your portal's welcome text, report categories, and logo. No technical setup required.

Step 2: Share the link
Give employees your portal link or QR code. They can submit anonymous reports from any browser. No app or account is required.

Step 3: Handle reports securely
When a report comes in, communicate securely with the whistleblower, track your 7-day and 3-month deadlines, and export case files for auditors.
Built for EU compliance
The questions legal and compliance teams ask before approving a reporting channel, answered plainly.
Can reporters stay completely anonymous?
Yes. No account, no IP logging, and file metadata is stripped on upload. Identifying yourself is optional.
Does it track the Directive's statutory deadlines?
Yes. The 7-day acknowledgment and 3-month feedback timers run automatically, and overdue cases are flagged.
Is access to reports limited to the people you authorize?
Yes. Role-based access. Only admins and assigned handlers see a case, and reporters never see a handler's name.
Is report data encrypted and kept in the EU?
Yes. Encrypted at rest and hosted in Nuremberg, Germany. Report data is never moved outside the EU.
Can you take reports made by phone or in person?
Yes. Display a phone number on the portal, and log phone, letter, and in-person reports in one place.
Is there a tamper-evident record of every action?
Yes. The audit trail is append-only. Nothing can be edited or deleted, so you can show a regulator what happened.
Can you set how long data is kept and delete it automatically?
Yes. Choose a retention period from 12 to 60 months. Closed cases are deleted automatically when it expires.
Is there a DPA and a published sub-processor list?
Yes. A public Data Processing Agreement, countersigned on request, plus the full Article 28 sub-processor list.
Evidence for auditors
Four compliance documents available directly from the portal, ready to hand to legal, compliance, or regulators.
Compliance report
Directive 2019/1937 checklist, SLA metrics, data protection measures, and audit trail summary without exposing sensitive report data.
Compliance certificate
Shareable proof that your organization operates an internal reporting channel compliant with Directive 2019/1937 and your national transposition.
Whistleblower policy
Ready-to-adopt internal policy document your organization can publish and communicate to workers.
Privacy notice
GDPR Article 13/14 notice displayed to reporters before submission, pre-filled with your organization's controller details.
Principled infrastructure
No AI on report content.
EthicsPortal does not transmit report content, reporter identity, or case messages to any large language model or AI inference provider. No AI categorisation, summarisation, or translation. No AI sub-processor on the GDPR Article 28 list. A deterministic audit trail records actor and action — not a probabilistic suggestion.
Pricing
One plan. Everything the Directive requires.
Excluding VAT
Unlimited reports, designated handlers, and file uploads.




