Report a breach using the online form
Additional reporting channels
- At the email address [email protected]
- By phone +372 676 1648 (24/7)
- Meeting with the Head of the Internal Control Department of the Estonian Tax and Customs Board
- Through the head of the reporting person
Important to know
- A breach means an act or omission which has become known in the course of a work-related activity and which is unlawful or defeats the purpose of a provision of European Union law. The protection of the reporting person is ensured on the basis of the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law.
- Upon submitting a report, please try to describe the circumstances, time and place of the breach committed or to be committed as precisely as possible.
- You can request anonymity upon reporting a breach and further processing of the information. If possible, please leave us your contact details so that we can specify the details of the report if necessary.
- You must have reasonable grounds to believe that the breach has been directly commenced or it has been completed and that the information reported is true. It is prohibited to submit knowingly false reports of breaches.
Reporting work-related breaches of European Union law and processing of the report
The following persons who are in a work-related relationship with the Estonian Tax and Customs Board (ETCB) will receive the protection of the reporting person upon reporting a work-related breach of European Union law:
- the ETCB's officials and persons who perform work on the basis of an employment contract;
- persons working at the ETCB on the basis of a contract under the law of obligations;
- persons undergoing training at the ETCB;
- persons in the process of entering into an employment or service relationship with the ETCB;
- persons whose employment relationship with the ETCB has ended;
- persons engaged in pre-contractual negotiations or otherwise preparing a contract or persons whose employment relationship has ended;
- persons working with a contractual partner of the ETCB in any of the above forms.
The Act on Protection of Persons Who Report Work-Related Breaches of European Union Law applies to the reporting of breaches of the requirements arising from European Union law which have become known in the course of work-related activities in the following areas:
- public procurement;
- financial services, products and markets, and prevention of money laundering and terrorist financing;
- product safety and compliance;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data, and security of network and information systems;
- breaches affecting the financial interests of the European Union as provided in Article 325 of the Treaty on the Functioning of the European Union (TFEU) and as further specified in relevant European Union measures;
- breaches relating to the internal market, as referred to in Article 26(2) TFEU, in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.
The Act on Protection of Persons Who Report Work-Related Breaches of European Union Law does not apply to the reporting of every breach of law. On the basis of the national legislation of the Republic of Estonia, we process the following possible offences of employees and officials as hints:
- non-compliance with the procedures and internal rules of the Estonian Tax and Customs Board;
- any act or conduct contrary to the principles of value and ethics;
- misuse or misappropriation of resources;
- fraud, counterfeiting, corruption: corrupt use of official position, public instrument, influence or inside information, asking for, offering, giving or mediating a bribe;
- decisions taken in a situation of conflict of interest and non-compliance with the obligation to self-recuse; discrimination, harassment, persecution, including harassment at work;
- violation of occupational health rules or occupational health and safety requirements, endangering or harming someone's life or health;
- any crime or failure to perform legal obligations by the Estonian Tax and Customs Board;
- intentionally concealing information relating to any of the above violations.
You can report such violations and read more about their processing on the page Fraud hotline.
- Reports of breaches are received and processed by the Internal Control Department of the Estonian Tax and Customs Board (ETCB), which, if necessary, involves specialists in the field and other competent persons in the process. The Internal Control Department provides feedback to the reporting persons on the receipt of the report of a breach, on the progress of proceedings and on the implementation of follow-up measures.
- The Internal Control Department will send an acknowledgement of receipt of a report of breaches to the reporting person within 7 days of the receipt of the report. If a report does not fall within the scope of the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law, and the protection provided under the Act does not apply to the reporting person, the Internal Control Department will inform the reporting person.
- If the ETCB does not have the competence to address the report of a breach, the Internal Control Department will forward it to the competent authority as soon as possible, but no later than on the fifth working day of the receipt of the report, informing the reporting person thereof.
- The Internal Control Department will give feedback on the follow-up as soon as possible: to an employee or official of the ETCB no later than three months after the receipt of the report of a breach, and to a reporting person outside the ETCB, in justified cases, six months after the receipt of the report of a breach. The feedback will include a general overview of the follow-up measures implemented and the outcome of the proceedings initiated on the basis of the report.
- Notification and feedback will not be provided if:
  - the reporting person explicitly prohibited sending the feedback or
  - there is a reason to believe that this would jeopardise the confidentiality of the reporting person or
  - the report of a breach has been submitted anonymously.
- If a report concerns a minor breach in the opinion of the ETCB or if it constitutes a repetitive report of the same content, we are not obligated to follow up and provide feedback.
- The reports of breaches and procedural documents are stored in the document management system of the ETCB for 3 years after giving feedback to the reporting person.
- Phone calls are recorded for the purpose of processing the reported information. Phone call recordings are stored for 30 calendar days.
Protection of reporting persons
The Internal Control Department will ensure the confidentiality of the fact of reporting a breach and of the person who reported the breach and of other persons who expressed their opinion in good faith. Only officials of the Internal Control Department have access to the reporting channel, reports of breaches and other information on breaches in the document management system of the Estonian Tax and Customs Board (ETCB). The Internal Control Department uses the content of a report only in connection with the processing of a breach and also takes into account the need to protect the confidentiality of the persons concerned. The identity of the reporting person may be disclosed only with the written consent of the person.
The ETCB ensures the protection of the reporting person from the application of retaliatory measures due to the reporting of a breach. Retaliation, an attempt and threat thereof are prohibited at the ETCB.
Exclusion of liability
A reporting person does not incur liability in respect of the legal consequences arising from the disclosure of information provided that they had reasonable grounds to believe that the disclosure of information was necessary for revealing a breach, unless such disclosure of information is punishable as a criminal offence. The disclosure of a trade secret under the same circumstances is considered lawful. Furthermore, the reporting person does not incur liability in respect of obtaining access to information for reporting purposes unless obtaining such access to information is punishable as an offence.
Processing of personal data
In order to ensure protection when reporting breaches of EU law that have become known in the course of work-related activities, personal data collected in the course of addressing reports of breaches are processed in accordance with the EU General Data Protection Regulation, taking into account the specifics of the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law. Upon processing personal data on the basis of the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law, the ETCB restricts the rights of a data subject if this is necessary to ensure the confidentiality of a reporting person.
Last updated: 21.07.2025