Do You Need an Ethics Line or Whistleblowing Mechanism in Czechia?

Mgr. Vojtěch Sucharda
Mgr. Vojtěch Sucharda
12.3.2026 | ARROWS law firm

If you operate a company with fifty or more employees in the Czech Republic, or if you fall under specific sectors like financial services (AML), you have a legal obligation to establish an internal whistleblowing system. This requirement is mandatory under Czech Act No. 171/2023 Coll., backed by significant penalties. This article clarifies what you need to maintain for 2026 compliance and how an effective mechanism protects your business.

Photograph captures a lawyer discussing whistleblowing system compliance.

Quick summary

  • Legal mandate : Companies with 50+ employees must have established internal reporting channels. This is required by the Czech Whistleblower Protection Act (Act No. 171/2023 Coll.), which transposed EU Directive 2019/1937.
  • Potential fines : Failure to maintain a functional system can result in penalties up to CZK 1,000,000 per violation, plus exposure to individual whistleblower claims and significant reputational damage.
  • Practical implementation : The system requires appointing a designated "competent person," establishing clear reporting procedures (written, oral, and in-person), ensuring confidentiality, and maintaining proper documentation.
  • Strategic value : Beyond compliance, an effective internal reporting system helps organizations detect and address problems early, reducing exposure to regulatory investigations, litigation, and operational risks.

Understanding what the Czech Whistleblower Protection Act actually requires

The Czech Whistleblower Protection Act (Act No. 171/2023 Coll.), effective since August 1, 2023, represents a permanent shift in how organizations handle employee concerns. By 2026, the initial implementation phase has ended, and authorities now focus on the quality and functionality of these systems.

At its core, the legislation requires organizations of a certain size (obliged entities) to maintain an internal reporting system (IRS). This isn't simply an email address or a suggestion box, but a comprehensive framework encompassing multiple reporting channels, designated personnel, and specific statutory timelines.

The scope of what employees can report under Czech law is deliberately broad. Whistleblowers can report criminal offenses, administrative offenses carrying fines of at least CZK 100,000, and breaches of the whistleblowing law itself.

This extensive scope means that conduct your organization might not have previously considered "whistleblowing territory" falls within protected reporting channels. Violations of European Union regulations in areas like financial services, competition law, and data protection are also included.

Who must maintain this system?

Understanding which organizations fall under the obligation is the first practical step. In 2026, the transitional periods have expired, meaning compliance is expected immediately upon reaching the threshold.

Employers with 50 or more employees are obliged entities, calculated based on the number of employees as of January 1st of the relevant calendar year. If you have 50+ employees regardless of whether they are full-time or part-time, you must have the system in place.

Specific entities must implement the system regardless of employee count. This applies primarily to "obliged persons" under the Anti-Money Laundering (AML) Act (Act No. 253/2008 Coll.). This includes banks, insurance companies, investment firms, and law firms.

Municipalities with more than 10,000 inhabitants and other public institutions defined by the law are also obliged entities.

For multinational organizations operating multiple entities in the Czech Republic, each Czech legal entity must be evaluated separately. A parent company's global whistleblowing system does not automatically satisfy Czech legal requirements for each subsidiary.

Specifically, entities with 250+ employees cannot share a system with the parent company in a way that bypasses the local subsidiary's responsibility. This creates challenges for multinational groups that ARROWS Law Firm regularly advises.

Establishing the internal reporting system

Once you've determined that your organization qualifies as an obliged entity, the question becomes: what exactly constitutes a compliant internal reporting system?

First, your organization must establish multiple reporting channels through which employees and other eligible persons can report violations. The law specifies that reporting must be possible in written forms, oral forms (phone recording or voice message), and in-person meetings.

You cannot simply point employees to a general email address; you must provide a secure channel accessible only to the designated "competent person."

Czech law requires appointing at least one "competent person" (příslušná osoba). This must be a natural person, not a legal entity or a generic department like "HR". This person serves as the gatekeeper for all reports and maintains strict confidentiality.

While the competent person must be a natural person, organizations can contract a third party to perform this role. Larger organizations often appoint an internal employee like a Compliance Officer but may use external counsel for complex investigations.

The law requires that organizations make information about their internal reporting system accessible through remote access, typically on the company website. You must publish the contact details of the competent person and information about external reporting channels.

1. Can our company use a global whistleblowing system already operating in our parent company?
Only with significant modifications. A global hotline often fails Czech specificities, such as the requirement that the competent person must be specifically designated for the Czech entity and unbiased. Furthermore, if your Czech entity has 250+ employees, the Act limits your ability to simply outsource the receipt of reports to a central HQ abroad.

2. We just crossed the 50-employee threshold in January 2026. When is our deadline?
The obligation arises as soon as you meet the definition of an obliged entity. We recommend establishing the system immediately upon anticipating crossing the threshold to avoid a period of non-compliance. Contact office@arws.cz to streamline this setup.

3. If our designated competent person leaves the company, what happens?
The position cannot remain vacant. You must immediately designate a replacement competent person. The previous competent person retains their duty of confidentiality even after leaving the role. All records must be securely transferred to the new competent person.

The hidden complexity of handling reports

Once a report enters your system, a strict statutory timeline begins. The competent person must acknowledge receipt within 7 days and assess the truthfulness of the report within 30 days.

If the competent person finds the report valid, they propose corrective measures to the obliged entity, but management is not given the whistleblower's identity without consent. The management must then implement appropriate steps to fix the issue.

You must maintain records of all reports, dates, assessment results, and corrective measures for 5 years. Only the competent person acts as the custodian of these records.

Protecting the whistleblower against retaliation

The cornerstone of the Act is the prohibition of retaliation. Retaliation is defined broadly as any action or omission in connection with the whistleblower's work that is triggered by the report and causes them harm.

Examples include termination, wage reduction, non-renewal of a contract, transfer to a lower position, coercion, or negative performance reviews.

In a legal dispute, if the whistleblower claims retaliation, the burden of proof reverses. It is up to the employer to prove that the action was taken for legitimate, objective reasons unrelated to the whistleblowing.

This protection extends to "facilitators" (colleagues helping the whistleblower) and related persons, such as family members working in the same company.

Compliance inspection by the Labor Inspectorate

The State Labour Inspection Office (SÚIP) is the supervisory body for most private sector entities. In 2026, inspections are active and often triggered by disgruntled employees.

SÚIP checks include the existence of the system, publicity on the website, functionality of channels, adherence to deadlines, and confidentiality protocols.

Violations regarding the system's establishment or functionality carry fines up to CZK 1,000,000. Retaliation against a whistleblower also carries a fine up to the same amount.

Risk Table: Whistleblowing Compliance Failures and How to Address Them

Risks and Sanctions

How ARROWS helps (office@arws.cz)

System not established or non-functional : Fine of up to CZK 1,000,000 per violation.

Complete implementation : ARROWS Law Firm prepares internal policies, designates competent personnel, and trains your staff.

Identity disclosure or retaliation : Fine up to CZK 1,000,000 per violation, plus civil liability.

Retaliation prevention : We review personnel actions post-report to ensure they are legally defensible.

Failure to meet deadlines (7/30 days): Administrative fines during SÚIP inspections.

Audit & Training : We train competent persons on the strict procedural timelines and assessment methodologies.

GDPR non-compliance : Processing data without legal basis. Potential fines up to CZK 10M+.

GDPR-compliant design : We ensure your whistleblowing notices and DPIA meet GDPR standards.

Corporate Criminal Liability : Failure to prevent crimes.

Exculpation : A functional system acts as a defense strategy, proving the company took "all reasonable efforts."

Anonymous reporting

Under the general Whistleblower Protection Act, private companies are not strictly legally obliged to accept and investigate anonymous reports. However, if an anonymous whistleblower's identity is later revealed, they are retroactively protected.

If you are an AML-obliged entity such as a financial institution or law firm, you must accept and investigate anonymous reports.

ARROWS Law Firm strongly advises accepting anonymous reports regardless of your sector to minimize external risks. Ignoring them often forces the whistleblower to report externally, which causes far greater damage.

The external reporting system

Employees always have the right to bypass your internal system and report directly to the Ministry of Justice via their secure portal. They can also report to relevant authorities like the police or regulators.

If your internal system is trusted and functional, employees prefer it; otherwise, they turn to the Ministry. A high number of external reports is a red flag for the Labor Inspectorate regarding your internal culture.

Executive summary for management

Organizations in the Czech Republic with 50+ employees must maintain a functional whistleblowing system under Act No. 171/2023 Coll. Non-compliance risks fines up to CZK 1,000,000 and significant legal exposure in employment disputes due to the reversed burden of proof.

Beyond compliance, a functional system is your best defense against corporate criminal liability and external regulatory raids. By catching issues internally, you control the investigation.

Conclusion

The Czech Whistleblower Protection Act is now a settled part of the legal landscape. The stakes are substantial. Organizations that treat this as a "paper compliance" exercise risk significant fines and losing control over internal crises.

The lawyers at ARROWS Law Firm have implemented systems for hundreds of Czech and international entities, providing end-to-end solutions. We draft internal directives and privacy notices or serve as the external competent person.

If you need to verify your system's compliance for 2026 or set one up immediately, contact office@arws.cz.

1. We have fewer than 50 employees. Are we exempt?
Generally, yes, unless you are an AML-obliged entity (e.g., financial advisor, real estate agent, accountant). However, voluntary adoption is possible and often recommended for risk management.

2. Can we ban external reporting in employment contracts?
No. Any contractual provision attempting to restrict the right to file a report with the Ministry of Justice or other authorities is void and illegal.

3. What if a report is knowingly false?
A whistleblower who knowingly submits a false report is not protected by the Act and may face a fine of up to CZK 50,000. However, the burden is on you to prove they knew it was false, not just that they were mistaken.

4. Can the competent person be the CEO?
Legally possible, but practically inadvisable due to inherent conflict of interest. The competent person must be able to investigate potentially against the management.

5. How often should we review the system?
We recommend an annual audit to ensure contact details are current, the competent person is trained on the latest SÚIP methodology, and GDPR documents are up to date.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.

Read also