Article 22
Reporting of breaches
1.
Member States shall ensure that competent authorities establish effective and reliable mechanisms to enable prompt reporting of potential or actual breaches of national provisions transposing this Directive and of Regulation (EU) 2019/2033 to competent authorities.
Those mechanisms shall include the following:
(a)
specific procedures for the reception, treatment and following up of such reports, including the establishment of secure communication channels;
(b)
appropriate protection against retaliation, discrimination or other types of unfair treatment by the investment firm for employees of investment firms who report breaches committed within the investment firm;
(c)
protection of personal data concerning both the person who reports the breach and the natural person who is allegedly responsible for that breach, in accordance with Regulation (EU) 2016/679;
(d)
clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the investment firm, unless disclosure is required by national law in the context of further investigations or subsequent administrative or judicial proceedings.
2.
Member States shall require investment firms to have in place appropriate procedures for their employees to report breaches internally through a specific independent channel. Those procedures may be provided for by the social partners provided that those procedures offer the same protection as the protection referred to in points (b), (c) and (d) of paragraph 1.