VisselSignal: EU-Compliant Whistleblowing Made Simple
VisselSignal is a whistleblowing platform built for EU Directive 2019/1937 and Swedish national law — anonymous, secure, and fully compliant out of the box.
Whistleblowing legislation is here
The EU Whistleblowing Directive (2019/1937) requires organizations to provide secure, confidential channels for reporting misconduct. Sweden transposed this into national law, and since December 2023 it applies to all organizations with 50 or more employees.
The requirements are specific:
- Confidential reporting channels — reporters must be able to submit reports without exposing their identity
- Follow-up within defined timescales — organizations must acknowledge receipt within 7 days and provide feedback within 3 months
- Protection against retaliation — whistleblowers are legally protected from adverse consequences for reporting
- Data protection — reports must be handled in compliance with GDPR, with strict access controls and retention limits
Many organizations know they need a system. Fewer know what a compliant one actually looks like.
What VisselSignal provides
VisselSignal is a whistleblowing platform designed specifically for EU Directive 2019/1937 and Swedish national law.
Anonymous reporting
Reporters can submit reports without creating an account and without revealing their identity. There’s no IP logging, no device fingerprinting, no metadata collection beyond the report itself.
Secure two-way communication
Even when a report is fully anonymous, the organization can communicate with the reporter through VisselSignal’s secure message thread. The reporter checks back using a unique case code — no email address required.
Case management
Organizations get a structured workflow for handling reports: receive, acknowledge, investigate, and conclude — all within the legally required timescales. The platform tracks deadlines and sends reminders.
Access controls
Only designated case handlers can access reports. Role-based access ensures that sensitive information stays with the people responsible for investigating it.
Audit trail
Every action on a case is logged for accountability, without compromising reporter anonymity. This protects both the organization and the whistleblower.
Who needs this
Under Swedish law, the following organizations are required to have an internal whistleblowing channel:
- All employers with 50+ employees (since December 17, 2023)
- Municipalities and regions
- Government agencies
- Companies in regulated industries (financial services, aviation, food safety, etc.)
Even organizations below the 50-employee threshold can benefit from having a reporting channel — it demonstrates a commitment to transparency and gives employees a safe way to raise concerns.
Why not just use email?
A common question: “Can’t people just email us?”
The short answer is no — not if you want to meet the directive’s requirements:
- Email isn’t anonymous. Even with a throwaway account, email headers contain metadata. IP addresses can be logged by providers.
- Email isn’t structured. There’s no built-in case management, deadline tracking, or audit trail.
- Email mixes with everything else. Whistleblowing reports require strict access controls. A shared inbox doesn’t provide that.
- Email doesn’t inspire trust. A reporter worried about retaliation is unlikely to trust that their identity is truly hidden when sending an email.
A purpose-built platform addresses all of these concerns by design.
The privacy architecture
Whistleblowing is the most privacy-sensitive category of software we build. The stakes are high — a reporter’s identity, if exposed, could lead to retaliation, job loss, or worse.
VisselSignal’s privacy design reflects this:
- No IP logging on the reporting interface
- No cookies or tracking scripts
- Encrypted storage for all report data
- EU-only data residency — all data stays within the European Union
- Automatic retention management — reports are deleted according to configurable retention policies, in line with GDPR’s storage limitation principle
- Minimal data collection — we collect only what’s necessary to process the report
Compliance without complexity
We built VisselSignal because compliance shouldn’t require a six-month IT project. Organizations need a system that works on day one:
- No complex setup or integration required
- No dedicated server infrastructure to manage
- Clear documentation mapping features to legal requirements
- Affordable pricing that works for both large organizations and smaller employers
The goal is simple: let organizations meet their legal obligations without the overhead.
Getting started
VisselSignal is ready to deploy for your organization.
Visit visselsignal.com to learn more, or contact us if you need help evaluating whether VisselSignal meets your specific requirements.