Official compliance guide
Legal framework and QReportly operating standard
Extended European compliance and risk management guide — Directive (EU) 2019/1937. Documentation for administrators, legal counsel, and HR managers.
I. Preamble and legal foundation
This technical and legal documentation establishes the mandatory operating standards of the QReportly platform, developed in strict conformity with Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law, together with the national transposition measures adopted by Member States — including Law no. 361/2022 in Romania, the HinSchG in Germany, Legislative Decree 24/2023 in Italy, and Law 2/2023 in Spain.
The QReportly platform functions as a fully secured internal digital reporting channel (Whistleblowing System), providing public and private sector legal entities with the cryptographic infrastructure necessary to prevent, detect, and remediate internal legislative breaches, while simultaneously guaranteeing the whistleblower's complete immunity against all forms of retaliation.
II. Automation of the notification obligation
The mandatory 7-day deadline — Article 9(1)(b) of the European Directive
In accordance with the explicit provisions of Article 9(1)(b) of the European Directive, the organisation bears a mandatory legal obligation to transmit a receipt confirmation of the report to the reporting person within a maximum period of seven days from the date of its reception.
1. Guarantee of background legal protection
To eliminate the risk of human error, omission, or delay — circumstances that may attract severe administrative sanctions — QReportly instantly secures the chronological flow. Shortly after a report is submitted, a courteous receipt confirmation is sent directly in the reporter's secure chat, ensuring strict compliance with the deadline and official validation of the case.
2. Legal nature of the automatic confirmation
This receipt message is drafted in neutral, formal, and courteous language. Its role is strictly limited to the formal validation of the case's reception in the organisation's secure database. It does not constitute an admission of guilt, a validation of the substance of the matter, or a resolution of the case.
The transmission of this confirmation instantly fulfils your company's procedural obligation, leaving the substantive analysis, internal investigation, and resolution exclusively to the Designated Officer or Compliance Department, within the extended three-month period prescribed by law.
Bring your organisation into compliance today
Create your account and activate the secured reporting channel in minutes — no IT installation required.
III. Security architecture and data isolation
Enterprise Multi-Tenant and Row-Level Security (RLS)
QReportly is engineered on an enterprise-grade Multi-Tenant architecture, delivering a level of data segregation consistent with Row-Level Security (RLS) principles.
- Absolute logical isolation: each enrolled company benefits from a fully isolated workspace. Databases, attached files, audit logs, and internal chat communications are individually encrypted using the AES-256 algorithm. It is technically and structurally impossible for one company's data to be accessed by another legal entity within the platform.
- Portfolio management (Workspace Switcher): for law firms, auditors, or external HR consultants managing compliance across multiple clients, the platform provides a secured selector in the header. Switching between companies instantly reloads encryption keys and visual context, ensuring fluid yet perfectly secure and legally delimited management.
IV. Anonymity protocol and data protection
Unlike traditional communication channels (e-mail, conventional telephone lines, or physical drop boxes), which present major security risks and vulnerabilities to cyberattacks, QReportly applies strict anonymisation protocols in accordance with GDPR data minimisation principles:
- Elimination of digital identifiers: the platform does not store, log, or process reporters' IP addresses, geolocation data, or digital fingerprints (browser fingerprinting).
- Sanitisation of attached files: upon upload of supporting documents, QReportly automatically strips hidden metadata (EXIF, document author, software, device serial numbers). The Designated Officer receives only the raw evidentiary content.
- Unique Access Code system: subsequent communication is conducted exclusively on the basis of a unique alphanumeric code generated locally. The whistleblower may return to the chat without disclosing their identity or creating an account with personal data.
V. Role and responsibilities of the Designated Officer
The designation of the Compliance Officer constitutes the functional core of Directive (EU) 2019/1937 and its UK and EU national implementations. The QReportly platform guides this entity through contextual assistance windows and intuitive interfaces.
The Designated Officer bears a legal obligation to act with maximum impartiality. They shall utilise the integrated electronic register within QReportly to maintain strict case records — a register that does not permit retroactive modification of data (immutable audit log), providing incontestable evidence before state inspectors that procedures were followed with due diligence.
VI. Commercial guarantees and subscriptions
To balance mandatory legal compliance with cost predictability, QReportly offers clear subscriptions calibrated to organisation size (essential thresholds: 50, 250, and over 500 employees).
Subscription payment is processed centrally and securely through certified payment processors, directly from your organisation's administration panel.
VII. Conclusions and diligence statement
Through the implementation of QReportly, your organisation not only avoids the severe administrative penalties instituted by European and UK whistleblowing legislation, but also demonstrates a robust organisational culture founded on ethics, transparency, and modern corporate governance (ESG Compliance).
The platform represents the most secure, modern, and efficient digital legal shield available on the European market for internal reporting channels compliant with Directive (EU) 2019/1937, GDPR, and applicable transnational standards.
Mandatory workflow of the Designated Officer
- Step 1: Reception (Day 0). Automatic receipt notification / legal validation within 7 days
- Step 2: Examination (Days 1–70). Secured chat communication, evidence collection, internal investigation
- Step 3: Resolution (Month 3). Substantive official response, remedial measures, and case closure
The digital legal shield for your organisation
Join the organisations that have chosen QReportly for full compliance with EU Directive 2019/1937, UK whistleblowing law, and national legislation.