Multinational · Updated 2026-05-11

Group privilege: can a multinational run one whistleblower channel across all entities?

By Confidly editorial · Published 2026-05-11

A multinational company headquartered in Frankfurt with subsidiaries in Paris, Milan, Madrid, Amsterdam, and Warsaw asks the natural question: can we run one whistleblower channel for all of them, share investigators across borders, and report up to a single ethics committee? The answer is “yes, with conditions” — but the conditions vary across member states in ways that have surprised more than one large multinational and triggered actual fines in 2024-2025. Here is the practical state of the law in mid-2026.

Direct answer

A multinational can operate a single whistleblower channel across its EU subsidiaries provided each subsidiary remains formally the controller for its own reports, the channel is accessible in each subsidiary’s language, the case handlers competent for each subsidiary are identified, and any cross-border transfer of case content has a documented basis. The French CNIL prefers a per-entity channel with cross-entity sharing only on a case-by-case basis; the German LDI NRW accepts a group channel with explicit Joint Controller arrangements; the Italian Garante issued specific 2023 guidance; the Spanish AEPD has been silent. The Commission’s 2026 implementation report is expected to recommend guidance, not amendment.

The starting position: Article 8 of the Directive

Article 8 of Directive (EU) 2019/1937 imposes the obligation to “establish channels and procedures for internal reporting and follow-up” on every legal entity with 50+ employees. The Directive does not address whether multiple legal entities within a group can share a single channel. Recital 56 anticipates the question and concedes that resource-efficient solutions for medium-sized employers may include sharing of resources within a group; the Commission’s 2021 guidance went further and accepted that a group channel is permissible provided each entity remains accountable for its own reports.

Member states have followed different paths in transposition.

Germany: §14(1) HinSchG and the BMJ position

§14(1) HinSchG explicitly permits the Hinweisgeberstelle to be operated centrally for multiple group companies if the conditions of HinSchG are met for each company. The German Bundesministerium der Justiz published clarifying guidance in 2023 making clear that a parent-company-operated central channel can serve the obligations of each subsidiary, subject to four conditions:

  • Each subsidiary is named as a controller (or joint controller) for its own reports.
  • The case handler is competent for the subsidiary’s legal context (language, applicable national law).
  • Each subsidiary’s report content stays under that subsidiary’s control; cross-entity sharing requires the reporter’s consent or a specific legal basis.
  • The audit log is segmented per subsidiary so that each subsidiary can demonstrate its own compliance to a regulator.

The German position is the most accommodating to group channels of any major EU jurisdiction. It is the model most multinationals follow.

France: CNIL’s 2024 opinion and the strict view

The Commission Nationale de l’Informatique et des Libertés issued an opinion in March 2024 (CNIL délibération 2024-019) that complicates group channels. The CNIL accepts a shared platform but pushes back on cross-entity access to case content. Specifically:

  • Case handlers in entity A should not, by default, have visibility of cases in entity B.
  • Cross-entity access requires a specific necessity case (e.g., a report covers conduct across entities) and must be logged.
  • The legal entity to which the report relates is the data controller; the parent operating the platform is a processor for that entity, not a joint controller.

The French model is restrictive. A multinational following the French model needs role-based access in the platform that, by default, walls off each entity’s cases from cross-entity visibility, with explicit case-by-case opening.

Italy: Garante’s Provvedimento 311/2023

The Italian Garante issued Provvedimento 311 on 27 July 2023 specifically addressing whistleblower channels. The Provvedimento accepts group channels but imposes specific safeguards:

  • The DPIA must explicitly address cross-entity processing and transfers.
  • Reporters must be informed clearly which legal entity will receive their report and which entity is the controller.
  • Where the report relates to conduct that crosses entities, the case handler must document the routing decision.
  • The audit log must be exportable per entity to ANAC on request.

The Italian model is between the German and French positions: group channels are permitted, with case-management discipline.

Spain: Ley 2/2023 and AEPD silence

Spain’s Ley 2/2023 does not directly address group channels; it transposes Article 8 by reference to the controller obligation. The AEPD has not issued specific guidance through 2026, leaving the position to be inferred from general GDPR principles. The conservative reading aligns with the French CNIL position; the operational reading aligns with the German one. Most Spanish-headed multinationals follow the German model in practice and prepare to defend it.

Netherlands: Wbk and Huis voor Klokkenluiders

The Dutch Wbk does not address group channels directly. The Autoriteit Persoonsgegevens has accepted group channels under standard GDPR Article 26 joint-controller analysis. The Huis voor Klokkenluiders accepts external escalation from any entity in a group regardless of the internal channel structure. The Dutch position is closer to the German one.

Belgium, Luxembourg, Poland

Belgium and Luxembourg follow the French CNIL line closely (Belgian APD and Luxembourg CNPD have issued similar opinions). Poland’s UODO has issued no specific guidance through 2026; the position is unsettled but operationally most multinationals deploy under the German model with Polish-language localisation.

The configuration that survives in all jurisdictions

A configuration that survives the strictest national position (French CNIL) automatically survives the more permissive ones. This is the baseline a multinational should aim for:

Channel architecture. A single platform, with a per-entity URL or sub-route. The reporter sees their entity’s channel; the entity is the controller of that channel.

Access model. Role-based access enforces per-entity walls. A case handler is authorised for one or more named entities and sees only cases assigned to those entities. Cross-entity access is by explicit opening of a case to a named individual at another entity, with an audit-log entry.

Reporter-facing transparency. The reporter is told, at the point of submission, which legal entity will receive the report and which entity is the controller. This is now a default page in Confidly’s reporter onboarding.

DPIA and Joint Controller Agreement. A DPIA covers the group architecture explicitly. A Joint Controller Agreement under Article 26 GDPR is signed between the parent and each subsidiary, specifying the responsibilities of each, the contact point for data subject requests, and the allocation of liability.

Audit log per entity. The audit log can be exported per entity for that entity’s regulator on request. Confidly’s audit-log export takes an entity parameter.

Reporter consent for cross-entity sharing. Where a case touches multiple entities and content needs to be shared, the reporter is informed and asked to consent. Where consent is refused, the case can still be advanced within the originating entity, with cross-entity sharing limited to anonymised pattern-level data.
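A minimal sketch of the access model, consent gate and per-entity audit export described in this section, added here as an illustration; it is not Confidly's code, and every class, field, handler and entity name is hypothetical. It assumes reporter consent is the only basis on which a case can be opened across entities.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Case:
    case_id: str
    entity: str                     # legal entity that is controller for this report
    sharing_consent: bool = False   # reporter consented to cross-entity sharing
    opened_to: set = field(default_factory=set)  # named handlers at other entities

@dataclass(frozen=True)
class Handler:
    name: str
    entities: frozenset             # entities this handler is authorised for

class Channel:
    def __init__(self):
        self.audit = []             # every entry is tagged with the controller entity

    def _log(self, case, actor, action, outcome, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "entity": case.entity, "case": case.case_id,
                           "actor": actor, "action": action,
                           "outcome": outcome, "detail": detail})

    def can_view(self, handler, case):
        # Default wall: visible only to handlers of the controller entity,
        # or to an individual the case was explicitly opened to.
        ok = case.entity in handler.entities or handler.name in case.opened_to
        self._log(case, handler.name, "view", "allow" if ok else "deny")
        return ok

    def open_case(self, case, granter, grantee, necessity):
        # Only a handler of the controller entity may open a case, and only
        # with a stated necessity and reporter consent. Refusals are logged too.
        ok = (case.entity in granter.entities and bool(necessity.strip())
              and case.sharing_consent)
        if ok:
            case.opened_to.add(grantee.name)
        self._log(case, granter.name, "open_to:" + grantee.name,
                  "allow" if ok else "deny", necessity)
        return ok

    def export_audit(self, entity):
        # Per-entity export: one entity's regulator never receives another's entries.
        return [e for e in self.audit if e["entity"] == entity]

# Constructed sample handlers, one per entity
paris = Handler("a.martin", frozenset({"FR-SAS"}))
milan = Handler("g.rossi", frozenset({"IT-SRL"}))
```

Denied view and open attempts land in the controller entity's log alongside the grants, so the per-entity export shows a regulator both the wall and each exception to it.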

What’s coming in the 2026 Commission implementation report

The European Commission’s Article 27 implementation report, due in mid-2026, is widely expected to address group privilege. Industry consultation responses point to two probable outputs:

  • Non-binding guidance from the Commission accepting group channels with explicit conditions, intended to converge national DPA positions.
  • A proposed clarification (probably soft-law) on cross-entity transfers within an EU corporate group, building on Recital 56.

A binding amendment to the Directive itself is not expected in the 2026 cycle. The next binding revision is scheduled for 2028 in line with the standard five-year review.

What to do this quarter

Practical steps for a compliance officer in mid-2026:

  • Map your group structure: which entities are in scope, in which member states, in which languages.
  • Pick the strictest national position your group must serve and design the channel to that position. This is usually the French CNIL line.
  • Sign Joint Controller Agreements with each in-scope subsidiary.
  • Update the DPIA to cover group architecture explicitly.
  • Brief the works councils and the local representatives on the per-entity model.

The group-channel question has matured enough that the technical answer is settled and the legal answer follows in most jurisdictions. The remaining uncertainty is on the strictest fringes of CNIL and CNPD positions and will be addressed by Commission guidance in 2026.
