1.) Member States shall designate the authorities competent to receive, give feedback and follow up on reports, and shall provide them with adequate resources.
2.) Member States shall ensure that the competent authorities:
a) establish independent and autonomous external reporting channels, for receiving and handling information on breaches;
b) promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of the report would jeopardise the protection of the reporting person’s identity;
c) diligently follow up on the reports;
d) provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;
e) communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;
f) transmit in due time the information contained in the report to competent institutions, bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.
3.) Member States may provide that competent authorities, after having duly assessed the matter, can decide that a reported breach is clearly minor and does not require further follow-up pursuant to this Directive, other than closure of the procedure. This shall not affect other obligations or other applicable procedures to address the reported breach, or the protection granted by this Directive in relation to internal or external reporting. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.
4.) Member States may provide that competent authorities can decide to close procedures regarding repetitive reports which do not contain any meaningful new information on breaches compared to a past report in respect of which the relevant procedures were concluded, unless new legal or factual circumstances justify a different follow-up. In such a case, the competent authorities shall notify the reporting person of their decision and the reasons therefor.
5.) Member States may provide that, in the event of high inflows of reports, competent authorities may deal with reports of serious breaches or breaches of essential provisions falling within the scope of this Directive as a matter of priority, without prejudice to the timeframe as set out in point (d) of paragraph 2.
6.) Member States shall ensure that any authority which has received a report but does not have the competence to address the breach reported transmits it to the competent authority, within a reasonable time, in a secure manner, and that the reporting person is informed, without delay, of such a transmission.