1. Member States shall ensure that competent authorities establish effective and reliable mechanisms to encourage reporting of potential or actual breaches of national provisions transposing this Directive and of Regulation (EU) No 575/2013 to competent authorities.
2. The mechanisms referred to in paragraph 1 shall include at least:
(a) specific procedures for the receipt of reports on breaches and their follow-up;
(b) appropriate protection for employees of institutions who report breaches committed within the institution against retaliation, discrimination or other types of unfair treatment at a minimum;
(c) protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for a breach, in accordance with Directive 95/46/EC;
(d) clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the institution, unless disclosure is required by national law in the context of further investigations or subsequent judicial proceedings.
3. Member States shall require institutions to have in place appropriate procedures for their employees to report breaches internally through a specific, independent and autonomous channel.
Such a channel may also be provided through arrangements provided for by social partners. The same protection as referred to in points (b), (c) and (d) of paragraph 2 shall apply.