4 November 2022
Update November 2022
The German Whistleblower Protection Act will be implemented in a timely manner.
The purpose of the Act is to protect whistleblowers from disadvantages in the future. Companies with more than 249 employees must set up and operate a whistleblower system within three months. Otherwise, there is the risk of a heavy fine and the legal leakage of critical company information and know-how. As from 17 December 2023, this obligation will also apply to companies with at least 50 employees.
We have compiled alphabetically the most important questions from the point of view of the respective compliance/legal/human resources department. However, caution is required when dealing with compliance issues, as it always depends on the individual case. Legal advice is just as necessary when dealing with whistleblowers as ensuring confidentiality in the whistleblowing process. The FAQs are no substitute for an examination of the legal situation in the individual case and do not constitute legal advice.
Our whistleblowing experts Dr Oliver Bertram, Isabel Bäumer, Mareike Gehrmann, Dr Martin Knaup, Dr Rebekka Krause and Jan-Patrick Vogel, LL.M. can be contacted through the following channels:
The HinSchG does not establish an obligation for companies to accept anonymous reports. Nevertheless, internal and external reporting offices should also process anonymous reports as long as this does not impair the processing of non-anonymous reports. Allowing anonymous notifications makes sense from a compliance point of view. This optimises the company’s knowledge gain. Not only do anonymous whistleblowers enjoy whistleblower protection under the HinSchG if their identity is disclosed, but employees also tend to want to report violations anonymously.
In the opinion of the EU Commission, which expressed its opinion on this topic in the summer of 2021, a group-wide central whistleblower system at the parent company does not constitute a permissible allocation of resources. This means that subsidiaries that fall within the scope of application due to their number of employees must (additionally) set up their own decentralised whistleblowing system.
The HinSchG expressly advocates a so-called “group privilege”, i.e. group-wide reporting offices remain permissible.
Considering the contradiction between the HinSchG and the EU Commission’s view, it is advisable to critically question the admissibility of group-wide hotlines.
The HinSchG does not impose an obligation on companies to accept information from persons who do not fall within the personal scope of application, i.e. from outside the company. However, it is advisable to consider this as an option, especially with regard to the obligation to set up a complaints procedure provided for in the Supply Chain Due Diligence Act.
A functioning whistleblower system is a central component of an effective CMS and must therefore be linked to the other elements of a CMS. In addition to identifying compliance violations, the whistleblower system also serves to determine whether the preventive compliance measures taken are effective and whether any misconduct is avoided. To the same extent, a whistleblower system helps to identify necessary adjustments and improvements to the CMS and, at the same time, to preserve the authority to interpret the facts underlying the respective report in favour of the company concerned.
Yes, the HinSchG requires reporting channels to be securely designed, set up and operated in such a way that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorised employees are denied access to them.
However, the HinSchG regulates exceptions according to which the requirement of confidentiality does not apply in certain cases (e.g. the identity of a person who intentionally or grossly negligently reports false information is not covered by the protection of confidentiality).
It is also recommended that all staff members authorised to receive and/or process whistleblowing notifications sign a separate confidentiality agreement.
Section 10 HinSchG creates the data processing powers necessary for the work of internal and external hotlines. The processing authorisation allows the reporting offices to both receive and evaluate the personal data contained in the reports. In addition, new personal data may be collected and further processed during the implementation of follow-up measures.
When processing personal data, the internal reporting office shall comply with the rules on data protection. Insofar as the internal reporting office processes personal data in order to fulfil the tasks within its competence, the internal reporting office should not be the data controller within the meaning of the data protection regulations, especially in the case of internal reporting offices operated by an individual.
The legal basis should be sufficiently documented. In addition, full information about the data processing pursuant to Articles 13 and 14 General Data Protection Regulation (GDPR) is required and, as a rule, for all persons whose personal data are processed. Furthermore, a data protection impact assessment must be carried out as part of the implementation.
If external third parties are commissioned to set up and operate the internal reporting office, the requirements for commissioned data processing must be observed, see Article 28 of the GDPR. If processing also takes place outside the EU or the EEA (even if it is only access for support purposes to data in the EU), further safeguards are required to ensure an adequate level of data protection. If the whistleblower system violates these or other data protection requirements, serious sanctions under the GDPR may be imposed.
A whistleblower who discloses information to the public can only invoke the whistleblower protection if the company (internal) and/or the authority (external) have not taken appropriate measures within the timeframe provided for or, in exceptional cases, if there is sufficient reason to believe that the public interest is at risk, there is a fear of reprisals or there is no prospect of clarification.
The HinSchG therefore also protects, as an extreme possibility, the submission of indications to the public, e.g. via social media or to the law enforcement authorities.
The persons responsible for receiving reports at a reporting office shall document all incoming reports in a permanently retrievable manner in compliance with the confidentiality requirement. If the report is made by telephone or other means of voice transmission, a usable audio recording of the conversation may only be made with the consent of the person making the report. This documentation shall be deleted two years after the conclusion of the procedure.
The HinSchG stipulates that the reporting channels must be open to all employees of the company. The term “employee” is interpreted broadly (including executive employees, trainees, temporary workers, persons similar to employees and management bodies). Civil servants are also included. In addition, the reporting channels can also be opened for other persons (cf. statements on “Company externals”).
An external reporting office is an authority to which information about misconduct can be reported verbally or in writing.
The whistleblower may choose whether to first contact the company internally and/or the competent authority externally. He or she may therefore also contact a competent external reporting office directly.
A central external reporting office is to be established at the Federal Office of Justice (BfJ). In addition, the existing reporting systems at the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt) are to be continued as further external reporting offices with special responsibilities.
Companies should intensively support an internal whistleblowing system in order to create the greatest possible incentives for this to be used as a matter of priority and to therefore avoid external whistleblowing as far as possible.
A false suspicion in the context of a report or disclosure can have far-reaching consequences for those affected. The effects may no longer be completely reversible. Therefore, the injured parties are entitled to compensation for the damage resulting from an intentional or grossly negligent false report or disclosure.
Furthermore, the identity of persons who intentionally or grossly negligently report false information is not protected from disclosure under the HinSchG. In the event of such a false report, persons who are the subject of this report have a legitimate interest in obtaining knowledge of the identity of the reporting person in order to be able to assert claims for damages if necessary.
The whistleblower should be informed as comprehensively as possible about the handling of his or her whistleblowing. This includes both an acknowledgement of receipt and an explanation of the follow-up measures planned and taken as well as the results of any investigation.
Within a period of 7 days after receipt of a report, the person making the report must be given confirmation of receipt. Within a reasonable time frame - maximum 3 months - the whistleblower must be given feedback on follow-up measures.
An office within a legal entity in the private or public sector to which information about misconduct can be communicated verbally or in writing, in particular a manager, compliance officer, HR manager, ombudsperson (e.g. lawyers), company employee representative. For better handling of a whistleblowing system, the department/person who performs the function of internal reporting office in the company should be explicitly entrusted with this responsibility.
If the data protection requirements for a cross-border data transfer have been met, the whistleblower system of the parent company can only be used as an additional tool. The subsidiaries and sub-subsidiaries must also maintain a local reporting channel (cf. statements on the “Central whistleblowing system”).
According to the HinSchG, only authorised employees who are responsible for receiving reports or for taking follow-up action on reports may have access to information that reveals the identity of the whistleblower. As a rule, however, the IT department is not responsible for receiving and clarifying reports, so the IT department must be shielded from the content of any reports.
Whistleblower protection cannot be obtained for all reports or disclosures.
Security interests as well as confidentiality and secrecy obligations take precedence over the HinSchG (e.g. confidentiality obligations of lawyers, notaries or doctors and pharmacists).
However, there are cases in which protection under the HinSchG exists despite existing duties of confidentiality or secrecy. For this to be the case, the person providing the information must have reasonable grounds to believe that the report or disclosure is necessary to uncover a violation.
Persons who have acquired trade secrets or confidential information in a professional context therefore only enjoy protection under the HinSchG if they meet the requirements of this Act and the disclosure of the trade secret was necessary to uncover an infringement within the material scope of this Act. The disclosure of trade secrets or confidential information is therefore permitted.
An ombudsperson system usually involves external lawyers who are available as a contact point for whistleblowers. These lawyers pass on the information to the company, after carrying out a legal “first level check”.
The establishment of an ombudsperson system continues to be a permissible reporting channel.
The HinSchG requires reporting channels to be designed, set up and operated in such a secure manner that not only the confidentiality of the identity of the whistleblower but also that of third parties mentioned in the report is maintained and unauthorised employees are denied access to it. In particular, balancing the protection of the accused on the one hand and the protection of whistleblowers on the other hand often causes problems in internal company investigations.
The obligation to establish internal reporting channels and procedures for internal reporting and follow-up applies to legal entities in the private and public sectors. For municipalities and associations of municipalities, the obligation to establish internal reporting channels is governed by the respective Federal State law.
In addition, some of the obligations of the EU Whistleblower Directive do not apply only from the date of entry into force of the HinSchG, but have already been applicable since 18 December 2021. At the latest three months after the promulgation of the HinSchG, all whistleblower protection obligations will apply to the public sector.
Reprisals refers to any direct or indirect action or omission in a professional context, triggered by an internal or external report or disclosure, which may cause unjustified disadvantage to the whistleblower (e.g. dismissal or suspension, warning, transfer or reassignment, failure to receive promotion, failure to receive training, social exclusion, mobbing, etc.).
If the whistleblower shows that he/she has reported or disclosed violations in accordance with the HinSchG and has experienced a disadvantage following a report or disclosure, it is presumed that this disadvantage is a prohibited reprisal. This means that in such cases the employer must prove that its actions were in no way connected to the report or disclosure made (reversal of the burden of proof).
However, the whistleblower must demonstrate and prove that a measure constitutes a disadvantage.
Failure to establish or operate an internal reporting system may result in a fine. In addition, there is of course the risk of a (legitimate) outflow of know-how due to public reports (especially of business secrets) as well as a risk of reputational damage (cf. “Sanctions”).
Preventing a report and the subsequent communication, taking a prohibited reprisal or intentionally or recklessly disregarding the confidentiality requirement is punishable by a fine of up to EUR 100,000. The negligent breach of the confidentiality requirement is punishable by a fine of up to EUR 10,000. Companies that do not comply with their obligation to set up and operate an internal reporting office face a fine of up to EUR 20,000.
The reference to Sections 30 and 130 Administrative Offences Act makes it possible that the maximum limit for fines can be increased tenfold in the case of serious violations.
The personal scope of application of the HinSchG is broad and includes all persons who have obtained information about violations in connection with their professional activities. In addition to employees (cf. statements on “Employee”), this may also include civil servants, self-employed persons, shareholders or employees of suppliers.
The material scope of application shall include in particular all violations which are punishable by law, as well as violations subject to fines, insofar as the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies (e.g. occupational health and safety, health protection). In addition, all violations of legal norms that were adopted to implement European regulations are included (extended to a limited extent to national regulations from the respective regulatory area).
It is often not easy for employees to assess whether behaviour they have experienced is considered a “violation of the law” or “unethical conduct”. It is therefore advisable to use clearly formulated policies and guidelines to give employees an unambiguous picture of what conduct is considered worthy of reporting. Complex legal terms should be avoided as far as possible. The same applies to the communication of a transparent understanding of the responsibilities and processes for handling incoming reports in order to gain and maintain the trust of employees in the functioning and effectiveness of a whistleblowing system. To this end, accurate information should be provided to potential whistleblowers in an easily accessible manner. It is therefore recommended that the whistleblowing process be recorded in a guideline/policy (unless a works council agreement is to be concluded anyway) and handed out to all employees.
According to the scope of the EU Whistleblower Directive, only the reporting of violations of certain EU law is subject to its protection. The HinSchG expands the scope of application and includes violations of national law. Violations of criminal law, violations that are subject to fines, insofar as they serve to protect life or health or to protect the rights of employees or their representative bodies, as well as all violations of federal and state law fall within the material scope of the HinSchG.
A whistleblower can be any natural person to whom the reporting channel is open, i.e. any employee of the company and, if applicable, including external persons, and who reports or discloses information on violations obtained in connection with his or her work activity (cf. statements on “Employee”, “Scope of application” and “Company externals”).
It is a core obligation for companies to:
There is extensive protection against reprisals.
As a rule, the works council has a right of co-determination in the implementation of a whistleblower system, i.e. the whistleblower system may not be introduced without the prior consent of the works council. In groups of companies, the competence of the group works council, the central works councils and/or the local works councils must be carefully examined and, in case of doubt, delegation resolutions must be sought.
General overview of the sanctions regime and explanation of what companies need to do now
by multiple authors