EU Member States should have transposed the EU Whistleblower Directive (“EUWD”) into national law by Friday, 17 December 2021. Like many other EU Member States, the German legislator has let this implementation deadline pass. Many companies, especially those that have not yet implemented a whistleblower system at all, are therefore faced with an uncertain legal situation as from 18 December 2021.
We have compiled alphabetically the most important questions from the perspective of our compliance, legal and human resources departments. However, caution is advised when dealing with compliance issues, since it always depends on the specific circumstances in question. Legal advice is just as important when dealing with whistleblowers as ensuring confidentiality in the whistleblowing process. The FAQs do not replace an examination of the legal situation in individual cases and do not constitute legal advice.
Our whistleblowing experts Dr Oliver Bertram, Isabel Bäumer, Mareike Gehrmann, Dr Martin Knaup, Dr Rebekka Krause and Jan-Patrick Vogel, LL.M. can be contacted through the following channels:
The EUWD does not establish an obligation for companies to accept anonymous reports. However, the fact that employees prefer to report violations anonymously speaks in favour of accepting anonymous reports. If this is not made possible, employees are more likely to turn directly to external reporting bodies. In order to maximise the knowledge gained by the company, it therefore makes sense from a compliance perspective to also allow anonymous reports. Since anonymous whistleblowers also enjoy whistleblower protection under the EUWD if their identity is disclosed, there are good arguments for taking this into account within the framework of a whistleblower system.
The EUWD applies to all private and public employers (e.g. municipalities). However, the obligation to establish internal reporting channels only applies to employers with at least 50 employees. For private employers with 50 to 249 employees, the EUWD also provides for an extended deadline for the establishment of internal reporting channels until 17 December 2023.
The EUWD stipulates that the reporting channels must be open to all employees of the company. The term “employee” is interpreted in a broad sense, i.e. in accordance with EU law (e.g. trainees are also included). Civil servants are also included. In addition, the reporting channels can also be opened to other persons (see details on “external persons”).
The EUWD requires reporting channels to be designed, set up and operated in a secure manner that not only protects the confidentiality of the identity of the whistleblower but also that of third parties mentioned in the report and prevents unauthorised employees from accessing such identity. In particular, striking a balance between the protection of the accused on the one hand and the protection of whistleblowers on the other often causes problems in internal company investigations.
As a rule, the works council has a right of co-determination within the implementation of a whistleblower system, i.e. the whistleblower system may not be introduced without the prior consent of the works council. In group structures, the competence of the group works council, the central works councils and/or the local works councils must be carefully examined and, in case of doubt, delegation resolutions must be sought.
If a whistleblower demonstrates that he/she has reported or disclosed violations in accordance with the EUWD and has been discriminated against, the burden of proof shifts to the person who did the discriminating. This means that in such cases the company must prove that its actions were in no way connected to the report or disclosure made.
A functioning whistleblower system is a central component of an effective CMS and must therefore be linked to the other elements of a CMS. In addition to identifying compliance violations, the whistleblower system also serves to determine whether the preventive compliance measures taken are effective and whether any misconduct is avoided. To the same extent, a whistleblower system helps to identify necessary adjustments and improvements to the CMS and, at the same time, preserves the authority to interpret the facts underlying the respective report in favour of the company concerned.
First of all, it must be examined on which legal basis the data processing can be legitimised. It must be taken into account that due to the lack of group privilege, every company within a group is considered a “third party”, which is why every data transfer within a group of companies requires a legal basis. If the data processing can be justified, the legal basis should be sufficiently documented. Furthermore, a data protection impact assessment must be carried out as part of the implementation. In addition, complete information about the data processing pursuant to Arts. 13 and 14 of the GDPR is required, usually in relation to all persons whose personal data are processed. If the whistleblower system is provided by a service provider, an agreement on commissioned processing must usually be concluded with the service provider. If processing also takes place outside the EU or the EEA (even if it is only access to data in the EU for support purposes), further safeguards are required to ensure an adequate level of data protection. If the whistleblower system violates these or other data protection requirements, serious sanctions may be imposed under the GDPR.
An external reporting office is an authority to which information about misconduct can be reported verbally or in writing.
The whistleblower may choose whether he/she first contacts the company internally and/or the competent authority externally. Accordingly, he/she can also contact the external reporting office directly.
However, in the absence of an implementation law, the external reporting office has not yet been designated in Germany. Should this happen in the short term, companies should support an internal whistleblowing system even more intensively in order to set the strongest possible incentives that this is used as a matter of priority and that external whistleblowing is therefore avoided as far as possible.
Reports via the internal whistleblowing system do not necessarily have to be received by a company’s internal whistleblowing team. The first contact can also be external, e.g. lawyers (see “Ombudsman's office”). However, it is still advisable to appoint responsible persons internally when implementing the whistleblowing system, who can then act as contact persons for the external persons after a report has been made.
A whistleblower can be any natural person to whom the reporting channel is open, i.e. every employee of the company and, if applicable, company outsiders, who reports or discloses information on violations obtained in connection with his/her work activities.
It is a core obligation for companies to:
If the data protection requirements for a cross-border data transfer have been met, the whistleblower system of the parent company can only be used as an additional tool. The subsidiaries and sub-subsidiaries must also maintain a local reporting channel (see comments on the “central whistleblower system”).
A position within a legal entity in the private or public sector to which information about misconduct can be communicated verbally or in writing, especially a manager, compliance officer, HR manager, ombudsman (e.g. lawyers), company employee representative. For a better handling of a whistleblowing system, the department/person who performs the function of an internal reporting office in the company should be explicitly entrusted with this responsibility.
According to the EUWD, only authorised staff members who are responsible for receiving or following up on reports may have access to information that reveals the identity of the whistleblower. As a rule, however, the IT department is not responsible for receiving and resolving reports, so the IT department must be shielded from the content of any reports.
If the information reported is necessary to uncover a violation in accordance with the EUWD, trade secrets or confidential information may also be reported through the whistleblowing system. In other words, if the company does not have appropriate reporting channels, the company’s proprietary know-how may also be disclosed in other cases without the whistleblower having to fear any consequences (see “Disclosure”).
However, the competent authorities must ensure that these trade secrets are not used or disclosed for purposes that go beyond what is necessary for proper follow-up measures.
Classified information, on the other hand, remains unaffected by the protection of the EUWD, i.e. this information may not be disclosed.
The Coalition Agreement specifically states: “We will implement the EU Whistleblower Directive in a legally secure and practicable manner. Whistleblowers must be protected from legal disadvantages not only when reporting breaches of EU law, but also material breaches of regulations or other material misconduct, the disclosure of which is in the particular public interest. We want to improve the enforceability of claims for reprisals against the damaging party and are looking into counselling and financial support schemes for this purpose.”
It should be highlighted here that
It is up to the company to decide which form of whistleblowing system to set up. Different types of reporting channels are conceivable in principle. For example, in addition to the technical and web-based whistleblowing systems, a designated e-mail address, telephone number or mailbox can also be considered as a reporting channel, whereby the design is quite challenging due to the requirements for confidentiality and feedback, among other things. At the whistleblower’s request, however, a face-to-face meeting with the unit acting as an internal reporting office must also be made possible.
A whistleblower who discloses information to the public can only invoke the whistleblower protection provided for if no appropriate measures have been taken by the company (internally) and/or the authority (externally) within the prescribed time frame, or, in exceptional cases, if there is sufficient cause for the presumption of endangering the public interest, fear of reprisals or a lack of any prospect of clarification.
If the company does not maintain a suitable whistleblowing system, the whistleblower may therefore also disclose the alleged infringement directly under certain circumstances (e.g. by reporting to the law enforcement authorities or the media). This risk also exists after the transposition period has expired, as the courts must already interpret the national laws in conformity with the Directive.
Yes, the obligation to set up internal reporting channels and procedures for internal reporting and follow-up applies to legal entities in the private and public sectors as well as to municipalities with 10,000 or more inhabitants. In addition, the EUWD has already been directly applicable to the public sector since 18 December 2021 (see comments on “Direct effect”).
An ombudsman system usually involves external lawyers who are available as a contact point for whistleblowers. These lawyers pass on the information to the company, if necessary after carrying out a legal “first level check”.
Yes, the establishment of an ombudsman system continues to be a permissible reporting channel.
All direct or indirect actions or omissions in a professional context that are triggered by an internal or external report or disclosure and that may cause unjustified disadvantage to the whistleblower (e.g. dismissal or suspension, warning, transfer or reassignment, failure to receive promotion, failure to receive training, social exclusion, mobbing, etc.).
After the transposition period has expired, the German courts should interpret the national laws in accordance with the EUWD. If, for example, the courts have to decide on the validity of an employee’s disciplinary action, they would have to take into account the provisions of the EUWD regarding the protection of whistleblowers.
Although the EUWD does not apply directly to private companies, there is a risk of an interpretation in conformity with the EUWD, a (legitimate) outflow of know-how due to public reports (in particular trade secrets) as well as a risk of reputational damage (see comments on “Sanctions”).
Furthermore, it cannot be ruled out that courts will deem the company’s compliance management system ineffective if it does not comply with the requirements of the EUWD.
The whistleblower should be informed as comprehensively as possible about the handling of his/her report. This includes both an acknowledgement of receipt and an explanation of the follow-up measures planned and taken as well as the results of any investigation.
Within a period of 7 days after receipt of a report, the whistleblower must be given acknowledgement of receipt of the report.
Within a reasonable time frame, at most within three months, the whistleblower will be given information on follow-up measures.
The EUWD does not provide for any economic sanctions for the non-establishment of a whistleblower system that complies with the requirements of the EUWD, in particular no corresponding fines (see comments on “Risks”).
Often it is not easy for employees to judge whether actions they have experienced constitute a “violation of the law” or “unethical behaviour”. It is therefore advisable to use clearly formulated policies and guidelines to give employees an unambiguous picture of what conduct is considered worthy of reporting. Complex legal terms should be avoided as far as possible. The same applies to the communication of a transparent understanding of the responsibilities and processes for handling incoming reports in order to gain and maintain the trust of employees in the functioning and effectiveness of a whistleblowing system. To this end, potential whistleblowers should be provided with relevant information in an easily accessible manner. It is therefore recommended that the whistleblowing process is laid down in a guideline/policy (unless a works council agreement is to be concluded anyway) and handed out to all employees.
In principle, EU Directives only oblige Member States to transpose the content of the EUWD into national law.
Directly applicable, however, are those provisions of a directive that are to be classified as “self-executing”. These are characterised by the fact that they are formulated in such a clear and independent manner free of conditions that no further transposition acts are required in order to determine which claims exist under the directive, because the content of the regulations can already be completely derived from the directive. However, this only applies to the extent that private legal entities are not affected. In this respect, the standards of the EUWD apply directly “only” to public undertakings as of 18 December 2021.
The EUWD does not impose an obligation on companies to accept information from persons who do not fall within its subjective scope of application, i.e. from outside the company. However, it is recommended to consider this as an option, especially with regard to the obligation to set up a complaints procedure provided for in the Supply Chain Due Diligence Act.
According to the scope of application of the EUWD, only the reporting of breaches of certain EU law falls under the protection of the EUWD. This means that whistleblowers who report violations of national law do not fall under the scope of protection. It can therefore be assumed that the German transposition law will go beyond the EUWD, as otherwise effective whistleblower protection is hardly conceivable. In addition, it would be left to the assessment of the employees whether it is a violation of national or EU law or just unethical behaviour. This could lead to a great reluctance to use the whistleblowing system.
Yes, the EUWD requires reporting channels to be designed, established and operated in such a secure manner that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorised employees are denied access to it. The draft bill for the Whistleblower Protection Act, which has since failed, contained a fine of up to EUR 20,000.00 for violations of the confidentiality obligation. It is recommended that all employees who are authorised to receive and/or process whistleblowing reports sign a separate confidentiality declaration.
In the opinion of the EU Commission, which commented on this issue in the summer of 2021, a group-wide central whistleblower system at the parent company does not constitute a permissible division of resources, so that subsidiaries that fall within the scope of application due to their number of employees must (additionally) set up their own decentralised whistleblower system.
General overview of the sanctions regime and explanation of what companies need to do now