Update February 2023
The German Whistleblower Protection Act (HinSchG) is still in the process of being voted on. The purpose of the Act is to protect whistleblowers from disadvantages in the future. Companies with more than 249 employees must set up and operate a whistleblower system after the Act comes into force.Otherwise, there is the risk of a heavy fine and the legal leakage of critical company information and know-how. As from 17 December 2023, this obligation will also apply to companies with at least 50 employees.
We have compiled alphabetically the most important questions from the point of view of the respective compliance/legal/human resources department. However, caution is required when dealing with compliance issues, as it always depends on the individual case. Legal advice is just as necessary when dealing with whistleblowers as ensuring confidentiality in the whistleblowing process. The FAQs are no substitute for an examination of the legal situation in the individual case and do not constitute legal advice.
The status of the FAQs is the draft law in the version passed by the Bundestag on 16.12.2022.
Our whistleblowing experts Dr Oliver Bertram, Isabel Bäumer, Mareike Gehrmann, Dr Martin Knaup, Dr Rebekka Krause and Jan-Patrick Vogel, LL.M. can be contacted through the following channels:
Download our whistleblower FAQ
Internal and external reporting offices must also process anonymous incoming reports and provide reporting channels for this purpose, which enable anonymous contact and anonymous communication for the whistleblower between the whistleblower and the internal/external reporting office.
Note: The obligation does not apply until 1 January 2025. The EU Whistleblower Directive does not provide for an obligation to accept and process anonymous reports.
According to the previous opinion of the EU Commission, a group-wide central whistleblower system at the parent company does not constitute a permissible allocation of resources. This means that subsidiaries that fall within the scope of application due to their number of employees must (additionally) set up their own decentralised whistleblowing system.
The HinSchG expressly advocates a so-called “group privilege”, i.e. group-wide reporting offices remain permissible. According to this, the internal reporting office of a company can not only be "outsourced" to law firms, for example, but an independent and confidential office can also be established centrally within a group of companies as a third party within the meaning of Section 14 (1) HinSchG. In this context, it is necessary that the original responsibility for following up and remedying an identified violation always remains with the respective group company commissioning the work. Easy access must be guaranteed for persons providing information (e.g. no language barriers).
Considering the contradiction between the HinSchG and the EU Commission’s view, it is advisable to critically question the admissibility of group-wide hotlines.
The HinSchG does not impose an obligation on companies to accept information from persons who do not fall within the personal scope of application, i.e. from outside the company. However, it is advisable to consider this as an option, especially with regard to the obligation to set up a complaints procedure provided for in the Supply Chain Due Diligence Act.
A functioning whistleblower system is a central component of an effective CMS and must therefore be linked to the other elements of a CMS. In addition to identifying compliance violations, the whistleblower system also serves to determine whether the preventive compliance measures taken are effective and whether any misconduct is avoided. To the same extent, a whistleblower system helps to identify necessary adjustments and improvements to the CMS
and, at the same time, to preserve the authority to interpret the facts underlying the respective report in favour of the company concerned.
Yes, the HinschG requires reporting channels to be securely designed, set up and operated in such a way that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorised employees are denied access to them.
However, the HinSchG regulates exceptions according to which the requirement of confidentiality does not apply in certain cases (e.g. the identity of a person who intentionally or grossly negligently reports false information is not covered by the protection of confidentiality).
It is also recommended that all staff members authorised to receive and/or process whistleblowing notifications sign a separate confidentiality agreement.
When processing personal data, the internal reporting unit shall comply with the rules on data protection. Insofar as the FIU processes personal data in order to perform the tasks within its competence, especially in the case of FIUs operated by an individual, the individual shall not be the data controller within the meaning of the data protection regulations.
The legal basis for the processing of personal data is Art. 6 para. 1 lit.c GDPR in conjunction with Section 10 HinSchG. The standard also includes the processing of special categories of personal data from Art. 9 GDPR. When processing special categories of personal data for the purposes mentioned in the first sentence, the notification office must provide for appropriate and specific measures to protect the interests of the data subject. Section 22(2) sentence 2 of the Federal Data Protection Act shall be applied accordingly.
The legal basis should be sufficiently documented. In addition, complete information about the data processing pursuant to Arts. 13 and 14 GDPR is required and, as a rule, this must be provided to all persons whose personal data is processed. Furthermore, a data protection impact assessment must be carried out as part of the implementation.
If external third parties are commissioned to set up and operate the internal notification office, the requirements for commissioned data processing must be observed, see Art. 28 of the GDPR. If processing also takes place outside the EU or the EEA (even if it is only access for support purposes to data in the EU), further safeguards are required to ensure an adequate level of data protection. If the whistleblower system violates these or other data protection requirements, serious sanctions may be imposed.
A whistleblower who discloses information to the public can only invoke the whistleblower protection if the company (internal) and/or the authority (external) have not taken appropriate measures within the timeframe provided for or, in exceptional cases, if there is sufficient reason to believe that the public interest is at risk, there is a fear of reprisals or there is no prospect of clarification.
The HinSchG therefore also protects, as an extreme possibility, the submission of indications to the public, e.g. via social media or to the law enforcement authorities.
The persons responsible for receiving reports at a reporting office shall document all incoming reports in a permanently retrievable manner in compliance with the confidentiality requirement. If the report is made by telephone or other means of voice transmission, a usable audio recording of the conversation may only be made with the consent of the person making the report. This documentation shall be deleted three years after the conclusion of the procedure.
The HinSchG stipulates that the reporting channels must be open to all employees of the company. The term “employee” is interpreted broadly (including executive employees, trainees, temporary workers, persons similar to employees and management bodies). Civil servants are also included. In addition, the reporting channels can also be opened for other persons (cf. statements on “Company externals”).
An external reporting office is an authority to which information about misconduct can be reported verbally or in writing.
The whistleblower may choose whether to first contact the company internally and/or the competent authority externally. He or she may therefore also contact a competent external reporting office directly.
A central external reporting office is to be established at the Federal Office of Justice (BfJ). In addition, the existing reporting systems at the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt) are to be continued as further external reporting offices with special responsibilities.
Companies should intensively support an internal whistleblowing system in order to create the greatest possible incentives for this to be used as a matter of priority and to therefore avoid external whistleblowing as far as possible. Companies shall provide clear and easily accessible information to employees on the use of the internal reporting procedure. This must not restrict or impede the possibility of making an external report.
A false suspicion in the context of a report or disclosure can have far-reaching consequences for those affected. The effects may no longer be completely reversible. Therefore, the injured parties are entitled to compensation for the damage resulting from an intentional or grossly negligent false report or disclosure.
Furthermore, the identity of persons who intentionally or grossly negligently report false information is not protected from disclosure under the HinSchG. In the event of such a false report, persons who are the subject of this report have a legitimate interest in obtaining knowledge of the identity of the reporting person in order to be able to assert claims for damages if necessary.
The whistleblower should be informed as comprehensively as possible about the handling of his or her whistleblowing. This includes both an acknowledgement of receipt and an explanation of the follow-up measures planned and taken as well as the results of any investigation.
Within a period of 7 days after receipt of a report, the person making the report must be given confirmation of receipt. Within a reasonable time frame - maximum 3 months - the whistleblower must be given feedback on follow-up measures.
An office within a legal entity in the private or public sector to which information about misconduct can be communicated verbally or in writing, in particular a manager, compliance officer, HR manager, ombudsperson (e.g. lawyers), company employee representative. For better handling of a whistleblowing system, the department/person who performs the function of internal reporting office in the company should be explicitly entrusted with this responsibility.
If the data protection requirements for a cross-border data transfer have been met, the whistleblower system of the parent company can only be used as an additional tool. The subsidiaries and sub-subsidiaries must also maintain a local reporting channel (cf. statements on the “Central whistleblowing system”).
According to the HinSchG, only authorised employees who are responsible for receiving reports or for taking follow-up action on reports may have access to information that reveals the identity of the whistleblower. As a rule, however, the IT department is not responsible for receiving and clarifying reports, so the IT department must be shielded from the content of any reports.
Whistleblower protection cannot be obtained for all reports or disclosures.
Security interests as well as confidentiality and secrecy obligations take precedence over the HinSchG (e.g. Confidentiality obligations of lawyers, notaries or doctors and pharmacists).
However, there are cases in which protection under the HinSchG exists despite existing duties of confidentiality or secrecy. For this to be the case, the person providing the information must have reasonable grounds to believe that the report or disclosure is necessary to uncover a violation.
Persons who have acquired trade secrets or confidential information in a professional context therefore only enjoy protection under the HinSchG if they meet the requirements of this Act and the disclosure of the trade secret was necessary to uncover an infringement within the material scope of this Act. The disclosure of trade secrets or confidential information is therefore permitted.
An ombudsperson system usually involves external lawyers who are available as a contact point for whistleblowers. These lawyers pass on the information to the company, after carrying out a legal “first level check”.
The establishment of an ombudsperson system continues to be a permissible reporting channel.
The HinSchG requires reporting channels to be designed, set up and operated in such a secure manner that not only the confidentiality of the identity of the whistleblower but also that of third parties mentioned in the report is maintained and unauthorised employees are denied access to it. In particular, balancing the protection of the accused on the one hand and the protection of whistleblowers on the other hand often causes problems in internal company investigations.
Yes, the obligation to establish internal reporting channels and procedures for internal reporting and follow-up applies to legal entities in the private and public sectors. For municipalities and associations of municipalities and such employment providers that are owned or controlled by municipalities and associations of municipalities, the obligation to establish internal reporting channels is governed by the respective Federal State law.
In addition, some of the obligations of the EU Whistleblower Directive do not first apply from the date of entry into force of the HinSchG, but have already been applicable since 18 December 2021. At the latest, all whistleblower protection obligations for the public sector take effect from the entry into force.
Reprisals refers to any direct or indirect action or omission in a professional context, triggered by an internal or external report or disclosure, which may cause unjustified disadvantage to the whistleblower (e.g. dismissal or suspension, warning, transfer or reassignment, failure to receive promotion, failure to receive training, social exclusion, mobbing, etc.).
In the event of a violation of the prohibition of reprisals, the perpetrator is obliged to compensate the whistleblower for the resulting damage. For damage that is not pecuniary damage, the whistleblower may demand appropriate monetary compensation.
If the whistleblower shows that he/she has reported or disclosed violations in accordance with the HinSchG and has experienced a disadvantage following a report or disclosure, it is presumed that this disadvantage is a prohibited reprisal. This means that in such cases the employer must prove that its actions were in no way connected to the report or disclosure made (reversal of the burden of proof).
However, the whistleblower must demonstrate and prove that a measure constitutes a disadvantage.
Failure to establish or operate an internal reporting system may result in a fine. In addition, there is of course the risk of a (legitimate) outflow of know-how due to public reports (especially of business secrets) as well as a risk of reputational damage (cf. “Sanctions”).
Preventing a report and the subsequent communication, taking a prohibited reprisal or intentionally or recklessly disregarding the confidentiality requirement is punishable by a fine of up to EUR 100,000. The negligent breach of the confidentiality requirement is punishable by a fine of up to EUR 10,000. Companies that do not comply with their obligation to set up and operate an internal reporting office face a fine of up to EUR 20,000.
The reference to Sections 30 and 130 Administrative Offences Act makes it possible that the maximum limit for fines can be increased tenfold in the case of serious violations.
The personal scope of application of the HinSchG is broad and includes all persons who have obtained information about violations in connection with their professional activities. In addition to employees (cf. statements on “Employee”), this may also include civil servants, self-employed persons, shareholders or employees of suppliers.
The material scope of application shall include in particular all violations which are punishable by law, as well as violations subject to fines, insofar as the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies (e.g. occupational health and safety, health protection). In addition, all violations of legal norms that were adopted to implement European regulations are included (extended to a limited extent to national regulations from the respective regulatory area).
It is often not easy for employees to assess whether behavior they have experienced is considered a violation of the law” or “unethical conduct. It is therefore advisable to use clearly formulated policies and guidelines to give employees an unambiguous picture of what conduct is considered worthy of reporting. Complex legal terms should be avoided as far as possible. The same applies to the communication of a transparent understanding of the responsibilities and processes for handling incoming reports in order to gain and maintain the trust of employees in the functioning and effectiveness of a whistleblowing system. To this end, accurate information should be provided to potential whistleblowers in an easily accessible manner. It is therefore recommended that the whistleblowing process be recorded in a guideline/policy (unless a works council agreement is to be concluded anyway) and handed out to all employees.
According to the scope of the EU Whistleblower Directive, only the reporting of violations of certain EU law is subject to its protection. The HinSchG expands the scope of application and includes violations of national law. Violations of criminal law, violations that are subject to fines, insofar as they serve to protect life or health or to protect the rights of employees or their representative bodies, as well as all violations of federal and state law fall within the material scope of the HinSchG.
A whistleblower can be any natural person to whom the reporting channel is open, i.e. any employee of the company and, if applicable, including external persons, and who reports or discloses information on violations obtained in connection with his or her work activity (cf. statements on “Employee”, “Scope of application” and “Company externals”).
It is a core obligation for companies to:
There is extensive protection against reprisals.
As a rule, the works council has a right of co-determination in the implementation of a whistleblower system, i.e. the whistleblower system may not be introduced without the prior consent of the works council. In groups of companies, the competence of the group works council, the central works councils and/or the local works councils must be carefully examined and, in case of doubt, delegation resolutions must be sought.
General overview of the sanctions regime and explaination what companies need to do now