New requirements from the Whistleblower Protection Act require an approach for your company that fulfils all legal requirements. Our experts will develop a roadmap for you with the necessary flexibility.
So that you can identify compliance risks early and maintain a functioning compliance system, we help you implement the essential steps to avert any resulting sanctions at an early stage.
For many years, our specialists have been engaged in the areas whistleblower protection / whistleblowing systems and are involved in the legislative process on the German Whistleblower Protection Act (“HinSchG”). Our Baker Tilly Partners advise various businesses and groups of companies in this area.
Dr. Stefan Meßmer
Partner
Attorney-at-Law (Rechtsanwalt)
Christine Ostwald
Director
Attorney-at-Law (Rechtsanwältin), Specialist Lawyer in Labor Law
The German law on the protection of people reporting breaches (Hinweisgeberschutzgesetz – “HinSchG”) serves to implement the EU Whistleblower Directive. It aims at improving the protection of people reporting breaches, so-called whistleblowers, from the employer’s retaliatory measures. So far, such protection contained many loopholes and was often insufficient. Reporting persons or whistleblowers are now protected under the Whistleblower Protection Act if they, in connection with their professional activities or in the run-up to a professional activity, gained information on possible breaches and report or disclose them to a reporting office. Reports on such information can help to identify and eliminate misconduct in companies and in public administration at an early stage.
Whistleblowers are persons reporting or disclosing information on breaches. This includes all persons having obtained information on breaches in connection with their professional activities. Whistleblowers may include:
The Whistleblower Protection Act is applicable to all employers with at least 50 employees. It is irrelevant whether these are full-time or part-time employees. Companies in the financial sector, for example, capital management companies, must implement the Whistleblower Protection Act irrespective of their number of employees.
The Whistleblower Protection Act was published in the German Federal Gazette on June 2, 2023. Employers with generally 50 to 249 employees are subject to an implementation deadline by December 17, 2023. All affected employers with 250 or more employees must already implement the Whistleblower Protection Act by July 2, 2023.
The final version of the Whistleblower Protection Act is available here.
Public-sector employers must also comply with and implement the Whistleblower Protection Act. This includes, for example, municipalities and associations of municipalities as well as companies owned or controlled by the public sector.
However, the federal states can decide on certain exemptions. For example, municipalities and associations of municipalities with fewer than 10,000 citizens can be exempt from the obligation to establish internal reporting offices. Furthermore, the states can allow for the internal reporting offices to be operated jointly, provided they are functionally and organizationally independent. In addition, the federal states can establish their own external reporting offices if they do not wish the federal external reporting office to get involved.
The Whistleblower Protection Act protects the reporting and disclosure of information on breaches being subject to a penalty or (to some extent) a fine. Furthermore, the following is recorded:
For more details, please refer to Art. 2 HinSchG.
Due to the comprehensive list of possible violations and the strict requirements for the reporting system, companies already having established a whistleblower system must also examine if and to what extent they need to adjust their system to the Whistleblower Protection Act’s requirements.
Whistleblowers are not protected in connection with every report. In order to be covered by such protection, there must be reasonable suspicion or knowledge of actual or potential breaches which have already occurred or are very likely to occur, as well as of attempts to conceal such breaches, and this must be reported.
The identity of persons deliberately or grossly negligently reporting incorrect information on breaches is therefore not protected under the Whistleblower Protection Act.
Breaches can be reported to internal and external reporting offices. In this respect, the reporting person has a general right to choose. However, in cases where the breach can effectively be counteracted internally and no reprisals need to be feared, persons should preferably submit their report to an internal reporting office. This also means that employers required to establish an internal reporting system should create incentives for reporting persons to first contact the respective internal reporting office before addressing an external reporting office.
Employers must establish and operate at least one internal reporting office within the company which can be contacted by their employees.
The reporting office’s tasks include the establishment and operation of reporting channels, managing the reporting procedure and conducting corresponding follow-up measures.
The persons entrusted with the internal reporting office’s tasks may also perform other functions in addition to these activities; however, they must be independent in connection with the receipt, examination and processing of reports. Possible conflicts of interest must also be excluded. Employers are responsible for ensuring that the reporting office’s staff has the necessary expertise and must train them (or have them trained) if necessary.
Individual tasks of the reporting office can also be assumed by third parties (e.g., lawyers in their function as external ombudsperson). Several private employers with generally 50 to 249 employees may establish and operate a joint reporting office. If a third party is involved or if a joint reporting office is operated, the employer must still take his own appropriate measures in order to remedy violations.
The Whistleblower Directive stipulates that every group company must have its own reporting office; however, for reasons of practicability and economic efficiency, the German legislator opted for a more generous regulation. Thus, solutions are also possible at Group level.
Furthermore, the internal reporting offices must also provide clear and easily accessible information on internal and external reporting procedures at national and EU level, for example, on the company’s website, on the intranet or otherwise.
External reporting offices are located at certain public authorities. At German federal level, this includes the German Federal Financial Supervisory Authority (“BaFin”), the German Federal Cartel Office and the German Federal Office of Justice. Further external reporting offices can be established at the level of the individual federal states.
If a reporting person does not agree with the report’s processing or with the result of such processing by the initially responsible internal reporting office (for example, because the misconduct has not been remedied), such person can also contact the external reporting office.
Employers must establish various reporting channels by means of which employees and temporary staff provided to the company can contact the internal reporting offices. Such reporting channels must enable reports in oral (e.g., separate telephone number) or text form (e.g., intranet platform, separate email address, complaints box, etc.). Personal meetings between the reporting person and a competent person of the internal reporting office must be enabled as well.
In addition to internal reporting channels, it is also possible to establish additional reporting channels with an ombudsperson.
Ombudspersons are independent, trustworthy external service providers (in most cases lawyers) receiving the reports. They guarantee reporting persons that their identity will be kept confidential. Compared to internal reporting channels, it is no problem to file anonymous reports.
The advantage for employers is that the lawyers appointed as ombudsperson already check the report for validity and plausibility and can provide a first legal assessment. Furthermore, they support the internal reporting office during the further procedure. The reporting channels can also be made available to external third parties who are in contact with the respective employer and observe a legal violation within the scope of their professional activities (e.g., suppliers or customers).
In connection with all reporting channels, the reporting person’s as well as all other affected persons’ data must be treated confidentially. The identity of the reporting person, of the persons who are the subject of the report and of the other persons mentioned in the report must be protected. There are only a few exceptions to this rule.
When using an internal email address or telephone number for the reporting of information, it cannot be guaranteed that other persons (e.g., from the IT department) cannot gain knowledge of the identity of the reporting person or of the report’s content.
Thus, involving external lawyers as ombudsperson or using a digital whistleblower system offers clear advantages and more legal security.
In addition, a data protection impact assessment may become necessary in individual cases, also because the confidentiality requirement conflicts with the data subjects’ rights. It is also important to ensure that the documentation of the course of the procedure complies with data protection requirements and that the obligation to delete data after three years is observed.
Both the external and the internal reporting office should also process anonymous reports. However, there is no obligation to structure reporting channels to the effect that they also allow the filing of anonymous reports. In order to obtain information on any possible non-compliance in good time and to fully meet regulatory obligations, it is advisable to enable anonymous reports.
If the internal reporting office receives a report, it must confirm receipt within seven days.
Subsequently, the internal reporting office must examine whether the report falls within the scope of the Whistleblower Protection Act and whether the report is substantive. In doing so, it stays in contact with the reporting person and requests additional information if necessary.
Following a report, the internal reporting office can conduct internal investigations with the employer, refer the reporting person to other competent persons, close the proceedings for lack of evidence or other reasons, or refer the proceedings to other (internal or external) competent offices for further investigation.
Within three months from confirming the report’s receipt, the internal reporting office must provide the whistleblower with its feedback. Such feedback must include in particular planned or already taken follow-up measures (e.g., referral to the employer’s department responsible for internal investigations or to the competent state authority for further prosecution).
Furthermore, all incoming reports must be documented in accordance with the confidentiality requirements. Such documentation must be deleted three years after the proceedings’ conclusion.
Whistleblowers are protected from professional disadvantages and reprisals. This includes, for example, being ignored for promotion or being dismissed. If a whistleblower suffers any disadvantage in connection with his professional activities, it is generally assumed that this is a case of reprisal. In such case, however, the whistleblower must assert that he suffered the disadvantage as a consequence of a report or disclosure. Subsequently, it is up to the employer to prove the contrary, i.e., that the measures are not related to the report’s filing.
If the prohibition of reprisals is being violated, the person causing the violation is obliged to compensate the reporting person for the resulting damage. In contrast to the original draft bill, however, there is no right to claim compensation for damages other than a financial loss (= damages for pain and suffering).
Whistleblowers are not protected if they intentionally or grossly negligently report or disclose inaccurate information. In such case, the reporting person might even be obliged to pay damages.
Failure to establish an internal reporting office may result in fines of up to 20,000 euros being imposed on the respective employer. Fines of up to 50,000 euros are threatened in the event that communication channels are obstructed, reprisals are imposed, or the whistleblower’s confidentiality is not maintained.
If misconduct is not remedied and if public authorities or other public bodies investigate the matter, this may involve measures under the respective laws that have been violated. Depending on the type of violation, these may be many times more expensive than if an employer had taken action itself.