The German law on the protection of people reporting breaches (Hinweisgeberschutzgesetz – “HinSchG”) serves to implement the EU Whistleblower Directive. It aims at improving the protection of people reporting breaches, so-called whistleblowers, from the employer’s retaliatory measures. So far, such protection contained many loopholes and was often insufficient. Reporting persons or whistleblowers are now protected under the Whistleblower Protection Act if they, in connection with their professional activities or in the run-up to a professional activity, gained information on possible breaches and report or disclose them to a reporting office. Reports on such information can help to early identify and eliminate misconduct in companies and in public administration.
Who is a whistleblower?
Whistleblowers are persons reporting or disclosing information on breaches. This includes all persons having obtained information on breaches in connection with their professional activities. Whistleblowers may include:
- Employees, also former employees, applicants, trainees, temporary workers,
- Third parties such as suppliers, service providers and customers of the company,
- Shareholders and executives.
Who is affected by the Whistleblower Protection Act?
The Whistleblower Protection Act is applicable to all employers with at least 50 employees. It is irrelevant whether these are full-time or part-time employees. Companies in the financial sector, for example, capital management companies, must implement the Whistleblower Protection Act irrespective of their number of employees.
By when must the Whistleblower Protection Act’s requirements be implemented?
The Whistleblower Protection Act was published in the German Federal Gazette on June 2, 2023. Employers with generally 50 to 249 employees are subject to an implementation deadline by December 17, 2023. All affected employers with 250 or more employees must already implement the Whistleblower Protection Act by July 2, 2023.
The final version of the Whistleblower Protection Act is available here.
Do the requirements also apply to the civil service and public-sector companies?
Public-sector employers must also comply with and implement the Whistleblower Protection Act. This includes, for example, municipalities and municipalities associations as well as companies owned or controlled by the public sector.
However, the federal states can decide on certain exemptions. For example, municipalities and municipalities associations with less than 10,000 citizens can be exempt from the obligation to establish internal reporting offices. Furthermore, the states can allow for the internal reporting offices to be operated jointly, provided the are functionally and organizationally independent. Furthermore, the federal states can establish own external reporting offices if they do not wish the federal external reporting office to get involved.
What can be reported?
The Whistleblower Protection Act protects the reporting and disclosure of information on breaches being subject to a penalty or (to some extent) a fine. Furthermore, the following is recorded:
- Breaches of federal and state regulations
- as well as directly applicable legal acts of the European Union and the European Atomic Energy Community, inter alia, in the area of anti-money laundering and terrorist financing, product safety and conformity, transport safety, environmental protection, radiation protection and nuclear safety, consumer protection, data protection, competition law and in the financial sector, or violations in the area of public procurement (public procurement law).
For more details, please refer to Art. 2 HinSchG.
Due to the comprehensive list of possible violations and the strict requirements for the reporting system, companies already having established a whistleblower system must also examine if and to what extent they need to adjust their system to the Whistleblower Protection Act’s requirements.
Are reports subject to certain restrictions?
Whistleblowers are not protected in connection with ever report. In order to be covered by such protection, reasonable suspicion or knowledge on actual or potential breaches which have already occurred or are very likely to occur, as well as attempts to conceal such breaches must exist and be reported.
The identity of persons deliberately or grossly negligently reporting incorrect information on breaches is therefore not protected under the Whistleblower Protection Act.
To whom can breaches be reported?
Breaches can be reported to internal and external reporting offices. Insofar, the reporting person has a general right to choose. However, in cases where the breach can effectively be counteracted internally and no reprisals need to be feared, persons should preferably submit their report to an internal reporting office. This also involves that employers being required to establish an internal reporting system should create incentives for reporting persons to first contact the respective internal reporting office before addressing an external reporting office.
Internal reporting offices
Employers must establish and operate at least one internal reporting office within the company which can be contacted by their employees.
The reporting office’s tasks include the establishment and operation of reporting channels, managing the reporting procedure and conducting corresponding follow-up measures.
The persons entrusted with the internal reporting office’s tasks may also perform other functions in addition to these activities; however, they must be independent in connection with the receipt, examination and processing of reports. Possible conflicts of interest must also be excluded. The employers are responsible that the reporting office’s staff has the necessary expertise and must train them (or have them trained) if necessary.
Individual tasks of the reporting office can also be assumed by third parties (e.g., lawyers in their function as external ombudsperson). Several private employers with generally 50 to 249 employees may establish and operate a joint reporting office. If a third party is involved or if a joint reporting office is operated, the employer must still take his own appropriate measures in order to remedy violations.
The Whistleblower Directive stipulates that every group company must have its own reporting office; however, for reasons of practicability and economic efficiency, the German legislator opted for a more generous regulation. Thus, solutions are also possible at Group level.
Furthermore, the internal reporting offices must also provide clear and easily accessible information on internal and external reporting procedures at national and EU level, for example, on the company’s website, on the intranet or otherwise.
External reporting offices
External reporting offices are located at certain public authorities. At German federal level, this includes the German Federal Financial Supervisory Authority (“BaFin”), the German Federal Cartel Office and the German Federal Office of Justice. Further external reporting offices can be established at the level of the individual federal states.
If a reporting person does not agree with the report’s processing or with the result of such processing by the initially responsible internal reporting office (for example, because the misconduct has not been remedied), such person can also contact the external reporting office.
What is a reporting channel?
Employers must establish various reporting channels by means of which employees and temporary staff provided to the company can contact the internal reporting offices. Such reporting channels must enable reports in oral (e.g., separate telephone number) or text form (e.g., intranet platform, separate email address, complaints box, etc.). Personal meetings between the reporting person and a competent person of the internal reporting office must be enabled as well.
What is an external ombudsperson’s function?
In addition to internal reporting channels, it is also possible to establish additional reporting channels with an ombudsperson.
Ombudspersons are independent, trustworthy external service providers (in most cases lawyers) receiving the reports. They guarantee the reporting persons to keep their identity confidential. Compared to internal reporting channels, it is no problem to file anonymous reports.
The advantage for employers is that the lawyers appointed as ombudsperson already check the report for validity and plausibility and can provide a first legal assessment. Furthermore, they support the internal reporting office during the further procedure. The reporting channels can also be made available to external third parties who are in contact with the respective employer and observe a legal violation within the scope of their professional activities (e.g., suppliers or customers).
What must be observed in terms of data protection?
In connection with all reporting channels, the reporting person’s as well as all other affected persons’ data must be treated confidentially. The identity of the reporting persons being subject to the report and the other persons mentioned in the report must be protected. There are only few exceptions to this rule.
When using an internal email address or telephone number for the reporting of information, it cannot be guaranteed that other persons (e.g., from the IT department) cannot gain knowledge of the identity of the reporting person or of the report’s content.
Thus, involving external lawyers as ombudsperson or using a digital whistleblower system offers clear advantages and more legal security.
In addition, a data protection impact assessment may become necessary in individual cases, also because the confidentiality requirement conflicts with the data subjects’ rights. It is also important to ensure that the documentation of the course of the procedure complies with data protection requirements and that the obligation to delete data after three years is observed.
Is there an obligation to enable anonymous reports?
Both the external and the internal reporting office should also process anonymous reports. However, there is no obligation to structure reporting channels to the effect that they also allow the filing of anonymous reports. In order to obtain information on any possible non-compliance in good time and to fully meet regulatory obligations, it is advisable to enable anonymous reports.
How to handle incoming reports
If the internal reporting office receives a report, it must confirm receipt within seven days.
Subsequently, the internal reporting office must examine whether the report falls within the scope of the Whistleblower Protection Act and whether the report is substantive. In doing so, it stays in contact with the reporting person and requests additional information if necessary.
Following a report, the internal reporting office can conduct internal investigations with the employer, refer the reporting person to other competent persons, close the proceedings for lack of evidence or other reasons, or refer the proceedings to other (internal or external) competent offices for further investigation.
Within three months from confirming the report’s receipt, the internal reporting office must provide the whistleblower with its feedback. Such feedback must include in particular planned or already taken follow-up measures (e.g., referral to the employer’s department responsible for internal investigations or to the competent state authority for further prosecution).
Furthermore, all incoming reports must be documented in accordance with the confidentiality requirements. Such documentation must be deleted three years after the proceedings’ conclusion.
How are whistleblowers protected?
Whistleblowers are protected from professional disadvantages and reprisals. This includes, for example, being ignored for promotion or being dismissed. If a whistleblower suffers any disadvantage in connection with his professional activities, it is generally assumed that this is a case of reprisal. In such case, however, the whistleblower must assert that he suffered the disadvantage as a consequence of a report or disclosure. Subsequently, it is up to the employer to prove the contrary, i.e., that the measures are not related to the report’s filing.
If the prohibition of reprisals is being violated, the person causing the violation is obliged to compensate the reporting person for the resulting damage. In contrast to the original draft bill, however, there is no right to claim compensation for damages other than a financial loss (= damages for pain and suffering).
Whistleblowers are not protected if they intentionally or grossly negligently report or disclose inaccurate information. In such case, the reporting person might even be obliged to pay damages.
Does your company have to expect a fine if it violates the obligations under the Whistleblower Protection Act?
Failure to establish an internal reporting office may result in fines of up to 20,000 euros being imposed on the respective employer. Fines of up to 50,000 euros are threatened in the event that communication channels are obstructed, reprisals are imposed, or the whistleblower’s confidentiality is not maintained.
If misconducts are not remedied and if public authorities or other public bodies investigate the matter, this may involve measures under the respective laws that have been violated. Depending on the type of violation, these may be many times more expensive than if an employer had taken action itself.
