Whistleblower protection already in place
Before the introduction of the Directive
Germany only had national regulations in place regarding whistleblower protection for the financial services sector and regarding the protection of business secrets.
In other domains, whistleblower protection has been primarily shaped by case law, and is still considered limited compared to the Directive requirements. Basing whistleblower protection on case law leads to considerable legal uncertainty for employees who want to expose unlawful conduct, abuse, and dangers in their working environment.
Current implementation status
After a comparatively long legislative process, following an initial rejection of the first draft law by the German Federal States (Bundesrat), the text and scope of the new law were revised by the Mediation Committee (Vermittlungsausschuss) on 9 May 2023.
After its promulgation, the German Whistleblower Protection Act will come into force on July 2nd, 2023.
Organizations of 250 employees or more with activities in Germany now only have one month to comply with the new requirements of the HinSchG. Organizations with 50 to 249 employees have until December 2023.
Fines can be imposed on employers 6 months later if they have not set up the required internal whistleblowing platform.
Scope of the German Whistleblower Protection Act
Who is affected by the HinSchG?
- Employers with at least 50 employees must set up internal reporting offices that whistleblowers can contact confidentially.
The Whistleblower network will insist that it is not just a mere compliance check.
- Organizations of 250 employees or more have until July 2, 2023, to set up the required internal reporting channels and comply with the HinSchG.
- Organizations with 50 to 249 employees will have until December 17, 2023, to comply.
- Highly regulated companies (listed in Section 12, para. 3 of the HinSchG), such as capital management or insurance companies, are also affected by the Act. They need to set up an internal reporting channel regardless of their number of employees.
Which violations are covered by the HinSchG?
To ensure whistleblower protection, the report must meet the following requirements:
- The report must involve a violation falling into one of these categories:
  - A criminal offense under German law.
  - A violation of a provision protecting life, body, health, or employee rights, punishable by a fine.
  - A breach of specific German or EU laws listed in the HinSchG (e.g., money laundering, product safety, environmental protection, consumer rights, data protection, financial services, tax law, etc.).
- The whistleblower must have obtained the information through their professional activities.
- The report must be made through the designated reporting channels provided under the HinSchG. (More details on this below)
Similar requirements apply to the protection of other affected individuals.
The material scope of the Whistleblower Protection Act is limited to information on criminal offenses and certain administrative offences. The following areas are largely excluded from the material scope of application:
- Significant misconduct or grievances below the threshold of clear violations of the law. Whistleblowers point out, among other things, government regulation and control gaps.
- Violations of the law when dealing with matters of national security or classified information.
Who is protected?
The protection granted by the HinSchG covers whistleblowers themselves, as well as any person affected by or being the subject of a whistleblowing report. This also includes the protection of the rights and confidentiality interests of the legal entities involved.
Whistleblowers are understood to include:
- employees, including those whose employment term has already ended, job applicants, interns, and temporary workers
- self-employed persons providing services, freelancers, contractors, subcontractors, suppliers, and their employees
- shareholders and members of management bodies
What protections are put in place for whistleblowers by the HinSchG?
- Prohibition of retaliation and discrimination towards whistleblowers
- Obligation to preserve the confidentiality of the identity of whistleblowers
- Whistleblowers cannot be held legally liable for:
  - obtaining or accessing information, unless it constitutes an independent criminal offense
  - or for disclosing information subject to a disclosure restriction if the whistleblower had reason to believe that the disclosure of the information was necessary to expose the violation
- Reversal of the burden of proof: the employer must prove that there is no link between an employee’s dismissal and whistleblowing
Main obligations for organizations
- Employers with more than 50 employees must set up internal reporting channels that whistleblowers can use confidentially.
- Internal reporting channels must allow both oral and written reports, including telephone or other voice transmission methods.
- In addition to written and verbal reports, in-person meetings should always be available either with a case manager as a follow-up, or via an externally hired lawyer or ombudsman
- Internal confirmation of the receipt of the report must be provided to the whistleblower within 7 days
- The whistleblower must be informed about any action taken as a result of their report within 3 months (initiation of internal investigations, forwarding of the report to the competent authority, etc.)
Anonymity and confidentiality requirements
There is no obligation to allow anonymous reports. Companies do not have to design their reporting channels in such a way as to enable anonymous reporting. However, if such reports are received, they should still be processed according to the law.
Still, companies must protect the identity of whistleblowers and comply with the GDPR.
External reporting channels are the responsibility of the Federal Office of Justice (BfJ). The main area of responsibility for external reporting within the Federal Office of Justice will be federal and state governments and information from the private and public sectors. In addition, the federal states can also establish their own reporting channels.
Whistleblowers are free to choose if they want to submit their report through the internal reporting channel provided by their organization, or through an external reporting channel.
Internal reporting loses the priority it had previously, putting external and internal reporting as equal options the whistleblower can choose from freely. The HinSchG strongly encourages organizations to create incentives and promote reporting through their internal channel. External whistleblowing offices are also obliged to notify whistleblowers of the possibility of reporting within their organization before processing their reports, in an effort to push internal reporting as well. However, whistleblowers are considered the best judge as to which channel is more trustworthy and suitable for them.
Cross-company internal reporting systems (group solution)
The HinSchG allows for the establishment of a cross-company internal reporting mechanism within a company (referred to as a group solution), but only for companies with fewer than 249 employees. Employers with 250 employees or more are required to establish their own internal reporting system and cannot use the group’s mechanism.
The possibility of using a group reporting mechanism contradicts the position of the European Commission, which states that each company must have its own internal reporting mechanism. However, according to information from the German government, discussions had taken place with the European Commission prior to the adoption of the HinSchG, during which the possibility of using a cross-company reporting mechanism at the group level was confirmed.
Public disclosure and disclosure to the media
The domains excluded from the material scope of the Whistleblower Protection Act mentioned above, as well as strict requirements for public whistleblowing, make journalistic work more difficult.
Disclosures to the media are only protected in a few exceptional cases, above all in the case of an “immediate or obvious endangerment of the public interest” (as stated in paragraph 32).
Sanctions and penalties
In case of non-compliance with the HinSchG, organizations can be fined up to €50,000 with the possibility of even higher fines if certain conditions are met (i.e. failing to protect a whistleblower’s confidentiality, or violating the prohibition on retaliation).
Unlike other laws, the fines are monetary amounts and are not calculated as a percentage of the company’s turnover.
Get a Head Start
Having a flexible platform that can adapt to any legislation and regulations can give you a great head start. With Whispli, you can build up your solution according to your current needs, and modify it at any time.
You can start by complying with the minimum requirements of the EU Directive today and adjust to your local legislation later.
Get in touch with one of our experts and get a guided demo to see how Whispli can help your organization comply with the Directive.