Internal Reporting Office: What does the Whistleblower Protection Act require?
Legal violations rarely occur suddenly. They often develop gradually, remain unnoticed internally for a long time, or are not addressed due to uncertainty. It is precisely at this point that the Whistleblower Protection Act comes in.
The Internal reporting office it is not just a legal requirement but a central instrument of modern ComplianceStructures. It determines whether risks are identified early or only disclosed by external bodies.
The most important points briefly
- Company from 50 employees are obliged to establish an internal reporting office in accordance with the Whistleblower Protection Act§§ 12, 13 HinSchG).
- The internal reporting office allows employees and other authorised persons to, Legal infringements report securely and confidentially.
- Internal reporting offices must ensure firm deadlines, confidentiality, data protection, and protection against retaliation.
- Digital whistleblowing systems support companies in implementing legal requirements efficiently and in an auditable manner.
- Anyone who does not set up an internal reporting office risks a Fine of up to 50,000 Euros (§ 40 Whistleblower Protection Act).
What is an internal reporting office?
One Internal reporting office is a body established within or on behalf of an organisation to receive, process and document reports of legal violations.
It ensures the Confidentiality of the identity of the persons providing information, checks incoming reports in a structured manner and forwards suitable follow-up measures The goal is to identify risks early and address them legally.
Since 2 July 2023, the Whistleblower Protection Act Company from 50 employees to setting up an internal reporting office. For companies with 50 to 249 employees a transitional period applied until 17 December 2023.
The aim of the law is to enable people who rely on Legal infringements to point out in a professional context, to protect effectively while at the same time giving companies the opportunity for internal clarification at an early stage.
What are the reporting channels?
The Whistleblower Protection Act looks both internal and external reporting channels Employees and other entitled persons may freely choose whether to initially contact an internal reporting office or directly a External reporting office turnSection 7(1) of the German Whistleblower Protection Act).
At the same time, transparent and trustworthy internal procedures should be established to encourage whistleblowers to use internal reporting channels, provided that violations can be effectively addressed through these channels and no reprisals are to be feared.
External announcements occur in particular via the at Federal Office of Justice as a centrally established reporting office (§ 19 HinSchGIn special circumstances, industry-specific external reporting bodies are also responsible, for example, at the Federal Financial Supervisory Authority (BaFin) or the Federal Cartel Office.
At the same time, the legislator aims to, Internal communications to promote. Companies are therefore encouraged to design internal reporting offices in such a way that whistleblowers develop trust in the procedure and address grievances internally first.
What are the tasks of an internal reporting office?
Internal reporting offices play a crucial role in maintaining integrity and lawful conduct within organisations. They serve as Central point of contact for staff and other stakeholders to report concerns, irregularities or potential breaches.
In doing so, there is 3 core functions to an internal reporting office:
- Recording of reports
The internal reporting office accepts reports, both written as well as oral Away§ 16(1) HinSchG. It ensures that these messages are treated confidentially, only made accessible to a strictly limited, authorised circle of individuals and, accordingly GDPR as well §11 HinSchG to be stored, meaning only for as long as is necessary and proportionate, and as a general rule for no longer than three years after the conclusion of the proceedings. - Checking the reports
The internal reporting office initiates a Initial check incoming reports. Furthermore, she maintains contact with the whistleblower: she acknowledges receipt of the report within 7 days, asks important follow-up questions regarding the report, and informs the whistleblower of the report's progress. - Clarification and follow-up actions
The reporting office checks the validity of the report, coordinates internal investigations, and submits proposals for appropriate follow-up measures. If necessary, internal specialist departments or external legal experts are involved. The decision on and implementation of measures lies with the company.
Advantages of internal reporting channels for companies
Beyond the legal obligation, internal reporting channels offer a strategic added value for organisations.
They act as Early warning system for legal, organisational, and ethical risks. The possibility of internal whistleblowing gives companies the chance to clarify matters early on, before external bodies or the public become involved.
At the same time, strengthen working reporting structures a transparent corporate culture and increase the trust of business partners, investors, banks, and employees.
These are the Advantages of an internal reporting office In overview:
- early identification of legal violations, compliance risks, and organisational weaknesses
- structured and documented Processing from indications according to fixed statutory regulations
- Risk reduction external notifications, official proceedings, and public reputational damage
- Strengthening transparent and accountable Company culture
- legally compliant implementation the requirements of the Whistleblower Protection Act
- clear responsibilities and processes for handling sensitive disclosures
- improved basis for decision-making for management, compliance and legal departments
The Whistleblower Protection Act lays down a series of requirements for setting up an internal reporting office:
The Whistleblower Protection Act defines concrete requirements to the setup and operation of internal reporting offices.
This includes that reports both In writing as well as oral can be submitted. The receipt of a note is within 7 days to confirm§ 17(1) No. 1 of the HinSchGAt the latest 3 months after the report, persons who have provided information must be informed about any measures taken or planned.
The material scope includes, in particular, infringements of European law and selected areas of national law. Furthermore, Privacy policy and confidentiality within the Whistleblowing system imperatively to guarantee (especially GDPR-compliant). The possibility to Anonymous report it is legally recommended, but not compulsory.
Internal Reporting Office: What are the requirements?
The Whistleblower Protection Act requires that the persons entrusted with the internal reporting office carry out their duties independent perform. Whilst they may undertake further functions within the company, they may only do so provided that this does not Conflicts of interest arising. Instructions which could influence the objective examination of indications are inadmissible.
Companies must therefore ensure organisationally that Internal reporting office works independently and is sufficiently qualified. In addition to basic legal knowledge, in particular, Professional conduct with sensitive information required. Is this Technical knowledge intern not present, it may be replaced by Compliance trainings or external support can be built up.
Requirements for responsible persons
- independent and instruction-free performance of tasks
- no conflicts of interest with other functions
- Confidential and data protection compliant Handling hints
- appropriate communication with whistleblowers
- structured documentation and tracking of reports
A careful staffing of the internal reporting office significantly contributes to the acceptance and effectiveness of the whistleblower system. Company are well advised not to see the staffing of the internal reporting office as a formal obligation, but as an integral part of their Compliance and GovernanceStructure to understand.
External individuals as an internal reporting office – is that possible?
The internal reporting office can also be managed by an external person. One option is to use a Ombudsperson. An ombudsman is an independent body that receives and investigates complaints. To do this, the ombudsman must have sound legal knowledge.
For employees, the barrier to reporting may be lower if they can approach an external person without concern, as ombudspersons are Confidentiality compliant. In accordance with Section 14, Paragraph 1 of the Whistleblower Protection Act (HinSchG), the processing of reports by an ombudsman is legitimate.
Digital support for internal reporting offices: How LegalTegrity supports you
Digital whistleblower systems significantly facilitate the legally compliant implementation of internal reporting offices. They support structured processes, deadline control, and audit-proof documentation.
Solutions such as the whistleblower system from LegalTegrity enable central processing of tips, secure communication with whistleblowers, and data protection-compliant storage of sensitive information.
Advantages of LegalTegrity's Digital Whistleblower System
- allows anonymous reporting
- enables confidential case processing
- encrypts data securely
- Data is securely stored in the Deutsche Telekom Cloud
- available at any time, in real time and from anywhere, provided internet access is available
- guarantees your company legal certainty
- Oral messages are also possible by telephone
Learn in 5 minutes
Before you book a live demo appointment with LegalTegrity, you can get to know our software in just 5 minutes. Request our demo video to get an overview of all the system's important features and customisation options. You will receive the demo video via email.
Organisation of internal notifications: process and follow-up measures
The following diagram illustrates a typical, legally compliant process for internal reporting under the Whistleblower Protection Act. Starting from an observed incident, the report is made via the Internal reporting office received and a structured Initial check subjected. Meanwhile, confidential – and, if necessary, anonymous – communication between the reporting person and the reporting office is guaranteed.
Following this, internal investigations and the derivation of suitable Follow-up actions. The involvement of management is limited to the decision on necessary organisational or legal steps. The entire process is comprehensibly documented and concludes with a timely response to the reporting person.
What data protection requirements apply to the internal reporting office?
The internal reporting office regularly processes personal data of whistleblowers, data subjects, and third parties. Processing is generally carried out on the basis of Art. 6 para. 1 Excellently. c GDPR in conjunction with the obligations from the HinSchG. Companies must ensure, in particular, adequate technical and organisational measures to protect confidentiality, limit data processing to the necessary extent and observe statutory retention periods – generally three years after the conclusion of proceedings.
Internal reporting office according to the HinSchG – frequently asked questions
(The male form used refers to all persons, regardless of gender.)
