Defeated by Whistleblowers?

Schlüssel für Unternehmen beim Whistleblowing

Whistleblower – How can an entrepreneur react in an emergency?

Defeated by whistleblowers? Cambridge Analytica, NSA, Tönnies or Wirecard. What do these organisations have in common? That’s right, they all saw, or see, themselves embroiled in whistleblower scandals. All of them have put their employers in trouble through sensitive disclosures. To be sure, on closer examination the circumstances are individually different. And yet all affected management ask themselves one question: Can I take action against the whistleblower(s)? And if so, how?

In this blog article, you as a managing director will learn what legal consequences you can consider should a whistleblowing case occur in your company. To start with, we will explain the legal framework around whistleblowing cases in order to enable you to classify your scope of action. Clarification, trust and transparency are essential means with which you can put yourself in a strong position as a company and make yourself capable of acting from the legal defensive.

The acceptance of whistleblowing

Increased public debates around whistleblower cases have repeatedly put the phenomenon of whistleblowing on the political agenda in the past. The tenor in debates and legislative amendments, for example the Money Laundering Act, is clear: whistleblowers are entitled to protection from retaliation (XY 376/2014 2013/54). The so-called EU Whistleblower Directive is the most recent and important legislative impetus to continue this trend. Adopted in November 2019, it obliges, among other things, companies with more than 50 employees to set up a whistleblower system. The directive focuses on EU-wide protection rules for whistleblowers and the promotion of the proper transmission of incidents in order to strengthen EU law in an overarching sense. Not many CEOs are therefore faced with the question: What legal means do I have as an entrepreneur in case of whistleblowing?

Protection for whistleblowers

In fact, the EU Directive gives the impression that the resources on the part of the company are limited. It defines exactly which groups of people are entitled for protection. It is not only your employees, but also, for example, customers, suppliers and shareholders who are included in the scope of protection in Article 4 of the Directive. Even supporters of whistleblowers as well as family members should in principle be entitled for protection (Art. 4 para. 3 lit a,b). In general terms, it includes all persons who have obtained information about violations of applicable EU law in a work-related context. This means that people who you have contracted but whose first day of work is yet to come are also entitled for protection.

In addition, the Directive specifically describes the right for protection by standardising which forms of retaliation are prohibited. Here, too, there is comprehensive protection. Dismissal or leave of absence, as often associated, are only one of fifteen defined forms of “retaliation”. In addition, salary reductions, job transfers, negative employee evaluations or refusal to train the employee also count as retaliation, which the employer must prevent for the whistleblower (Art. 19 lit. a-o). What is special is that the protection against such and other forms of retaliation, such as psychological damage, are by no means limited to your employees.

Powerlessness against protection claims?

So what to do about this seamless bulwark to protect whistleblowers? In the following, you will read where the Directive does not apply and how you as an employer can position yourself with measures to minimise your risk of legal disputes and possible compensation payments. While these measures are proactive in nature, we will then explain what reactive legal remedies are available for you.

The EU Directive not only establishes protection rights for whistleblowers. It also establishes rules whistleblowers must follow when reporting. What protection there is for the individual whistleblower is based on a set of principles of conduct, which in turn offer your company opportunities for legal action if a whistleblower goes public without justification.

The extent of whistleblower protection

First of all, the protection for whistleblowers is not unlimited, but is also subject to substantive limitations in addition to compliance with rules of conduct. The Directive describes ten areas of application, such as product safety or public health, which limit the scope of the right to protection (Art. 2 para. 1 lit. a).

If a whistleblower publishes information that does not fall into one or more of these areas, the Directive no longer applies. It is true that these areas cover a wide range of cases. However, there are also gaps. It is therefore all the more important that the anonymity of the whistleblower is guaranteed. This became clear recently in the whistleblower case of the Tönnies canteen. There, the employee of the canteen operator was dismissed after she published a video on YouTube, which revealed the company’s lax handling of the Covid protection measures. Not punishable? If one considers the eighth area of application, public health, the answer could be “yes”. To be more precise: could. Because the Whistleblower Directive does not provide for the application of infection control regulations, which would be necessary for a clear answer.

In perspective, it is up to the legislators of the EU states to close such loopholes when transposing the Directive into national law – or not. For you as an entrepreneur and your whistleblower, this means that violations outside the scope are not protected ex ante by the Directive. In other words, not everything that is reported qualifies the person per se for protection.

Another substantive requirement for the whistleblower is that the information about an EU law violation must be true at the time of reporting (Art. 6 para. 1 lit.1a). In this way, the Directive delimits those reports from the right to protection that are either void or untrue.

Obligations for the employee: The reporting cascade

Apart from that, the principles of conduct mentioned above are relevant for you, which whistleblowers must observe when reporting. Because there are two sides to the coin: On the one hand, the whistleblower’s right to protection. On the other hand, there is the obligation to comply with these rules. The latter are a prerequisite for the whistleblower to be on the safe side legally. Where the whistleblower does not comply with the rules, you as the entrepreneur have the means for legal consequences in your hand. Essentially, there is an escalation cascade, which contains the following three steps:

Internal message

The Directive stipulates as a “fundamental principle” that whistleblowing should primarily take place through internal company channels (Art. 7 para. 1,2). The EU states are encouraged to emphasise the internal reporting channel as the primary channel when transposing the Directive into national law. For you as an entrepreneur, you must have an internal channel for reporting information (Art. 8 Par. 1). This can take various forms, for example also through a designated person or department (Art. 8 para. 5). If you have informed the whistleblower in advance of the existence of this channel and guarantee the person the effective processing of the report, you are basically proactively withdrawing the justification for escalating to the second stage, external reporting.

You don’t have a whistleblowing system yet? Find out more about “Choosing a whistleblowing system” in our blog.

External message

According to the Directive, the whistleblower may also use external channels to submit the report. Either he does this directly on his own initiative or it has previously been unsuccessful in escalation level 1, the internal channel. If the whistleblower has demonstrably no knowledge of the existence of internal channels, he can also use the external channel directly. It is important for you under all circumstances: External does not mean Youtube (see Tönnies), Wikileaks (Chelsea Manning), or The Guardian (Edward Snowden). Instead, the Directive defines the requirements for such external channels in order to enable regulated processing of whistleblowing. For their part, the EU states must ensure that “competent” official bodies are set up to report. If the whistleblower inadvertently chooses the wrong office, the latter must ensure that the report reaches the intended office safely and within a short period of time (Art. 11 para. 6).

In Germany, these channels are to be covered by sector-specific as well as non-specific institutions on the one hand. The former, modelled on Bafin, form a contact point for certain professional groups, although this is still quite unique and other institutions will follow. Sector-unspecific institutions include offices such as the public health department, which would have been the predestined external channel for the Tönnies canteen case. The path to the competent public prosecutor’s office also falls into this category.

Concrete requirements for these bodies are also specified in the Directive, including ensuring confidentiality, integrity and completeness with regard to the notification received (Art. 12 para. 1 lit. a). Furthermore, employees of such bodies must even be trained for the purpose of proper processing of the report (Art. 12 para. 5). As you can see, the existence of such external bodies is advantageous for you in case of doubt, because they can channel grievances in such a way that your company does not come under public scrutiny. They thus represent another important form of de-escalation for you, which you can leverage through transparent communication towards your employees.

Public message

Public reporting is the third escalation stage. Due to the multiplication factors of the media and the simultaneous interest of the public, it is probably the most prominent stage. This is despite the fact that – in an ideal world – it should not be used at all. For the protection of companies, the Directive treats this route as a “last resort”, which by definition should only be used in the following cases:

  1. The whistleblower has already used the internal and / or external channel but has not received feedback within the prescribed time (Art. 15 para. 1 lit. a).
  2. The incident to be reported poses a significant danger with irreversible consequences for the public (Art. 15 para. 1 lit. a i).
  3. The person making the report has reason to believe that the report will not be dealt with effectively or that he or she will face retaliation as a result of the report.

Do you notice anything? With the exception of point two, they have direct levers to prevent public whistleblowing. Apart from that, it is still true that the report must fall within the scope of the Directive in order for the whistleblower to be entitled to protection. If you are on the safe side with the measures described below, you withdraw the whistleblower’s basis for any public reporting. As a result, if the person nevertheless goes public, you will have consequences under criminal and labour law in your hands. The whistleblowing system thus becomes a protective shield for your company.

Measures to prevent escalation

In general, it should be clear for both sides, whistleblower and employer: escalation is avoidable. The following measures will help you to avoid escalation:


Icon Marketing

The most effective means of dealing with whistleblowers is proactive and verifiable communication via the reporting systems you offer. Verifiability can be ensured in the classical sense in the whistleblower’s employment contract. As far as whistleblowing by your own employees is concerned, a clause in the employment contract that draws your employees’ attention to the company’s own channel as well as to external reporting bodies is a remedy. This closes the door to justifications for public whistleblowing based on the lack of an internal channel.

As described above, whistleblowers can affect other groups of people. It is therefore advisable to reflect on their relationships with all stakeholders and, in a second step, to choose the appropriate medium for communicating the reporting channels. For suppliers, this could be the supply agreement, for customers the general terms and conditions, for applicants the non-disclosure agreement.


The more you “empower” potential whistleblowers to use the prescribed channels, the more effective they are against public whistleblowing. Trust in the channels is the key to their actual use. In addition, you also prevent the danger of whistleblowers turning directly to the public with the argument of a lack of confidence in the processing of the whistleblowing. A corporate culture based on integrity helps to breathe life into the paragraph in the employment contract (or similar) on the reference to mandatory reporting channels, so that it does not degenerate into an unread clause. For whistleblowers it becomes tangible, for you it becomes the foundation for legal claims against the public whistleblower.


Finally, transparency in the reporting process is an important vehicle to take the wind out of the whistle of public whistleblowers. Regular, direct exchanges with the whistleblower turn your system from a crystal ball into a clearly regulated communication channel. Your whistleblower thus knows that the report will be dealt with appropriately and that he or she can refrain from further escalation steps. Against this background, the EU Directive has established deadlines that companies must meet when processing the report.

  1. Seven days after receipt, the whistleblower must receive confirmation of receipt of the message (Art. 9 Para. 1 lit. b).
  2. Three months after sending the confirmation, the whistleblower must receive feedback on his or her report (Art. 9 para. 1 lit. b).
  3. If the internal investigations prove to be particularly time-consuming, this period is extended to six months.

If you meet these deadlines, there is still no primary requirement for the whistleblower to leave this reporting channel, so that employment and criminal law consequences could be imposed by you should he or she go public after all.

Labour law consequences in the event of the scandal

So what should you do if the whistleblower has not followed the escalation steps as intended? Your focus should be on preventing exactly this case. If this is not the case, you are free to initiate consequences under labour and criminal law, which are described below if the whistleblower is an employee.

The Admonition

The first option for you in employment law is to issue a warning to the whistleblower. While this remedy can in principle be considered in a number of cases, it is likely to be worthless in the context of whistleblowing for the following reasons. Firstly, the so-called reprimand function, by which the employee is made aware of the breach of contract, has little effect, as practice suggests that whistleblowers are well aware of the breach. On the other hand, because the request function, which aims at the employee’s refraining from the behaviour, is hardly used. Finally, the majority of whistleblowers have already concluded their employment relationship with the company concerned by the time they escalate to the public, which makes a change of behaviour obsolete. Apart from this, various practical problems arise, such as the integration of the whistleblower back into the workforce and a lack of trust on the side of colleagues.

The Warning

In the case of a warning, the warning function is added to warn the whistleblower of dismissal in the event of a repetition. This is also unlikely to be of much help as a legal consequence. You can find out whether a warning is nevertheless possible by asking the following two questions:

  1. Can my whistleblower return to work?
  2. Do I have any guarantee that the whistleblower will report any future incidents in accordance to the Directive?

In the unlikely event that they can answer “yes” to both questions, these funds may be an option.

The Notice of Termination

For all other cases, notice of termination is another option, which can be given for ordinary or extraordinary reasons. While the former is subject to contractually stipulated notice periods, the latter requires important reasons for termination (section 626 (1) BGB). The deliberate, targeted dissemination of internal information to the public, for example, could fall under this, depending on the interpretation. At this point, at the latest, it is clear that the incident and the report will cause damage. In the best case, in the form of costs for filling the position. In the worse case, costs will be added by a possible lawsuit and penalties from the whistleblower; for example, if the reason for dismissal proves to be without evidence. In addition, they have the option of suing for damages. However, this is not very practical, especially in simple employment relationships outside the C-suite.

The risk of reputational damage should not be underestimated in labour law escalations. Such processes quickly become public, as recently shown by the Tönnies case or the Bottrop pharmacist scandal with protracted disputes in the relevant labour courts. In discussions about the exact reason for dismissal, employers in the media spotlight often find themselves in need of explanation.

Criminal consequences in the case of the scandal

Finally, you have the option of taking criminal action against the whistleblower. Before filing a criminal complaint, however, you should carefully consider, with intensive consultation of your legal experts, how great your chances are of winning a lawsuit. The question of “winning” should include the question of possibly awarded claims, as well as the post-litigation risks. The latter can become a boomerang for you if the whistleblower files a counter report and the public prosecutor’s office intervenes; for example, in the case of false suspicion or defamation. Here, too, long-lasting disputes are characteristic, which tie up capital and resources and are only worthwhile in rare cases.

Consequences for external whistleblowers

For external whistleblowers such as suppliers, different rules apply in principle. Where legal entities are involved as whistleblowers, the chain of evidence is usually more complex than for the employed whistleblower. However, the consequences also cover a spectrum from weak to strong means. The first may be an informal discussion in which the partner is admonished to be more careful with business secrets. On the other hand, there is the possibility to terminate the contractual relationship without notice and to claim damages.


In summary, your strongest means for a legally strong position are ex-ante measures that you can take before a scandal arises. As shown, extensive disclosure as well as trust and transparency measures play key roles here. Whistleblowers are entitled to comprehensive protection under the EU Whistleblower Directive. However, this is subject to content-related and procedural rules. If you have taken all the recommended measures, whistleblowers quickly leave their legal scope of action when they turn to the public with their report. Ex-post, i.e. after a scandal has arisen, you then have access to the consequences under labour and criminal law. However, since these rarely run smoothly and always represent a risk of damage, these steps should be carefully considered and prepared. On the other hand, fundamental care in the implementation and communication of your reporting system, whether through contractual clauses or information campaigns, pays off. True to the motto: “Better to have and not need than not have and need“!

Find out about the “Cost of a whistleblowing system” and download our guide “How to comply with the EU Whistleblowing Directive?”.

We would be happy to advise you in a personal demo meeting, simply fill out our contact form.

Why wait any longer?

Compliant in 5 minutes

Our solution fits to your clients?

Join our partner program


gültig für Neukunden bis zum 31.7.2024

Wir schenken Ihnen ein Info-Poster für Beschäftigte i.W.v. 249 €! Sprechen Sie uns an!