German Whistleblower Protection Act (HinSchG): Guideline for the implementation in companies
With this article, we would like to provide you with the most important information on the Whistleblower Protection Act as an implementation of the EU Directive in force since 17 December 2021. We will clarify the uncertainties and reservations about whistleblower systems and provide you as an entrepreneur with clear recommendations for action.
Since the law was passed on May 12, 2023, and came into effect for companies with 250 or more employees on July 2, 2023, companies should act immediately.
Since December 17, 2023, companies with 50-249 employees have also been required to take action.
The directive works to your benefit: it prescribes an early warning system for your company and a protective shield for your employees.
Current Information on the Implementation Deadline of the Whistleblower Protection Act
On May 9, the Mediation Committee of the Bundestag and Bundesrat agreed on amendments to the Whistleblower Protection Act. The Bundestag passed the law on May 11, 2023, and the Bundesrat approved the amendments on May 12, 2023. The law was published in the Federal Law Gazette on June 2, 2023. The most important changes are summarized further below in the article.
Implementation Deadline for Companies of Different Sizes
With an implementation period of one month, companies with at least 250 employees have been required since July 2, 2023, to have established a whistleblowing system. Private employers with 50 to 249 employees have been required since December 17, 2023, to set up a whistleblowing system.
Implementation of the Whistleblower Protection Act: this is how German companies must act now
- Companies with 250 or more employees: There is an obligation to introduce a whistleblower system. The implementation deadline expired on July 2nd, 2023.
- Companies with 50 to 249 employees: These companies must also provide their employees with a reporting channel, but they had until December 17, 2023 to do so.
- Companies in the public sector, or municipalities and cities with over 10,000 inhabitants, are also affected by the law. The implementation deadline here already expired in June 2023.
- Reporting systems must allow for written or oral as well as in-person reporting of incidents.
- Within 7 days, a report must be processed or confirmed by the internal reporting office.
- No later than 3 months after reporting, whistleblowers must be informed of the measures taken.
- The areas of application of the Whistleblower Protection Act refer to EU law and national law.
- The whistleblower system must be GDPR-compliant and protect the identity of the whistleblower.
- The offer of anonymized submission of reports is expressly recommended, but is not mandatory.
- In the event of violations of the law, companies must expect fines of up to €50,000.
Frequently Asked Questions
Companies with more than 249 employees had to implement a whistleblower system by 2 July 2023. For companies with 50 to 249 employees, the implementation deadline was 17 December 2023.
In addition to the external reporting channel via the Federal Office of Justice, companies must provide their employees with an internal reporting channel that fulfils the legal requirements of the HinSchG. Whistleblowers must be protected from reprisals.
Since 17 December 2023, the law has required all companies with 50 or more employees to implement a whistleblower system.
The Whistleblower Directive is intended to facilitate the reporting of, for example, breaches of compliance guidelines, corruption, violations of competition regulations or breaches of environmental guidelines. The scope of application of the Whistleblower Protection Act is therefore EU law, national law in the context of criminal offences and administrative offences, both in a professional context.
Employees within an organisation can report grievances, violations or ethical concerns to an internal reporting channel. Its function is to receive reports, conduct internal investigations and take appropriate action to protect the integrity and well-being of the organisation and its employees.
No, the HinSchG does not expressly oblige companies to enable anonymous reporting. However, the law stipulates that companies “shall” enable and process anonymous reports. In addition, it is expressly recommended in practice that anonymity be guaranteed. This is the only way to optimally protect whistleblowers.
Companies that do not implement a whistleblowing system or whose reporting channel does not meet the legal requirements must expect fines of up to €50,000.
German Whistleblower Protection Act: What is whistleblower protection in general?
One of the biggest challenges in implementing the Whistleblower Protection Act in companies is the negative connotation that often resonates with the topic of “whistleblowing”. The term is often associated with betrayal of secrets, especially in Germany, and is therefore interpreted in a very one-sided way. This fails to recognize that it is not generally a bad thing when secrets are revealed – especially if they involve breaches of the law. The difference in terminology between whistleblowing, the submission of valuable information, and leaking, the sharing of sensitive data with the general public, also plays an important role: in the case of leaking, abuses or illegal activities in an organization are usually made public via the press. Whistleblowers, on the other hand, only pass on information to the relevant authorities, usually without going public.
By uncovering breaches of the law in companies, internal whistleblowers become an early warning system. This enables reported problems to be addressed and resolved immediately, instead of one day ending up in the headlines as a scandal without prior notice.
When observing violations of the law, employees have to decide whether to report them or not. Depending on power relations and corporate culture, such a report resulted in personal disadvantages, exclusion or dismissal. As a result, the personal risks of a whistleblower became an often insurmountable hurdle.
To prevent precisely this hesitation, the EU has decided to protect whistleblowers better in future with a Whistleblowing Act. Someone who uncovers a malpractice in the company must not have to fear discrimination, or fear for their job or their future.
Failure to comply with the deadline for implementation of the Whistleblower Protection Act may result in fines
Employers with 250 or more employees were obliged to implement the requirements of the Whistleblower Protection Act by July 2, 2023. For companies with between 50 and 249 employees, the deadline for implementation was December 17, 2023. Internal reporting channels and concepts for the protection of whistleblowers must be set up and operated. If this is not done, companies face fines of up to €50,000.
The final version of the German Whistleblower Protection Act: What applies now?
The following key aspects were not included in earlier versions of the law, but must now be taken into account by companies when implementing it.
Anonymity
According to the Whistleblower Protection Act, there is no obligation to enable the submission of anonymous reports (neither for internal nor for external reporting offices). According to the law, however, companies should also process reports that come in anonymously. In addition, the acceptance of anonymous reports is now mandatory according to ISO standards: ISO 37301 on compliance systems, and ISO 37001 on anti-corruption measures. Anyone aiming for these ISO certifications must therefore accept anonymous reports. In the context of the liability issue, the “should” regulation is also a “must” regulation in practice.
Internal/external reports
Whistleblowers have the free choice of submitting a report to the company’s internal whistleblower system (e.g. the ombudsperson) or the external reporting office of the Federal Office of Justice – in special cases also to the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (BKartA). However, companies should explicitly create incentives to primarily use the internal channel. To this end, companies must inform their employees in detail about the possibility and procedure of internal reporting. Only if it is not possible to take effective action against infringements in this way should whistleblowers turn to external bodies.
Burden of proof
The law also provides for a reversal of the burden of proof if the reporting person suffers a disadvantage in connection with their professional activity. However, whistleblowers must expressly invoke this in court proceedings. The claim for compensation for whistleblowers has been removed.
Fines
The fines for companies that do not comply with the new requirements by the implementation deadline (17.12.2023) have been reduced from EUR 100,000 to EUR 50,000.
In general, whistleblowers should have the choice between external and internal reporting. Employers are to create incentives for whistleblowers to first contact the respective internal reporting office of the employer before submitting a report to an external reporting office of the Federation or the Land.
Progress to date on the Whistleblower Protection Act
December 2023: Since December 17, 2023, companies with 50-249 employees must have set up a whistleblower system with internal reporting points and have informed employees about the legal situation and the whistleblowing process. From this date, the fines of up to €50,000 specified in the Whistleblower Protection Act will apply in the event of non-compliance.
July 2023: July 2, 2023 was previously the deadline for companies with 250 or more employees to introduce a whistleblower system.
May 2023: On May 9, 2023, the Mediation Committee of the Bundestag and Bundesrat agreed on amendments to the Whistleblower Protection Act. The Bundestag subsequently passed the law on May 11, 2023, and the Bundesrat approved the amendments on May 12, 2023.
December 2022: Now it’s official: on December 16, 2022, the German Bundestag passed the Whistleblower Protection Act. The government draft of the law had only passed the Legal Affairs Committee two days earlier with a need for substantive amendments. The significant changes to the law were quickly waved through by the governing coalition. However, the Federal Council still has to give its approval for the final step towards the Whistleblower Protection Act.
July 2022: The federal government publishes a concrete draft bill.
December 2021: The EU transposition deadline for implementing a national whistleblower protection law expires.
The Whistleblower Protection Act for the protection of whistleblowers
The EU Whistleblower Protection Directive (EU Directive 2019/1937) requires all companies with more than 50 employees to set up a whistleblowing system. This also applies to public authorities and public institutions, companies with a turnover of more than 10 million euros and municipalities with a population of 10,000 or more. For companies between 50 and 249 employees, an extended implementation period until December 2023 is intended. The Whistleblowing Directive and the associated requirements for companies are designed to protect whistleblowers better when they report violations of the law within the company. This is to be ensured by an internal whistleblowing system as a reporting channel, which is to be accessible not only to the company’s own employees, but also to those of distribution partners, customers and service providers.
Whistleblower Protection Act: The implementation of the Whistleblowing Directive
Since it is a directive and not a regulation (as it is with the GDPR), all EU member states must additionally adopt their own national law that ensures the whistleblower protection based on the directive. In this context, the legal requirements of the EU Directive represent the “minimum”.
Many European countries were faster than the German government in implementing the EU directive. Some governments also impose stricter sanctions than Germany. In Poland, managing directors face up to 3 years in prison for failing to comply with the legislation. Other countries, such as the Czech Republic, already require companies with more than 25 employees to implement a whistleblower system.
In Germany, however, companies must not only comply with the HinSchG when dealing with whistleblowers: Since January 1, 2023, the Supply Chain Whistleblowing Act (LkSG) has also stipulated that companies with 3,000 or more employees must enable all employees along the supply chain to submit whistleblowing reports. Since January 1, 2024, this also applies to companies with more than 1,000 employees.
The new Whistleblower Protection Act requires whistleblower systems
The Whistleblower Protection Act defines all persons who are in contact with your company in the course of their work as potential whistleblowers. This means that it applies not only to your employees, but also to customers or suppliers (you can read more about this in our article “What is a whistleblower?”). The company is therefore obliged to provide easy-to-understand information about the reporting options and the processing of reports (e.g. on the company website).
In addition to being able to report in writing and verbally, the company must also enable a personal exchange at the request of the whistleblower. Of course, it must also process the data in connection with the report in compliance with the GDPR. In companies, reports of compliance violations are usually handled by ombudspersons: An ombudsperson is assigned to resolve conflicts, to mediate independently between employees and managers, for example, and to ensure fair procedures in organizations. This also includes the processing of reports.
The Whistleblowing Directive and the German Whistleblower Protection Act do not explicitly oblige companies to allow anonymous reporting. They formulate it as a “should” requirement and thus create a grey area, especially for companies.
However, the recommendation is clear: only anonymity creates sufficient security and trust to reduce the reluctance to report critical observations. The majority of companies that have already implemented whistleblowing systems have opted for reporting channels that include an anonymous reporting option.
Further requirements for companies and authorities imposed by the EU Whistleblowing Directive
However, the Directive does not only require the implementation of whistleblowing systems. It also requires you to establish whistleblowing procedures in your company. By setting specific deadlines during which your company must respond to whistleblowing, the Directive also requires you to manage follow-up actions:
- Within 7 days, your company must confirm to the whistleblower that the report has been received.
- You must also inform the whistleblower of any follow-up action taken within three months at the latest.
Important for these additional requirements is the selection and appointment of an impartial person who is responsible for the reports and the communication with the whistleblower. Depending on the size of the company, this can alternatively be done for your company by an external responsible person, such as a lawyer, in addition to the management or a compliance officer. However, you must ensure that the responsible person is not exposed to any conflict of interest.
The reversal of the burden of proof applies here: In case of doubt, the employer is obliged to prove that a dismissal has nothing to do with the whistleblowing on the part of the employee. This requires complete documentation of the entire process surrounding the whistleblowing – both for the company and for the whistleblower.
Whistleblower protection is corporate protection
The legal requirements of the new Whistleblower Protection Act raise many questions for companies. Find out more about the current status of the Whistleblower Protection Act, legal requirements for whistleblower software and practical implementation in this video clip from our webinar on May 25, 2023.
Whistleblower Protection Act: Call for implementation of internal and external reporting channels
The EU Directive obliges companies to implement internal and external reporting channels. What is the difference between the channels?
Internal channels
“Internal” in this case means “internal to the company”, i.e. within the legal entity, but this internal reporting channel can also be mapped via an external service provider (such as a software provider and / or a lawyer).
Pro
- Faster flow of information
- Possibility to counteract and solve problems directly internally
- The recipient of the information knows the company and can classify the content of the message more quickly
Contra
- High requirements for security, data protection & processes
- Inhibitions on the part of the whistleblowers → More communication necessary to create trust
Outsourcing internal reporting channels
Commissioning a third party to implement or manage the internal reporting channel is not only explicitly listed as a legally compliant solution in the guideline, but can also be a practicable compromise in practice: Potential whistleblowers often fear that they will not actually remain anonymous in internal reporting systems or criticise the lack of transparency regarding the processing and responsibility of the reports. “Can’t someone curious from our IT find out that I was the one who filed the report?” is a frequently asked question in this scenario.
Manage internal reporting channels yourself
An internal reporting channel that is independent of the company’s IT infrastructure can resolve these reservations. Companies can also leave the supervision and processing of the reports to lawyers or compliance advisors. Some companies even go so far as not to commission the “lawyer of trust” with whom the company has been working for years. They actively select a “new” lawyer for this task. This can create additional security for employees, as it reduces the likelihood of a conflict of interest.
External channels
The Directive also calls for external channels to be available to the whistleblower in addition to an internal company reporting channel. The instance of the external reporting channel is to be mapped by each EU member state by a regulatory body established for this purpose. Of course, all requirements of the Whistleblower Protection Act also apply to external reporting channels. An external report then triggers an official investigation.
Pro
- Completely independent of the company
- Standardised verification of the messages
Contra
- Company only learns about the internal grievance when it escalates / by initiating an internal investigation → Incalculable risk for company
- Slower flow of information
The important thing is that companies should point out both channels – internal and external – and employees have the freedom to choose which channel they use to report their observations.
Thus, there is a major incentive for companies to make the internal reporting channel intuitive and accessible at all times and to create trust among employees in this channel. In this way, an official investigation, i.e. the involvement of third parties, can be prevented and the problem can be dealt with and solved internally.
Whistleblower protection in corporate groups
The Whistleblower Protection Act provides for special regulations for groups consisting of a parent company and one or more subsidiaries: In principle, the same regulations apply to subsidiaries as to independent companies, meaning that the employees of subsidiaries with 50 or more employees must have access to a whistleblower system. What is special, however, is that subsidiaries with up to 249 employees do not have to set up their own internal reporting office or whistleblower system – they may use the system of their parent company.
Subsidiaries with 250 or more employees must set up their own whistleblower system. They may continue to leave the operation of an internal reporting office to the parent company – however, the subsidiary itself is responsible for ensuring that the confidentiality requirements are met.
Added value of a whistleblowing system for companies
Many entrepreneurs have reservations about anonymous whistleblowing systems, but whistleblowing channels offer companies a number of advantages that should not be overlooked.
- Early detection of grievances: A whistleblowing system enables employees to report potential violations or misconduct at an early stage. This allows companies to react quickly and limit damage. This reduces legal and financial risks and avoids potential penalties or sanctions through early intervention.
- Improving the corporate culture: By implementing a whistleblowing system, the company signals openness and transparency. Employees feel encouraged to raise concerns. This contributes to a positive working environment. If a company provides trustworthy channels, this shows employees that the management takes their concerns seriously and is prepared to respond appropriately.
- Strengthening trust in the organization: By providing legal protection for whistleblowers, employees gain confidence in the integrity of the company. This can have a positive effect on employee loyalty, motivation, willingness to innovate and the image of the company.
- Improving compliance: A whistleblower system supports companies in complying with legal regulations and ethical standards.
Official sources of information on the HinSchG (in German)
- Federal Ministry of Justice and Federal Office of Justice: Legal text of the HinSchG
- Federal Law Gazette on the HinSchG: BGBl. 2023 I No. 140 of June 02, 2023
- Contribution of the Federal Government to the entry into force of the Whistleblower Protection Act on July 2, 2023
- Bundestag procedure on the HinSchG in the DIP (Documentation and Information System for Parliamentary Materials)
- Information from the Federal Office of Justice dated June 2, 2023 on the establishment of external reporting offices
- Topic page of the Federal Ministry of Labor and Social Affairs on the Supply Chain Due Diligence Act (LkSG)
- Corporate Social Responsibility Initiative of the BMAS
- Whistleblower protection as a topic area of Transparency International Deutschland e.V.
- Website of the non-profit Whistleblower Network e.V.
Which reporting systems meet the requirements of a Whistleblower Protection Act?
The simple, widespread “good old grievance box” already fails because it does not allow the two-way communication needed to confirm receipt of the report to the whistleblower. You can read about other reporting channels in our blog article “The whistleblowing system”.
In practice, however, digital whistleblowing systems have proven their worth:
- Some system providers take care of conformity with the EU Directive, even across borders (including conformity with the national laws in the respective EU member states).
- With the right market analysis, you can find a resource-efficient whistleblowing system for your company that offers not only value for money but also quick implementation in your company. Read more about this in our article "Costs of a whistleblower system".
Start looking for the right whistleblowing system for your company today, and keep in mind when choosing your whistleblowing software that there is no “one size fits all”.
Consequences of violations against the Whistleblower Protection Act
In its statement, the EU explicitly provides for sanctions for those companies that do not set up a whistleblower system. The German Whistleblower Protection Act sets these fines at up to €50,000. This also applies to companies that fail to comply with other whistleblower protection requirements, such as not keeping the identity of the whistleblower confidential or even taking reprisals against the whistleblower.
Irrespective of this, non-compliance with the requirements of the EU Whistleblower Directive has a high price: If the company…
- has no whistleblowing system easily accessible for the whistleblower, …
- has an internal reporting channel, but does not confirm receipt of the report within the specified time to the whistleblower, …
- has an internal reporting channel, but does not inform the whistleblower of the investigation result or follow-up measures in accordance with the deadline,…
… the whistleblower may go public with his information without penalty. He is nevertheless protected under the EU Whistleblowing Directive in these above-mentioned constellations.
Sanctions and Claims for Damages in the German Whistleblower Protection Act
The law provides for compensation for the whistleblower if he or she is not protected from reprisals. However, whistleblowers are also obliged to pay damages if a false report was made intentionally. In addition, companies that do not comply with the requirements of the Whistleblower Protection Act face fines. Unlike in data protection, the right to compensation for pain and suffering for whistleblowers was removed again in the last amendment to the Act.
Steps to take for the implementation of the Whistleblower Protection Act
Entrepreneurs are well advised to take care of the reduction of personal liability now. Because that is what the Whistleblowing Directive actually sets in motion here: an early warning system for your company. A protective shield for your employees. Choose the external service provider you trust to set up this reporting channel in your company and ensure that your employees actually use it.
How can you achieve this? Find out about the next steps and recommendations for action in our guide “Your guide to comply with the EU Whistleblowing Directive in your company”.