Whistleblower Protection Act: Current Developments

Latest Update: 28th June, 2023


Whistleblower Protection Act: Guideline for the implementation in companies


With this article, we would like to provide you with the most important information on the Whistleblower Protection Act as an implementation of the EU Directive in force since 17 December 2021. We will clarify the uncertainties and reservations about whistleblower systems and provide you as an entrepreneur with clear recommendations for action.

To anticipate the conclusion: since the law was passed on May 12, 2023, and will take effect as early as July 2, 2023, for companies with 250 or more employees, companies should act immediately. The directive forces your hand by prescribing an early warning system for your company and a protective shield for your employees.

Update June 2, 2023: Whistleblower Protection Act published in Federal Law Gazette

On May 9, the Mediation Committee of the Bundestag and Bundesrat agreed on amendments to the Whistleblower Protection Act. The Bundestag passed the law on May 11, 2023, and the Bundesrat approved the amendments on May 12, 2023. Since June 2nd, 2023, the law has been published in the Federal Law Gazette.

The most important changes are summarized below in the article.

Implementation deadline

With an implementation period of one month, companies with at least 250 employees will be obliged to have a whistleblower system in place as early as July 2nd, 2023. Private employers with 50 to 249 employees will be obliged to set up an internal whistleblowing system from December 17, 2023. 
However, we recommend a timely and proactive implementation.

Implementation of the Whistleblower Protection Act: this is how German companies must act now

German Whistleblower Protection Act: What is whistleblower protection in general?

One of the biggest challenges in the context of implementing a whistleblower protection law in companies is the negative connotation that often resonates with the topic of “whistleblowing”. The term is associated with betrayal of secrets and is thus interpreted in a very one-sided way. What is not recognised is that it is not generally bad if secrets are revealed – especially if they involve violations of the law. By uncovering violations of the law in companies, internal whistleblowers become an early warning system. This makes it possible to solve reported problems instead of ending up as a scandal in the headlines one day without warning.

When observing violations of the law, employees have to decide whether to report them or not. Depending on power relations and corporate culture, such a report resulted in personal disadvantages, exclusion or dismissal. As a result, the personal risks of a whistleblower became an often insurmountable hurdle.

To prevent precisely this hesitation, the EU has decided to protect whistleblowers better in future with a Whistleblowing Act. Someone who uncovers malpractice in the company must not have to fear discrimination or fear for their job or their future.


Failure to comply with the deadline for implementation of the Whistleblower Protection Act may result in fines

Employers with 250 or more employees have to implement the requirements of the Whistleblower Protection Act by July 2nd, 2023. For companies with between 50 and 249 employees, the deadline for implementation is December 17, 2023. Internal reporting offices and concepts for the protection of whistleblowers must then be established and operated. If this is not done, companies face fines of up to €50,000.

Which changes were made in the Mediation Committee?

The recommendation of the Mediation Committee of May 9 contains a few significant changes to the law.


There is no obligation to enable anonymous reporting. However, internal and external reporting offices are supposed to process such reports.

Internal/external reporting

Reporting parties should preferably use the internal channel if it is possible to effectively deal with violations in this way.

Burden of proof

The reversal of the burden of proof in cases of claimed discrimination remains in force. However, whistleblowers must explicitly refer to this in court proceedings. The right to claim compensation for pain and suffering for reporters has been abolished.


The fines for companies that do not comply with the new requirements were reduced from 100,000 euros to 50,000 euros.

In general, whistleblowers should have the choice between external and internal reporting. Employers are to create incentives for whistleblowers to first contact the respective internal reporting office of the employer before submitting a report to an external reporting office of the Federation or the Land.

Progress on the Whistleblower Protection Act

May 2023: On May 9, 2023, the Mediation Committee of the Bundestag and Bundesrat reached an agreement on whistleblower protection. On May 11, the Bundestag and on May 12, the Bundesrat approved the bill. 

December 2022: Now it’s official: On December 16, 2022, the German Bundestag passed the Whistleblower Protection Act. With a need for substantive changes, the government’s draft of the law had passed the Legal Affairs Committee just two days earlier. The significant changes for the law were quickly waved through by the governing coalition. However, the final step in the Whistleblower Protection Act still requires the approval of the Bundesrat.

July 2022: The Federal Government publishes a detailed draft bill.

December 2021: The EU’s transposition deadline for implementing a national whistleblower protection law expires.

The Whistleblower Protection Act for the protection of whistleblowers

The EU Whistleblower Protection Directive (EU Directive 2019/1937) requires all companies with more than 50 employees to set up a whistleblowing system. This also applies to public authorities and public institutions, companies with a turnover of more than 10 million euros and municipalities with a population of 10,000 or more. For companies between 50 and 249 employees, an extended implementation period until December 2023 is intended. The Whistleblowing Directive and the associated requirements for companies are designed to protect whistleblowers better when they report violations of the law within the company. This is to be ensured by an internal whistleblowing system as a reporting channel, which is to be accessible not only to the company’s own employees, but also to those of distribution partners, customers and service providers.

Whistleblower Protection Act: The implementation of the Whistleblowing Directive

Since it is a directive and not a regulation (as it is with the GDPR), all EU member states must additionally adopt their own national law that ensures the whistleblower protection based on the directive. In this context, the legal requirements of the EU Directive represent the “minimum”. 

Many European countries were faster than the German government in implementing the EU directive. Some governments also impose stricter sanctions than Germany. In Poland, managing directors face up to 3 years in prison for failing to comply with the legislation. Other countries, such as the Czech Republic, already require companies with more than 25 employees to implement a whistleblower system.

A Whistleblower Protection Act requires whistleblower systems

The Whistleblowing Directive defines all persons as potential whistleblowers who are in contact with your company in the course of their work activities, i.e. not only your employees but also customers or suppliers (read more in our article “What is a whistleblower?”). Therefore, the company is obliged to provide easy and understandable information about the reporting possibilities and the processing of reports (for example on the company website). 

In addition to the possibility to report in writing and verbally, the company must also enable a personal exchange at the whistleblower’s request. Of course, the company must also process the data in connection with the report in accordance with the GDPR. 

The Whistleblowing Directive does not oblige companies to allow anonymous reporting. It leaves this to the companies or the authorities themselves. The German Whistleblower Protection Act has also attached a “shall” (and not a “must”) to the issue of anonymity as a result of the amendment in the Mediation Committee. However, the recommendation is clear: only anonymity creates sufficient security and trust to reduce inhibitions against reporting per se. The majority of companies that have already implemented whistleblower systems have opted for reporting channels including anonymous reporting.

Further requirements for companies and authorities imposed by the EU Whistleblowing Directive

However, the Directive does not only require the implementation of whistleblowing systems. It also requires you to establish whistleblowing procedures in your company. By setting specific deadlines during which your company must respond to whistleblowing, the Directive also requires you to manage follow-up actions:  

Important for these additional requirements is the selection and appointment of an impartial person who is responsible for the reports and the communication with the whistleblower. Depending on the size of the company, this can alternatively be done for your company by an external responsible person, such as a lawyer, in addition to the management or a compliance officer. However, you must ensure that the responsible person is not exposed to any conflict of interest. 

The reversal of the burden of proof applies here: In case of doubt, the employer is obliged to prove that a dismissal has nothing to do with the whistleblowing on the part of the employee. This requires complete documentation of the entire process surrounding the whistleblowing – both for the company and for the whistleblower. 

Whistleblower protection is corporate protection

The legal requirements of the new Whistleblower Protection Act raise many questions for companies. Find out more about the current status of the Whistleblower Protection Act, legal requirements for whistleblower software and practical implementation in this video clip from our webinar on May 25, 2023. You can request the entire recording here (available in German only).



Whistleblower Protection Act: Call for implementation of internal and external reporting channels 

The EU Directive obliges companies to implement internal and external reporting channels. What is the difference between the channels?

Internal channels

“Internal” in this case means “internal to the company”, i.e. within the legal entity, but this internal reporting channel can also be mapped via an external service provider (such as a software provider and / or a lawyer).



Commissioning a third party to implement or manage the internal reporting channel is not only explicitly listed as a legally compliant solution in the guideline, but can also be a practicable compromise in practice: Potential whistleblowers often fear that they will not actually remain anonymous in internal reporting systems or criticise the lack of transparency regarding the processing and responsibility of the reports. “Can’t someone curious from our IT find out that I was the one who filed the report?” is a frequently asked question in this scenario.

An internal reporting channel that is independent of the company’s IT infrastructure can resolve these reservations. Companies can also leave the supervision and processing of the reports to lawyers or compliance advisors. Some companies even go so far as not to commission the “lawyer of trust” with whom the company has been working for years. They actively select a “new” lawyer for this task. This can create additional security for employees, as it reduces the likelihood of a conflict of interest. 

External channels

The Directive also calls for external channels to be available to the whistleblower in addition to an internal company reporting channel. Each EU member state is to provide the external reporting channel through a regulatory body established for this purpose. Of course, all requirements of the Whistleblower Protection Act also apply to external reporting channels. An external report then triggers an official investigation.



The important thing is that companies should point out both channels – internal and external – and employees have the freedom to choose which channel they use to report their observations.

The incentive for companies to make the internal reporting channel intuitive and accessible at all times and to create trust among employees in this channel is therefore great. In this way, an official investigation, i.e. the involvement of third parties, can be prevented and the problem can be dealt with and solved internally.

Which reporting systems meet the requirements of a Whistleblower Protection Act?

The simple, widespread “good old grievance box” already fails because of the two-way communication that is necessary to confirm receipt of the report to the whistleblower. You can read about other reporting channels in our blog article “The whistleblowing system”.

In practice, however, digital whistleblowing systems have proven their worth:

Start looking for the right whistleblowing system for your company today and make sure when choosing your whistleblowing software that there is no “one size fits all”.

Consequences of violations against the Whistleblower Protection Act

In its statement, the EU explicitly provides for sanctions for those companies that do not set up a whistleblower system. The German Whistleblower Protection Act sets these fines at up to €50,000. This also applies to companies that fail to comply with other whistleblower protection requirements, such as not keeping the identity of the whistleblower confidential or even taking reprisals against the whistleblower.

Irrespective of this, non-compliance with the requirements of the EU Whistleblower Directive has a high price: If the company…

… the whistleblower may go public with his information without penalty. He is nevertheless protected under the EU Whistleblowing Directive in these above-mentioned constellations.

Sanctions and Claims for Damages in the German Whistleblower Protection Act

The law provides for compensation for the whistleblower if he or she is not protected from reprisals. However, whistleblowers are also obliged to pay damages if a false report was made intentionally. In addition, companies that do not comply with the requirements of the Whistleblower Protection Act face fines. Unlike in data protection, the right to compensation for pain and suffering for whistleblowers was removed again in the last amendment to the Act.

Steps to take for the implementation of the Whistleblower Protection Act

Entrepreneurs are well advised to take care of the reduction of personal liability now. Because that is what the Whistleblowing Directive actually sets in motion here: an early warning system for your company. A protective shield for your employees. Choose the external service provider you trust to set up this reporting channel in your company and ensure that your employees actually use it.  

How can you achieve this? Find out about the next steps and recommendations for action in our guide “Your guide to comply with the EU Whistleblowing Directive in your company”.

Do you have any questions? Feel free to contact one of our experts for a personal consultation. 
