The German Whistleblower Protection Act (“Hinweisgeberschutzgesetz” or “HinSchG”) will come into force on 2 July 2023. It implements the requirements of the EU Whistleblower Directive (Directive (EU) 2019/1937) and introduces mandatory regulations for the protection of whistleblowers for companies with at least 50 employees.
German companies with at least 250 employees and German subsidiaries of internationally active groups of companies and corporations will be required to implement internal reporting from 2 July 2023. They must also operate a channel for transmitting whistleblows or information about breaches. There is impetus to act quickly but in a considered way. After all, a violation of this obligation will not be subject to a fine until 1 December 2023.
Smaller companies have even longer to act. For companies with 50 to 249 employees, the obligation will not apply until 17 December 2023.
The internal reporting point and the reporting channel according to the German Whistleblower Protection Act
Under HinSchG, companies with at least 50 employees are required to set up an internal reporting point and operate an internal reporting channel to receive and process information about breaches within the meaning of the law. Information about breaches include those relating to criminal offences and certain administrative offences, as well as violations of EU law. They must have come to the knowledge of the whistleblower in connection with their professional activity or in the run-up to a professional activity.
The internal reporting point can be staffed by an employee of the company or a work unit consisting of several employees. However, a third party (e.g., an external lawyer) can also assume this function for the company. According to the explanatory memorandum to the Act, the establishment of a central reporting point within a group of companies is also permissible.
The reporting channel must allow reports to be made verbally or in text form. It must be open to employees and temporary workers assigned to the company as a minimum. In principle, however, it is advisable to also allow reports from persons outside the company, as they may have considerable specialist knowledge regarding breaches by employees.
Anonymous reporting is not mandatory, but it is advisable because it may lower the inhibition thresholds for reporting and enable companies to compete effectively with external reporting routes. It is also advisable to provide a mix of different reporting and contact options, so that potential whistleblowers can submit their information at the lowest possible threshold. In addition to electronic reporting channels, a traditional mailbox can also be used, depending on the individual case.
Free choice between internal and external reporting and threatened disclosure
HinSchG grants whistleblowers a free choice between making an internal or an external report. External reporting points have been established, for example, at the Federal Office of Justice, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office.
Against this background, a company's goal must be to make its own reporting channels as attractive as possible so that whistleblowers prefer internal reporting to external reporting.
This is because, in addition to the threat of official proceedings in the case of an external report, there is a threat of a public disclosure by the whistleblower if the external reporting point processes the report inadequately. Otherwise, a public disclosure is only permissible in very exceptional cases, such as if there is sufficient reason to believe that there is a risk of irreversible damage. Such a public disclosure can be made, for example, by publishing the violation on social media or notifying the press.
Essential points in the implementation of the law and in the handling of reports
The purpose of the law is to protect whistleblowers. Against this background, it regulates a strict "need to know" principle in the form of the confidentiality requirement, which only is inapplicable in limited exceptional cases, regulated by law. A breach of the confidentiality requirement risks severe fines for the persons involved and the company. When implementing a whistleblowing system, particular attention must therefore be paid to the confidentiality requirement and compliance with it must be ensured by creating appropriate processes and through training for the competent persons of the internal reporting point.
In addition, data protection law also plays a role that should not be underestimated, since a whistleblower system and the subsequent processing of (potential) breaches involve the processing of personal data. Depending on the design of the whistleblowing system, especially if technical reporting channels are set up, the works council (“Betriebsrat”) must also be involved, for example.
In addition, care must be taken to determine how the whistleblower system is communicated and publicised to employees and others in order to build trust and encourage its use.
Policies, processes, and training
The internal reporting point must be able to deal properly with incoming reports. Relevant personnel must therefore have the necessary professional qualifications, which they can obtain and refresh through appropriate training. In addition, a clear process must be designed and followed to ensure that they comply with the procedure set forth in the HinSchG. A clear process also ensures compliance with the confidentiality requirement.
A policy can also inform employees and potential whistleblowers about the procedure and whistleblowing system. It can create trust and implement the information requirements mandated by the HinSchG. In addition, it must ensure, for example, that both whistleblowers and any persons affected by a report are properly informed in accordance with data protection law.
Conclusion
In addition to a wide range of legal requirements, the implementation of a whistleblower system must also meet organisational requirements that should not be underestimated. These go beyond the mere provision of an electronic reporting channel.
In view of the obligations of the HinSchG, affected companies that do not yet have a whistleblower system in place should act quickly. But there is no need to rush to implement something which does not work in practice. The time limit for the application of the penalty offence allows sufficient leeway to introduce an effective and well-considered whistleblower system. Companies that already have a whistleblower system in place should review whether it meets the requirements of the law and make any necessary adjustments.
We are well positioned to help companies prepare and implement changes to their systems and policies. We have experience reviewing existing whistleblower systems and implementing whistleblower systems "from scratch". Our holistic consulting approach takes into account not only the requirements of the HinSchG, but also the labour law and data protection requirements that apply in this context, which should not be underestimated.
If you wish, we can take on the tasks of an internal reporting point and act as ombudspersons. As "case handlers", we will examine and coordinate the handling of reports. We are available to your internal reporting point as a contact for questions and can provide full support to deal with whistleblowing reports and indeed internal investigations. Where necessary, we can help you to quality assure your compliance measures, propose concrete improvements, and implement changes together with you.
