In our WhistleBlog series, we answer the most important FAQs on the topic of whistleblowing and whistleblower protection.
Here companies can find everything they need to know about whistleblowing!
“Whistleblowing” literally means “blowing the whistle”. It refers to so-called whistleblowers who uncover wrongdoing in companies.
The decision to uncover such wrongdoing often requires a great deal of courage and determination. In Germany in particular, the law has so far protected these whistleblowers only inadequately.
This is now changing with the new Whistleblower Protection Act (HinSchG).
On 16 December 2019, the EU Whistleblower Directive came into force (official name: EU Directive 2019/1937 on the protection of persons reporting breaches of Union law). It is intended to better protect whistleblowers from reprisals for disclosing internal wrongdoing and to guarantee an EU-wide standard for this protection. Until now, such protection was only rudimentary and regulated differently in the individual EU states.
The EU member states must transpose the EU Whistleblower Directive into national law. The deadline for implementation was 17 December 2021. Germany has not yet passed a national law on the protection of whistleblowers and has thus let the deadline for implementation pass. The EU Commission therefore initiated infringement proceedings against Germany in February 2022.
With the Whistleblower Protection Act (HinSchG), Germany will now implement the EU Whistleblower Directive.
The German Whistleblower Protection Act (HinSchG) implements the EU Whistleblower Directive.
Aim of the Act
Like the underlying EU Whistleblower Directive, the primary objective of the Whistleblower Protection Act (HinSchG) is to protect persons who have obtained information about violations in connection with their professional activities and report them to an internal or external reporting office. Whistleblowers are protected from any reprisals and retaliation. Furthermore, it is intended to counteract the stigmatisation of persons who disclose internal secrets.
The scope of protection is broader than that of the EU Whistleblower Directive: while the EU Directive only protects the disclosure of violations of EU law, the German Whistleblower Protection Act (HinSchG) also protects the disclosure of violations of national law. The purpose is to let whistleblowers be sure that they will not suffer sanctions even in complex cases involving violations of EU law as well as German law.
Consequences for companies
Companies in Germany above a certain size must implement the Whistleblower Protection Act (HinSchG). We explain the details in section 5 “To which companies does the new Whistleblower Protection Act (HinSchG) apply?”.
Below we describe a chronology of events to date:
- December 2019 – EU Whistleblower Directive enters into force. Member states have until 17 December 2021 to transpose the EU Directive into national law.
- December 2021 – Deadline to implement EU Directive expires without result. The EU Whistleblower Directive should have been transposed into German law by 17 December 2021. However, the draft laws at the time failed.
- February 2022 – Infringement proceedings against Germany. After the German legislator failed to transpose the EU Directive within the deadline, the EU Commission initiated infringement proceedings.
- July 2022 – Federal government adopts a draft of the Whistleblower Protection Act (HinSchG).
- September 22 – Consultation on the draft in the Bundestag. Bundestag and Bundesrat discuss the Whistleblower Protection Act (HinSchG).
- December 22 – Resolution of the Whistleblower Protection Act (HinSchG) by the Bundestag. The Bundesrat has not yet given its consent.
The German Whistleblower Protection Act (HinSchG) will probably be passed in Q1 2023. Once passed, it will enter into force 3 months later.
Companies that fall under the scope of application must therefore be prepared to implement the Whistleblower Protection Act by Q2 2023.
The German Whistleblower Protection Act applies (with regard to the obligation to establish an “internal reporting office”)
- for companies with 250 or more employees from the date of entry into force (expected end of Q4 2022 or Q1 2023) and
- for companies with between 50 and 249 employees from 17 December 2023.
In addition, the Whistleblower Protection Act applies to public sector entities, public authorities and municipalities with a population of 10,000 or more.
Companies that fall under the scope of the Whistleblower Protection Act (HinSchG) must essentially implement the following requirements:
Establishment of an “internal reporting office”
Companies must establish an “internal reporting office” to which employees can turn. The term “employees” refers to workers, trainees and persons similar to employees.
The internal reporting office operates reporting channels, manages the reporting procedure and takes appropriate follow-up action in case of relevant reports. The details are covered in the sections on “Requirements for the internal reporting office” (chapter 7) and “Tasks of the internal reporting office” (chapter 8).
Several companies with 50 to 249 employees each can set up a joint “internal reporting office”. This is likely to be of particular interest to corporate groups.
Establishment of reporting channels
Companies must set up internal reporting channels for the “internal reporting office” through which violations can be reported. In principle, violations subject to criminal penalties or fines as well as violations of certain national or European legal provisions may be reported.
The reporting channels must allow reports to be made orally or in text form. At the request of the whistleblower, a personal meeting with the internal reporting office must be made possible within a reasonable time for a report.
There is no obligation to design the reporting channels in such a way that they allow anonymous reporting.
The Whistleblower Protection Act (HinSchG) describes the following requirements and organisational forms for the “internal reporting office”:
- The internal reporting office can be staffed by a person employed by the company (e.g. compliance officer or general counsel) or by an external third party (e.g. external lawyer as ombudsperson).
- The person in question must act independently and have the necessary expertise to assess incoming reports (especially with regard to legal relevance). Such assessments usually require legal expertise.
Important for corporate groups: Several companies within a corporate group, each with 50 to 249 employees, can set up a joint “internal reporting office” (e.g. at the group-wide compliance office).
The “internal reporting office” has the following tasks:
Operation of the internal reporting channels
The “internal reporting office” operates the internal reporting channels through which employees can contact it to report information about violations.
Running the reporting system
The internal reporting office manages the reporting procedure. It
- confirms receipt of the report to the whistleblower within 7 days at the latest,
- checks whether the reported violation is relevant,
- maintains contact with the whistleblower,
- checks the validity of the report received and
- requests further information from the whistleblower if necessary.
Taking follow-up action
The “internal reporting office” shall take appropriate follow-up action. To this end, it may in particular
- conduct internal investigations,
- close the case for lack of evidence or other reasons, or
- transfer the case to a competent authority for further investigation.
The Whistleblower Protection Act (HinSchG) gives companies the choice of staffing the “internal reporting office” internally (e.g. by an employed person or organisational unit within the company) or externally by a third party (e.g. external ombudsperson).
Outsourcing such a function to an external service provider brings some advantages:
An external service provider is usually cheaper and already brings the necessary expertise, experience and sensitivity by virtue of their profession. Furthermore, there is no risk of possible conflicts of interest. In addition, the company has a solvent (insured) debtor in case of damage.
Reporting channels must allow reports to be made verbally (e.g. telephone) or in text form (e.g. digital whistleblowing system).
The confidentiality of the report and the whistleblower must be guaranteed. Only the “internal reporting office” and supporting persons may have access to the incoming reports. It must be possible to submit anonymous reports.
In practice, whistleblower systems based on digital platforms have proven to be particularly useful as reporting channels for submitting written reports. When selecting an appropriate provider, care should be taken to ensure that the platform meets at least the following requirements (best practices):
- Hosting of the system within the EU and not on servers of US subsidiaries (to meet the data protection requirements of the GDPR)
- Certified high-security data centre (ISO 27001)
- Anonymous 2-way communication
- Multilingual
- End-to-end encryption
- 2-factor authentication
- Removal of metadata
If a company does not set up an internal reporting office or does not do so in time, it faces fines of up to 20,000 euros.