FAQ Whistleblower Protection Act

After tough political wrangling, the Whistleblower Protection Act (HinSchG) to implement the so-called Whistleblowing Directive (EU) 2019/1937 has (finally) come into force with effect from 02 July 2023.

Here we answer the most important questions about the protection of whistleblowers and what companies have to consider when implementing the requirements.

Which employers are covered and from when?

The HinSchG covers all private and public employers. However, only employers with at least 50 employees are required to set up internal reporting systems. Employers with generally 50 to 249 employees also have until December 17, 2023, to set up internal hotlines.

Who benefits from whistleblower protection?

The personal scope of application and protection of the HinSchG is broad and includes all persons who have obtained information about (potential) violations in connection with their professional activities. Employees and civil servants (including judges and soldiers), but also members of executive bodies (board members, managing directors), trainees and persons similar to employees are thus protected. The protection also includes shareholders and external parties such as self-employed persons and employees of suppliers.

What is the core of the new whistleblower rights?

In a departure from the previous rules of the game, whistleblowers now do not need to contact the employer in advance if they have discovered a breach of the rules (so-called internal reporting) but may directly involve the competent authority (so-called external reporting). This guarantees the legally enshrined right to choose between both reporting channels.

However, employers "shall" create incentives for whistleblowers to contact the internal reporting office first before reporting to an external reporting office, without, however, limiting or making more difficult the possibility of an external report. Whether an attractive design of the internal reporting channels can suffice as such an incentive remains to be seen in practice.

Which legal violations may be reported?

The catalog of reportable violations in the HinSchG goes beyond the minimum requirements of the EU Directive. In addition to violations that are punishable by law, it also covers violations that are subject to fines, insofar as the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies (such as the works council); an application case here is, for example, the field of occupational health and safety. Furthermore, violations of regulations that transpose European regulations and requirements into national law and are listed as such in the HinSchG are also included.

What are the organizational requirements for employers?

Employers with, as a rule, at least 50 employees must set up internal reporting offices to which employees can turn to report violations. For certain companies, such as securities trading companies or credit institutions, this minimum threshold of 50 employees does not apply. If employers generally have no more than 249 employees, such internal hotlines do not have to be established before December 17, 2023. 

Among other things, the internal reporting office must confirm receipt of the report to the whistleblower within seven days and inform the whistleblower of the follow-up measures it has taken after three months at the latest. Follow-up measures may include, in particular, the initiation of internal investigations, submission to the competent authority or discontinuation of the matter due to lack of evidence.

Where are the internal reporting offices to be set up?

The internal reporting office can be set up at the employer itself. However, external third parties can also be entrusted with this task. In addition, there are simplifications for employers with generally no more than 249 employees. These can operate a joint internal reporting office or jointly commission an external third party. It is important to note that the obligation to take measures to remedy the violation and the obligation to report back to the whistleblower remain with the individual employer and cannot be delegated away.

Especially for smaller companies that just exceed the threshold of 249 employees (or 50 employees as of December 17, 2023), but also for medium-sized companies as well as German subsidiaries of international groups, it may be a good idea to outsource the internal reporting office. We cooperate with NAVEX WhistleB and support companies in this step with an attractive tool and, of course, with all further and necessary steps of whistleblowing compliance - please contact us.

Can a group-wide reporting office be established?

The HinSchG explicitly wants to enable companies to draw on or bundle central resources already available within the group of companies and declares the use and/or establishment of such group-wide reporting offices to be permissible. In this context, too, however, care must be taken to ensure that the responsibility for pursuing and remedying potential violations remains with the respective local group company. 

This view is not shared by the EU Commission. It is of the opinion that a Group-wide whistleblowing system does not meet the requirements of the Directive and cannot release the respective subsidiaries from the obligation to maintain their own internal channels. Due to these diverging views of the German legislator and the EU body, we recommend that possible alternatives to implementation be examined even if there is easy access to existing resources within the group. A clear (and probably necessarily judicial) clarification of this question of interpretation remains to be seen for the time being.

Are there sanctions if an internal reporting office is not established?

The non-establishment of internal reporting offices contrary to the legal obligation is subject to a fine and can be punished accordingly as an administrative offense; fines of up to EUR 20,000 are to be feared.

If no internal reporting office is maintained, there is also a risk that employees may contact the authorities directly with their observations or consider so-called disclosure. In this respect, the risk of possible reputational damage and the leakage of internal company information and possibly even business secrets should not be underestimated. This shows that internal reporting channels are in the best interest of the company and their introduction should definitely be considered - also independent of the respective company size.

What do the external reporting offices look like?

The HinSchG provides for the establishment of a central external reporting office at the Federal Office of Justice (BfJ). In addition, special reporting systems exist at the Federal Financial Supervisory Authority (BaFin) and at the Federal Cartel Office as further external reporting offices with special responsibility. Optionally, external reporting offices can also be set up at the federal states to which whistleblowers can turn if the respective state administration and the respective local governments are affected. 

The external hotlines also operate reporting channels and are also intended to provide potential whistleblowers with comprehensive and independent information and advice on existing remedies and procedures for protection against reprisals.

The external reporting bodies also confirm receipt of the report to the whistleblower within seven days and inform the whistleblower of any follow-up measures initiated after three or six months at the latest.

What does "disclosure" mean?

Disclosure refers to making information about violations available to the public - usually by going to the press or social networks. While whistleblowers are free to choose between internal and external reporting and can invoke the protection of the HinSchG, the law only protects the disclosure of information to the public in a few exceptional cases that are exhaustively listed in the law. The latter apply, among other things, if in the case of external reporting by the authorities involved no suitable measures have been taken within the timeframe provided, there are sufficient grounds for assuming a threat to the public interest or there is an imminent fear of reprisals.

How are whistleblowers protected?

The law mandates comprehensive protection of the whistleblower against "reprisals" as long as the whistleblower had reasonable grounds to believe that the information he or she reported or disclosed was true and the (alleged) violation concerns a set of rules covered by the HinSchG. Reprisals are acts or omissions in connection with professional activity which are a reaction to a report or disclosure and as a result of which the whistleblower suffers or may suffer an unjustified disadvantage. This includes everything from a transfer to an omission from a salary increase or training trip to a warning and termination, but also, for example, the failure to continue employment for a fixed term.

Caution: The HinSchG imposes a reversal of the burden of proof, according to which a disadvantage is considered a reprisal in the legal sense if it only occurs after a whistleblowing event. Thus, the employer must prove that the whistleblower was transferred for other reasons, was not promoted, was not given a fixed term, etc.

The whistleblower is also entitled to damages if he is subjected to reprisals.

Does the identity of the whistleblower remain anonymous? Must anonymous reports be made possible?

It is true that confidentiality about the identity of the whistleblower (as well as the confidentiality of other persons named in the report) is comprehensively protected in the HinSchG. Nevertheless, internal as well as external reporting offices are explicitly not obliged to also investigate anonymous reports. Instead, the law limits itself to stating that reports received anonymously "should" also be processed.

Since taking anonymous internal reports into account can increase acceptance of and trust in the internal whistleblowing system, this step should be considered in any case. The more attractive the internal reporting channels are, the less incentive there is to make external reports.

What is the role of the works council?

As a rule, the works council has a right of co-determination in the implementation of a whistleblower system, i.e. the whistleblower system may not generally be introduced without the prior consent of the works council. In corporate groups or groups of companies, the competence of the group works council, the central works councils and/or the local works councils must be carefully examined and, in case of doubt, delegation resolutions must be sought.

Do you have any questions?
Contact us!



Thomas Griebe



Matthias Pallentin
Subscribe to our newsletter