On July 2, 2023, the new German Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG) took effect. The law contains comprehensive provisions for the protection of whistleblowers. At the same time, it obliges all companies with at least 50 employees to establish internal reporting channels. This article summarizes the key provisions of the new law.
- The Whistleblower Protection Act requires all companies with 50 or more employees to establish internal reporting channels.
- Whistleblower protections cover allegations of criminal behavior and violations of occupational health and safety regulations, minimum wage regulations, regulations under the Posted Workers Act, and regulations on labor leasing, as well as EU regulations.
- The Whistleblower Protection Act took effect on July 2, 2023.
Scope of Application
The Whistleblower Protection Act covers a wide range of legal violations. In addition to criminal offenses, its scope of application includes, but is not limited to, violations that are subject to fines of regulations protecting life, limb, or health, or the rights of employees or their representative bodies. These include, for example, occupational health and safety regulations, minimum wage regulations, regulations under the Posted Workers Act (Arbeitnehmer-Entsendegesetz – AEntG), and regulations on labor leasing (Arbeitnehmerüberlassung). Furthermore, according to the European Union (EU) directive underlying the Whistleblower Protection Act, numerous EU regulations—such as those related to money laundering, product safety, transportation, and food and drug safety, as well as environmental, consumer, and data protection—are also covered.
Whistleblowers who have obtained information about violations of the aforementioned types in connection with their professional activities or during the hiring process and who report them through the designated reporting channels are protected from reprisals and retaliation. Covered whistleblowers include, among others, employees, interns, trainees, freelancers, representatives of corporate bodies, civil servants, temporary workers, and job applicants. The protection also extends to individuals who are otherwise affected by a report or disclosure, such as potential witnesses.
Establishment and Operation of Reporting Channels
According to the Whistleblower Protection Act, whistleblowers may contact both external (governmental) reporting channels and their respective employers’ internal reporting channels. In principle, they have the right to choose which reporting channel (internal or external) to use, although internal reporting channels are generally to be given preference. Going public (so-called “disclosure”) is permitted only if the reporting channels called upon have not reacted adequately or if, in exceptional cases, such disclosure appears to be the only effective way (e.g., in emergencies or in cases of imminent destruction of evidence).
The Federal Office of Justice (Bundesamt für Justiz) maintains a central external reporting channel. Additional specialized reporting channels have been established by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) and the Federal Cartel Office (Bundeskartellamt). Additional reporting channels at the state level are also available. In addition, all employers with at least 50 employees are required to establish internal reporting channels. For employers with at least 250 employees, this obligation applies immediately; for companies with 50 to 249 employees, the law provides for a transitional period for the establishment of internal reporting channels until December 17, 2023, at the latest. Special regulations exist for the insurance and financial sectors, among others.
The Whistleblower Protection Act includes various requirements for the establishment and operation of internal hotlines:
- Internal reporting channels may be operated with the company’s own employees or with external service providers (e.g., providers of digital whistleblowing platforms). In groups of affiliates, the reporting channel may also be established with another group company. Smaller employers with 50 to 249 employees may set up joint reporting channels.
- Persons responsible for operating the internal reporting channels must carry out their tasks independently and have the necessary expertise. If internal reporting channels are operated by an employer’s own employees, the employer must provide appropriate training.
- Each reporting channel must ensure strict confidentiality.
- Internal reporting channels must allow reports to be made either verbally (e.g., by telephone) or in written form (e.g., email). If desired, personal contact must also be made possible, which may also take place via video conference with the consent of the whistleblower.
- According to the requirements of the law, the internal reporting channels do not have to allow anonymous contact and communication with the whistleblower. However, anonymous reports should generally still be processed.
When dealing with incoming reports, several legal requirements must be observed:
- The whistleblower must receive an acknowledgement of receipt no later than seven days after the report.
- It must be determined whether the reported violation falls within the scope of the Whistleblower Protection Act.
- Subsequently, the received report must be assessed for its plausibility.
- Contact must be maintained with the whistleblower, and, if necessary, the whistleblower should be asked for further information.
- Appropriate follow-up action must be taken, such as:
  - conducting a more extensive internal investigation with questioning of the parties involved;
  - referral of the whistleblower to other (external) agencies;
  - closure of the proceedings for lack of evidence or other reasons; and
  - submission of the case to a unit responsible for internal investigations within the employer organization or to a competent authority.
- No more than three months after the acknowledgement of receipt, the whistleblower must be given feedback on the processing status.
- Employers must properly document the process. In general, the documentation must be deleted no later than three years after the process has been completed.
Data Protection Issues
In the course of using whistleblower systems, a large amount of personal data of all possible parties involved is inevitably collected or processed. In particular, this involves the following data categories:
- Information about the reporting individual (unless an anonymous report has been made)
- Information on the reported facts, if necessary with references to other persons involved or otherwise affected, witnesses, etc.
- Other data collected through investigations (e.g., data from corporate IT, messages, conversations to clarify the facts of the case)
Frequently, particularly sensitive information subject to Article 9 of the General Data Protection Regulation (GDPR) may be processed in the context of whistleblowing procedures. It is evident that the use of such whistleblowing systems and the related data processing entail major risks for the data subjects. Against this background, maintaining confidentiality with regard to the data collected in the context of whistleblowing systems is imperative.
Access to information collected or processed within whistleblower systems must be restricted to individuals who are responsible for the internal reporting office or who support it (e.g., IT service providers, if necessary). Information about reporting individuals or individuals affected or named in reports must only be processed by the internal reporting office or individuals responsible for follow-up measures (e.g., compliance department). In principle, any disclosure of information about the identity of the whistleblower may take place only if such disclosure is necessary for the implementation of follow-up measures and the whistleblower has given his or her prior consent.
This may result in a contradiction between the special confidentiality requirements of the Whistleblower Protection Act and the so-called data subject rights under the GDPR (e.g., right to information under Article 14 GDPR, if data was not obtained from the data subject, or right to information about the processing under Article 15 GDPR). The Whistleblower Protection Act only partially resolves this contradiction. Based on the confidentiality requirement stipulated in Section 8 of the Whistleblower Protection Act, it can be inferred that, as a rule, it opposes a right to information regarding the data processed within whistleblower systems, and the company is not obligated to provide information when an access request is made. Likewise, the right to information of data subjects under Article 14 of the GDPR may not generally apply since informing a data subject about a report within the whistleblower system may regularly pose a risk of thwarting or complicating further investigations. In this respect, the company’s interest in secrecy is likely to prevail in many cases; however, this might change in the course of the proceedings, so that information about the data subject would have to be provided if the interest in secrecy no longer exists (e.g., if evidence has been secured).
If a third party is commissioned to set up an internal reporting channel, employers may want to pay particular attention to the contractual regulations from a data protection perspective. As a rule, this is likely to be commissioned data processing, so it may make sense to include a corresponding contract for commissioned data processing. Employers may also want to pay special attention to where the processing of personal data takes place (e.g., whether a transfer of data takes place outside the scope of the GDPR).
Before setting up a whistleblower system, a company will generally have to carry out a data protection impact assessment (DPIA) in accordance with Article 35 of the GDPR, as the data processing operations in this context are always expected to pose a major risk to the rights and freedoms of individuals.
Prohibition on Retaliation
Within the scope of the Whistleblower Protection Act, whistleblowers are comprehensively protected against reprisals or retaliatory measures. Any unjustified professional discrimination or threat thereof in connection with a report under the Whistleblower Protection Act is prohibited. This may include but is not limited to terminations, demotions, or refused promotions, as well as changes in job assignments or disciplinary measures. The law provides for a reversal of the burden of proof: If whistleblowers claim to have suffered a disadvantage as a result of a report or disclosure, it is initially presumed, to the detriment of the employer, that the disputed measure constitutes a reprisal or retaliatory action. In addition, whistleblowers can claim damages from their employers in the event of prohibited retaliation.
Violations of the Whistleblower Protection Act may be punished with administrative fines of up to €50,000. However, fines for employers with at least 250 employees that fail to set up reporting channels in violation of the law cannot be imposed until December 1, 2023.
Participation Rights of the Works Council
The participation rights of the works council must be observed when establishing internal reporting channels. Since the establishment of reporting channels is legally required, the right to participate does not extend to the “if” of the establishment. However, the works council may have participation rights regarding the detailed design of the reporting procedure (e.g., based on considerations of order in the company or due to the introduction of a new computer program for managing the reports). The extent to which this also applies if an employer decides not to operate a reporting channel with its own employees but rather uses an external provider—and in doing so, implements only the statutory requirements—has not yet been clearly resolved.
What Employers May Want to Consider Now
- All employers with at least 50 employees may wish to start setting up internal reporting channels as soon as possible. Especially in companies with works councils, a longer implementation period is to be expected.
- Group companies may want to examine the possibility of a central reporting channel within the group. Consider defining procedures and responsibilities regarding the operation of the internal reporting channel in accordance with the Whistleblower Protection Act. This could be done, for example, in the form of a corresponding company guideline. In companies with a works council, a shop agreement may be concluded. Companies may also want to take data protection aspects into account.
- If the reporting channel is to be operated internally by an employer with its own employees, the employer may want to establish appropriate structures to ensure the independence of the responsible employees, and provide those employees with sufficient training.
- Consider ensuring that HR personnel are made aware of the prohibition on retaliation. In individual cases, consider carefully documenting the reasons for personnel measures affecting whistleblowers.
- Consider informing employees of the easy accessibility of the internal reporting channel. It will likely be in the company’s interest for employees to use the option of internal reporting (instead of external reporting) in order to remedy any grievances as soon as possible and without negative external impact. Against this background, companies may want to consider establishing anonymous reporting channels as well—even if not required by law.
- Companies that already have in place reporting channels and guidelines for dealing with such reports (e.g., whistleblower hotlines and policies in international corporations) may wish to double-check their compliance with the new Whistleblower Protection Act.