Whistleblower Protection Act (HinSchG)

The obligation to introduce a whistleblowing process at European level arises from Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“Whistleblowing Directive”). It must be implemented by the German legislator within two years of the Directive coming into force.

The EU Whistleblowing Directive and the resulting German Whistleblower Protection Act (HinSchG) require companies and church bodies with 50 or more employees to introduce an independent whistleblower system from December 18, 2023, through which employees, customers, business partners, authorities, citizens, etc. can provide confidential information about abuses in the company or church body. authorities, citizens, etc. can provide confidential information about irregularities in the company or church body. The possibility for whistleblowers to submit anonymous reports is only included in the law as an optional provision and is therefore no longer a legal obligation.

The whistleblowing system must be implemented via an external provider due to the possibility of confidential reports. Implementing the whistleblower system via the company’s own IT infrastructure does not ensure the confidentiality of the report, as the user can be identified via the IP address and login to the network.


Requirements of the Whistleblowing Directive

The Whistleblowing Directive includes the following requirements, which must be transposed into German law:

  • Companies and church bodies with more than 50 employees are obliged to take measures to protect whistleblowers and set up secure whistleblowing channels and clear reporting processes.
  • The identity of the whistleblower must always be kept secret.
  • Companies or church bodies can either set up and manage their reporting systems through a specially created internal department or commission an external third party to set up and operate the reporting system.
  • Within 7 days of receipt of the report by the reporting person, receipt of the report must be confirmed to the reporting person.
  • The company or the church office must inform the whistleblower in detail within 3 months of the report of how the report has been dealt with and what follow-up measures the company has planned and taken.
  • Whistleblowers must be protected against reprisals (sanctions) of any kind (e.g. suspension, dismissal, demotion or denial of promotion, coercion, intimidation, bullying or exclusion, but also non-renewal of fixed-term employment contracts, damage to reputation, etc.). The reporting of a whistleblower under the protection of the Directive does not constitute a breach of a contractual restriction on disclosure. Liability on any legal grounds whatsoever must be excluded. Whistleblowers should have the opportunity to obtain free and comprehensive information on the available legal remedies and procedures. They must be granted unhindered access to interim legal protection to prevent retaliation under labor law that has already occurred or is still imminent.
  • Not only employees are protected, but also interns, volunteers and the self-employed.
  • There is a reversal of the burden of proof. Previously, the employee/whistleblower had to prove the connection between the report and discrimination in the event of a dispute. Now, the employer/company must explain and, if necessary, prove the (deviating) reason for the alleged discrimination.
  • Internal whistleblowing no longer takes precedence over external whistleblowing. This means that the whistleblower does not have to report the information to the company or church office first, but can contact external offices directly.
  • Sanctions are envisaged for companies or church bodies that obstruct or at least attempt to obstruct reports, take reprisals or disclose the identity of the whistleblower without authorization.
  • In addition, a claim for damages is created for the whistleblower.

In order to maintain confidentiality vis-à-vis the whistleblower and due to the problem of the employer’s reversal of the burden of proof, we recommend not installing the internal whistleblowing office on the company’s or the church’s own IT resources, but instead using an external software solution. This can be made available to you by our law firm.


Services of our law firm

Our law firm can support you in fulfilling the legal requirements of the Whistleblower Protection Act and the Supply Chain Due Diligence Act by providing the following services:

  • Assumption of the function of the internal reporting office in accordance with the Whistleblower Protection Act and the Supply Chain Due Diligence Act
  • Provision of a whistleblower platform for receiving and managing reports from whistleblowers
  • Presentation of the whistleblower platform to the specialist departments, the works council or the employee representatives
  • Preparation of an information letter to employees on the outsourced internal reporting office
  • Creation of a privacy policy for the internal reporting office
  • Appointment of a coordinator in the company or church office who works together with the law firm
  • Legal assessment of whether the scope of application of the aforementioned laws is open
  • Confirmation of receipt of the notification to the notifying person within 7 days
  • Implementation of follow-up measures within a further 3 months
  • Deadline control and monitoring via the whistleblower platform
  • Maintaining the confidentiality of the reporting persons
  • Statistics and reports on the notifications received from whistleblowers

We can offer you a standardized electronic reporting platform that implements both the reporting categories from the Whistleblower Protection Act and those from the Supply Chain Due Diligence Act.

If you have any further questions, please contact our law firm using the contact details provided.