Earlier, the EU enacted a Whistleblowing Directive to foster increased transparency and protect those who raise awareness about misconduct or malpractice within organizations. As an EU member state, Germany had the responsibility to create its national regulations based on the EU directive, which led to the German Whistleblower Protection Act (HinSchG).
The German Whistleblower Protection Act, HinSchG, is a transition of the EU Whistleblowing Directive into the German legal system. In other words, it is a national Whistleblowing Protection Act that aims to encourage transparency in German companies and protect people that report wrongdoings and violations from retaliation.
The HinSchG was adopted by the Bundesrat and Bundestag in mid-May 2023. It was then signed by the Federal President on the 2nd of June 2023 and will thus enter into force on the 2nd of July 2023.
After the Bundestag had agreed on the 11th of May, the Bundesrat passed the new German Whistleblower Protection Act on May 12th. Subsequently, on June 2nd, the Federal President signed the law and, after a four-week transition period, it will come into force on the 2nd of July.
Early 2021: The SPD-led Ministry of Justice presented a draft law, but the CDU/CSU raised various objections that ultimately caused its rejection.
November 2021: In the coalition agreement at the national level, three parties, SPD, Grüne, and FDP, declared their commitment to enforcing the EU Whistleblower Directive at the national level. They intended to take advocacy beyond mere compliance with the minimum requirements set by the EU and extend legislation scope to federal law.
December 2021: Germany didn't manage to implement a Whistleblowing Protection Act before the EU's deadline on December 17, 2021.
February 2022: Due to the exceeded implementation deadline, the EU Commission initiated infringement proceedings against Germany.
April 2022: Minister of Justice Dr. Marco Buschmann presented an updated draft bill (HinSchG-E), which formed the foundation of the draft law.
July 2022: The federal government accepted a draft law.
September 2022: On September 29, 2022, the draft law was discussed in the first reading in the Bundesrat.
October 2022: On October 2022, the Judiciary Committee convened a public hearing, where the draft law received support from most experts. However, further refinements were still needed to ensure sufficient whistleblowers' protection.
December 2022: On December 16, the Bundestag passed Whistleblower Protection Act in the second and third readings. The next and final step is to receive approval from the Bundesrat.
February 2023: At a public hearing on February 10, the Bundesrat didn't approve the draft law due to several points of criticism. Among them are anonymous reporting, the overabundance of the law, and concerns about excessive bureaucracy for small and medium-sized companies.
March 2023: The German Bundestag took a new step towards implementing the EU Whistleblower Directive. However, discussions were interrupted as the bill was unexpectedly removed from the Bundestag's agenda on March 30th. This has prompted the federal government to convene a mediation committee to further address the matter.
May 2023: After the German Bundestag passed the law on May 11th, the Bundesrat also passed the Whistleblower Protection Act (HinSchG) on May 12th, 2023.
June 2023: On the 2nd of June, the law was published in the Federal Law Gazette after being signed by the Federal President. This will therefore come into force on 2nd of July 2023.
Under the EU directive provision, Germany must implement the National Protection Act that ensures legal protection for people reporting violations in the following areas:
Besides the minimum of areas recommended by the Directive, the German National Whistleblowing Protection Act goes further and also includes:
Specifies whom it applies for
All German companies and organizations with 50 or more employees are required to establish a whistleblowing channel. For companies with 50 to 249 employees, there is a transition period until the 17th of December 2023; larger companies, with 250+ employees, must establish a suitable whistleblower channel by the 2nd of July 2023.
Employees must be given the opportunity to file a report both verbally and in writing. Companies can also offer an indirect whistleblowing option via an ombudsman. Anonymous reporting is not a must, yet the law recommends that anonymous reports be received and processed.
According to the HinSchG, companies must establish an internal reporting system by the 2nd of July 2023, through which employees and potentially third parties can report in writing, verbally or in person. Including:
Written reports can be submitted through a digital whistleblowing system, a dedicated email address, a complaint mailbox, or by post;
Verbal reports can be submitted through a form available within a digital whistleblowing system, whistleblowing hotline (phone), or answering machine system;
In-person meetings should always be available either with a case handler as a follow-up or via an externally hired lawyer or ombudsmen.
There are no restrictions on using external reporting as a first choice. However, German law mentions that internal reporting should be a priority. Therefore, all companies should incentivize employees to use internal reporting in the first place.
HinSchG-E sets the minimum requirement for obligatory access to the internal reporting tool: it must be available for the company's own employees and temporary workers. As for job applicants, partners, and other third parties, it is up to companies to define whether they could use their internal system.
Additionally, the Law mentions the obligatory establishment of an external reporting channel, which will be the responsibility of the Federal Office of Justice (BfJ). The main area of responsibility for external reporting within the Federal Office of Justice will be federal and state governments and information from the private and public sectors. Alongside this, the federal states can choose to set up their own offices for external reporting.
Confidentiality of whistleblowers
The Whistleblower Protection Act prescribes all reporting channels to ensure the confidentiality of whistleblowers. Confidentiality is not the same as anonymity; a case handler can know a whistleblower's identity. However, confidentiality implies that only a preapproved amount of people or one person, preliminary appointed by the company to review internal reports, knows a whistleblower's identity and is responsible for maintaining complete confidentiality. Unless whistleblowers express consent or it is a case of a criminal proceeding, their personal information won't be shared with any other 3rd-parties.
Anonymous reports must be reviewed
Companies are not required to establish a reporting channel that allows employees to submit a report anonymously. Nevertheless, the law recommends that anonymous reports be accepted and processed.
Follow-up responsibility within the company
The law also establishes deadlines for actions, such as when a whistleblower receives a confirmation of a submitted report and when is the latest to notify about the results. Whistleblowers must receive confirmation of the submitted report no later than 7 days after, and the update on the outcomes should follow no later than 3 months after.
Companies need to ensure that their feedback contains practical follow-up actions and a responsible person or office that can take it over. Examples of the follow-up action plan can be an initiation of internal investigations, a plan of action aimed at resolving a problem, a reference to procedures, a referral to a competent authority, or a comprehensive explanation in case of completion of proceedings due to lack of evidence or other reasons.
Requirements for the investigation team
Companies need to appoint an internal case handler or an investigation team of several people (in the case of bigger companies) who will be responsible for receiving, investigating, and following up on submitted reports.
The people appointed to the investigation committee can be a compliance manager, legal counsel, data protection officer, finance or HR director, or similar, as long as these people can act independently and have the necessary specialist knowledge. Companies should organize regular training to ensure that case handlers know their responsibilities. Being a whistleblowing case handler is not a full-time job. These people can combine whistleblowing investigation duties with other tasks they were initially hired for.
As an alternative, companies can outsource the receipt and processing of information to external lawyers or ombudspersons, provided they offer appropriate guarantees for maintaining confidentiality and data protection.
Shared systems and outsourcing
The law draft stipulates that organizations with a headcount of 50 - 249 employees are allowed to share whistleblower systems. Further, companies with multiple subsidiaries can share one system. It is possible via a third-party implementation. By being commissioned with the task of an internal registration office, a company can set up an independent and confidential body as a "third party" for its group companies to use the same system. The responsibility for investigating violations remains with the commissioning company.
Additional provision – beyond EU requirements
German National Law extends beyond the set of requirements set by the EU Directive by including more cases.
Mainly, German lawmakers aim to broaden the scope of their draft law to protect whistleblowers from possible legal discrepancies and ensure that a comprehensive policy covers all reports. This expansion seeks to eliminate any confusion or doubts when it comes to those with critical information about wrongdoing, ensuring they feel safe disclosing what needs to be heard without risking repercussions later on.
Read the whole text of the draft law.
Several fundamental principles define whistleblower protection. These principles were both recommended by the EU Directive and are presented in the draft of the German Whistleblower Protection Act
The German Whistleblower Protection Act (HinSchG) aims to protect employees from any form of retaliatory action in the workplace. Such actions as suspension, termination, or denial of promotion must not take place along with subtle tactics such as non-renewal contracts, damage to professional reputation, improper performance evaluation, etc. Disregarding the law can be costly – legal action can ensue if any of these events occur.
The German Whistleblower Protection law reverses the burden of proof to support victims if their claim for retribution against a wrongdoer is challenged. Ultimately, it allows those affected by unjustified mistreatment to seek justice.
In the event of a violation of the protection against reprisals, affected whistleblowers should have access to legal remedies. They should receive adequate material repayment for any losses sustained and reparation for moral damage.
Failure to implement a whistleblowing system may result in a fine, which could also come with reputational damage to a company.
Further, if other requirements are violated, like improper handling of cases or breach of confidentiality, it can lead to heavier fines of up to € 100,000.
It is in companies' interest to stay abreast of the law and have a whistleblowing policy to ensure their operations are compliant. For the whistleblowing policy to function, companies need to set up a whistleblowing hotline where employees can submit their reports.
Here are a few step-by-step recommendations to help you create and implement a whistleblowing system and remain compliant with the Whistleblower Protection Act.
The whistleblowing policy is not just a part of legal compliance, it is also about building the speak-up culture. That's why a whistleblowing policy should be integrated into the organization's value statement.
One of the primary goals of any whistleblowing policy is to convey to employees that their identity is protected and no retaliation or victimization will follow. A whistleblowing policy should clearly define who a whistleblower is and elaborate on the protection they receive when reporting wrongdoing. Further, it should clarify the types of concerns that employees can report, how they can report them, who investigates received reports, and how the communication around reported cases is arranged.
By mentioning the constant training of case handlers and investigation committees, companies show that they approach case investigation and whistleblowers' security with particular importance.
Submitting a whistleblowing report should be easy. Every step in the whistleblowing process should be explained in a way that a whistleblower feels secure about submitting a report. Further, employees should not break their heads looking for a reporting page. Many companies create a dedicated page on their website, which employees can quickly access by clicking on a link from internal resources or typing it in the search request.
There are several ways to organize a whistleblowing hotline: by means of phone, email, in-person meetings, or a digital system. For better resource efficiency and smooth operations, we recommend considering a digital platform for your reporting management system. The right digital whistleblowing platforms are developed in line with the recent legal and data privacy requirements, which means that they:
Companies can supplement it with a phone line or ombudsman, but in most cases, a digital platform covers all companies' needs for whistleblowing compliance, and some digital systems also provide the option for adding phone support.
Need help hitting the deadline? Finding a secure whistleblowing solution in tight timeframes can be challenging, but we're here to help. Get an inside look at how Whistleblower Software meets the German Whistleblowing Protection Act/ HinSchG requirements and manages reports securely - all with one easy solution.