The HinSchG, German Whistleblower Protection Act: The State of Development

Yulia Landbo

Yulia Landbo

Last updated: May 17, 2023 6 min read

Earlier, the EU enacted a Whistleblowing Directive to foster increased transparency and protect those who raise awareness about misconduct or malpractice within organizations. As an EU member state, Germany had the responsibility to create its national regulations based on the EU directive, which led to the German Whistleblower Protection Act (HinSchG).

What is The German Whistleblower Protection Act (HinSchG)? 

HinSchG German Whistleblowing Protection Act.png

The German Whistleblower Protection Act, HinSchG, is a transition of the EU Whistleblowing Directive into the German legal system. In other words, it is a national Whistleblowing Protection Act that aims to encourage transparency in German companies and protect people that report wrongdoings and violations from retaliation. 

HinSchG was adopted by the Bundesrat on May 12, 2023, and should come into force in the middle of June.

The German Whistleblower Protection Act – HinSchG: What Violations Can Whistleblowers Report?

Under the EU directive provision, Germany must implement the National Protection Act that ensures legal protection for people reporting violations in the following areas:

  • Public procurement;
  • Financial services, products, markets, prevention of money laundering and terrorist financing;
  • Product safety and compliance;
  • Transport safety;
  • Protection of the environment;
  • Radiation protection and nuclear safety;
  • Food and feed safety, animal health, and welfare;
  • Public health;
  • Consumer protection;
  • Protection of privacy and personal data, security of network and information systems.

Besides the minimum of areas recommended by the Directive, the German National Whistleblowing Protection Act goes further and also includes:

  • Any penal provision under German law;
  • Breaches of the regulations that protect life, health, and the rights of employees or their representative bodies. The most common cases for this will be regulations in the areas of occupational health and safety, violations of the minimum wage law, etc.;
  • Statements by civil servants that represent a violation of their constitutional obligations to remain loyal to the oaths made to the Constitution;
  • Both illegal and lawful actions or omissions, if they contradict the aim of the regulations in the areas of law;
  • All violations of federal and state legal regulations and directly applicable EU legal acts.

What does the German Whistleblower Protection Act (HinSchG) include? 

  • Specifies whom it applies for 

All German companies and organizations with 50 or more employees are obliged to set up a reporting office. For companies with a headcount of 50 - 249 employees, there is a transitional phase until December 2023; larger companies would have to implement a whistleblowing channel on shorter notice. Currently, the expected deadline for companies 250+ is three months after the draft law is approved by the German Federal Council (Bundesrat). 

  • Whistleblowing channels

Employees must have multiple options to submit reports, both in writing and in verbal form. Companies can also present an indirect whistleblowing option through an ombudsman. Anonymous reports are not yet a must, but they might be in 2025 – it is still up to the final law to decide.

  • Internal Reporting   

According to HinSchG, within an established deadline, companies must adopt an internal reporting system through which employees and potentially third parties can report in writing, orally, or in person. Particularly:

  • Written reports can be submitted through a digital whistleblowing system, a dedicated email address, a complaint mailbox, or by post;

  • Verbal reports can be submitted through a form available within a digital whistleblowing system, whistleblowing hotline (phone), or answering machine system;

  • In-person meetings should always be available either with a case handler as a follow-up or via an externally hired lawyer or ombudsmen. 

There are no restrictions on using external reporting as a first choice. However, German law mentions that internal reporting should be a priority. Therefore, all companies should incentivize employees to use internal reporting in the first place.

HinSchG-E sets the minimum requirement for obligatory access to the internal reporting tool: it must be available for the company's own employees and temporary workers. As for job applicants, partners, and other third parties, it is up to companies to define whether they could use their internal system.

  • External reporting

Additionally, the Law mentions the obligatory establishment of an external reporting channel, which will be the responsibility of the Federal Office of Justice (BfJ). The main area of responsibility for external reporting within the Federal Office of Justice will be federal and state governments and information from the private and public sectors. Alongside this, the federal states can choose to set up their own offices for external reporting.

  • Confidentiality of whistleblowers 

The Whistleblower Protection Act prescribes all reporting channels to ensure the confidentiality of whistleblowers. Confidentiality is not the same as anonymity; a case handler can know a whistleblower's identity. However, confidentiality implies that only a preapproved amount of people or one person, preliminary appointed by the company to review internal reports, knows a whistleblower's identity and is responsible for maintaining complete confidentiality. Unless whistleblowers express consent or it is a case of a criminal proceeding, their personal information won't be shared with any other 3rd-parties. 

  • Anonymous reports must be reviewed

In the first law draft, German companies were only recommended to accept and review anonymous reports. In the amended version, the Federal Parliament (Bundestag) made it obligatory for companies to process anonymous reports as long as this does not get in the way of the non-anonymous reports' priority. 

At the same time, until January 1st, 2025, German companies are not obliged to implement an anonymous channel, making anonymous reporting a controversial area and raising many questions among the experts. The final answer will follow with the final adoption of the Whistleblower Protection Act.

  • Follow-up responsibility within the company

The law also establishes deadlines for actions, such as when a whistleblower receives a confirmation of a submitted report and when is the latest to notify about the results. Whistleblowers must receive confirmation of the submitted report no later than 7 days after, and the update on the outcomes should follow no later than 3 months after. 

Companies need to ensure that their feedback contains practical follow-up actions and a responsible person or office that can take it over. Examples of the follow-up action plan can be an initiation of internal investigations, a plan of action aimed at resolving a problem, a reference to procedures, a referral to a competent authority, or a comprehensive explanation in case of completion of proceedings due to lack of evidence or other reasons. 

  • Requirements for the investigation team

Companies need to appoint an internal case handler or an investigation team of several people (in the case of bigger companies) who will be responsible for receiving, investigating, and following up on submitted reports.

The people appointed to the investigation committee can be a compliance manager, legal counsel, data protection officer, finance or HR director, or similar, as long as these people can act independently and have the necessary specialist knowledge. Companies should organize regular training to ensure that case handlers know their responsibilities. Being a whistleblowing case handler is not a full-time job. These people can combine whistleblowing investigation duties with other tasks they were initially hired for. 

As an alternative, companies can outsource the receipt and processing of information to external lawyers or ombudspersons, provided they offer appropriate guarantees for maintaining confidentiality and data protection.

  • Shared systems and outsourcing

The law draft stipulates that organizations with a headcount of 50 - 249 employees are allowed to share whistleblower systems. Further, companies with multiple subsidiaries can share one system. It is possible via a third-party implementation. By being commissioned with the task of an internal registration office, a company can set up an independent and confidential body as a "third party" for its group companies to use the same system. The responsibility for investigating violations remains with the commissioning company.

  • Additional provision – beyond EU requirements

German National Law extends beyond the set of requirements set by the EU Directive by including more cases. 

Mainly, German lawmakers aim to broaden the scope of their draft law to protect whistleblowers from possible legal discrepancies and ensure that a comprehensive policy covers all reports. This expansion seeks to eliminate any confusion or doubts when it comes to those with critical information about wrongdoing, ensuring they feel safe disclosing what needs to be heard without risking repercussions later on.

Read the whole text of the draft law. 

What is the Current Course of The Whistleblower Protection Act?

Following Bundestag's May 11th approval, the Bundesrat passed the new German Whistleblower Protection Act on May 12th. The law is set to go into effect four weeks from the announcement, which is estimated to be in mid-June 2023. 

A detailed timeline of HinSchG implementation

Early 2021:  The SPD-led Ministry of Justice presented a draft law, but the CDU/CSU raised various objections that ultimately caused its rejection.

November 2021: In the coalition agreement at the national level, three parties, SPD, Grüne, and FDP, declared their commitment to enforcing the EU Whistleblower Directive at the national level. They intended to take advocacy beyond mere compliance with the minimum requirements set by the EU and extend legislation scope to federal law.

December 2021:  Germany didn't manage to implement a Whistleblowing Protection Act before the EU's deadline on December 17, 2021.

February 2022:  Due to the exceeded implementation deadline, the EU Commission initiated infringement proceedings against Germany. 

April 2022:  Minister of Justice Dr. Marco Buschmann presented an updated draft bill (HinSchG-E), which formed the foundation of the draft law.

July 2022:  The federal government accepted a draft law. 

September 2022: On September 29, 2022, the draft law was discussed in the first reading in the Bundesrat. 

October 2022:  On October 2022, the Judiciary Committee convened a public hearing, where the draft law received support from most experts. However, further refinements were still needed to ensure sufficient whistleblowers' protection.

December 2022: On December 16, the Bundestag passed Whistleblower Protection Act in the second and third readings. The next and final step is to receive approval from the Bundesrat. 

February 2023: At a public hearing on February 10, the Bundesrat didn't approve the draft law due to several points of criticism. Among them are anonymous reporting, the overabundance of the law, and concerns about excessive bureaucracy for small and medium-sized companies.

March 2023: The German Bundestag took a new step towards implementing the EU Whistleblower Directive. However, discussions were interrupted as the bill was unexpectedly removed from the Bundestag's agenda on March 30th. This has prompted the federal government to convene a mediation committee to further address the matter.

May 2023:  Following the law adopted by the German Bundestag on May 11, the Bundesrat passed the German Whistleblower Protection Act (HinSchG)  on May 12, 2023. The new law should come into force in mid-June 2023, i.e., four weeks after it is signed. 

How Does the German Whistleblower Protection Act (HinSchG) protect whistleblowers? 

Several fundamental principles define whistleblower protection. These principles were both recommended by the EU Directive and are presented in the draft of the German Whistleblower Protection Act 

No retaliation

The German Whistleblower Protection Act (HinSchG) aims to protect employees from any form of retaliatory action in the workplace. Such actions as suspension, termination, or denial of promotion must not take place along with subtle tactics such as non-renewal contracts, damage to professional reputation, improper performance evaluation, etc. Disregarding the law can be costly – legal action can ensue if any of these events occur.

The proof burden in favor of whistleblowers

The German Whistleblower Protection law reverses the burden of proof to support victims if their claim for retribution against a wrongdoer is challenged. Ultimately, it allows those affected by unjustified mistreatment to seek justice.

Access to legal remedies 

In the event of a violation of the protection against reprisals, affected whistleblowers should have access to legal remedies. They should receive adequate material repayment for any losses sustained and reparation for moral damage.

Consequences of not implementing a whistleblower system according to the German Whistleblower Protection Act

Failure to implement a whistleblowing system may result in a fine, which could also come with reputational damage to a company.

Further, if other requirements are violated, like improper handling of cases or breach of confidentiality, it can lead to heavier fines of up to € 100,000. 

Advice on the next steps for becoming HinSchG compliant 

It is in companies' interest to stay abreast of the law and have a whistleblowing policy to ensure their operations are compliant. For the whistleblowing policy to function, companies need to set up a whistleblowing hotline where employees can submit their reports.  

Here are a few step-by-step recommendations to help you create and implement a whistleblowing system and remain compliant with the Whistleblower Protection Act.

1. Create a whistleblowing policy

The whistleblowing policy is not just a part of legal compliance, it is also about building the speak-up culture. That's why a whistleblowing policy should be integrated into the organization's value statement. 

One of the primary goals of any whistleblowing policy is to convey to employees that their identity is protected and no retaliation or victimization will follow. A whistleblowing policy should clearly define who a whistleblower is and elaborate on the protection they receive when reporting wrongdoing. Further, it should clarify the types of concerns that employees can report, how they can report them, who investigates received reports, and how the communication around reported cases is arranged. 

By mentioning the constant training of case handlers and investigation committees, companies show that they approach case investigation and whistleblowers' security with particular importance. 

2. Remember anonymity

Even though anonymous whistleblowing is not legally required from the first day the German Whistleblower Protection Act comes into force (according to the current draft law), it will be obligatory later in 2025. Taking the initiative to explore anonymous reporting today is a smart move for businesses; it eliminates the need and wastage of resources spent searching in the future. Particularly, as companies will be, anyway, or are already reviewing their possibilities due to the tight deadlines. 

3. Think of convenience for employees 

Submitting a whistleblowing report should be easy. Every step in the whistleblowing process should be explained in a way that a whistleblower feels secure about submitting a report. Further, employees should not break their heads looking for a reporting page. Many companies create a dedicated page on their website, which employees can quickly access by clicking on a link from internal resources or typing it in the search request. 

4. The digital solution for a whistleblowing hotline

There are several ways to organize a whistleblowing hotline: by means of phone, email, in-person meetings, or a digital system. For better resource efficiency and smooth operations, we recommend considering a digital platform for your reporting management system. The right digital whistleblowing platforms are developed in line with the recent legal and data privacy requirements, which means that they:

  • Provide a customizable and secure reporting tool;
  • Protect the identity of reporters by encrypting any personal data;
  • Allow secure communication between reporters and case handlers, even in the anonymous mode;
  • Handle all data according to the highest data security standards.

Companies can supplement it with a phone line or ombudsman, but in most cases, a digital platform covers all companies' needs for whistleblowing compliance, and some digital systems also provide the option for adding phone support.

You can see how it works by taking a short tour through the reporting page.


Need help hitting the deadline? Finding a secure whistleblowing solution in tight timeframes can be challenging, but we're here to help. Get an inside look at how Whistleblower Software meets the German Whistleblowing Protection Act/ HinSchG requirements and manages reports securely - all with one easy solution.