1. Which body of rules governs the status of whistleblowers?

The status of whistleblowers in Germany is primarily governed by European law. The relevant legislation is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (EU Whistleblower-Directive).

The EU Whistleblower-Directive should have been implemented into German law by 17 December 2021 at the latest. After initial draft legislation failed for political reasons, the Federal Ministry of Justice presented a new draft bill for a Whistleblower Protection Act (HinSchG-E) on 13 April 2022. The legislative process is pending. The consultations on the draft bill in the German Bundestag and Bundesrat are expected to take place in the summer of 2022, so the bill can be expected to enter into force in the second half of the calendar year 2022.

The following responses are therefore based on the current draft bill of the Federal Ministry of Justice. At this point, it also remains to be seen whether the government draft will make further amendments to the draft bill of the Federal Ministry of Justice.

Where the draft bill raises specific concerns under European law, this is pointed out separately below.

Last updated on 29/07/2022

  1. Which companies must implement a whistleblowing procedure?

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system by the time the Whistleblower Protection Act becomes effective (section 12 (1), (2) HinSchG-E). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG-E).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG-E).   

  1. Is it possible to set up a whistleblowing procedure at a Group level, covering all subsidiaries?

According to the explanatory memorandum of the draft bill of the Whistleblower Protection Act, it is legally permissible to implement an independent and confidential internal reporting office as a "third party" within the meaning of article 8(5) of the EU Whistleblower Directive at another group company (eg, parent company, sister company or subsidiary), which may also work for several independent companies in the group (section 14 (1) HinSchG-E). However, the European Commission has already announced in two statements that a group-wide whistleblower system does not meet the requirements of the EU Whistleblower Directive. It remains to be seen whether the draft law will still be amended at this point in the legislative process. If the German law ends up retaining the outsourcing of the obligation to a third party, which may also be a company belonging to the group, the question of the compatibility of the regulation with EU law will probably arise at a later stage.

The draft bill of the Whistleblower Protection Act, in line with the EU Directive, further provides that several private employers with between 50 and 249 employees employed on a regular basis may jointly implement and operate an internal reporting office to receive notifications. However, the legal obligation to take action to remedy the violation and the corresponding duty to report back to the person making the report have to remain with the individual employer.

  1. Is there a specific sanction if whistleblowing procedures are absent within the Company?

If there are no whistleblowing procedures in the company (ie, an internal reporting system is not implemented and operated), this constitutes an administrative offence punishable by a fine. This fine may amount to up to 20,000 EUR (section 40 (2) No. 2, (5) HinSchG-E).

At this point, it should be noted that there is a high incentive for employers to implement an internal reporting channel, since the external reporting channel is available to the whistleblower in any case. Consequently, if an internal reporting office were not implemented or operated, the whistleblower would be forced to report directly to the external reporting office. As a result, the employer would not be able to make internal corrections without the reported information leaving the company.

  1. Are the employee representative bodies involved in the implementation of this system? 

Although the implementation of a whistleblower system is based on a legal obligation, the works council only has to be involved under certain circumstances.

First, the employer is, in principle, already obliged to inform the works council in good time and comprehensively about everything it requires to carry out its duties. This information requirement should enable the works council to review whether co-determination or participation rights exist or whether other tasks have to be carried out according to the German Works Constitution Act (BetrVG).

For instance, instructions concerning the orderly conduct of employees are subject to co-determination. These instructions are intended to ensure an undisturbed work process or to organise the way employees live and work together in the company. If, in the course of the implementation of a whistleblower system, the already existing contractual obligations are extended or regulations regarding the specific reporting procedure are introduced (eg, in the form of a reporting obligation on the part of employees), the organisational behaviour would be affected and the works council must therefore be involved (section 87 (1) No. 1 BetrVG).

Furthermore, in the context of setting up an internal reporting channel, the draft bill of the Whistleblower Protection Act only stipulates that whistleblowers must be given the option of submitting a report to the whistleblowing system in text form or verbally. This could, of course, also be provided via digital channels, eg, via software- or web-based solutions. Should the introduction and use of such technical equipment in the relevant case allow the employer to monitor the behaviour or performance of employees (eg, those who deal with the complaint), further co-determination rights of the works council according to section 87 (1) No. 6 BetrVG can be triggered.

  1. What are the publicity measures of the whistleblowing procedure within the company?

The draft bill of the Whistleblower Protection Act does not oblige the company itself to publish any information regarding the internal reporting office or the internal reporting channel implemented. However, the internally implemented reporting office must have clear and easily accessible information available on the external reporting procedure and relevant reporting procedures of European Union institutions, bodies or agencies (section 13 (2) HinSchG-E).

The current explanatory memorandum to the draft bill also contains the more detailed, but not legally binding, reference that the information can be made available via a public website, company intranet or a bulletin board that is accessible to all employees. In this context, it is recommended that the company also refers to the internally implemented reporting office or the internal reporting channel in the same way. This helps to counteract the risk that potential whistleblowers will report primarily via the external reporting channel.

Furthermore, the German Supply Chain Due Diligence Act (LkSG) also provides for the implementation of complaint mechanisms so that the regulatory requirements of companies can also be met through a uniform reporting system. Within its scope of application, the LkSG also provides for the publication of procedural rules for such a reporting system in text form as well as for annual reporting obligations on what measures the company has taken as a result of complaints.

  1. Should employers manage the reporting channel itself or can it be outsourced?

In principle, the draft bill of the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, their involvement is legally permissible only to the extent necessary for that supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG-E). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

  1. What are the obligations of the employer regarding the protection of data collected related to the whistleblowing procedure?

The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (section 10 HinSchG-E). The wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.

The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel (data minimisation principle, article 5 (1) lit. c GDPR).

Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices (section 8 HinSchG-E).

  1. What precautions should be taken when setting up a whistleblowing procedure?

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

As per the present draft bill, there is no legal obligation to design the reporting channels in such a way that they enable the submission of anonymous reports. Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

  1. What types of breaches/violations are subject to whistleblowing?

The draft bill's material scope of application goes beyond European legal requirements. It extends the material scope of application to all violations that are subject to punishment (section 2 (1) No. 1 HinSchG-E). Additionally, violations subject to fines are included insofar as the violated regulation serves to protect life, body, health or the rights of employees or their representative bodies (section 2 (1) No. 2 HinSchG-E). The last alternative covers not only regulations that directly serve occupational health and safety or health protection, but also related notification and documentation requirements, for example under the Minimum Wage Act. Thus, as a result, section 2 (2) No. 2 HinSchG-E covers the majority of administrative offences in the context of employment.

Finally, the draft bill also provides for a list of infringements that predominantly correspond to the relevant areas of law according to the recitals of the EU Whistleblower Directive.

  1. Are there special whistleblowing procedures applicable to specific economic sectors or professional areas?

The draft bill of the Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG-E). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

  1. What is the legal definition of a whistleblower?

A whistleblower is a natural person who, in the context of his or her professional activity or in the preliminary stages of professional activity, has obtained information about violations and reports or discloses it to the – internal or external – reporting offices provided for under the draft bill of the Whistleblower Protection Act (section 1 (1) HinSchG-E).

The draft of the Whistleblower Protection Act also applies to the protection of persons who are subject to a report or disclosure, as well as other persons who are affected by a report or disclosure (section 1 (2) HinSchG-E).

  1. Who can be a whistleblower?

Whistleblowers may be employees, but also, for instance, self-employed persons, volunteers, members of corporate bodies or employees of suppliers. In addition to persons who obtain knowledge in advance, such as in a job interview or during pre-contractual negotiations, the scope of protection also includes those for whom the employment or service relationship has been terminated. As a result, the status of a whistleblower is not dependent on formal criteria such as type of employment.

  1. Are there requirements to fulfil to be considered as a whistleblower?

To be qualified as a whistleblower, the person providing the information must have obtained the information in the context of his or her professional activity or in the preliminary stages of professional activity.

  1. Are anonymous alerts admissible?

The draft bill of the Whistleblower Protection Act does not state that the employer must set up reporting channels in such a way that anonymous reports are admissible (section 16 (1) HinSchG-E). Also, external reporting offices do not have to process anonymous reports (section 27 (1) HinSchG-E). However, employers are entirely free to choose whether to provide systems that allow for the submission and processing of anonymous reports or not.

  1. Does the whistleblower have to be a direct witness of the violation that they are whistleblowing on?

In principle, the whistleblowers do not have to be direct witnesses to a violation. However, they must have obtained information about violations in connection with or before their professional activities. Violation information is defined as a reasonable suspicion or knowledge of actual or potential breaches and attempts to conceal such breaches that have occurred or are very likely to occur (section 3 para 3 HinSchG-E). However, only whistleblowers acting in good faith are protected from any discriminatory measures as a result of their report.

  1. What are the terms and conditions of the whistleblowing procedure?

The whistleblower procedure requires – in its broad outlines – that the personal and material scope of the Whistleblower Protection Act is applicable. Assuming this, the whistleblower must have obtained information about violations in connection with his or her professional activities or in advance of professional activities. In a further step, the whistleblower must report or disclose these violations to the internal and external reporting bodies responsible. The Reporting Office will issue an acknowledgement of receipt to the person making the report within seven days. Within three months of the acknowledgement of receipt, feedback will be provided to the whistleblower on planned and already taken follow-up measures and their reasoning. This information will be documented in compliance with the principle of confidentiality. This documentation will be deleted two years after the conclusion of the proceedings.

  1. Is there a hierarchy between the different reporting channels?

There is no legally binding hierarchy between internal and external reporting channels. The whistleblower has, in principle, the right to choose whether to report the violations externally or internally. If an internally reported violation is not remedied, the whistleblower making the report is free to contact an external reporting office (section 7 (1) HinSchG-E).

Although article 7(2) of the EU Whistleblower Directive provides that the member states will endeavour "to ensure that reporting through internal reporting channels is given preference over reporting through external reporting channels in cases where effective internal action can be taken against the infringement and the whistleblower does not fear reprisals", such prioritisation of the internal reporting channel cannot be inferred from the German draft bill.

  1. Should the employer inform external authorities about the whistleblowing? If so, in what circumstances?

Once the reporting process at the internal reporting office is completed, the internal reporting office can take various follow-up actions. In addition to internal investigations, the process can also be handed over to a competent authority for further investigation (section 18 No. 4 HinSchG-E).

  1. Can the whistleblower be sanctioned if the facts, once verified, are not confirmed or are not constitutive of an infringement?

As a principle, the disclosure of inaccurate information about violations is prohibited under the draft bill of the Whistleblower Protection Act (section 32(2) HinSchG-E). A whistleblower may, however, not be sanctioned if the facts, after being verified, are merely not confirmed or do not constitute a violation in the final analysis. If the information disclosed was incorrect, the following legal consequences will apply:

On the one hand, the whistleblower must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG-E). The whistleblower's liability for damages is based on the fact that a false report or disclosure has far-reaching consequences for the person affected or accused. The effects may no longer be completely reversible. According to the draft bill of the Whistleblower Protection Act, claims for damages resulting from merely negligent incorrect reporting should not arise. Besides, only whistleblowers acting in good faith are protected from further repercussions.

On the other hand, the whistleblower acts improperly if he or she intentionally discloses incorrect information in violation of the draft of section 32 (2) of the Whistleblower Protection Act (section 40 (1) HinSchG-E). This administrative offence may be punished with a fine of up to 20,000 EUR (section 40 (5) HinSchG-E).

  1. What are the sanctions if there is obstruction of the whistleblower?

Retaliation against the whistleblower is prohibited under the draft bill of the Whistleblower Protection Act. This also applies to threats and attempts at retaliation (section 36 (1) HinSchG-E). In addition, it is prohibited to interfere or attempt to interfere with reports or communications between a whistleblower and the reporting office (section 7 (2) HinSchG-E).

If the whistleblower was nevertheless obstructed, the following legal consequences will apply: if retaliation occurs, the person causing the violation must compensate the whistleblower for the resulting damage. However, this does not entitle the whistleblower to an employment relationship, a vocational training relationship, any other contractual relationship, or career advancement.

In addition, taking an illegal reprisal or interfering with the communications between the whistleblower and the reporting office constitutes an administrative offence, which can be punished with a fine of up to 100,000 EUR (section 40 (2) No. 3, (5) HinSchG-E).

  1. What procedure must the whistleblower follow to receive protection?

To obtain protection, the whistleblower generally has to contact the responsible internal or external reporting offices. Disclosure of information about violations directly to the public is subject to strict conditions. This is only permissible, for example, if there is a risk of irreversible damage or in cases where the external reporting agency has not taken the required measures (section 32 (1) HinSchG-E).

The whistleblower providing the information must further act in good faith (ie, must have reasonable cause to believe, at the time of the report or disclosure, that the information disclosed is true, and the information relates to violations that fall within the material scope of the Whistleblower Protection Act (section 33 (1) No. 2 and 3 HinSchG-E)).

  1. What is the scope of the protection? 

The most fundamental part of the protection is the prohibition of retaliation against the whistleblower. Therefore, the reporting or disclosing of information may not result in unjustified disadvantages such as disciplinary measures, dismissal or other discrimination against the person providing the information. The draft bill of the Whistleblower Protection Act contains a reversal of the burden of proof for proving such discrimination and is accompanied by a claim for damages on behalf of the affected party. It should be noted, however, that the reversal of the burden of proof in favour of the whistleblower will only apply in labour court disputes and not in fining proceedings.

Furthermore, the draft bill of the Whistleblower Protection Act contains an exclusion of responsibility. Thus, a whistleblower cannot be made legally responsible for obtaining or accessing information that he or she has reported or disclosed, unless the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG-E). In addition, a whistleblower does not violate any disclosure restrictions and may not be held legally responsible for the disclosure of information made in a report or disclosure if he or she had reasonable cause to believe that the disclosure of the information was necessary to detect a violation.

  1. What are the support measures attached to the status of whistleblower?

First, the person providing the information may not be subject to legal liability for obtaining or accessing information that he or she has reported or disclosed. This does not apply if the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG-E).

In addition, whistleblowers are protected by a comprehensive prohibition of retaliation. Therefore, any adverse consequences caused by disclosure are prohibited. These include, for example, dismissal, disciplinary measures or salary reductions (section 36 (1) HinSchG-E). Measures that violate the prohibition are void under section 134 of the Civil Code. The prohibition of retaliation is rounded off by a reversal of the burden of proof. According to this, it is presumed that a disadvantage that occurs after a disclosure is retaliation. As a consequence, the person who has disadvantaged the whistleblower has to prove that it is factually justified and was not based on the report or the disclosure (section 36 (2) HinSchG-E).

In addition, the whistleblower is entitled to damages in the event of a violation (section 37(1) HinSchG-E).

  1. What are the risks for the whistleblower if there is abusive reporting or non-compliance with the procedure?

If a whistleblower abusively reports a violation, this may initially give rise to criminal liability. Possible criminal offences are pretending to have committed a criminal offence (section 145d of the Criminal Code), false suspicion (section 164 of the Criminal Code) or offences of honour (section 185 et seq of the Criminal Code).

The whistleblower providing the abusive information must also compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG-E). Furthermore, there may be competing claims for damages, for example under section 823(2) of the Civil Code in conjunction with a protective law.

Moreover, the whistleblower commits an administrative offence if he or she intentionally discloses inaccurate information. This may be punished with a fine of up to 20,000 EUR (section 40 (5) HinSchG-E).

In principle, the whistleblower is free to decide whether he or she reports a violation through the internal or the external reporting channel (section 7 (1) HinSchG-E). However, if a violation is disclosed to the public directly (ie, without first using internal or external reporting channels and without there being an exceptional circumstance for this), the whistleblower is generally not subject to the protection of sections 35 to 37 of the Whistleblower Protection Act. Only in narrow exceptions is the whistleblower still protected, for example, if there is a danger of irreversible damage or comparable circumstances may represent an immediate or obvious threat to the public interest.

Originally published by IEL Guide to Whistleblowing