European Union: The German Supply Chain Due Diligence Act: New Whistleblowing Legislation

Introduction to The German Supply Chain Due Diligence Act

The Supply Chain Due Diligence Act is a piece of business legislation known in German as Lieferkettensorgfaltspflichtengesetz, or LkSG.

It was passed by the German Federal Parliament on 11 June 2021 after lengthy negotiations with the German Federal Council in June of that year and is due to come into force on 1 January 2023.

Legally, the LkSG legislation requires companies to adapt and update their compliance, purchasing and contract processes on certain human rights and environmental matter, including establishing a reporting mechanism (called "complaints procedure") open to relevant stakeholders.

From our point of view, these adaptations include making a significant introduction of whistleblowing services, so in this article Safecall will look at what senior management and whistleblowing report managers can do to prepare for the coming implementation.

Want us to keep you posted on how LkSG legislation affects whistleblowing?

Register your interest by email button below

Register your interest

What is the aim of the LkSG legislation?

In essence, the Supply Chain Due Diligence Act compels businesses and organisations that operate within Germany to improve their (global) supply chain compliance with human rights and material standards of environmental protection.

The LkSG act does this by placing due diligence obligations on those responsible for activities that fall within its scope.

These obligations within supply chain operations are duties of effort, rather than duties to succeed or guarantee liability.

So, with whistleblowing in mind, that means the LkSG act requires organisations to extend their whistleblowing processes into their (global) supply chain, if the organisation (or any of its significant subsidiaries) operates within Germany and falls in scope of the LkSG act.

Which companies and organisations does the Supply Chain Due Diligence Act apply to?

From 1 January 2023 any company or organisation with a headcount of 3,000+ employees working in Germany, that have a head office, administrative seat or statutory seat in Germany OR any company or organisation with a branch in Germany and usually employs 3,000+ employees in Germany.

From 1 January 2024 any company or organisation with 1,000+ employees working in Germany, that have a head office, administrative seat or statutory seat in Germany OR any company or organisation with a branch in Germany and usually employs 1,000+ employees in Germany.

For the purpose of calculation Group companies are included in the number of employees of the parent company; and temporary workers are only included if their duties exceed 6 months.

But – and this is important – even if a company or organisation with fewer employees is not directly affected by the LkSG act, they might still be affected indirectly.

That's because these companies might still be obliged to enforce best efforts to improve due diligence within their own supply chain, as directed by their customers further up the supply chain.

In other words... just because you don't have to comply, doesn't mean that your customer might not have to.

Because if your customer is in scope of the LkSG act, they are obliged to seek contractual assurance that you (as part of their supply chain) are making best efforts to improve due diligence yourself (including accepting trainings and audits), and that you address the issue in your own supply chain as well.

So, a domino effect will take place.

How will compliance with the Act be enforced?

The LkSG act gives far-reaching powers of intervention to the authorities.

For the LkSG act, the competent authority is the Federal Office for Economic Affairs and Export Control (BAFA).

BAFA can, at the request of an affected person or as a result of its own initiative, impose remedial measures on the business or organisation concerned to ensure compliance. It has wide-ranging powers over information and access and must be supported to enforce the remedial actions.

In addition, trade unions also have the power to conduct litigation on behalf of an affected person.

In both the above cases, the affected person might be anyone along the supply chain, not just the employees of the company or the direct supplier affected.

Further, BAFA has the mandate to actively conduct audits (including information requests and on-site audits) of companies in scope of the LkSG act.

Audits will likely be based on annual LkSG reports those companies have to file to BAFA and publish.

If BAFA considers compliance measures non-existing or inadequate, BAFA can impose hefty administrative fines on the company, as well as in individuals in charge to secure compliance with the LkSG act through the company, namely management.

What are the penalties for violations?

Penalties can be sweeping and heavy depending on the gravity and nature of the violation.

Violation fines for lack of due diligence and reporting can be up to EUR 8 million for companies, and up to EUR 800k for individuals.

Companies with an average turnover of more than EUR 400 million might be fined up to 2% of their average annual global turnover.

Organisations might also be excluded from significant public tenders for up to three years.

While the LkSG Act at present only applies to companies with a German nexus (as explained above), this might change once the proposed EU Corporate Sustainability Directive is implemented. In this case, all EU based companies as well as companies from non-EU countries will fall in scope, subject to certain number of employees (located anywhere) and certain revenues (generated within the EU).

Are there likely to be more Supply Chain Act changes? Can't I just wait to see them first?

Yes, there will be changes... but they are likely to be of adaptation rather than complete changes. Businesses and organisations can't wait until the dust has settled to begin implementation.

For example...

At the instigation of the European Parliament (March 2021), the European Commission has been working toward the creation of a new EU Directive that governs what due diligence obligations are actually required within the environmental, human rights and corporate governance field.

Although these amendments will not be completed until 2024 (at the earliest), the obligations will overlap and amend the LkSG legislation, rather than replace them wholesale. Further, requirements under the EU directive (as proposed) will likely exceed requirements under the LkSG act.

In this regard, Dr. Eike W. Grunert, compliance expert heading the German Compliance practice of Pinsent Masons, says:

"The German Supply Chain Due Diligence Act as well as the proposed EU directive demonstrate the significance of ESG topics for companies. The draft directive also addresses climate protection. Companies should therefore promptly address relevant risks in their supply chain and mitigate them with appropriate compliance measures. Inevitably, this will require a robust whistleblowing process."

So, it's better for responsible businesses to act now and be compliant, rather than wait to see what happens. Further, implementation of due diligence efforts as defined will require significant lead time before processed are effectively implemented as required.

What whistleblowing actions need to be taken?

Responsible businesses have to develop and implement a robust whistleblowing process as part of their Environmental, social and Governance (ESG) compliance, and have to extend this service into their supply chain, to enable all relevant stakeholders launching reports, including own employee, employees of direct suppliers, but also those of indirect suppliers further down the supply chain.

Further, the LkSG act mandates certain specific requirements for the whistleblowing process, including, among other, publicly accessible rules of procedure, impartiality of the person entrusted with the operation, confidentiality, comprehensive (and public) information on accessibility and responsibility, and annual effectiveness review.

By doing so, the organisation can be shown to be making best efforts to comply with the respective due diligence obligation on the complaints procedure as imposed by the new LkSG legislation.

Yes, there will undoubtedly be future changes that will tighten up the legislative demands, but a reliable external whistleblowing provider will ensure that their reporting system and processes are able to adapt to any changes.

Required Process

1. Review your supply chain

Create a database of all your direct third-party suppliers - and indirect suppliers where known - within your supply chain.

Identify any potential human rights and environmental risks within your supply chain database e.g., by filtering out relevant countries, goods or services generally prone to human rights or environmental violations, as reflected through a number of indices and other information. This creates boundaries for risk and demonstrates to authorities (including BAFA) that you have the required defined process.

Approach identified suppliers with a view to collecting more detailed information about risk relevance and any risk mitigation processes they might have.

This action demonstrates to authorities (including BAFA) that you are making best efforts to identify any means of preventing supply chain wrongdoing with regard to human rights or environmental laws.

Collate any information in a uniform manner to enable best practice retrieval, and adhere to the documentation requirements under the LkSG act

2. Identify concrete supply chain risks

Identify any suppliers that exhibit actual human rights or environmental law violation risks.

Note that this might include anyone within your supply chain that has not necessarily had any violations but is still at risk of them because they have no mitigation processes in place.

3. Choose how best to handle any risks

Take an informed decision, based on your analysis, on how to mitigate any risk to your organisation through preventive measures as might be defined in more detail through LkSG legislation, such as a declaration of principle, procurement processes, training, controls, and contractual covenants to be requested from suppliers.

This might involve offering to extend your existing whistleblowing processes into their business.

It might involve requesting the identified suppliers to put in place new compliance measures (including whistleblowing processes) themselves.

Or equally, if a supplier refuses to offer best efforts to comply with the LkSG legislation, it might be wise to look for an alternative supplier.

If the company gains substantiated knowledge about possible violations at indirect suppliers further down the supply chain, measures have to be expanded to those suppliers as well.

4. Put regular supply chain reviews in place

Supply chains change over time. Old suppliers depart, new suppliers arrive.

So, it's not enough to conduct a risk/mitigation exercise with regard to the German Supply Chain Due Diligence Act once. Rather, under the LkSG act it needs to be conducted on a regular basis (as well as ad-hoc if risk-significant circumstances of the business change), and records need to be kept of when they are conducted.

Again, this flags to the authorities that your organisation is making best efforts to ensure there are either no human rights and environmental law violations, or that if they do occur, your organisation has the best possible awareness of when they take place and can rectify them and prevent future damage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.