The German Whistleblower Protection Act is Finally Here – What Do Companies Need to Know Now?
After several attempts, the long-awaited Whistleblower Protection Act came into effect on July 2, 2023. Originally, the Federal Council had refused to approve the law in February 2023, but now the federal and state governments have reached a compromise.
The HinSchG aims to protect individuals who observe and wish to report violations of legal regulations during their professional activities. It prohibits any form of retaliation against whistleblowers. In addition, companies must establish secure channels through which misconduct can be reported.
Now the question arises as to what information companies and the public sector need to be adequately prepared for the Whistleblower Protection Act.
The provisions of the Whistleblower Protection Act apply to which companies?
- Companies with 250 or more employees are immediately subject to the Whistleblower Protection Act, as the new provisions apply to them from the effective date of the law.
- For companies with 50 to 249 employees, there is a deadline until December 17, 2023, to establish a reporting office in accordance with the Whistleblower Protection Act.
- Certain industries such as securities services or insurance must establish an internal reporting office regardless of the number of employees. There is no transitional period for these companies.
Which violations should employees report through the reporting offices?
The Whistleblower Protection Act (HinSchG) does not cover all reports of violations of legal regulations. However, the scope defined by Section 2 of the HinSchG is very extensive.
Violations can be reported against the following regulations:
- Violations of criminal provisions
- Administrative offenses, i.e., violations subject to fines, such as regulations regarding occupational safety and health.
- All violations of national laws of the federal government and the states, serving specific European regulations for implementation, as well as nationally applicable EU legal acts.
- The scope has been expanded to also cover statements by civil servants that are considered a violation of the duty of loyalty to the constitution
What happens in case of non-compliance with the law?
According to §40 of the Whistleblower Protection Act, violations of the fundamental provisions of the law are considered administrative offenses and are subject to fines. The amount of the fine varies depending on the nature of the violation.
- Non-compliance with the Whistleblower Protection Act can be punished with fines of up to 50,000 euros. This includes hindering reporting and communication, unauthorized retaliatory measures, and violation of confidentiality requirements.
- A fine of up to 10,000 euros may be imposed if the confidentiality obligation is negligently disregarded.
- Companies that fail to fulfill their obligation to establish and operate an internal reporting office can be fined up to 20,000 euros.
What options are available to whistleblowers for reporting?
- Companies with up to 250 employees can operate a joint reporting office with other companies.
- The Federal Office of Justice (BfJ) establishes an external reporting office that receives reports from the private sector and the public sector. This reporting office is responsible for the federal government and the states. In certain areas, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (BKartA) take on specific tasks as specialized external reporting offices with their existing whistleblower systems. Additionally, individual states have the option to establish their own reporting offices.
- According to §14 of the Whistleblower Protection Act (HinSchG), obligated entities can engage external service providers or ombudspersons to perform the tasks of an internal reporting office. This option is particularly relevant for small and medium-sized enterprises, as they often do not have sufficient human resources to meet the extensive requirements.
Is there a priority of internal over external reporting offices?
No. The whistleblower has the option to either contact the company's internal reporting office or the external reporting office established by the authorities.
What rules and deadlines must companies observe upon receiving a report?
The Whistleblower Protection Act establishes the prescribed procedural processes that must be followed upon receiving a report. These include, in particular, the obligation to document, deadlines for feedback to the whistleblower, and further steps such as internal investigations:
- The reporting can be made both orally and in writing, and on the whistleblower's request, it should also be possible to provide the report in person.
- The internal reporting office must confirm the receipt of the report within seven days.
- After confirming receipt, the reporting office is obligated to provide feedback to the whistleblower within three months. This feedback must include detailed information about planned and already taken follow-up measures and explain the reasons for these actions.
- Furthermore, the reports must be comprehensively documented.
Must companies accept anonymous reports according to the law?
There is no explicit obligation to accept anonymous reports. Both internal and external reporting offices are affected by this. A large number of companies that have already implemented whistleblower systems have opted for reporting channels that allow for anonymous reports.
What measures are in place to protect whistleblowers?
In addition to protection against reprisals, the Whistleblower Protection Act includes a significant protective measure in the form of a reversal of the burden of proof in legal disputes. If a whistleblower experiences reprisals after making a report, it is presumed that these reprisals occur due to the report. However, this presumption applies only if the whistleblower explicitly points out the connection. The employer is therefore responsible for proving that there is no connection between, for example, the termination of an employee and their report of misconduct.
What exceptions exist?
The Whistleblower Protection Act does not cover classified information and data subject to medical confidentiality or attorney-client privilege or judicial advisory confidentiality. The Whistleblower Protection Act makes an exception for the confidentiality level "VS-For Official Use Only" when it concerns criminal offenses and these are reported to an internal reporting office. However, this exception does not apply if the tasks of the internal reporting office have been outsourced to a third party.