- After much back and forth, the German Whistleblower Protection Act (Hinweisgeberschutzgesetz; HinSchG) was passed by the German parliament on 12 May 2023 and will come into force one month after its announcement (most likely mid-June 2023).
- The HinSchG is intended to create standardization and comprehensive protection for whistleblowers in the implementation of the European Whistleblowing Directive (EU) 2019/1937.
- The HinSchG applies to companies with more than 50 employees and the transition periods are very short:
- Companies with more than 249 employees must establish and operate a whistleblower system after the HinSchG comes into force.
- Companies with 50-249 employees have until 17 December 2023 to set up and operate a whistleblower system.
- The HinSchG applies to any person who has obtained information on violations punishable by law or by administrative fines in connection with their professional activities. Violations punishable by administrative fines only have to be reported insofar as the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies (eg occupational health and safety, health protection, minimum wage or employee leasing). In addition, certain violations of EU law and German legal norms enacted to implement European regulations (for example anti-money laundering laws and data protection laws) are included.
- Employers must establish at least one internal reporting office. However, reporting offices may be outsourced to external service providers. In the course of this, the works council and the data protection officer need to be consulted.
- The HinSchG imposes procedural requirements towards the whistleblower such as acknowledging the report within 7 days and processing the request and providing feedback to the whistleblower within 3 months.
- The HinSchG protects the whistleblower by prohibiting disclosure of the whistleblower's identity and by protecting the whistleblower against any reprisals, retaliation of any kind and pecuniary damages.
- The HinSchG provides for administrative fines of between EUR 10,000 and EUR 50,000 depending on the offence.
Overview of the regulations
- The obligation to establish and operate an adequate whistleblowing system applies to employers with 50 or more employees.
- Employers with between 50 and 249 employees will have an implementation period until 17 December 2023.
- Employers with more than 249 employees must act when the HinSchG comes into force.
Obligations of employer – Establishment of at least one internal reporting office:
- The employer must set up at least one internal reporting office. However, reporting offices may be outsourced to external service providers.
- The reporting office must be confidential and access to reports must be protected from third parties.
- The persons entrusted with the tasks of a reporting office must be independent in the performance of their duties and have the necessary expertise.
- It must be possible for potential whistleblowers to make reports in person, orally or in writing.
- Employers must create incentives for whistleblowers to contact the relevant reporting office. The incentives are not specified in the law.
- In any case, employees must be provided with clear and easily accessible information on how to use the internal reporting procedure.
Obligations of the reporting office:
- The reporting office has to process reports of violations made by persons who, in the course of their professional activities, become aware of violations that are punishable by law or by administrative fines. Violations punishable by administrative fines only have to be reported insofar as the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies (eg occupational health and safety, health protection, minimum wage or employee leasing). In addition, certain violations of EU law and German legal norms that were adopted to implement European regulations (eg anti-money laundering laws and data protection laws) are also included.
- In case of doubt, the reporting office must always investigate incoming reports, even if the above-mentioned violations cannot be clearly identified.
- Although there is no obligation for the reporting office to do so under the HinSchG, employers should also investigate anonymous reports.
Reporting procedures and deadlines:
- An acknowledgment of receipt of the report must be made to the whistleblower no later than 7 days after receipt by the reporting office.
- The reporting office must then check whether the reported violation falls within the scope of the HinSchG and whether the tip is valid.
- If so, further investigations are to be carried out. If necessary, further information must be requested from the whistleblower.
- After the successful completion of the investigation, the reporting office must take appropriate follow-up action.
- No later than 3 months after the acknowledgment of receipt of the report, the whistleblower must be provided with feedback on the follow-up measures planned and already taken and the reasons for them.
- Exceptions to the feedback requirement apply to sensitive investigations where the disclosure of information could prejudice the investigation or affect the rights of the persons who are the subject of, or named in a report.
- Documentation of information received shall be kept confidential and records should be kept for a maximum of 3 years.
Further to-dos for the employer:
• Consultation of the works council:
- Depending on the structure of the reporting office (eg in the case of a whistleblower hotline), the works council has far-reaching co-determination rights under section 87 para. 1 no. 1 Works Constitution Act (BetrVG) and section 87 para. 1 no. 6 BetrVG (introduction and use of technical equipment).
- Employers should consult the works council in good time (to negotiate respective works agreements) to ensure that the system can be introduced in good time.
• Involvement of the data protection officer:
- The data protection officer should be involved at an early stage in order to decide on the following data protection measures:
- Carry out a data protection impact assessment.
- Raise awareness among employees and, if necessary, adjust the duty of confidentiality and the duty to comply with GDPR requirements.
- Use encryption and ensure secure data transfer, restrict access to data in the reporting system to a strict need-to-know basis, create an authorization concept, log data entries.
- Adapting the data deletion policy.
- Preventing a report and the subsequent communication, taking a prohibited retaliatory action or deliberately or recklessly disregarding the obligation of confidentiality is punishable by a fine of up to EUR 50,000.
- Negligent breach of the confidentiality requirement is punishable by a fine of up to EUR 10,000.
- Failure to comply with the obligation to establish and operate an internal reporting office is punishable by a fine of up to EUR 20,000.
- The reference to Sections 30 and 130 of the Administrative Offenses Act allows the maximum limit to be increased tenfold in the case of serious infringements.
Whistleblower protection and how to deal with them:
- Whistleblowers are protected by the obligation of the reporting office not to disclose their identity.
- Whistleblowers shall be protected against reprisals, retaliation of any kind and pecuniary damages. Whistleblowers can claim damages if the prohibition of reprisals is violated. However, there is no provision for compensation for non-material damages suffered by whistleblowers as a result of disclosing certain events.
- Whistleblowers are given extensive protection, and the HinSchG provides for a shift in the burden of proof: In the future, the employer will have to prove that measures taken against employees are not related to the disclosure under the HinSchG.
- On the other hand, a prerequisite for whistleblower protection is that whistleblowers have sufficient reason to believe that the information they reported or disclosed was true at the time of the report or disclosure. In addition, the information must concern violations that fall within the scope of the HinSchG, or at least the whistleblower must have sufficient reason to believe that this was the case at the time of the report or disclosure. Whistleblowers are liable for damages in cases of intentional or grossly negligent false reports or in cases of disclosure of false information.
- There is a legal presumption that a whistleblower’s disadvantage is a reprisal as a result of reporting a violation if the whistleblower claims this.
- Employers must therefore document personnel decisions and the considerations behind them that affect whistleblowers. If the whistleblower alleges that he or she has been disadvantaged as a result of a previous whistleblowing, the employer must be able to prove that the decision does not constitute an unlawful sanction against the whistleblower. This may be relevant, for example, in relation to promotion decisions or in the termination of employment contracts.
- Employers can thus protect themselves from whistleblowers who make a report out of non-objective considerations or to “discredit” others without sufficient suspicion to ward off labor law measures against themselves.
Practical implications and to-dos for employers
- The HinSchG is expected to come into force mid-June 2023. Employers with 250 employees or more will hardly have any time left for implementation. Smaller employers must tackle the law with a view to 17 December 2023.
- Employers should become aware of the requirements of the HinSchG as soon as possible and take the following measures:
- In view of potential liability risks, internal reporting offices should be set up without delay and embedded in an appropriate compliance management system.
- Decide whether they want to operate the internal reporting office or outsource it to a law firm/external provider.
- Determine the team responsible for the internal reporting office and the follow-up measures.
- Define the processes from receiving a report to closing the case.
- Consult the works council.
- Consult the company’s data protection officer.
- Draft FAQs and guidelines on the procedure and access to the whistleblower system for the employees.
- Prepare training for the relevant team(s).
- Prepare a data protection impact assessment and data protection notices.