The Whistleblower Protection Act (HinSchG), which came into force in July 2023, has fundamentally changed the rules of the game for whistleblowing in Germany. This article provides an initial guide to the implementation of the Act, explains the key aspects of the Whistleblower Protection Act and discusses why its effective implementation is crucial for compliance and safeguarding corporate reputation.
The Whistleblower Protection Act, which goes back to an EU Directive and was originally supposed to come into force in December 2021, became legally effective on 02 July 2023. The non-implementation cost Germany considerable money. The law that is now in force provides comprehensive protection for whistleblowers, i.e. internal whistleblowers. The HinSchG provides that companies and other employers, such as churches, with 50 or more employees establish special reporting channels to protect whistleblowers who report information about violations in their work environment. In particular, companies are expected to establish internal reporting channels and internal hotlines to effectively handle incoming reports.
Proper implementation of the Whistleblower Protection Act is critical to protect the rights of whistleblowers while protecting the company from potential legal risks. Companies that do not correctly implement the Whistleblower Protection Act can face heavy fines. In addition, companies that do not comply with the law can also lose their reputation, which can have long-term financial and operational implications.
A whistleblower system is a mechanism that allows employees to report violations of laws or company policies. These reports can be made anonymously to ensure the protection of the whistleblower. The Whistleblower Protection Act requires companies to set up both internal and external hotlines to receive and respond appropriately to reports. The term whistleblower system is commonly equated with whistleblower management software or whistleblower software. However, this only represents a technical-organisational implementation of the requirements, whereas the whistleblower system regulates the entire process.
A violation of the Whistleblower Protection Act can occur in various forms. One of them is the failure to provide appropriate reporting channels for whistleblowers. Another violation could be the failure to respect the confidentiality of whistleblowers or retaliation against whistleblowers. Substantial fines can be imposed for violations of the Whistleblower Protection Act.
The establishment of an internal reporting office is one of the essential requirements of the Whistleblower Protection Act. Companies must establish an internal reporting office that is independent, confidential and effective. This means that the reporting office must be able to receive, evaluate and respond appropriately to reports. In addition, the hotline must be able to protect the identity of whistleblowers. The reporting office can also process anonymous reports if the employing organisation has opted to accept them.
In addition to the internal reporting office, the Whistleblower Protection Act also requires the establishment of an external reporting office. An external reporting office provides employees with an additional option for reporting violations, especially if they fear that their report will not be handled properly internally. The external hotline should be independent, confidential and offer the possibility to report anonymously.
Anonymity plays an important role in the Whistleblower Protection Act. It serves to protect whistleblowers from possible reprisals. In an earlier version, the law stipulated that both internal and external reporting offices must offer the possibility to receive anonymous reports. In principle, this is still the case: if an anonymous report is received, it must also be processed by the reporting office. However, the organisation concerned no longer has to offer an anonymous reporting channel. If an anonymous report nevertheless finds another way into the organisation, it must be taken seriously and followed up. Against this background, the training of the persons responsible for the reporting office (also called case managers) is crucial, and it is required by law.
The Whistleblower Protection Act regulates very precisely in §11 how reports are to be handled and which documentation and deletion requirements are imposed on reports. These must be observed, otherwise there is a risk of a breach of the rules.
The law stipulates that the hotline must act free of instructions. This does not preclude case managers from performing other work in the company, but conflicts of interest must be avoided, which excludes data protection officers (DPOs) and information security officers (ISOs). Nor should management itself fill this role. In-house lawyers and other compliance specialists should also only be used in some circumstances, as they may need to lead the internal investigation that follows a report. To do that properly, they should not be in direct communication with the whistleblower at the same time, so that they do not have to weigh the whistleblower's level of protection against that of the employer. Presumably, therefore, the choice will often fall on HR when it comes to running the hotline. In addition to these personnel considerations, technical expertise is also needed to run the reporting centre properly, so that, for example, false reports are detected and cannot cause too much damage, and regular cases are properly evaluated. Last but not least, the operation of the internal reporting centre can also be fully handed over to third parties.
Significant sanctions can be imposed for violations of the Whistleblower Protection Act. These can include fines of up to 50,000 euros. In addition, a violation of the law can also lead to significant reputational damage for the company. However, regardless of the potential damage, companies should address the issue proactively and also focus on the benefits of whistleblowing. Whistleblowers often act in pursuit of higher goals.
Failure to comply with the Whistleblower Protection Act can have significant consequences for companies. Apart from possible fines, companies can also lose their reputation, which can lead to financial losses and possible legal consequences. In addition, companies that do not properly implement the law may also face lawsuits from whistleblowers.
The implementation of the Whistleblower Protection Act is an essential prerequisite for effective compliance and the protection of whistleblowers' rights. Companies that implement the law correctly can protect themselves from potential legal risks and preserve their reputation.