Two girls are whispering to each other.

Confidentiality requirement for whistleblower reports: When are exceptions allowed?

The Whistleblower Protection Act is an important instrument to protect whistleblowers in Germany. But when is it allowed to deviate from the confidentiality requirement and disclose the identity of whistleblowers? In this article, we will look at the legal provisions that clarify this question.

First, it is important to know that the identity of whistleblowers who intentionally or grossly negligently report false information is not protected. This is stated in section 32(2) of the Whistleblower Protection Act: "The identity of a whistleblower who intentionally or with gross negligence reports incorrect information about violations shall not be protected under this Act." According to Section 38 of the HinSchG, a whistleblower who intentionally or grossly negligently reports or discloses incorrect information is liable to pay compensation for the resulting damage.

For companies, this means that they can also actively combat abusive use of whistleblower channels, which sounds relieving at first.

However, there are also situations in which the identity of a whistleblower may be disclosed under certain conditions, despite the fact that the content of the report is initially not objectionable. § Section 9(2) of the Act lists the cases in which this is permitted:

  • In criminal proceedings at the request of the prosecuting authorities.
  • On the basis of an order in administrative proceedings following a report, including administrative fine proceedings.
  • On the basis of a court decision.
  • By the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) as an external reporting office pursuant to Section 21 to the competent departments within BaFin and, in the case of transactions referred to in Section 109a of the Securities Trading Act, to the bodies referred to in Section 109a of the Securities Trading Act.
  • By the Federal Cartel Office as external reporting office pursuant to Section 22 to the competent specialist departments within the Federal Cartel Office as well as in the cases of Section 49 (2) sentence 2 and (4) and Section 50d of the Act against Restraints of Competition to the respective competent competition authority.

MROS must inform the whistleblower in advance of the disclosure, unless this would jeopardise investigations or proceedings (paragraph 2 of the Act).

In addition, information about the identity of the whistleblower or about other circumstances that allow conclusions to be drawn about the identity of this person may be disclosed if the disclosure is necessary for follow-up measures and the whistleblower has previously consented to the disclosure (Section 9(3) of the Act).

Finally, Section 9(4) of the Act regulates the disclosure of information on the identity of persons who are the subject of a report and of other persons named in the report. Disclosure is permitted under certain circumstances, e.g. if consent has been given or for internal investigations.

In summary, the confidentiality requirement for whistleblower reports may be breached in certain cases. The legal provisions are designed to strike a balance between protecting the identity of whistleblowers and the need to effectively investigate reported violations.

However, in order to preserve the trust of whistleblowers and protect their identity in most cases, strict conditions must be met before their identity may be disclosed. This ensures that the Whistleblower Protection Act fulfils its purpose: To promote transparency and accountability in organisations, while protecting those who are brave enough to expose wrongdoing.

However, it is also important to note that while companies are required under Section 12 and Section 23 of the Whistleblower Protection Act to establish internal hotlines to enable whistleblower reporting, external whistleblowers may also be required to report to an external hotline. However, whistleblowers can also use external hotlines to report wrongdoing. Against this background, it is all the more important to maintain a high level of protection for whistleblowers when I am confronted with information as a company. In the case of data leaks, a later public report by the same whistleblower could lead to my internal vulnerabilities becoming known after the fact. In addition, as a company I have to check very carefully in this context whether an exception to confidentiality is actually appropriate. Because if the report later ends up with the public authorities anyway and it turns out in the course of this that the disclosure made by the company was incorrect because the basis for the disclosure was wrongly assessed, the company could be threatened with penalties due to the breach of the confidentiality requirement as well as possible claims for damages by the whistleblower based on § 37 HinSchG.

Overall, however, this article shows that the Whistleblower Protection Act in Germany provides clear rules for the protection of whistleblowers, but also allows exceptions for the disclosure of their identity under certain circumstances. Understanding these regulations is important for organisations, whistleblowers and the public alike to know and comply with the rights and obligations of all parties under the Act.

Please note that this blog article does not constitute legal advice and cannot replace it in any way. However, if the regulations mentioned seem too onerous for you to implement in your organisation, please contact us. We will help you with the implementation. We would also be happy to take over the operation of the reporting channel and the reporting office for you, so that you no longer need to worry about these regulations. Simply write to us at or call us at +49 (0) 176 72224558.