Image of a businessman in a suite carrying folders with paperwork

Everything you need to know about whistleblowing: A FAQ guide for companies

The EU Whistleblower Directive on whistleblowing has increased the importance of whistleblowing for companies. Companies in the EU are expected to provide methods for whistleblowing and whistleblower protection is extended. We address everything companies need to know in this context. Especially due to the implementation into national law in Germany and Austria by the respective Whistleblower Protection Act (HinSchG), this topic is now indispensable.

What is whistleblowing?

Whistleblowing is when someone uncovers misconduct in an organisation, for example financial irregularities or discrimination. It is often an employee, but it can also be a third party, such as a supplier or customer.

Whistleblowing is done internally, i.e. by a whistleblower within an organisation. For this reason, companies often set up whistleblowing channels, or whistleblowing systems, so that employees can report wrongdoing. An employee's supervisor is another avenue for reporting.

If a person publicly contacts the media, the police or via social media, this is called external whistleblowing. If a person has little confidence in their company's investigation or reporting process, if they have tried unsuccessfully to report internally, or if there is no whistleblowing system in place, they often choose to report publicly. Whistleblowers have the choice of contacting an "internal reporting office" of the company or an "external reporting office" (public authority). In those cases where internal action against the violation can be taken effectively, internal reporting bodies should be preferred

Whistleblowing complaints in themselves relate to conduct that is illegal under a particular piece of legislation, e.g. criminal offences, discrimination or cover-ups. However, whistleblowing rules can also relate to a broader range of compliance and ethics issues. The respective areas of application under which legally regulated whistleblowing in the EU falls are governed by national whistleblower protection laws.

Whistleblowing is also explicitly different from a complaint in the workplace. A whistleblower's report relates to more serious and much broader issues than a complaint, which is a matter of personal interest and has no impact on the wider public or the company as such. That is why the establishment of an internal whistleblowing unit is recommended even for the smallest companies smallest companies that are not legally obliged to establish a whistleblowing channel.

Why is whistleblowing an important issue right now?

Recent scandals and incidents have raised awareness of whistleblowing. The 2007-2008 global financial crisis exposed widespread mismanagement in financial institutions, and the VW Dieselgate incident in 2015 exposed the carmaker's illegal cheating on US emissions tests. Effective corporate whistleblower procedures and channels may have helped prevent both incidents, which cost companies billions of dollars and were perceived as exactly the kind of events they could have been.

Whistleblowers have also become more visible since 2017, when Hollywood celebrities spoke out about allegations of widespread sexual abuse by Harvey Weinstein as part of the #metoo movement. As a result, many companies have put in place more safeguards and mechanisms for employees to report inappropriate or concerning behaviour.

The EU Whistleblowing Directive was introduced by the European Union in 2019 in response to recent crises such as Luxleaks, the Panama Papers and Cambridge Analytica. Once EU member states have implemented the directive across the board, all companies with more than 50 employees will be expected to have a whistleblowing policy and procedure in place, and anyone wishing to report wrongdoing will have legal protection. In Germany, the Whistleblower Protection Act expanded the previously inadequate protection of whistleblowers and transposed the EU Whistleblower Directive (Directive (EU) 2019/1937) into national law. With the approval of the Bundesrat, the Act was published in the Federal Law Gazette on 2 June 2023 and the entire Act came into force on 2 July 2023 inkraft.

Why is whistleblowing beneficial for companies?

Whistleblowers provide a valuable service both to their company and to society at large. Companies can avoid reputational damage and fines if issues can be resolved internally before they are published in the press or on whistleblower platforms. Fines can be very high. In 2019, a record $2.9 billion in fines were imposed on companies under the US Foreign Corrupt Practices Act. In the EU, fines will vary from member state to member state. In Germany, for example, the maximum fine for non-implementation is 50,000 euros. In Austria, the law has been in force since 25 February 2023 and there is no penalty for non-implementation, but this does not exempt companies from liability if whistleblower cases that are publicly reported bring to light abuses that violate other laws. Also, directors are liable if no reporting office has been established internally to receive the cases, but there are later claims for damages by the company against the director.

A whistleblowing system therefore makes it possible to avoid these penalties. A whistleblowing system also benefits the bottom line, as experience shows that violations cost companies and organisations around 7% of their annual turnover. A large proportion of these incidents can be detected through internal reporting, which minimises the financial damage.

Why do companies worry about whistleblowing? - A closer look at 5 misconceptions

Many of the misconceptions surrounding whistleblowing cause companies to be hesitant or even afraid to implement such a system. Many fear that whistleblowers could damage their reputation or that disgruntled employees could use their whistleblowing system to false complaints. file. There is also concern that a misconduct reporting mechanism may be "too effective" and that they will be inundated with information.

Fortunately, these concerns are unwarranted. If a company has a strong internal whistleblowing programme with effective validity checks, relatively few reports will be made to the outside world. Even if it can be assumed that a few whistleblowers have dubious motives, their number is negligible. According to studies, companies receive an average of 34 reports per year (cf. Whistleblowing Report 2021). The likelihood of reporting problems increases with the size of the company, but this does not necessarily mean anything bad, as it only indicates that the organisation has a positive "speak-up culture".

Misconception 1: Whistleblowers damage the company's reputation

Only when whistleblowers report wrongdoings in the company to the public or the media do they harm the company. Therefore, it is crucial that companies encourage whistleblowers to raise issues internally. It is recommended that companies establish internal channels for whistleblowing and actively promote these channels to employees and other stakeholders. Internal whistleblowing channels allow employees to report their concerns directly to the relevant department in the company, which helps to identify and resolve issues at an early stage. This reduces the possibility of reputational damage.

Misconception 2: Whistleblowers are always prosecuted

If a whistleblower raises concerns directly with a third party (e.g. the media), he or she may be prosecuted if, for example, he or she discloses trade secrets. If the whistleblower acts in the public interest, there are exceptions. Such exceptions are specified in the new Whistleblower Protection Act. A whistleblower who reports his concerns through a company-internal reporting channel, e.g. a digital whistleblowing system, has nothing to fear.

Misconception 3: Employees anonymously share false information about their colleagues through whistleblower programmes

According to the 2019 Whistleblowing Report, which surveyed nearly 1,400 companies in Germany, France, the UK and Switzerland, less than 9% of reports received by companies were aimed at harming specific employees or the company. According to the survey, half of all reports deal with compliance-related difficulties, the other reports usually point to other deficiencies in the company. However, when implementing whistleblower systems, it is important to make it clear that abusive reports will not be accepted.

Misconception 4: If you set up a whistleblower system, you will be inundated with reports.

According to studies, companies receive an average of 34 reports per year (see Whistleblowing Report 2021). The likelihood of registering concerns increases with the size of the company. However, receiving multiple reports is not always a bad thing. While it may indicate that there are many problems in the organisation, it may also simply be a sign that employees are engaged or trust the whistleblowing procedures and feel safe doing so.

Similarly, a low number of reports may indicate that there are few problems, but also that the reporting system is ineffective, that company employees do not trust the channel, or that they do not know where to make a report of wrongdoing. To lower the barrier to reporting problems, companies should disclose their reporting channels and procedures via the intranet as well as the website.

Misconception 5: Whistleblowers are subject to the wrath and retaliation of work colleagues

If a whistleblower reports something, the employer is obliged to keep his identity secret (as far as possible). The employer is obliged to protect the whistleblower from reprisals if the whistleblower's name becomes known for any reason. In the Whistleblower Protection Act, which was implemented in July 2023, the legislator also explicitly mentions the protection of whistleblowers (including against bullying and intimidation).

In practice, however, it can be difficult to identify and stop mild forms of bullying, and employees may fear that their names will be revealed. Permission to report anonymously can provide an extra layer of protection that encourages employees to come forward, especially about really sensitive issues. With the help of modern whistleblowing tools such as konfidal's whistleblower software, it is possible to contact anonymous whistleblowers to obtain more data.

When is a whistleblower protected?

An employee's decision to come forward when they observe wrongdoing is their own. Many people who come forward with information are driven to report wrongdoing. While it is against the law for companies to retaliate against an employee who reports wrongdoing, a whistleblower's career can still suffer. It is difficult to detect workplace bullying at a low level. Whistleblowers often work alone, and friends they thought they could trust in the workplace may abandon them to save their own reputations. Whistleblowers nevertheless need courage and tenacity to expose wrongdoing and risk being exposed by their long-time employers or even by their colleagues, even if there is an anonymous whistleblowing system. Whistleblowers have limited legal protection in several European countries. The EU Whistleblowing Directive, which gives whistleblowers in the public and private sectors a broad right to freedom of expression in all European Union member states, is bringing about change in Europe.

The Directive prohibits direct or indirect reprisals against current or former employees, job applicants, supporters of the whistleblower and journalists, including dismissals, demotions and other forms of discrimination. Protected are wide-ranging areas of law, including reporting breaches of EU law such as tax fraud, money laundering or breaches of public procurement, product and transport safety, environmental protection, public health and consumer and data protection.

The whistleblower has the possibility to report an incident either directly to the competent supervisory authority or first internally within the organisation. The original draft law on the HinSchG considered internal and external reports to be of equal value. Now the law recommends giving preference to internal reporting bodies in those cases where effective action can be taken internally against the violation and the whistleblower does not have to fear reprisals. The whistleblower also has the option of going directly to the public if no action is taken on their report or if they have reason to believe that there is a public interest. In each of these situations, they are covered.

When can whistleblowers be prosecuted?

The public exposure of wrongdoing by whistleblowers has sparked a debate about the balance between the public's right to know and the need for secrecy by authorities. For example, federal officials have often been charged under the US Espionage Act for disclosing classified information. Thus, if the information revealed by a whistleblower poses a threat to national security, it may be actionable.

How do data protection regulations relate to whistleblowing?

Compliance officers must follow very strict protocols when processing personal data in light of the EU General Data Protection Regulation (GDPR), especially when it comes to whistleblowing reports and reporters.

The GDPR has a direct impact on the issue of confidentiality of notices. Under the GDPR, companies are not allowed to collect personal data without informing data subjects how their data will be used. This means that companies must inform suspects about whistleblower complaints filed against them. If the GDPR is properly applied, the identity of the whistleblower will also be disclosed to the suspects, removing any remaining secrecy. This could deter potential whistleblowers and lead to fewer reports.

Data protection authorities advise introducing whistleblowing instruments that allow anonymous reports to ensure the confidentiality of whistleblowers' names. Thus, in the case of an anonymous report, the accused need only be informed that a report has been made about him or her. The identity of the whistleblower is kept secret.

Why is whistleblowing often in the news these days?

According to a June 2020 report by, the Swiss Federal Audit Office (SFAO), which hosts the Confederation's whistleblowing reporting office, receives more reports every year. It is interesting to note that last year most reports were submitted by external parties - suppliers, contractors or recipients of subsidies - and not by employees. 148 reports, or almost 80 % of the total, were anonymous.

The UK's Financial Conduct Authority reported a 61% increase in complaints about financial services providers' whistleblowing policies in October 2020. This increase is attributed to increased awareness of whistleblower protection and protocols, but also to the fact that during the COVID 19 outbreak, it was more difficult for employees to figure out how to use internal company channels to report whistleblowing.

Whistleblowing has also become more important in the times of Corona. The government's Corona measures were officially described as a "false alarm" by Stephan Kohn, a member of the German Federal Ministry of the Interior. Disciplinary proceedings have been initiated against Kohn and he is currently being investigated to determine whether he committed official misconduct.

What are the ethical implications of dealing with whistleblowing?

The ethics of whistleblowing can be seen as a complex issue. Fairness and loyalty, two moral principles, are sometimes at odds with each other when someone tells the truth. On the one hand, loyalty and adherence to moral principles (such as whistleblowing) may occasionally clash (e.g. if one has worked for an organisation for many years). It is possible to see whistleblowing as a breach of trust. Because they value fairness and doing the right thing over loyalty to their organisation, many whistleblowers choose to come forward.

A whistleblower's motivation alone determines whether they are a "hero" or a "traitor". Do they want to set the record straight? Is it a matter of public safety? Or is the pursuit of self-interest or financial gain the motivation for the action? Certain types of whistleblowing are financially rewarded in some countries. Hollywood often romanticises and glamorises prominent whistleblowers (such as Julian Assange and Edward Snowden) in its films, which can appeal to people seeking a certain level of notoriety.

Offering an internal, anonymous channel for reporting wrongdoing is a strategy to prevent "unethical" whistleblowing. Because such a mechanism exists, whistleblowers' identities are protected and they are less likely to go to the press outside their organisation, where they might try to make a name for themselves.

Need more information?

If you would like to discuss specific topics in this blog post or explore individual topics further, please feel free to email us at or comment on this post on LinkedIn.