
How to deal with whistleblower cases? Soundness check, testing schemes and practical implementation

Whistleblowers play an important role in exposing misconduct, wrongdoing or criminal activity within organisations. Effective verification of the validity of reports is crucial to assess the credibility of the information reported and to take appropriate action. Special attention must be paid to this, particularly against the background of the Whistleblower Protection Acts now in force in Germany and Austria (HinSchG and HSchG). In this blog post, we present test schemes and go into the practical implementation of the validity test.

Step-by-step check scheme

A structured test scheme facilitates the assessment of the validity of evidence. The legal literature alone, as well as the practice of public prosecutors' offices, offers very elaborate test procedures for this when it comes to the possible prosecution of criminal offences. However, you do not have to be an expert or a prosecutor to be able to deal with whistleblower cases appropriately. Therefore, the following is a possible procedure that is manageable for smaller organisations in terms of complexity:

1.1 Gathering information

First of all, it is important to document all relevant information of the whistleblower. This includes personal data, the reported facts, persons involved and possible evidence.

1.2 Maintain anonymity and confidentiality

The identity of the whistleblower should be protected to avoid possible retaliation. Ensure that all information is kept confidential and only shared with authorised persons. If the whistleblower has reported anonymously, ensure that his/her identity remains protected and only make the case available to third parties if clarification requires it. In addition, make sure that only parts of the tip are disclosed to third parties so as not to inadvertently compromise the anonymity of the whistleblower through any inferences that may be drawn from the report.

1.3 Initial assessment

Assess whether the reported facts are plausible and whether it is a serious allegation that warrants further investigation. Reports that clearly indicate abuse of the whistleblower channel should be rejected with good reason. However, make sure that you provide sufficient documentation of your actions here as well.

1.4 Assessing credibility

Check whether the whistleblower appears credible and whether there are indications of self-serving motives.

1.5 Gathering evidence

Gather evidence that supports the reported information, e.g. documents, witness statements or electronic data. However, in regular communication with the whistleblower, avoid asking for further evidence for the leads. Only if the whistleblower shares such evidence should you include it in your investigation. Ideally, you should avoid turning the whistleblower into a secret investigator who might obtain further evidence for the tip by potentially criminal means.

1.6 Evaluation of the evidence

Evaluate the quality and relevance of the evidence collected and assess whether it is sufficient to substantiate the reported facts.

1.7 Final report and action

Prepare a final report summarising the findings of the validity check and take appropriate action, e.g. internal investigations (conducted by internal or external staff), engaging specialised lawyers or even involving regulatory authorities.

Practical implementation

Successfully conducting a validity check requires careful planning and good time management. Here are some practical tips:

2.1 Clarify responsibilities

Determine who within the organisation is responsible for the validity check, e.g. a compliance department, the in-house counsel or an external representative. Make sure that the validity check is not entrusted to persons who may have to conduct subsequent internal investigations, and that there is no conflict of interest between their role as the person responsible for the reporting office and their function in the Internal Investigations Unit. Logic dictates that these two tasks should not be carried out by the same person. The reason is the possible conflict of interest or bias that arises when the person who processes and examines cases learns details that would already massively narrow the thrust of internal investigations. Similarly, internal data protection officers must monitor the reporting unit with regard to data protection and cannot do so if they are also the reporting unit itself.

2.2 Training and awareness raising

Ensure that the persons responsible for the validity check have the necessary knowledge and skills and are familiar with the relevant laws and regulations.

2.3 Communication and cooperation

Encourage open communication between different departments and promote cooperation to gather all relevant information and take appropriate action. However, when communicating with other departments in obtaining information for validity checks, be careful not to inadvertently disclose details from the original notice.

2.4 Documentation and follow-up

You should carefully document all steps of the validation and ensure that all relevant information can be stored, tracked, and later retraced. Good software helps here by design. However, for the German HinSchG, for example, you can also find the most important documentation requirements in the legal text.

2.5 Continuous improvement

Regularly review the effectiveness of your validity checks and, if necessary, adjust your processes and policies to ensure effective whistleblower screening. For example, if all reports in a defined period of time have received the label "not valid", it is reasonable to suspect that the review processes are flawed. As a rule, it is assumed that between 25 and 50% of all cases are valid and indicate real wrongdoing.


Careful verification of the validity of reports is critical to ensure that the information reported is credible and relevant. By applying a structured verification scheme and considering practical aspects, organisations can respond effectively to whistleblower cases and take appropriate action. This helps to uncover misconduct and malpractice and to promote a responsible corporate culture.

This presentation does not take into account divergent provisions in individual laws, where applicable, which provide for different procedures or audit processes. Since neither the EU Whistleblower Directive, nor the forthcoming Whistleblower Protection Act in Germany, nor the Whistleblower Protection Act in Austria provides explicit procedural requirements for the validity check, companies are free to choose the concrete procedure here. In this video, compliance specialist and lawyer Andreas Trapp from Passau presents in more detail a particularly noteworthy procedure that is presumably optimal in the event of a later legal dispute.

Based on this, konfidal provides you with a programme-supported validity check, with which you can quickly determine whether a case is more likely to be valid or not by means of scoring values. In addition, the system supports you in finding out whether the case even falls under the legal scope of application of standing laws or whether the case should possibly be reported directly to a public authority. Contact us directly if you would like to learn more about this feature. You can reach us at or at +49 (0) 176 72224558. We are also available here if you are thinking about full outsourcing of your hotline operation.

Please note that this text neither constitutes legal advice nor can or should replace legal advice on the interpretation of individual laws.