The "Act for Better Protection of Whistleblowers" (Hinweisgeberschutzgesetz – HinSchG), which came into force on 2 July 2023, introduced specific legal requirements for employers regarding the handling of whistleblowers and the information disclosed. Employers are now required to provide a reporting channel and protect whistleblowers from reprisals. For HR managers, this primarily means an increased administrative burden.

Personal scope of application

The HinSchG protects not only employees in a personal capacity, but also job applicants, interns and employees of third-party companies (such as suppliers or business partners) who have obtained information about violations in connection with their professional activities and report or disclose this information to an internal or external reporting channel (whistleblowers). In addition, individuals who are the subject of a report or disclosure or who are affected by such a report or disclosure are also protected.

However, only those whistleblowers who report information about violations to the internal or external reporting offices provided for under the HinSchG will fall within the personal scope of the HinSchG. Consequently, employees who do not report information about violations to the appropriate internal or external reporting offices but, rather, make a report to the HR department or works council, for example, do not fall within the personal protection of the HinSchG. It is not clear whether the employee can still benefit from the protection of the HinSchG if the employee submits additional, subsequent reports to the reporting office.

Material scope of application

The HinSchG contains an exhaustive list of the types of disclosures which are protected (Section 2 HinSchG). Violations of legal provisions are covered and include, in particular, the reporting or passing on of information on violations of criminal provisions and violations punishable by a fine, insofar as the provision violated serves to protect life, limb or health or the rights of employees and their representative bodies (Section 2 (1) no. 2 of the Act on Protection against Harassment). This includes provisions of individual labour law (e.g. Minimum Wage Act, General Act on Equal Treatment, Act on Temporary Agency Work) and collective labour law (e.g. non-compliance with the works council's duty to inform, e.g. in the case of a change in operations, Section 121 of the German Works Constitution Act – Betriebsverfassungsgesetz/BetrVG). Unethical or immoral conduct is not covered. In addition, violations of company agreements or internal compliance regulations are also not covered.

Reports or disclosures of violations of certain provisions of EU and national law (e.g. antitrust law, environmental law or product safety regulations) are also protected.

Employers are free to allow their employees to use internal reporting channels to report compliance breaches or employment contract violations that do not fall within the definition of a disclosure for the purposes of the HinSchG. In this case, however, it should be explicitly stated that such reports do not fall within the scope of the protection.

Establishment and organisation of an internal reporting channel

The HinSchG generally applies to all employers, regardless of their size. The HinSchG imposes a legal obligation on employers with at least 50 employees to set up a secure and reliable internal reporting channel by 17 December 2023. Larger employers, being those with 250 or more employees, were required to comply with this obligation from 2 July 2023 (the date the HinSchG came into force). From 1 December 2023 there is now a risk of fines for non-compliance (Section 40 (2) No. 2, Section 42 (2) HinSchG). Section 3 (8) HinSchG establishes who is to be included in the calculation of the number of employees. It should be noted, for example, that part-time employees are included in full and not just on a pro rata basis. Irrespective of the number of employees, the obligation to set up an internal reporting channel applies to all employers listed in Section 12 (3) HinSchG (e.g. investment service providers, data provision services, etc.).

In accordance with Section 14 (1) HinSchG, an internal reporting channel can either be set up within the employer itself or with a third party which can perform the tasks of an internal reporting channel. Entrusting a third party with the tasks of an internal reporting channel, however, does not release the employer from the obligation to take appropriate measures to remedy any violation.

Section 16 HinSchG contains provisions on the organisation of internal reporting channels. In particular, this provision clarifies that the reporting channels do not have to allow for anonymous reporting, which may be surprising for many employers.

When setting up the internal reporting channels, the legally prescribed procedure for handling internal reports must also be observed (Section 17 HinSchG). According to this, the whistleblower must receive confirmation of receipt of their report within seven days at the latest. In addition, the reporting office must immediately check the validity of the report received and provide the whistleblower with feedback on the current status within three months of the confirmation of receipt. In this context, the internal reporting office can also forward the report to an authority for further investigation or discontinue the proceedings due to lack of evidence (Section 18 HinSchG).

Data protection also plays an important role in the organisation of internal reporting channels. First, the confidentiality requirement under whistleblower protection law protects the identities of whistleblowers and the individuals who are the subject of the report, as well as those individuals named in the report. These identities may only be disclosed to those responsible for receiving reports or for taking follow-up measures, as well as to those supporting them in the fulfilment of these tasks (Section 8 (1) sentence 2 of the Whistleblower Protection Act). In addition, particular reference should be made to aspects such as the obligation to inform the data subject (Art. 14 GDPR), compliance with deletion deadlines (Section 11 (5) HinSchG) or technical measures to protect the data. The company data protection officer must be involved in the setting up of the internal reporting channel.

If a reporting channel is set up within the company itself, it must be independent. This includes, for example, the requirement that reporting tasks cannot be transferred by right of direction or transfer. However, it is conceivable to integrate the reporting office into the compliance department, provided that this is separated from the wider organisation and personnel (Section 16 (2) HinSchG) and therefore only the supporting employees have access to the incoming reports.

It should be noted that the reporting procedure under the HinSchG exists in parallel with the complaints procedure under the Supply Chain Safety Obligations Act (Section 8 LkSG), the Occupational Health and Safety Act (Section 17 (2) sentence 2 ArbSchG) and the complaints to the works council (Section 84 BetrVG). However, reporting procedures in particularly sensitive economic sectors (Section 4 (1) HinSchG) take precedence over the HinSchG. The provisions of the HinSchG only apply insofar as these specific regulations do not stipulate any requirements (Section 4 sentence 2 HinSchG).

Involving the works council

As the establishment of an internal reporting channel is required by law for employers with at least 50 employees, there is no co-determination right under legislation regarding the works council with regard to its establishment. However, the works council has a right of co-determination in accordance with Section 87 No. 1 BetrVG to the extent that the HinSchG leaves the employer with flexibility, i.e. in the design and organisation of the internal reporting channel. The staffing of the reporting office and the introduction of technical monitoring can also trigger co-determination rights.

Reporting office within the Group

Under the Whistleblower Protection Act, it is permitted to set up a group-wide reporting office at (only) one company within a group of companies. This was not provided for in the Whistleblower Directive and is still not in line with the EU Commission's view (see BT-Drs. 20/3442, Section III 1.a). Nevertheless, the initiation of infringement proceedings by the EU Commission against Germany seems unlikely and it is also doubtful that companies that have set up a group-wide internal reporting office in compliance with the Whistleblower Protection Act will have action taken against them.

In any case, where there is a group-wide reporting channel, it must be ensured that no additional hurdles are imposed on whistleblowers; in particular, it must be possible to report in the local company's principal language and the whistleblower must be able to be sure that confidentiality - in favour of the reporting person as well as in favour of the persons who are the subject of a report or are named in a report (Section 8 HinSchG) - is guaranteed.

External reporting and disclosure of information

According to the HinSchG, whistleblowers are generally free to choose whether to report to an internal or external reporting office, such as the Federal Office of Justice, BaFin or the Federal Cartel Office (Section 7 HinSchG). The external reporting offices may forward the reported information to a competent authority for the purpose of further investigations (Section 29 (2) no. 4, Section 30 HinSchG).

According to the statutory provisions, the whistleblower should only disclose information to the public as a last resort. However, this is permitted where a previous report was not sufficiently considered (i.e. no follow-up measures were taken or the whistleblower did not receive any feedback on the measures taken, Section 32 (1) no. 1 HinSchG). Immediate disclosure to the public is permitted under the statutory provisions if the report concerns an offence which gives rise to particular risks to the general public (Section 32 (1) No. 2 HinSchG).

In order to avoid external reports and any associated reputational damage, employers should take care to set up an internal whistleblowing system that is as accessible and well-functioning as possible so that whistleblowers can use it easily and, ideally, an internal investigation is made possible first.

Protection of the whistleblower from reprisals

Under Section 33 HinSchG, whistleblowers are protected against reprisals (including the threat and attempt of reprisals) if (i) the internal or external report or disclosure was made in accordance with the legislation, (ii) the whistleblower reasonably believed, at the time of the report, that the reported or disclosed information was true and (iii) the information concerns violations that fall within the scope of the HinSchG. Consequently, the whistleblower is not protected if they have obtained the reported information, for example, through a criminal offence (Section 35 (1) Hs. 2 HinSchG); in particular, where they obtain knowledge through data that is confidential or protected.

Reprisals include all unjustified detriments such as dismissal, transfer, demotion or denial of promotion. The transfer of duties, change of work location, refusal to participate in further training measures or behaviour on the part of the employer for the purpose of intimidation or bullying can also constitute reprisals.

If an unlawful reprisal occurs, despite the statutory prohibition, Section 37 (1) HinSchG provides that a whistleblower can bring a claim for damages. Conversely, the whistleblower is obliged to pay compensation if the report or disclosure is based on incorrect information (Section 38 HinSchG).

Burden of proof

Pursuant to Section 36 (2) HinSchG, it is presumed that, if a whistleblower suffers a detriment after or in connection with making a report or disclosure, this disadvantage is a reprisal within the meaning of the legislation. However, the employer can rebut this presumption by demonstrating that the unfavourable measure in question was not taken because of the report or disclosure, but for other, objectively justifiable reasons, or that the person causing the disadvantage (e.g. HR employee or line manager) had no knowledge that the disadvantaged person was a whistleblower and that the reprisal was therefore carried out completely independently of the making of the report.

Sanctions

Violations of the main provisions of the HinSchG are punishable as administrative offences. Such offences include, in particular, preventing reports, taking reprisals and violating the confidentiality of the identity of whistleblowers (Section 40 HinSchG).

Conclusion: Establishment of the internal reporting channel and effects on contract design

Employers (generally with at least 50 employees) have been aware of the obligation to set up an internal reporting channel in accordance with these requirements following the issue of the Whistleblower Directive.

However, the provisions of the Whistleblower Protection Act can also have an impact on individual contracts, as Section 39 of the Whistleblower Protection Act states that agreements that restrict the rights of whistleblowers are invalid. According to the statutory provisions on general terms and conditions, a confidentiality clause could be considered non-transparent (in accordance with Section 307 (1) sentence 2 BGB) and therefore void, unless the clause expressly provides that a breach of the confidentiality obligation is permitted in order to place a report with an internal or external reporting channel. It remains to be seen how the labour courts will position themselves in this context. However, contracts concluded prior to the entry into force of the HinSchG are protected by legitimate expectations and therefore do not need to be amended.
