Objective of this guide
This guide was created with the aim of providing companies and organizations with a practical overview as well as concrete instructions on how to implement the Whistleblower Protection Act (HinSchG). We want to ensure that you have all the necessary information and tools at hand to implement and operate an effective and compliant whistleblower system in your organization. This document is intended for decision makers, compliance officers and anyone involved in the process of implementing and managing a whistleblower system.
An overview: HinSchG compactly explained
The HinSchG was introduced to protect people who report violations of legal requirements (whistleblowers) from legal consequences and retaliation. Under certain conditions, it obliges companies to set up internal reporting offices through which violations can be reported - anonymously if necessary. It also regulates how reports are to be handled and specifies the protective measures that apply to whistleblowers. The HinSchG is an essential building block for promoting an open culture of error and whistleblowing in organizations and helps to uncover and remedy unlawful actions at an early stage.
Why the HinSchG is relevant for companies
The HinSchG plays a central role in creating a corporate culture of transparency and integrity. It not only promotes internal dialog and the uncovering of potential wrongdoing, but also signals to the outside world a clear stance on ethical and lawful conduct. An efficiently implemented whistleblower system makes it possible to identify risks and violations at an early stage and act accordingly, thus avoiding financial and reputational damage.
But there are also critical voices. Small companies in particular could feel burdened by the bureaucratic obligation to set up such a channel. In addition, there is a risk that anonymous reports will be abused for personal motives, which could affect the working atmosphere and trust between employees. Anonymity could also lead to an increased number of unfounded complaints, tying up valuable company resources.
Regardless of the differing views, the law is now in force and companies are obliged to implement it. Failure to comply with the HinSchG can result in severe fines of up to 20,000 EUR or even more. In addition, there is a risk of claims for damages by whistleblowers, especially if they suffer disadvantages as a result of their report.
Overall, this underscores the need to take the HinSchG seriously and to deal intensively with the implementation and operation of a whistleblower system. This guide is intended to help companies understand and implement the requirements of the law.
Practical Implementation Guide for the Whistleblower Protection Act
We will now give you a step-by-step guide on how to implement the Whistleblower Protection Act and what needs to be considered during the process.
Step 1: Check relevance
From 50 employees: obligation to set up internal reporting channels and procedures.
Companies with 50 or more employees are required to establish internal reporting channels and procedures for violations. For this purpose, each person employed by the company counts as an employee, regardless of the number of hours worked or the type of employment. For example, if three students share a position, they are counted as three separate employees. Likewise, part-time and temporary workers are included in the count, as the law's protections are intended to apply to them as well as to temporary and contract workers.
To determine the number of employees, there is no set cut-off date. The regular, general employment situation of the company should be taken into account. Both a review of the previous year's staffing levels and a forecast of the expected development for the coming year are relevant. This creates a representative picture of the employment situation, which is used to determine the applicability of the law.
Special case financial companies and authorities
In the context of whistleblower protection, particular attention is paid to both financial companies and public institutions.
Regardless of their size, companies in the financial sector operating in areas such as securities, stock exchanges and capital management are required to implement whistleblower systems. In parallel, public institutions with more than 250 employees are also required to implement internal reporting channels.
By when must internal whistleblower systems be in place?
Companies with at least 250 employees have already been required to establish internal whistleblower systems since 02 July 2023, to ensure adequate protection for whistleblowers. Companies with between 50 and 249 employees have been granted an extended deadline of 17 December 2023 to establish whistleblower systems.
Step 2: Determination of the reporting person (reporting office)
If it has been determined that the establishment of a whistleblower system is mandatory, the next step is to set up the internal reporting office to which potential whistleblowers can turn.
Personnel planning: external vs. internal staffing
When setting up the internal reporting office, companies can choose whether to staff the office with one or more of their own employees, or whether to entrust a third party (external) with the task. However, the external staffing of the "internal reporting office" must not be confused with the "external reporting offices" that are set up by the federal government or the states and are not intended to play any role in the context of this guide.
The implementation of the internal hotline requires careful consideration, particularly with regard to the choice between internal and external staffing of the position.
Advantages and disadvantages
When choosing between internal and external whistleblower staffing, it is critical to consider your company's individual needs and circumstances. In any case, compliance with legal requirements, including data protection regulations, and the expertise of the hotline is necessary to ensure effective protection of whistleblowers.
Flexibility in internal staffing of whistleblower reporting offices.
With regard to the internal staffing of reporting offices, the law gives companies considerable leeway. It does not provide strict guidelines on which person or department within the company should be responsible for receiving reports and taking subsequent steps.
- Employee Roles: Employees assigned to hotlines do not have to work exclusively in this role. However, it must be ensured that these employees can act independently and that there are no conflicts of interest with their other duties.
- Risks: The office of the confidential reporting officer is not without risks. Violations of the confidentiality requirement may result in fines and may be directed against the persons working in the reporting office. In addition, claims for damages under tort law by whistleblowers and affected persons are possible.
Internal staffing of the reporting office
- Cost efficiency: Internal staffing is usually more cost-effective, as often only training measures are incurred as additional costs here.
- Use of existing resources: Companies can leverage existing positions, resulting in efficiency gains and synergies.
- Faster response time: internal hotlines are often more familiar with internal procedures and processes, which can lead to a faster response to tips.
- Employees in coercive situations: Internally staffed employees may find themselves in conflict situations, which can lead to tension.
- Excessive demands: There is a risk that employees will be overwhelmed if they suddenly have to assume responsibility for the correct handling of messages, especially without adequate training.
External staffing of the reporting office
- Independence and neutrality: External hotlines are independent and neutral, which makes it easier for whistleblowers to turn to them without fear of conflict or disadvantage.
- Expertise: External service providers are specialized and have experience in handling notifications as well as in complying with legal requirements.
- Avoidance of conflicts of interest: External reporting points minimize the risk of conflicts of interest that could arise in internal structures.
- Additional costs: The commissioning of external hotlines may incur additional costs.
- Possible information delay: External service providers may not be as familiar with internal processes, which can lead to delays in processing leads.
Requirements for the reporting office
In order for the internal reporting office to function effectively, it is essential that the person or department appointed to this role is able to act independently and is free from potential conflicts of interest. It must therefore be ensured that those whose actions are to be monitored do not themselves assume the role of the reporting office.
Professional expertise and continuity
According to the explanatory memorandum to the Act, the professional competence of the internal reporting office is crucial to building and maintaining the trust of potential whistleblowers.
The selected employee must thus have the "necessary expertise", even if the exact scope of this expertise is not specified. In any case, the responsible person or department must not only be able to competently receive reports and initiate appropriate measures, but also be able to handle sensitive information with the utmost confidentiality.
At a minimum, they should therefore be sufficiently informed about the function, responsibilities and independence of the hotline as well as about the confidentiality requirement. This can be done, for example, through appropriate training.
The exact requirements for the qualification of the employee in question may also depend on the size of the company and the "infringement propensity". In this context, the greater the risks of the respective company, the more qualified the person entrusted with this task should be.
The confidentiality requirements mentioned above form a central principle of the HinSchG. In order to protect the whistleblower and other persons affected, the identity of the whistleblower and the persons who are the subject of the report or are at least named in the report must be treated confidentially. This means that, as a matter of principle, only the reporting person dealing with the case or the person responsible for taking follow-up measures (or the persons supporting them in doing so) may know about the identity of the above-mentioned persons. This principle is fundamental and should therefore be known to all persons involved.
Clear distribution of roles and responsibilities within the reporting office
In order to avoid potential conflicts of interest and to strengthen employee trust in the reporting office, there should be a clear and transparent distribution of roles and responsibilities within the reporting office. The structure should take into account the specific corporate structure and culture and fit into existing structures.
Here, the objective and unbiased processing of all reports by clearly defined roles is crucial.
Possible roles for the reporting office:
Different departments or roles within a company could take on the task of a reporting office, depending on the specific company structure and culture:
- Compliance department: Often with a focus on compliance and ethics, this department can act as a neutral authority, provided it is not itself the subject of the report.
- Human Resources: while it has the advantage of being familiar with employee-related matters, it could be biased when it comes to certain types of reports.
- Data Protection Officer: this role is often trained to keep sensitive information confidential and could therefore be a good fit as long as there are no conflicts of interest.
- Auditor: As a role often tasked with reviewing finances and processes, the auditor might be a good choice if not involved in potential financial improprieties.
- Legal Department: Thanks to their legal expertise, the legal department is often ideally situated as an internal reporting unit. The department has the necessary specialized knowledge to understand legal requirements and to implement them in compliance with the law. However, care must be taken to ensure that it does not tend to minimize potential legal risks to the company, instead of considering the reports objectively. Clear regulations on responsibilities, adequate policies, and transparency can enhance trust in the independence of the legal department.
Works council as reporting office - with caution
Works council members may assume reporting responsibilities, but this should not interfere with their core functions. Encouraging works councils to take on these additional responsibilities can be problematic and employers cannot assign them unilaterally. It is essential that the core functions of the works council are not compromised by additional responsibilities in the whistleblower system and that the allocation of these responsibilities is in accordance with works council constitutional law.
Involve managers as reporting officers
Determining the most appropriate individuals or departments within a company to receive and track reports depends on its structure.
It must always be ensured that their function guarantees independence and conflicts of interest are avoided. Recital 56 of the Whistleblower Directive mentions, for example, the Chief Compliance Officer, the Human Resources Officer, the Integrity Officer, the Legal or Privacy Officer, the Chief Financial Officer (CFO), the Chief Audit Executive or a member of the Management Board.
However, it is important to emphasize that not every management position should automatically be considered suitable for this role. Although the guideline allows for the CFO as a possible reporting officer, this should not be seen as a precedent for all management roles. It must always be ensured that the statutory duties can be performed independently.
Step 3: Setting up the reporting channel
The law allows companies to flexibly decide which reporting channels they want to set up, provided confidentiality is guaranteed. This means that companies can choose to allow written reports that can be submitted by mail, email or through online platforms. Likewise, they can offer the option of making verbal notifications via telephone hotlines or other spoken messaging systems - or both.
IT tools and reporting officer
The implementation of a whistleblower reporting office goes beyond pure IT solutions and requires a clear definition and separation between the technical reporting channel and the persons responsible for processing the reports.
- IT tools: These act as a technical communication interface and are designed to ensure that reports can be made on a secure, anonymous and efficient platform. They offer whistleblowers a platform on which they can submit reports securely and confidently, and can also be used to enable and document the dialog between the whistleblower and the reporting officer.
- Reporting Officer: This is the person or department responsible for processing, investigating and following up on the report. The reporting officer should be able to evaluate reports in an unbiased manner, take appropriate action and ensure the protection of the whistleblower.
In this context, IT tools and technologies are merely a medium or tool for communication between the whistleblower and the reporting officer. They are not sufficient as a stand-alone solution, but should be considered as an integral part of a comprehensive whistleblower system that includes clear processes, policies and safeguards.
When setting up the reporting channel, it is important to take organizational measures to ensure that reporting officers can use the tool in compliance with legal requirements, especially with regard to data protection. In this context, access to the reporting channel should be restricted so that only those persons who are responsible for processing the report can access it (so-called "need-to-know principle").
However, implementation via a (web-based) IT tool is only one of the possibilities. The following communication channels can also be considered:
- Written notifications: Companies can enable written reports through various channels such as mail, email, or online platforms.
- Verbal messages: The ability to deliver verbal messages via telephone hotlines or other spoken messaging systems can also be established.
- In-Person Reporting: If a whistleblower prefers, there is also the option, upon request, to make his or her report in person during physical meetings within a reasonable period of time. Therefore, if an employee prefers to meet in person to make his or her report, the Company is required to arrange this within a reasonable period of time. The exact duration of this period depends on the organizational circumstances and processes in the company and the meeting must be facilitated at the whistleblower's workplace.
Should anonymous reports be allowed?
Although it is not mandatory by law to allow anonymous reporting, this is often recommended in order to establish a comprehensive and effective whistleblower reporting office. The possibility of making reports anonymously can have both advantages and disadvantages, which should be carefully weighed in the context of the specific corporate environment.
Advantages of allowing anonymous reporting:
- Encouraging whistleblowers: A significant proportion of potential whistleblowers prefer to file anonymous reports. This could lead to more people reporting concerns and violations, as they do not have to worry about possible consequences or retaliation.
- Early detection of issues: The ability to report anonymously enables companies to identify potential issues and violations early, before they develop into serious compliance breaches. This can help minimize legal and financial risks.
- Diverse perspectives: By allowing anonymous reporting, companies can receive leads from multiple sources and departments that may have different perspectives and information on internal operations.
- Avoiding reports to external reporting offices: As mentioned briefly above, the federal government or the states establish so-called "external reporting offices" to which whistleblowers can additionally turn (even though they are supposed to prefer the internal reporting offices). These external reporting offices allow anonymous reports, which is why there is a risk that employees will prefer to contact them directly in order to preserve their anonymity. To ensure that reported violations can first be clarified internally, it is therefore advisable to also allow anonymous reports.
Disadvantages of allowing anonymous reporting:
- Risk of abuse: Anonymity may increase the risk of false reporting and abuse. Individuals may report for personal reasons or malice, potentially straining company resources unnecessarily.
- Tracking more difficult: Anonymous reports make it more difficult to identify and track the whistleblower. This may limit the ability to request further information to verify the credibility of the whistleblower.
It is essential that companies consider the specific challenges and needs of their operating environment when deciding whether or not to enable anonymous reporting. This decision should be made in the context of the company's overall whistleblower strategy and policy.
Step 4: Announcement of the reporting channel and test run
After the reporting channel is established, it is critical to clearly communicate the reporting channel to employees. This step ensures that your employees know how to report violations or concerns.
There are several ways to publicize the reporting channel, depending on the size and structure of your organization:
- Intranet or employee portal: An effective method is to provide information on your intranet or employee portal. Create a dedicated page or area where you provide detailed instructions on how to report tips. This could include a link to a dedicated reporting page or contact information for the Confidential Officer.
- Email communication: Send an email to all employees introducing the reporting channel and explaining how they can use it. This can also be repeated periodically to maintain awareness.
- Trainings and workshops: Use internal training or workshops to educate employees about the reporting channel. This provides an opportunity for questions and clarifications.
- Posters and informational materials: Hang posters or informational materials in key areas of your organization that explain the reporting channel and steps for reporting tips.
- Online tools: If using an online platform to receive reports, ensure that the link or instructions for using this tool are communicated and accessible.
By taking these steps, you can ensure that your employees are well informed and comfortable reporting violations or concerns at all times, effectively implementing whistleblower protection in your organization.
Once the reporting channel has been established and communicated, it is critical to establish a clear process for receiving and handling reports. This step ensures that incoming tips are handled appropriately and that confidentiality is maintained.
Verify that the messaging channel is properly set up and functioning. This can be ensured by test messages or a test run to ensure that messages reach the designated trusted person or team.
Step 5: Dealing with reports and violations
What incidents should be reported?
The HinSchG aims to protect whistleblowers who report violations of certain requirements. The law provides a comprehensive list of exactly which requirements are meant. The law mainly refers to violations of particular severity, so that reports of punishable acts are covered in any case. Under certain circumstances, however, violations subject to fines or violations of internal company guidelines may also be sufficient. Since the central task of the reporting office is to assess whether the reported act violates a requirement from the law's catalog, companies should provide clear guidelines and examples of reportable incidents. This also makes it easier for employees - the potential whistleblowers - to recognize violations as such. Typical cases that should be reported include:
- suspected fraud in the accounts;
- manipulation of business records for tax avoidance purposes;
- theft of company property;
- environmental pollution due to improper disposal of chemicals;
- violation of health and safety regulations in the workplace.
The exact definitions and applications of these regulations, as well as their consistency with the Whistleblower Directive, are still a matter of discussion. Companies should ensure that employees know exactly what type of violations should be reported and how the reporting process works to ensure effective whistleblower protection.
What incidents should not be reported?
There are certain incidents that should not be the subject of a report under the whistleblower system because they do not have the severity or relevance of reportable violations. Reports of such cases are unremarkable and should therefore occur as infrequently as possible. To prevent the reporting office from being "paralyzed" by too many unremarkable reports, companies should inform their employees which reports are inadmissible, but without discouraging potential whistleblowers from reporting a case that is difficult to assess or not entirely clear. In any case, the following reports, for example, are irrelevant:
- personal opinion about a colleague, without clear evidence of wrongdoing;
- criticism of the food in the canteen;
- complaints of personal favoritism or injustice that do not constitute violations of law;
- untrue accusations;
- reports of immoral behavior.
These examples illustrate incidents that, while potentially causing workplace dissatisfaction, do not represent the type of serious violations that the whistleblower system is intended to address. It is essential that employees have a clear understanding of what constitutes a notable violation in order to use the system effectively and in the spirit of protecting whistleblowers.
Procedure on receipt of messages
When a report is received, it is critical that the company has a structured process for handling and investigating it. First, the whistleblower must be informed of the receipt of his or her report within 7 days (unless the whistleblower is anonymous). Next, it must be determined whether the reported violation falls within the catalog of the law, i.e., whether it is a "notable" violation, and if so, whether the report of the violation is credible. In parallel, clear communication channels must be established for further correspondence with the whistleblower. In principle, the same channel should be chosen here as the whistleblower has chosen for his or her report. If this is necessary to clarify the case, the whistleblower must also be asked for further information. In addition, a system for documenting all steps and findings in the investigation process should be implemented to ensure transparency and accountability.
Deadlines play an essential role in ensuring that reports are processed promptly and effectively. Establishing clearly defined reporting deadlines for different phases of the process - from initial investigation to final resolution - helps keep the process structured and transparent. Similarly, it is important that these deadlines are established and adhered to both for processing internally and for communicating with the whistleblower in order to build trust in the system. For example, the reporting office must report back to the whistleblower no later than 3 months after acknowledging receipt and inform him or her of any follow-up measures planned or already taken and the reasons for them.
A critical aspect of the whistleblower system is the action taken after a report is investigated. Both feedback to the whistleblower (if the whistleblower's identity is known) and internal action to correct identified issues or conduct further investigation are critical. This could include disciplinary action, changes in processes, or legal action. It is important that these actions are consistent, legally sound and proportional to the violations reported. If there is a lack of evidence or the reported violation cannot be determined for other reasons, the case should be closed. If appropriate, the case may also be delegated to another department or agency.
Termination of procedures after notification
The termination of procedures after a report should also be clear and structured. This includes final communication with the whistleblower, comprehensive documentation of all steps and measures taken, and follow-up to identify possible improvements in the whistleblower system or corporate processes. It is essential that the conclusions and measures taken are carefully analyzed in order to learn from the incident and develop future prevention strategies.
Step 6: Implement required data protection measures
In the context of data protection law, there are several steps to consider:
- Supplementing the records of processing activities (ROPA): Companies must update their ROPA and supplement them with the processing activity of the internal notification office.
- Check service provider: Before working with a service provider, companies should conduct a thorough audit to ensure that the service provider meets data protection requirements.
- Conclusion of a data processing agreement (DPA): It is necessary to conclude a contract regulating the terms and conditions for the processing of personal data by the IT service provider that provides the digital reporting channel tool.
- Conduct a data protection impact assessment (DPIA): If the planned processing of personal data poses a high risk to the rights and freedoms of data subjects, a DPIA is required. This process serves to identify risks and take appropriate measures to minimize them.
- Addition of information requirements: Companies must ensure that they update their privacy policies with regard to the notification procedure in order to transparently present the processing of the data and, if applicable, also the cooperation with a service provider, and to adequately inform the data subjects.
Summary and conclusion
The new HinSchG obliges every company with 50 or more employees to set up a whistleblower reporting channel. For small companies, implementing further compliance measures is not easy. Since legal expertise will not always be available in small companies, recourse should be made to existing structures - e.g. the data protection officer.
It is important to note here that this is not merely a new task of the data protection officer, but a separate and distinct position to be regulated in accordance with the statutory protection objectives.