Whistleblower Protection Act - Urgent need for action for companies
Dr Isabel Jost
10 February 2023
Companies should already now:
- Decide whether to operate the internal reporting office themselves or to outsource it to a law firm/external provider.
- Define the team responsible for the internal reporting office and follow-up measures.
- Define the processes from receipt of a report to completion of the procedure.
- Draft FAQs and guidelines on the procedure.
- Involve the works council.
- Prepare training for the team(s) in charge.
- Involve the company data protection officer.
- Prepare a data protection impact assessment and data protection notices.
What is the status of the legislative process?
The German Bundestag passed the law on 16 December 2022, but the German Bundesrat refused its approval in its meeting on 10 February 2023. It is likely that the law will now be discussed in the Mediation Committee. How long this will take is unclear. It is unlikely that the law will come into force before summer 2023.
What does whistleblower protection mean?
So far, there is no statutory whistleblower protection system in Germany. Although some larger medium-sized companies and corporations have already established whistleblower protection systems on a voluntary basis, these differ considerably in their structures and processes. In smaller companies, there are usually no systems at all.
Going forward, the Whistleblower Protection Act is intended to create standardisation and provide comprehensive protection for whistleblowers, implementing the Whistleblowing Directive (EU/2019/1937).
What does this mean for companies?
There is a need for action for all companies with usually at least 50 employees, although the law provides for a longer implementation period as of 17 December 2023 for medium-sized companies with usually 50 to 249 employees.
Obligation to set up an internal reporting office
Companies are obliged to set up at least one internal reporting office. According to the law, failure to set up an internal reporting office in breach of obligations constitutes an administrative offence for which a fine of up to EUR 20,000.00 may be imposed.
Companies may also outsource an internal reporting office to external third parties, such as law firms. In particular for companies in which only a few reports are to be expected or where there is no internal staff capacity to operate the reporting office, this option may be a good way to meet the legal requirements in a cost-efficient manner.
In any case, the internal reporting office must meet the following requirements:
- Only the persons responsible for receiving and processing the reports, as well as those who assist them in fulfilling these tasks, may have access to the incoming reports.
- Reports must be made possible in oral or text form.
- At the request of whistleblowers, a personal meeting with a person responsible for receiving a report from the internal reporting office must be made possible within a reasonable time. With the consent of the whistleblower, the meeting may also take place by means of video and audio transmission.
- Persons entrusted with the tasks of an internal reporting office must be independent in the performance of their duties and have the necessary expertise.
The most recent addition is the obligation for internal reporting offices to create incentives for whistleblowers to first contact the respective internal reporting office before reporting to an external reporting office. The law leaves open exactly what these incentives are to look like. In any case, employers must provide employees with clear and easily accessible information on the use of the internal reporting procedure. However, the possibility of external reporting must not be restricted or made more difficult.
Bodies to be involved before setting up the internal reporting office
Depending on the structure of the reporting office, the works council has extensive co-determination rights under sec. 87 para. 1 no. 1 of the Works Council Constitution Act (Betriebsverfassungsgesetz "BetrVG") and sec. 87 para. 1 no. 6 BetrVG (the introduction and use of technical devices). In order to facilitate an implementation of the reporting office as early as autumn, companies should consult with the works council about this in a timely manner.
However, the company data protection officer should also be involved at an early stage, as the following measures have to be taken from a data protection perspective:
- Carrying out a data protection impact assessment.
- Sensitisation of employees, if necessary adaptation of the confidentiality obligation and obligation to comply with the GDPR.
- Use of encryption and guarantee of secure data transfer, restriction of access to the data of the reporting system on a strict need-to-know basis, creation of an authorisation concept, logging of data entries.
- Adaptation of the deletion concept.
Reports to be processed
Both reports of violations of EU law and reports of criminal offences and administrative offences under German law are to be processed by the internal reporting office. In addition to violations punishable by law, however, only violations punishable by fines shall fall within the scope of application if the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies.
In individual cases, it can be very difficult for both the internal reporting office and whistleblowers to assess whether a report falls within the scope of the law. In case of doubt, internal reporting offices are always advised to investigate incoming reports and to refrain from investigating only in clear cases.
Shortly before the German Bundestag passed its resolution, an obligation to accept and process anonymous reports was included. For this purpose, reporting channels must be provided that enable anonymous contact and anonymous communication between the whistleblower and the internal reporting office. However, this obligation will only apply from 1 January 2025.
Deadlines and process of handling
Incoming reports are to be processed by the internal reporting office as follows:
- Acknowledgement of receipt for whistleblowers no later than 7 days after receipt of the report.
- Checking whether the reported violation falls within the scope of the law and whether the tip is valid.
- If so: Conduct further investigations, if necessary ask whistleblowers for further information.
- After completion of the investigation: Take appropriate follow-up action.
- Within 3 months after acknowledgement of receipt of the report: Feedback to whistleblower with information on planned and follow-up measures already taken as well as the reasons for them (exception: Information on follow-up measures or reasons would affect internal enquiries or investigations or impair the rights of the persons who are the subject of a report or who are named in the report).
- Documentation of the information received in compliance with the confidentiality requirement for a maximum of 3 years.
Dealing with whistleblowers
The central personal protection of whistleblowers is provided by the obligation of the reporting office not to disclose their identity.
Furthermore, whistleblowers are protected from reprisals and retaliation of any kind. The protection against damages that do not affect the assets of the whistleblower was also included shortly before the German Bundestag passed its resolution. The wide protection of whistleblowers against reprisals can lead to far-reaching consequences, especially for employees of the company, as the law provides for a reversal of the burden of proof. In future, employers will have to prove that measures taken against employees are not related to the disclosure of wrongdoing. It is noteworthy that the explanatory memorandum to the bill also mentions the non-renewal of a fixed-term contract as a possible prohibited sanction of whistleblowers. In the event of possible labour law measures against whistleblowers, employers are therefore advised to document the reasons for this in even more detail.
However, it is positive for companies that whistleblowers are not protected in every case. The prerequisite is always that whistleblowers had sufficient reason to believe that the information they reported or disclosed was true at the time of the report or disclosure. Furthermore, the information must concern violations that fall within the scope of the law, or whistleblowers must have at least reasonable grounds to believe that this is the case at the time of the report or disclosure. The purpose of this provision is to protect companies from whistleblowers who make a report out of trouble or merely to "discredit" others without sufficient suspicion.
In general, the motives of whistleblowers do not play a role. This means that even if whistleblowers make a report for the sole purpose of being protected from measures threatened by the company for other reasons (such as dismissal), they fall within the scope of protection of the law, at least as long as the tip itself does. While whistleblowers cannot prevent threatened measures against them for other reasons, they can considerably increase the burden of justification for companies.
You can find more information on this topic in our #Employmenttalk: Hinweisgeberschutzgesetz.