Skip to content

UPDATE: Whistleblower Protection Act – Urgent need for action for companies

The plenum of the German Bundestag approved the compromise on the Whistleblower Protection Act on Thursday, 11 May 2023. The German Bundesrat also gave its approval to the draft law on Friday, 12 May 2023. The vote was based on a resolution recommended by the Mediation Committee after the German Bundesrat had refused to approve the law in its session of 10 February 2023. Thus, all that is now outstanding is for the Act to be signed by the Federal President and to be published in the Federal Law Gazette. The law will already enter into force on the day after it has been promulgated. 

For companies, this means that they should deal with the new obligations now and take appropriate measures immediately.

In particular, companies must now immediately:

  • Decide whether to operate the internal reporting office themselves or to outsource it to a law firm/external provider.
  • Define the team responsible for the internal reporting office and follow-up measures.
  • Define the processes from receipt of a report to completion of the procedure.
  • Draft FAQs and guidelines on the procedure.
  • Involve the works council.
  • Prepare training for the team(s) in charge.
  • Involve the company data protection officer.
  • Prepare a data protection impact assessment and data protection notices.

What does whistleblower protection mean?

So far, there is no statutory whistleblower protection system in Germany. Although some larger medium-sized companies and corporations have already established whistleblower protection systems on a voluntary basis, these differ considerably in their structures and processes. In smaller companies, there are usually no protection systems at all.

Henceforward, the Whistleblower Protection Act is intended to create standardisation and provide comprehensive protection for whistleblowers in implementation of the Whistleblowing Directive (EU/2019/1937).

What does this mean for companies?

There is a need for action for all companies with usually at least 50 employees, although the law still provides for a (slightly) longer implementation period as of 17 December 2023 for medium-sized companies with usually 50 to 249 employees.

Obligation to set up an internal reporting office

Companies are obliged to set up at least one internal reporting office. According to the law, failure to set up an internal reporting office in breach of obligations constitutes an administrative offence for which a fine of up to EUR 20,000.00 may be imposed.

Companies may also outsource an internal reporting office to external third parties, such as law firms. This option may be a good way to meet the legal requirements in a cost-efficient manner, particularly for companies in which only a few reports are to be expected or where there is no internal staff capacity to operate the reporting office. It should be noted, however, that the obligation to remedy any malpractices/grievances remains with the company concerned and in particular with its management.

The legislative materials also provide that group companies do not have to set up a separate reporting system for each of their companies that fall within the scope of the law due to the number of employees. Rather, an independent office can be set up at another company of the same group (e.g. parent company, affiliate or subsidiary). A central reporting office within the group is sufficient in this respect. However, the legality of this group privilege is disputed. Some argue that the group privilege violates the provisions of the Whistleblowing Directive and is therefore ineffective. The EU Commission had also made clear in several statements that every independent legal entity, including every group company, must set up its own whistleblowing system. However, this view leads to the absurd scenario in which each group company (which falls within the scope of the law) can designate the same group-external body as an internal reporting office, but the designation of a body within the group would be inadmissible. As long as there is no case law on this questions by the respective supreme courts, group companies should refrain from merely setting up a central office within the group in order to avoid risks, but should rather implement a reporting system – at least additionally –  at each company (which falls within the scope of the law)..

In any case, the internal reporting office must meet the following requirements:

  • Only the persons responsible for receiving and processing the reports as well as those who assist them in fulfilling these tasks may have access to the incoming reports.
  • Making reports must be made possible in oral or text form.
  • At the request of whistleblowers, a personal meeting with a person responsible for receiving a report from the internal reporting office must be made possible within a reasonable time. With the consent of the whistleblower, the meeting may also take place by means of video and audio transmission.
  • Persons entrusted with the tasks of an internal reporting office must be independent in the performance of their duties and have the necessary expertise.

Right of choice

The whistleblower may freely choose whether to contact an internal or an external reporting office.

External reporting offices are operated by the federal government or the federal states. An external reporting office at federal level is established at the Federal Office of Justice. In addition, each federal state can also set up an external reporting office. Furthermore, it is envisaged to establish a specialised reporting office at the Federal Financial Supervisory Authority and at the Federal Cartel Office.

According to the new law, internal reporting offices are obliged to create incentives for whistleblowers to first contact the respective internal reporting office before reporting to an external reporting office. The law leaves open, though, exactly what these incentives are to look like. In any case, employers must provide employees with clear and easily accessible information on the use of the internal reporting procedure. At the same time, the possibility of external reporting must not be restricted or made more difficult. However, following the recent adjustment in the Mediation Committee, the law now also provides that whistleblowers should prefer to report to an internal reporting office in cases where effective internal action can be taken against the violation and they do not fear reprisals. Ultimately, however, this appeal to the employees will have no legal consequences in the event of a violation and is thus purely psychological in nature.

Bodies to be involved before setting up the internal reporting office

Depending on the structure of the reporting office, the works council has extensive co-determination rights under sec. 87 para. 1 no. 1 of the Works Council Constitution Act (Betriebsverfassungsgesetz "BetrVG") and sec. 87 para. 1 no. 6 BetrVG (the introduction and use of technical devices). In order to facilitate an implementation of the reporting office as early as autumn, companies should consult with the works council about this in a timely manner.

However, the company data protection officer should also be involved at an early stage, as the following measures have to be taken from a data protection perspective:

  • Carrying out a data protection impact assessment.
  • Sensitisation of employees, if necessary adaptation of the confidentiality obligation and obligation to comply with the GDPR.
  • Use of encryption and guarantee of secure data transfer, restriction of access to the data of the reporting system on a strict need-to-know basis, creation of an authorisation concept, logging of data entries. 
  • Adaptation of the deletion concept.

Reports to be processed

Both, reports of violations of EU law and reports of criminal offences and administrative offences under German law are to be processed by the internal reporting office. In addition to violations punishable by law, however, only violations punishable by fines shall fall within the scope of application if the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies.

In individual cases, it can be very difficult for both the internal reporting office and whistleblowers to assess whether a report falls within the scope of the law. In case of doubt, internal reporting offices are always advised to investigate incoming reports and to only refrain from investigating reports in clear cases.

According to the updated version of the law, there is no longer any obligation to also process anonymous reports. The previous "must" provision has been changed to a "should" provision in this regard. In addition, it was expressly clarified that there is no obligation to structure the reporting channels in such a way that they enable the submission of anonymous reports. It should be noted, however, that –irrespective of the conversion into a "should" provision – there may be an obligation to follow up on substantiated anonymous reports in individual cases, as the employer may otherwise face civil and criminal liability risks.

Deadlines and process of handling

Incoming reports are to be processed by the internal reporting office as follows: 

  • Acknowledgement of receipt for whistleblowers no later than seven days after receipt of the report.
  • Checking whether the reported violation falls within the scope of the law and whether the tip is valid.
  • If so: Conduct further investigations, if necessary ask whistleblowers for further information.
  • After completion of the investigation: Take appropriate follow-up action.
  • Within three months after acknowledgement of receipt of the report: Feedback to whistleblower with information on planned and follow-up measures already taken as well as the reasons for them (exception: Information on follow-up measures or reasons would affect internal enquiries or investigations or impair the rights of the persons who are the subject of a report or who are named in the report).
  • Documentation of the information received in compliance with the confidentiality requirement for a maximum of three years, whereby longer recording should be possible if this is necessary and proportionate in accordance with legal regulations. 

Dealing with whistleblowers

The central personal protection of whistleblowers is ensured by the obligation of the reporting office not to disclose their identity.

Furthermore, whistleblowers are protected from reprisals and retaliation of any kind. The protection against damages that do not affect the assets of the whistleblower (i.e. immaterial damages), which had previously been provided for temporarily, has now been cancelled. The wide protection of whistleblowers against reprisals can lead to far-reaching consequences, especially for employees of the company, as the law provides for a reversal of the burden of proof. In future, employers will have to prove that any measures taken against employees are unrelated to the disclosure of wrongdoing. The Mediation Committee has ultimately amended this provision in such a way that the presumption only applies if the whistleblower asserts the discrimination; in practice, however, this should not really be a relief for employers, since a corresponding assertion should always be expected. It is also noteworthy that the legislative materials explicitly mention the non-renewal of a fixed-term contract as a possible prohibited sanction of whistleblowers. In the event of possible labour law measures against whistleblowers, employers are therefore advised to document the reasons for the measures in even more detail. However, it is positive for companies that whistleblowers are not protected in every case. The prerequisite is always that whistleblowers had sufficient reason to believe that the information they reported or disclosed was true at the time of the report or disclosure. Furthermore, the information must concern violations that fall within the scope of the law, or whistleblowers must have at least reasonable grounds to believe that this is the case at the time of the report or disclosure. The purpose of this provision is to protect companies from whistleblowers who make a report out of trouble or merely to "discredit" others without sufficient suspicion.

In general, the motives of whistleblowers do not play a role. This means that even if whistleblowers make a report for the sole purpose of being protected from measures threatened by the company for other reasons (such as dismissal), they fall within the scope of protection of the law – at least as long as the tip itself does. While whistleblowers cannot prevent threatened measures against them for other reasons, they can considerably increase the burden of justification for companies.

You can find more information on this topic in our #Employmenttalk: Hinweisgeberschutzgesetz.#Employmenttalk: Hinweisgeberschutzgesetz.