Skip to content

Whistleblower Protection Act - Urgent need for action for companies

Image of Beatrice Hotze
Beatrice Hotze

Senior Associate


View profile →

Jost Isabel
Dr Isabel Jost



View profile →

20 July 2022

The Whistleblower Protection Act will probably come into force this autumn. For companies, this means that they should already be prepared for the expected regulations and take necessary preparations.

Already now, companies should

  • Decide whether to operate the internal reporting office themselves or to outsource it to a law firm/external provider.
  • Define the team responsible for the internal reporting office and follow-up measures.
  • Define the processes from receipt of a report to completion of the procedure.
  • Draft FAQs and guidelines on the procedure.
  • Involve the works council.
  • Prepare training for the team(s) in charge.
  • Involve the company data protection officer.
  • Prepare a data protection impact assessment and data protection notices.

What is the status of the legislative process?

The draft bill was published in mid-April 2022. The federal states and associations were able to comment on the new draft law until 11 May 2022. It is not yet clear how long the evaluation of the numerous comments received will take, but it is likely that the law will be passed this year. It is expected to come into force in autumn 2022. Major changes to the draft bill are hardly to be expected.

What does whistleblower protection mean?

So far, there is no statutory whistleblower protection system in Germany. Although some larger medium-sized companies and corporations have already established whistleblower protection systems on a voluntary basis, these differ considerably in their structures and processes. In smaller companies, there are usually no systems at all.

Henceforward, the Whistleblower Protection Act is intended to create standardisation and provide comprehensive protection for whistleblowers in implementation of the Whistleblowing Directive (EU/2019/1937).

What does this mean for companies?

There is a need for action for all companies with usually at least 50 employees, although the draft bill provides for a longer implementation period for medium-sized companies with usually 50 to 249 employees.

Obligation to set up an internal reporting office

Under the new law, companies are obliged to set up at least one internal reporting office. According to the draft bill, failure to set up an internal reporting office in breach of obligations constitutes an administrative offence for which a fine of up to EUR 20,000.00 may be imposed.

The draft bill further provides that companies may also outsource an internal reporting office to external third parties, such as law firms. In particular for companies in which only a few reports are to be expected or where there is no internal staff capacity to operate the reporting office, this option may be a good way to meet the legal requirements in a cost-efficient manner.

In any case, the internal reporting office must meet the following requirements:

  • Only the persons responsible for receiving and processing the reports, as well as those who assist them in fulfilling these tasks, may have access to the incoming reports.
  • Reports must be made possible in oral or text form.
  • At the request of whistleblowers, a personal meeting with a person responsible for receiving a report from the internal reporting office must be made possible within a reasonable time.
  • Persons entrusted with the tasks of an internal reporting office must be independent in the performance of their duties and have the necessary expertise.

Bodies to be involved before setting up the internal reporting office

Depending on the structure of the reporting office, the works council has extensive co-determination rights under sec. 87 para. 1 no. 1 of the Works Council Constitution Act (Betriebsverfassungsgesetz "BetrVG") and sec. 87 para. 1 no. 6 BetrVG (the introduction and use of technical devices). In order to facilitate an implementation of the reporting office as early as autumn, companies should consult with the works council about this in a timely manner.

However, the company data protection officer should also be involved at an early stage, as the following measures have to be taken from a data protection perspective:

  • Carrying out a data protection impact assessment.
  • Sensitisation of employees, if necessary adaptation of the confidentiality obligation and obligation to comply with the GDPR.
  • Use of encryption and guarantee of secure data transfer, restriction of access to the data of the reporting system on a strict need-to-know basis, creation of an authorisation concept, logging of data entries.
  • Adaptation of the deletion concept.

Reports to be processed

Both, reports of violations of EU law and reports of criminal offences and administrative offences under German law are to be processed by the internal reporting office. In addition to violations punishable by law, however, only violations punishable by fines shall fall within the scope of application if the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies.

In individual cases, it can be very difficult for both the internal reporting office and whistleblowers to assess whether a report falls within the scope of the law. In case of doubt, internal reporting offices are always advised to investigate incoming reports and only not to investigate reports in clear cases.

There is no obligation to accept or process anonymous reports. However, there is a considerable self-interest on the part of companies to promote anonymous reports, as in this case the identity protection of the whistleblower, which is associated with high administrative costs, is not applicable.

Deadlines and process of handling

Incoming reports are to be processed by the internal reporting office as follows:

  • Acknowledgement of receipt for whistleblowers no later than 7 days after receipt of the report.
  • Checking whether the reported violation falls within the scope of the law and whether the tip is valid.
  • If so: Conduct further investigations, if necessary ask whistleblowers for further information.
  • After completion of the investigation: Take appropriate follow-up action.
  • Within 3 months after acknowledgement of receipt of the report: Feedback to whistleblower with information on planned and follow-up measures already taken as well as the reasons for them (exception: Information on follow-up measures or reasons would affect internal enquiries or investigations or impair the rights of the persons who are the subject of a report or who are named in the report).
  • Documentation of the information received in compliance with the confidentiality requirement for a maximum of 2 years.

Dealing with whistleblowers

The central personal protection of whistleblowers is provided by the obligation of the reporting office not to disclose their identity.

Furthermore, whistleblowers are protected from reprisals and retaliation of any kind. This can lead to far-reaching consequences, especially for employees of the company, as the draft bill provides for a reversal of the burden of proof. In future, employers will have to prove that measures taken against employees are not related to the disclosure of wrongdoing. It is noteworthy that the explanatory memorandum to the draft also mentions the non-renewal of a fixed-term contract as a possible prohibited sanction of whistleblowers. In the event of possible labour law measures against whistleblowers, employers are therefore advised to document the reasons for this in even more detail.

However, it is positive for companies that whistleblowers are not protected in every case. The prerequisite is always that whistleblowers had sufficient reason to believe that the information they reported or disclosed was true at the time of the report or disclosure. Furthermore, the information must concern violations that fall within the scope of the law, or whistleblowers must have at least reasonable grounds to believe that this is the case at the time of the report or disclosure. The purpose of this provision is to protect companies from whistleblowers who make a report out of trouble or merely to "discredit" others without sufficient suspicion.

However, the motives of whistleblowers do not play a role. This means that even if whistleblowers make a report for the sole purpose of being protected from measures threatened by the company for other reasons (such as dismissal), they fall within the scope of protection of the law. At least as long as the tip itself does. While whistleblowers cannot prevent threatened measures against them for other reasons, they can considerably increase the burden of justification for companies.

You can find more information on this topic in our #Employmenttalk: Hinweisgeberschutzgesetz.

Related expertise