Breaches of law covered by the HinSchG
The HinSchG applies to all breaches that attract penalties under national law as well as to
- breaches that are punishable with fines under national law insofar as the purpose of the provision that has been infringed is to protect life, limb or health or to safeguard the rights of employees or their representative bodies and, in particular, to
- breaches of certain EU legal acts (this includes areas such as corruption, money laundering, public procurement and product safety).
Obligation to establish and operate internal reporting channels
Under the HinSchG, businesses and the public sector are obliged to set up whistleblower systems (establishment and operation of internal reporting channels). There are obligations
- for companies with at least 50 employees;
- irrespective of this limitation, for all private companies in special sectors such as, in particular, the financial services sector, the field of financial products, financial markets and the insurance industry;
- for the German federal and state governments in accordance with the provisions of the highest federal and state authorities;
- for the municipalities and municipal associations in accordance with the respective regional law.
In principle, the requirement to establish the internal reporting channels has been in place since 2.7.2023.
Please note: For companies with fewer than 250 employees, this requirement will only apply from 17.12.2023.
An internal reporting channel is established by entrusting own employees or a third party with the responsibilities. Companies with fewer than 250 employees may establish joint reporting channels for receiving reports.
External reporting and disclosure
Besides communicating via the internal reporting channel, the whistleblower is able to directly contact the external reporting channels (external report) that have likewise been provided for under the law. The Federal Office of Justice (Bundesamt für Justiz) is the competent body for the German federal government. The aim is to establish further external reporting channels.
Please note: Whistleblowers are basically under no obligation to give priority to internal reports.
A third reporting channel is the public disclosure of information about breaches, for example, to the press. However, whistleblowers may only go down this path if they do not get an adequate response to the reports they have provided to an external channel, or if a disclosure is in the public interest, for example.
Arrangements for the internal reporting channel
Internal reporting channels have to give whistleblowers the opportunity to provide information orally or in writing. It has to be possible to provide oral reports via telephone or another type of voice transmission. If the whistleblower wishes to make their report in person then a private meeting with the person who is responsible for receiving the reports at the internal reporting channel has to be facilitated within a reasonable period of time.
The internal reporting channel should also handle reports that are provided anonymously; however, the legislation does not provide for an explicit obligation for employers to do so. Confidentiality of the identity of the whistleblower and any third parties that are mentioned in the report has to be guaranteed. It is necessary to ensure that unauthorised employees are not able to access the report.
Please note: The data protection requirements pursuant to the GDPR and the German Federal Data Protection Act (BDSG) have to be complied with in all cases. Implementing a whistleblower system could trigger the participation rights of the works council or staff council (cf., for example, Section 87(1) no. 1, no. 6 of the German Works Council Constitution Act) – this will depend on the planned arrangements.
Once a report has been received this has to be confirmed within seven days. The reporting channel has to check whether or not the reported breach falls under the material scope of application of the HinSchG and whether or not the report that has been received is substantive. In doing so, the whistleblower can be asked for further information. Subsequently, the appropriate follow-up measures need to be taken; these could be, for example, internal investigations, terminating the procedure because of a lack of evidence or passing it on to the competent authority for further investigation. The whistleblower generally has to get a response within three months.
Measures to protect whistleblowers
The HinSchG provides for a prohibition of retaliation against whistleblowers. The prohibition covers, among other things, suspensions, dismissals, salary reductions or issuing negative employment references. If discriminatory measures are taken against the whistleblower then the employer will bear the burden of proof and will have to demonstrate that the respective measure was not due to the report by the employee. However, the protection of the whistleblower will only apply if they have not passed on false information either deliberately or through serious negligence.
Breaches of the law are punishable with fines; here, it is worth mentioning, in particular, the following offences that are punishable with fines:
- hindering the reporting to/communication with a reporting channel by a whistleblower (fine of up to €50,000)
- retaliation against whistleblowers and protected persons (fine of up to €50,000)
- breach of rule on confidentiality (fine of up to €50,000)
- disclosure of incorrect information (fine of up to €20,000)
- breach of the obligation to establish an internal reporting channel (fine of up to €20,000).
Moreover, the whistleblower would be entitled to compensation in the event that the prohibition on retaliation is breached.