For years, employees who reported the misconduct of their employers faced disciplinary action and even termination of employment. However, the Whistleblower Protection Directive (2019/1937) at the EU law level, laid the foundation for the new whistleblower protection regulations. The German Whistleblower Protection Act (HinSchG) was introduced to the German parliament, the Bundestag, as a 100-page governmental draft. The Act is expected to pass in early 2023, with an implementation date three months later.
Who and what is protected?
The HinSchG provides protection for all natural persons who have obtained information about criminal violations of EU law and/or German law prior to or in connection with their employment. The scope of the act extends to specific violations that may result in fines or other legal repercussions, such as regulations related to preventing money laundering, product and occupational safety, and environmental protection. The HinSchG also protects individuals who are affected by the reporting or disclosure of these violations.
Requirements for employers
The HinSchG aims to create legal certainty and ensure that employers provide a manageable and organized reporting system for whistleblowers. Employers must provide appropriate instructions and documentation of internal reporting offices, with penalties for failing to meet these requirements. The HinSchG also requires the following: setting up and organization of internal reporting offices, identifying an appropriate and competent responsible authority, safe reporting channels, confidentiality and secrecy obligations, and deadlines for providing information and documentation obligations.
Employers must prepare appropriate instructions and proper documentation and information about the process, and penalties apply if they fail to meet the requirements.
Setting up and organization of internal reporting offices
Under the HinSchG all companies with at least 50 employees, and all companies in the financial and insurance sectors and public offices, regardless of the number of employees, are obliged to set up an internal reporting office which the employees may make reports to. In future, these offices will be responsible for operating the reporting channels (which will be set up later), checking the validity of the information and taking follow-up actions (for instance, internal investigations, contacting the affected people and departments). The HinSchG also stipulates the implementation of external reporting offices for specific federal and state authorities. Thus, the draft bill provides for two alternative ways of reporting – the whistleblower is at liberty to choose either.
Appropriate and competent responsible authority
At least one appropriate and competent person (such as the head of the compliance department, the integrity officer, the head of the legal department, the data protection officer or the audit officer) should be identified as the internal reporting officer. Their competence must be ensured by the employer by means of appropriate training. A third party may also be entrusted with the tasks of the internal reporting office. Internal reporting offices may, for instance, employ an ombudsperson or even external lawyers.
Safe reporting channels
The HinSchG obligates employers to ensure the safety and dependability of the internal reporting channels. Whistleblowers should be able to make a report at any time, in writing and/or verbally by telephone or any other method of voice communication. Anonymous reports can, but do not have to, be processed. In addition, it should be possible to request to arrange a meeting with the internal reporting office member responsible for receiving the information.
Confidentiality and secrecy obligations
Internal reporting offices are under a strict obligation to maintain confidentiality. The identity of the whistleblower must be protected, which means that all information that may allow inferences to be drawn regarding the whistleblower’s identity must be kept confidential. This protection also applies with regard to the people who are the subject of the reporting. Such people are not to be provided with any information, nor do they have any right of access under data protection law. However, legal exceptions to the confidentiality obligation are applicable in the case of whistleblowers who provide incorrect information wilfully or as a result of gross negligence. Furthermore, the information may be shared with law enforcement authorities upon request, or be disclosed in subsequent administrative proceedings or on the grounds of a court order where the whistleblower must be informed of the disclosure in advance.
Deadlines, obligation to provide information and documentation obligation
Employees need to be provided with information about alternative external reporting channels and the relevant reporting processes of the EU institutions, bodies, and agencies so that whistleblowers are able to exercise their right to chose the reporting channel they use. The information should be clearly understandable and easily accessible. Upon receiving a report, the internal reporting offices are obliged to inform the whistleblower that their report has been received within 7 days. After three months, the whistleblower should be provided information about the subsequent actions taken or planned and the reasons thereof, the status of the internal investigations and/or their outcomes. At the same time, the reports received and the entire process up to its conclusion should be documented in detail.
Prohibition of retaliation and reversal of the burden of proof
Provided a whistleblower proceeds in accordance with the regulations under the HinSchG, it is prohibited to impose, attempt or threaten retaliation against them. This includes discrimination such as dismissal, demotion, disciplinary actions and also damage to the whistleblower’s reputation. In the event of a dispute, this protection will also apply when dealing with the government authorities and courts. If such an action is taken after a report or disclosure has been made, any future discrimination would be assumed to be reacting to the whistleblowing in favour of the whistleblower. It would be for the employer to prove otherwise.
Penalties in the event of breaches
Serious penalties may be levied in the event of breaches of the provisions of the new HinSchG. A fine of up to 20,000 euros may be imposed in case no internal reporting office is set up, or if such office does not come up to the required standards. A fine of up to 100,000 euros may be imposed for hindering or attempting to hinder reporting. The same applies if unjustified retaliation is taken against a whistleblower or if the identity of a whistleblower is jeopardised through a breach of confidentiality. If no action is taken, even after reporting, the whistleblower may also publicly disclose the information under the protection of the HinSchG.
Compensation in the event of false information
Making false reports can have far-reaching consequences and the repercussions can rarely be fully undone. If an incorrect report or disclosure is made wilfully or as a result of gross negligence, the draft bill provides for compensation claims to be filed by the affected parties.
The new Whistleblower Protection Act marks an important step forward in the protection of whistleblowers in Germany. It aims to create a safe and supportive environment for those who wish to report or disclose violations of law, and to ensure that those who do so are not penalized for their actions. Employers will need to prepare themselves for the new regulations and take the necessary steps to ensure that their internal reporting systems are compliant. With the Act set to come into force in early 2023, it is important for employers to act quickly to ensure that they are fully prepared.