German Whistleblower Protection Law Brings New Obligations for Companies - What Employers Need to Know Now

6 minute read | May.24.2023

Deutsch: Das Hinweisgeberschutzgesetz kommt – Was Arbeitgeber jetzt wissen müssen

With a delay of almost one and a half years, the German legislator has implemented the so-called Whistleblower Directive (Directive (EU) 2019/1937) into German law: In mid-December 2022, the German Bundestag had passed the Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG) in the version proposed by the Legal Committee. The Bundesrat did not approve the law in February 2023. However, on May 12, the Bundesrat has now approved the bill after the original bill was amended in the mediation committee. The law will enter into force in mid-June 2023.

Companies must now immediately review the implementation of whistleblower systems. Failure to do so could result in heavy fines.

What is at Stake?

In the past, German law did not provide any specific protection for whistleblowers or rules on how companies should deal with reports of violations of the law. There was only a ban on disciplinary action: the employer was not allowed to discriminate against an employee by any agreement or measure if the employee exercised his or her rights in a lawful manner. This included reporting violations of the law. However, reports by employees to the press or to authorities about (alleged) violations and grievances against the employer could also lead to dismissal.

The Directive and its implementation in the HinSchG are now intended to provide better protection for whistleblowers who report violations of laws and regulations. This is to be ensured by internal reporting bodies within the companies and external reporting bodies at third parties, as well as the provision of appropriate reporting channels. However, whistleblowers should prefer to use internal reporting channels in the first instance if there is a case where effective internal action can be taken to address the violation.

Which Companies are in Scope?

  • Employers with 50 or more employees must establish internal mechanisms. This obligation will apply from the date of entry into force of the Act, i.e., one month after promulgation. However, even companies with fewer than 50 employees should also consider voluntarily implementing internal whistleblower systems to avoid reports that could potentially jeopardize their reputation.
  • Certain relief is available to mid-sized companies with 50 to 249 employees: They may establish and operate a joint central reporting office and, as an exception, have a grace period until December 17, 2023, to implement these reporting channels. For companies with more than 249 employees, however, the HinSchG will apply immediately after its entry into force, i.e., from mid-June 2023, without a transition period.
  • For companies that are part of a group, it is assumed that an independent and confidential body can also be established in another group company that is responsible for several group companies. For multinationals, this is good news, but it is questionable whether this group privilege is consistent with the Directive’s requirements. The EU Commission strongly denied that such centralized systems were in line with the Directive.

In addition to these reporting offices, there will also be contact points at the Federal Office of Justice, the Federal Financial Supervisory Authority, and the Federal Cartel Office.

Which Violations are Covered by the HinSchG?

The material scope of application of the HinSchG goes far beyond the Directive. While the Directive only covers violations in certain European legal and political areas, the material scope of application of the HinSchG goes beyond this and covers all violations of the law that are subject to penalties and fines.

For example, reports of the following violations are covered:

  • Violations of EU law
  • Violations of national criminal law
  • Violations of regulations that are punishable by fines and that are designed to protect life, limb, and health or to protect the rights of employees or their representatives.

Who is Protected?

Whistleblowers are any natural persons who, in the course of or in preparation for connection their professional activities, become aware of violations of law and report or disclose such information to the reporting channels provided for by law.

Thus, whistleblowers are understood to include, among others, employees, shareholders, employees of suppliers and persons who became aware of violations prior to commencing their employment. This broad scope is consistent with the Directive’s requirements.

The whistleblower is protected only if, at the time of the report, he or she had reasonable grounds to believe that a violation had occurred and that the reported violation fell within the scope of the HinSchG. As long as the report is made in good faith, the protection is not lost if it turns out later that a violation did not actually occur.

How Does this Protection Work in Practice?

  • Anonymous reporting channels should be established, and anonymous reports should be processed – but there is no legal obligation to do so.
  • No (threat of) retaliation: The person making the report must not suffer any disadvantage as a result of the report. This includes, in particular, sanctions under employment law such as transfer, pay cut, warning or dismissal, but also, for example, refusal to renew a fixed-term employment contract or to participate in further training. If there has been a retaliation against the whistleblower, they can claim damages from the employer.
  • Presumption rule: If a whistleblower suffers a detriment in connection with his or her job following a report, it is presumed that this detriment is a prohibited retaliation, if the whistleblower asserts this himself or herself. In this case, the employer has the burden of proving that the detriment was not caused by the whistleblowing. If the employer fails to do so, the action is invalid, and the employee may be entitled to damages. In addition, the employer may be liable for a fine of up to EUR 50,000.
  • Claim for damages of the whistleblower in case of violation of the non-retaliation rule.

Response Obligations Following a Report

The HinSchG establishes certain response obligations following a report, including:

  • Internal reporting offices must acknowledge receipt of a report to the person making the report within seven days.
  • Documentation of reports
  • Verifying the validity of the report
  • Take appropriate follow-up action
  • Within three months of acknowledging receipt of the report, the whistleblower must be informed of the action taken and planned.

To-Do's for Employers

The threat of fines of up to EUR 50,000, with the possibility of even higher fines if certain conditions are met, is the main reason why employers should address this issue and implement whistleblower protection systems if they do not already exist. This is particularly true for companies with more than 249 employees, for which no transition period is provided. Existing systems will need to be reviewed to ensure they meet the legal requirements.

Multinationals with entities in multiple EU member states should assess the local law requirements, given that the Directive gives EU member states some leeway in implementing its regulations. As a starting point, multinationals should be considering the legal requirement in their core markets first. In many cases these concepts can be used with some changes in other EU countries.

For advice on implementing a whistleblower protection system in Germany and other EU member states compliant with the new standards, please contact us.