Data Protection Academy » Data Protection News » Whistleblower Protection Act
HinSchG - Whistleblower Protection Act: national implementation of the EU Whistleblower Directive
The Whistleblower Protection Act (HinSchG) is the German transposition of the EU Whistleblower Directive. Both laws aim to improve the protection of whistleblowers and to implement the Directive on the protection of persons who report infringements of Union law. The Whistleblower Protection Act prohibits any sanctions, reprisals and retaliation against whistleblowers. The German Whistleblower Protection Act has been in force since 02 July 2023. Companies with 50 or more employees must implement a reporting system by December.
Most important information about the Whistleblower Protection Act
- The Whistleblower Protection Act (HinschG) is the national translation of the EU Whistleblower Directive of the EU
- EU member states had to transpose the EU Whistleblower Directive into law at national level by 17 December 2021
- The Whistleblower Protection Act came into force in Germany on 02 July 2023.
- The HinschG protects whistleblowers in the form of natural persons who have obtained information about violations in their professional environment
- Companies with between 50 and 249 employees must establish an internal whistleblower reporting office by 17 December 2023.
- Companies from risk areas (e.g. investment services companies, capital management companies) must implement an internal reporting office regardless of the number of employees.
Content on the topic of the Whistleblower Protection Act:
Important links:
Whitepaper Implementing the Whistleblower Protection Act and the Reporting Office in a Court-Proof Manner
In the white paper Whistleblower Protection Act and Reporting Office, you will find:
- Background to the Emergence of the Whistleblower Protection Act and the Current status
- Duties for companies and the Procedure for internal messages
- The Requirements for reporting points and the Message contents
- Information on Fines
- You will find an Checklist to work off
What is the German Whistleblower Protection Act (HinschG)?
The Whistleblower Protection Act (HinSchG) is the German transposition of the EU Whistleblower Directive. Both laws aim to improve the protection of whistleblowers and to implement the Directive on the protection of persons who report infringements of Union law. The Whistleblower Protection Directive prohibits any sanctions, reprisals and retaliation against whistleblowers.
With the entry into force of the HinSchG, companies with 50 or more employees are obliged to set up a reporting system for legal violations in their daily work. The tasks and admissibility of whistleblowers or whistleblowers had not been clearly clarified in law until the HinSchG came into force on 02 July 2023. In court proceedings, whistleblowing incidents have so far been judged according to the principle of consideration pursuant to § 241 II BGB:
According to its content, the obligation may oblige each party to have regard to the rights, legal interests and interests of the other party.
The Principle of consideration requires employees to report violations internally. When whistleblowers have come forward with such violations, courts have often ruled that the duty of consideration has been violated. The relationship between the public interest in publishing violations and the corporate interest in not publishing them was thus shifted in favour of companies. Whistleblowers came into conflict with contractual obligations and had to fear reprisals. The EU Whistleblower Directive provides legal clarity on which interest is to be protected as a priority. The draft Whistleblower Protection Directive takes effect at the national level and aims to encourage whistleblowers to disclose violations.
Whistleblower Protection Act - current status
The EU member states had to transpose the EU Whistleblower Directive into a law at national level by 17 December 2021. In connection with the EU Whistleblower Directive, there was already a push in Germany in 2019 with the "Act on the Protection of Business Secrets" (GeschGehG) in the area of whistleblower protection. Germany failed to meet the 17 December 2021 deadline for implementation and was subsequently sued by the European Commission. As a result, a mediation committee was convened to reach an agreement between the Bundestag and Bundesrat. The Whistleblower Protection Act (HinschG) has been in force in Germany since 02 July 2023.
Scope of application
The Whistleblower Protection Act first protects all persons who report or disclose violations as well as persons who are the subject or affected by such reports or disclosures. The essential contents of these reports / disclosures are information about:
- Violations that are punishable by law,
- Violations that are subject to a fine, insofar as the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies,
- other violations of federal and Land legislation and directly applicable legal acts of the European Union and the European Atomic Energy Community
What obligations do companies have?
Companies must set up an internal reporting office, depending on the size of the company. This reporting office is also referred to as a whistleblower system. A whistleblower system is used by so-called whistleblowers to report anonymous information about violations. A whistleblower system is to be understood as a confidential communication channel or reporting channel provided by the company, organisation or public body.
Companies with a maximum of 49 employees
Companies with a maximum of 49 employees have No obligation to set up an internal reporting office. However, the voluntary establishment of a whistleblower system offers an alternative to external reporting and also the opportunity to protect internal processes.
Companies with 50 to 249 employees
Companies with 50 or more employees and up to 249 employees must introduce internal hotlines by 17 December 2023.
Companies with 250 or more employees
Companies with more than 250 employees must provide an internal reporting office when the Whistleblower Protection Act comes into force on 02 July 2023.
Obligated enterprises regardless of the number of employees
Companies from risk areas must implement an internal reporting office regardless of the number of employees. These areas include, among others:
- Investment services company
- Data provision services within the meaning of the Securities Trading Act,
- Exchange operating company within the meaning of the Stock Exchange Act,
- Institutions within the meaning of the German Banking Act and within the meaning of the German Securities Institutions Act,
- Capital management companies and
- Undertakings under the Insurance Supervision Act
Municipalities and municipal enterprises
When setting up and operating internal hotlines, municipalities and municipal enterprises must comply with the provisions of the respective National law direct. The regulations of the Laender implemented so far require the establishment of reporting offices at the municipal level. This does not apply to municipalities and districts with less than 10,000 inhabitants or with less than 50 employees as well as public corporations with less than 50 employees.
What do companies now need to know about the Whistleblower Protection Directive?
The Whistleblower Protection Act provides for three reporting channels:
- The Internal Reporting Office according to §§ 12 ff. HinSchG is the reporting office of the company
- The external reporting point according to §§ 19 ff. HinSchG is the reporting office of the state. The federal government establishes an office for external reports at the Federal Office of Justice (external reporting office of the federal government). For violations in the financial sector, the Federal Financial Supervisory Authority (BaFin) is responsible as an external reporting office. Further external reporting offices can be set up at Land level.
- The Disclosure of information according to § 32 HinSchG offer another possibility for whistleblowers. This means passing on information to the public (e.g. press, media, networks). Whistleblowers can choose this channel if reports via other reporting channels are unsuccessful.
Requirements for reporting points:
§ 8 HinschG
- Reporting offices must maintain the confidentiality of the whistleblower and the person affected by the report.
§ 11 HinschG
- Reporting offices shall comply with the documentation obligation in a permanently retrievable manner while observing the confidentiality requirement.
- Hotlines shall comply with the deletion period of three years, documentation may be kept longer to meet requirements under this Act or other legislation for as long as necessary and proportionate.
§ 16 HinschG
- Reporting offices offer the possibility to report in writing or orally, on request also by meeting in person.
- A hotline may be established by entrusting an employed person, a work unit consisting of several employed persons or a third party.
- Reporting channels may be open to persons who are in contact with the company in the course of their work (e.g. suppliers, customers) and who are not employees.
- There is no obligation to set up anonymous reporting channels.
- Reporting channels shall be designed in such a way that only the persons responsible for receiving and processing the reports and the persons assisting them in the performance of these tasks have access to the incoming reports.
Have messages.
Comply with the documentation obligation
Since 02 July 2023, companies are obliged to implement internal reporting points. As a result, companies must document incoming reports and be able to prove the documentation in the event of an audit. With Robin Data ComplianceOS, document not only the implementation of the internal reporting point, but also incoming reports, measures taken and compliance with deletion deadlines. Find out about the advantages and the process with Robin Data.
Procedure for internal messages
The internal reporting office must, in accordance with §17 HinschG:
- confirms receipt of a report to the person providing the information after seven days at the latest,
- shall examine whether the reported infringement falls within the material scope of application pursuant to § 2,
- keeps in contact with the person who gave the tip,
- checks the validity of the message received,
- requests further information from the person providing the tip-off, if necessary; and
- shall take appropriate follow-up measures in accordance with § 18.
Outsourcing of whistleblower protection systems to third parties
Pursuant to section 14 (1) HinschG, third parties may be entrusted with the tasks of an internal reporting office. Suitable external third parties are, for example, lawyers, consultants, auditors and trade union or employee representatives. These persons may assist in the implementation of measures as a result of a report or a violation, but the duty remains with the company.
Commission Robin Data as a reporting office within the meaning of the Whistleblower Protection Act
Robin Data will set up a reporting office for you through which whistleblowers can submit reports by e-mail or telephone. A dedicated email address and telephone number will be provided for this purpose. We take care of the documentation of the reports and their handling in our ComplianceOS solution.
Whistleblower protection
The protective measures are regulated in section 4 of the HinSchG.
Conditions for the protection of persons providing information
- Internal or external reporting or permissible disclosure
- reasonable grounds to believe that the information reported or disclosed is true
- Information concerns violations within the scope of application of the HinSchG or sufficient reason to believe that this is the case
Prohibition of reprisals
Reprisals or even the threat of reprisals against whistleblowers are prohibited. Reprisals are unjustified disadvantages, e.g. dismissal, denial of promotion, discrimination, mobbing or non-renewal of employment contracts.
Reversal of the burden of proof
The reversal of the burden of proof is to be understood as a safeguard for the whistleblower. If a whistleblower is subject to reprisals after making a report, it is assumed in his or her favour that these reprisals were enforced as a consequence of the report.
The company must prove that there is no connection between the reprisals and the report. The burden of proof is therefore on the company.
Damages
Compensation after reprisals
In the event of a violation of the prohibition of reprisals, the perpetrator is obliged to compensate the person giving the indication for the resulting damage.
Compensation after false report
The whistleblower is obliged to compensate the damage resulting from a deliberate or grossly negligent report or disclosure of incorrect information.
Sanctions and rules on fines
The rules on fines are set out in § 40 HinschG is regulated.
| It is an offence to | Fines |
|---|---|
| ...knowingly discloses incorrect information. | Up to 20,000 euros |
| ...obstructs a message or communication mentioned there. | Up to 50,000 euros |
| ...does not ensure that an internal reporting centre is established and operated. | Up to 20,000 euros |
| ...forbidden to take reprisal. | Up to 50,000 euros |
| ...wilfully or recklessly fails to maintain confidentiality. | Up to 50,000 |
Note
Pursuant to section 42, subsection 2, the fine of up to 20,000 euros for failing to establish or operate an internal reporting channel shall not take effect until the 1 December 2023 in force. So for that long, there is no threat of a fine due to a lack of equipment or operation.
Video on the Whistleblower Protection Act
The German Whistleblower Protection Act has been in force since 02 July 2023. The Whistleblower Protection Act is the German implementation of the EU Whistleblower Directive. Both laws are about better protection of whistleblowers as well as the implementation of the Directive on the Protection of Persons Reporting Breaches of Union Law. The Whistleblower Protection Act prohibits any sanctions, reprisals and retaliation against whistleblowers.
Organisations with 50 or more employees must implement a reporting system by December. Find out exactly what this obligation means for organisations and what solutions Robin Data offers in the video on the Robin Data Hack from 13.09.2023.
Conclusion and recommendation for the implementation of the HinSchG
The Whistleblower Protection Act came into force on 2 July 2023. At the latest now, companies must deal with the establishment of internal reporting offices. It is also important to make the activities carried out verifiable through documentation.
Whistleblower systems are components of a CMS and provide more legal certainty in the company overall. Companies that have not yet established a compliance management system (CMS) should consider the implementation of the Whistleblower Protection Act as an opportunity to address this issue.
In addition to the introduction of a whistleblower protection system or compliance management system, companies / organisations or authorities should define persons who process and respond to reports received. Ideally, the responsible persons also deal with the translation of the requirements of the Whistleblower Protection Act into corresponding processes.
This is also to prevent whistleblowers from making reports public after deadlines have been missed. It is also important to make internal reporting points attractive so that whistleblowers prefer this channel to external reporting. Confidence-building and transparency-promoting measures, such as easily accessible reporting channels and the anonymous submission of reports, should be considered attractive. Inform your staff extensively about the use of whistleblowing systems and the possibilities of the different reporting channels.
Robin Data ComplianceOS® Field Whistleblower Protection
Implement the requirements of the Whistleblower Protection Act in a structured manner with Robin Data ComplianceOS®. Commission us as a reporting office or use our ComplianceOS solution to implement the documentation requirements. Please contact us if you are interested or have any questions.
- DSMS according to GDPR: Structure & practical implementation - 23 April 2025
- AI and data protection in practice - 7 April 2025
- AI REGULATION: Regulation of artificial intelligence - 27 January 2025
This might interest you too:
https://media.robin-data.io/2022/05/23150314/Drittlaender.jpg
343
685
Nadine Porrmann
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Nadine Porrmann2023-01-02 17:16:212025-03-24 13:40:35The Supply Chain Act (LkSG)
https://media.robin-data.io/2022/05/23150307/Betroffenenrechte.jpg
343
685
Caroline Schwabe
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Caroline Schwabe2021-08-02 13:46:382025-03-24 13:40:19What is the TTDSG or TDDDG?
https://media.robin-data.io/2022/05/23150314/Drittlaender.jpg
343
685
Caroline Schwabe
https://media.robin-data.io/2022/07/05140916/Robin-Data_ComplianceOS_white_logo.png
Caroline Schwabe2021-06-10 13:26:032025-03-24 13:39:06The new EU standard contract clauses
