Data Protection Academy » Data Protection News » Whistleblower Protection Act
Whistleblower Protection Act: national implementation of the EU Whistleblower Directive
The Whistleblower Protection Act (HinSchG) is the German transposition of the EU Whistleblower Directive. Both laws aim to improve the protection of whistleblowers and to implement the Directive on the protection of persons who report infringements of Union law. The Whistleblower Protection Directive prohibits any sanctions, reprisals and retaliation against whistleblowers. Currently, no final German law on whistleblower protection according to the EU Whistleblower Directive has been passed. However, EU members have a deadline of 17 December 2021 to transpose the EU Directive into national law. Companies are therefore well advised to deal with the current draft of the Whistleblower Protection Act. It foreshadows a multitude of obligations that companies with 250 or more employees must implement by 17 December 2021 and companies with 50 to 249 employees by 17 December 2023.
Most important information about the Whistleblower Protection Act
- The Whistleblower Protection Act (HinSchG-E) is the national translation of the EU Whistleblower Directive of the EU
- EU member states had to transpose the EU Whistleblower Directive into law at national level by 17 December 2021
- The HinSchG-E protects whistleblowers in the form of natural persons who have obtained information about violations in their professional environment.
- Whistleblowers can freely choose between an internal and an external reporting channel, thus the requirement of consideration according to § 241 II BGB no longer becomes the basis for decision-making for courts
- As long as whistleblowers observe and comply with the requirements of the HinSchG-E when publishing information, they will be protected from dismissal or other disadvantages.
- The HinSCHG-E obliges companies with 250 or more employees to set up a whistleblower reporting system, companies with 50 to 249 employees have an extended deadline until 17 December 2023
Content on the topic of the Whistleblower Protection Act:
What is the German Whistleblower Protection Act (HinSchG-E)?
The Whistleblower Protection Act (HinSchG) is the German transposition of the EU Whistleblower Directive. Both laws aim to improve the protection of whistleblowers and to implement the Directive on the protection of persons who report infringements of Union law. The Whistleblower Protection Directive prohibits any sanctions, reprisals and retaliation against whistleblowers.
When the HinSchG comes into force, companies with 250 or more employees will have to set up a mandatory reporting system for legal violations in their daily work. From 2023, legal requirements are also expected for 50 or more employees. The tasks and admissibility of whistleblowers had not yet been clearly clarified in law. In court cases, whistleblowing incidents were judged according to the principle of consideration pursuant to § 241 II BGB:
According to its content, the obligation may oblige each party to have regard to the rights, legal interests and interests of the other party.
The Principle of consideration requires employees to report violations internally. When whistleblowers have come forward with such violations, courts have often ruled that the duty of consideration has been violated. The relationship between the public interest in publishing violations and the corporate interest in not publishing them was thus shifted in favour of companies. Whistleblowers came into conflict with contractual obligations and had to fear reprisals. The EU Whistleblower Directive provides legal clarity on which interest is to be protected as a priority. The draft Whistleblower Protection Directive takes effect at the national level and aims to encourage whistleblowers to disclose violations.
What is the current status of the Whistleblower Protection Directive?
The EU member states had to transpose the EU Whistleblower Directive into a law at national level by 17 December 2021. In connection with the EU Whistleblower Directive, there was already a push in Germany in 2019 with the "Act on the Protection of Business Secrets" (GeschGehG) in the area of whistleblower protection. The new coalition of SPD, Greens and FDP has already positioned itself in favour of the Whistleblower Protection Act, but has not met the deadline of 17 December 2021 for implementation.
Federal Council does not approve Whistleblower Protection Act
On 10 February 2023, the Bundesrat announced in a briefing that the Federal Government's draft bill for a Whistleblower Protection Act had not received the necessary approval.
The European Commission calls on Germany to implement correctly
On 27 January 2022, the European Commission sent a letter of formal notice to Germany for failure to transpose the Directive. The official note on this can be found on the Website of the EU Commission of 09 February 2022 under item 4 "Justice.
The deadline for transposing the directive in Germany passes
As the new law was not adopted by the deadline of 17 December 2021, whistleblowers can rely on the EU Directive.
Draft bill on whistleblower protection fails
The draft bill of the Federal Ministry of Justice and Consumer Protection on the Whistleblower Protection Act failed in the grand coalition in April 2021.
Draft bill on the Whistleblower Protection Act emerges
At the end of 2020, there was already a draft bill of the Federal Ministry of Justice and Consumer Protection on the Whistleblower Protection Act.
Law on the protection of trade secrets is passed
With the "Act on the Protection of Business Secrets" (GeschGehG), Germany achieved a first advance in the area of whistleblower protection.
EU Whistleblower Directive enters into force
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting infringements of Union law was adopted on 23 October 2019 and entered into force on 16 December 2019. Member States have until 17 December 2021 to transpose the Directive into national law.
Definition and scope of application
Scope of application
The Whistleblower Protection Directive distinguishes between the personal scope of application (section 1) and the factual scope of application (section 2).
The personal scope of application is regulated in Section 1 HinSchG-E and defines who is protected by the Whistleblower Protection Directive. On the one hand, these are natural persons who have obtained information about violations in connection with their professional or official activities and report or disclose such information to the reporting bodies provided for under this Act ("whistleblowing persons"). In addition, natural persons who are the subject of a report or disclosure, as well as other persons affected by a report or disclosure (i.e. persons accused of misconduct, for example) are also protected. Natural persons from the private sphere are not protected.
Material scope of application
The scope of application includes all reports of violations of laws, ordinances and other regulations of the Federation and the Länder as well as directly applicable legal acts of the European Union. A precise list can be found in § 2 HinSchG-E. The legal areas are extended to corresponding national law, including criminal law and the law on administrative offences.
- EU Whistleblower Directive: Directive of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report infringements of Union law. It is the basis for the implementation of the Whistleblower Protection Directive in Germany.
- Whistleblower Protection Act (also Whistleblowing Directive): Law on better protection of whistleblowers and on the implementation of the Directive on the protection of persons reporting infringements of Union law
- Whistleblowers and whistleblowers: Natural persons who have obtained information about violations in the course of their professional activities and pass it on to the internal or external reporting bodies.
- Whistleblowing: Communication and publication of information on violations in companies.
- Messages:Reports are notifications of information on infringements to internal reporting bodies or external reporting bodies.
- Internal message: the oral or written communication of information on violations within a legal person of the private or public sector;
- External message: the oral or written communication of information on infringements to the competent authorities;
- Reprisals: direct or indirect acts or omissions in a professional context that are triggered by an internal or external report or disclosure and that cause or may cause the whistleblower to suffer an unjustified disadvantage;
What obligations do companies have?
Establishment of a whistleblower system
A whistleblowing system is used by whistleblowers to report anonymous information about violations. A whistleblowing system is to be understood as a confidential communication channel or reporting channel provided by the company, organisation or public body.
- Since 17 December 2021, the companies and organisations with 250 or more employees Provide internal reporting points
- Companies and organisations from 50 and up to 249 employees must introduce internal reporting offices by 17 December 2023 (according to § 12 HinschG-E para. 2 and § 41 HinschG-E)
- For services of municipalities and municipal associations This shall only apply in accordance with the respective Land law.
Further obligations of internal reporting offices
- Appointment of an "impartial person or department" to process and respond to whistleblower reports (section 16 HinschG-E para. 1)
- Compliance with a seven-day deadline after receipt of a tip by the internal reporting office, by confirming receipt of the report to the whistleblower (section 17 HinschG-E para. 1)
- Compliance with a three-month period after confirmation of receipt by the internal reporting office, by providing feedback on measures taken/reactions to the whistleblower (section 27 HinschG-E para. 2).
- Allowing written and oral reports (§ 16 HinschG-E para. 3)
- Allowing a "physical meeting" at the whistleblower's request (section 17 HinschG-E para. 3)
What do companies now need to know about the Whistleblower Protection Directive?
Introduction of a two-tier reporting system: internal and external reporting channels
The EU Whistleblower Directive provides for reporting (definition under Definitions) through two legally equivalent reporting systems. Reporting channels must in particular guarantee confidentiality, anonymity and data protection. Further obligations are listed under 5.1.
- A internal reporting channel is an electronic whistleblowing system in the company or organisation, for example. HinSchG-E lists the requirements for internal reporting channels.
- Rules on external signalling channels are contained in §§ 19-30 HinSchG-E; a central reporting office at federal level is envisaged. Its organisation is to be subject to the Federal Data Protection Commissioner. In the case of breaches in the financial sector, the Federal Financial Supervisory Authority (BaFin) is responsible as an external reporting office. The tasks of external reporting offices are more extensive than those of internal reporting offices; among other things, information and advisory duties are offered.
- The disclosure of information (§ 31 HinSchG-E) offer another possibility for whistleblowers, which means public information to the press, media or social networks. Whistleblowers can choose this channel if they do not receive a response to reports via the other two reporting channels.
Whistleblowers have a right to choose between internal and external reporting channels
Whistleblowers are free to decide whether they want to submit reports via internal or reporting channels. Thus, whistleblowers are free to decide whether they communicate reports via an internal or external reporting channel. Before the Directive came into force, Germany had a "Rücksichtnahmegebot", which required employees to report violations internally first. Section 7 of the Whistleblower Protection Act recommends incentives for the use of internal systems.
There should be no obligation to process anonymous tips
However, the legislator does not want to make it compulsory to follow up on anonymous reports. This is especially to prevent the system from being overloaded and denouncing reports.
Protection of whistleblowers from reprisals
The protective measures are regulated in §§ 32-38 ff. HinSchG-E. Exemplary reprisals (for the definition of the term) are dismissals or disciplinary measures. Violations of the Directive are punishable as administrative offences under section 39 HinSchG-E.
As required by the EU Whistleblower Directive, the Whistleblower Protection Act is intended to shift the burden of proof. This means that employers have the burden of proving that there is no link between a reprisal such as dismissal and the reporting of a violation.
Fines for violations of the prohibition of reprisals
Violations of the Directive are punishable as administrative offences according to § 39 HinSchG-E. Administrative offences can be punished with a fine of 20,000 euros up to 100,000 euros.
Conclusion and recommendation for the implementation of the HinSchG-E
Currently, no final law on whistleblower protection under the EU Whistleblower Directive has been adopted. Nevertheless, members of the EU had to transpose the Directive into national law by 17 December 2021. Companies are therefore well advised to deal with the EU Directive. It foreshadows a multitude of obligations that companies with more than 250 employees will have to implement by 17 December 2021 and companies with 50 to 249 employees by 17 December 2023.
Companies that have not yet established a compliance management system (CMS) should consider the implementation of the Whistleblower Protection Act as an opportunity to address this issue. Whistleblower systems are components of a CMS and provide more legal certainty in the company overall.
In addition to the introduction of a whistleblower protection system or compliance management system, companies / organisations or authorities should define persons who process and respond to reports received. Ideally, the responsible persons also deal with the translation of the requirements of the Whistleblower Protection Act into corresponding processes. In particular, the timely acknowledgement and reaction to reports, the feedback on measures taken and the facilitation of physical meetings should be implemented in terms of processes.
This is also to prevent whistleblowers from making reports public after deadlines have been missed. It is also important to make internal reporting points attractive so that whistleblowers prefer this channel to external reporting. Confidence-building and transparency-promoting measures, such as easily accessible reporting channels and the anonymous submission of reports, should be considered attractive. Inform your staff extensively about the use of whistleblowing systems and the possibilities of the different reporting channels.
- The activity report according to the GDPR - 4 March 2022
- Erasure concept according to the GDPR - 17 December 2021
- Whistleblower Protection Act - 7 December 2021