Data Protection Academy » Data Protection Wiki » The Supply Chain Sourcing Obligations Act

Blue world map with graphics showing the flow of supply chains

The Supply Chain Act: Corporate obligations from 2023 onwards

The products we buy or use every day have sometimes gone through very long, globalised production and supply chains. The longer and more opaque these supply chains are, the more vulnerable they become to human rights violations or environmental degradation. With the aim of preventing these, the Supply Chain Sourcing Obligations Act (LkSG) or also comes into force in Germany on 1 January 2023.

A number of legal requirements arise from the Supply Chain Duty of Care Act. We have summarised in this article who exactly the Supply Chain Act applies to and what requirements affected companies will now have to meet.

Most important information on the Supply Chain Duty of Care Act (LkSG)

  • The Supply Chain Duty of Care Act applies to all larger companies based in Germany, regardless of their legal form:
    • since 01.01.2023 for companies with more than 3,000 employees in Germany.
    • from 01.01.2024 for companies with more than 1,000 employees in Germany.
  • Managing directors will be held more accountable for ensuring compliance with human rights and environmental due diligence in their company's supply chains.
  • The UN Guiding Principles on Business and Human Rights are to be implemented in a binding manner with the LkSG.
  • The legal requirements defined in the LkSG, refer to the entire value chain.The companies in question are affected by the crisis, i.e. both in their own business areas and those of their suppliers.

Whitepaper General Overview of the Supply Chain Act (LkSG)

Whitepaper: Implementing a Directory of Processing Activities in compliance with the GDPR

Download the white paper now and benefit:

  • All relevant requirements from the law at a glance
  • Explanation of the new Definitions
  • Important notes on the Implementation of due diligence

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

Background information: What does the German Supply Chain Sourcing Obligations Act say?

The Supply Chain Act obligates companies falling within its scope to adequately observe due diligence obligations with regard to human rights and the environment in their supply chains. The legal obligations of the companies concerned depend on their actual possibilities of influence and specifically relate to three areas of influence:

  • a business area of its own,
  • the actions of a contracting party, and
  • the actions of other (indirect) suppliers.

The due diligence obligations of companies include:

  • Establish a risk management system and conduct a risk analysis
  • Adoption of a policy statement of the corporate human rights strategy
  • Anchoring prevention measures
  • Immediately take corrective action in case of identified violations
  • Establishment of a complaints procedure
  • Documentation and reporting obligation for the fulfilment of due diligence obligations

Why was the Supply Chain Duty of Care Act passed?

In order to improve the international human rights situation, the Federal Government in 2016 had the National Action Plan on Business and Human Rights (NAP) was adopted. Based on the United Nations Guiding Principles on Business and Human Rights, it was intended to promote the sustainable and socially just design of global supply chains and for the first time placed companies in the focus of responsibility. In the NAP, the German government formulated the expectations of German companies that they observe human rights in an appropriate manner (i.e. in accordance with their size, sector and position) in their value and supply chains.

This action plan was a voluntary commitment. However, it turned out that less than 20% of the larger companies actually fulfilled these due diligence obligations. This prompted the German government to make companies legally responsible. Thus, the Supply Chain Due Diligence Act was passed on 22 July 2021.

Areas of application of the Supply Chain Act

How is a Supply chain defined according to LkSG?

The Supply Chain Sourcing Obligations Act applies along the entire supply chain of an affected company. The supply chain refers to all products and servicesthat the company offers. All production steps, from the extraction of raw materials to delivery to the end customer, are to be considered internationally.

The term "supply chain" is interpreted very broadly in the LkSG. Thus, services used, such as transport or intermediate storage of goods, and even auxiliary processes such as cleaning services or even office supplies fall within the scope of consideration.

However, the risk assessments that the company concerned must carry out depend on the actual sphere of influence of the company and are based on the principle of appropriateness. Thus, companies should first focus on direct suppliers and also primarily on the material risks (prioritisation). In the event of a human rights violation in the supply chain, the company concerned does not have to expect sanctions if it makes reasonable efforts.

If, however, a company has concrete indications that suggest a violation of the due diligence obligations of an indirect supplier, it must definitely take action there as and when required.

Which human rights are protected?

The Supply Chain Sourcing Obligations Act is directly oriented towards the UN Guiding Principlesin which human rights are laid down. The law defines typical supply chain risks to which attention must be paid when fulfilling due diligence obligations.

These include, among others:

  • the prohibition of child labour
  • the protection against slavery and forced labour
  • freedom from discrimination
  • protection against unlawful land confiscation
  • occupational health and safety and related health hazards
  • the prohibition of the withholding of a reasonable wage
  • The right to form trade unions or workers' representatives.
  • the prohibition of causing harmful soil or water pollution
  • the protection against torture

In addition Environmental risks taken into accountthat lead to human rights violations, e.g. in the case of emissions of substances that are hazardous to humans and the environment. The Supply Chain Act takes up three international conventions on certain environmental obligations:

  • the Minamata Convention on Mercury
  • the Stockholm Convention on Persistent Organic Pollutants
  • the Basel Convention on Transboundary Movements of Hazardous Wastes and their Disposal

To which companies does the Supply Chain Due Diligence Act apply and from when?

The law applies from 01 January 2023 for companies with registered office or branch in Germanywhich employ 3,000 workers in Germany. From 1 January 2024, the legal requirements of the Supply Chain Compliance Obligations Act will also apply to companies with 1,000 or more employees in Germany.

In addition, the LkSG is also relevant for companies that do not fall within its direct scope of application. They can be indirectly affected if, for example, they are a supplier of a company that is directly responsible under the law. However, companies outside the scope of application of the Supply Chain Due Diligence Act cannot be fined.

Service providers and suppliers should therefore prepare themselves at an early stage to meet the requirements of the LkSG in order to avoid competitive disadvantages.

Impact of the LkSG on SMEs

In principle, all companies are required to implement the due diligence obligations arising from the National Action Plan on Business and Human Rights (NAP). This also applies to those that do not fall directly within the scope of the LkSG.

The Supply Chain Sourcing Obligations Act now obliges Companies of a certain size to check their direct suppliers for compliance with due diligence obligations and to contractually oblige them to do so. This contractual obligation also results in requirements for many small and medium-sized enterprises (SMEs), e.g. to introduce effective monitoring mechanisms to verify compliance with human rights at direct suppliers.

However, the obligations arising from the Supply Chain Act cannot simply be passed on to suppliers, e.g. reporting obligations to BAFA and the public. A supplier also does not have to expect control measures or sanctions outside the legal scope of application. However, in order to maintain existing business relationships and contracts with larger companies, small and medium-sized enterprises must also provide the required evidence. Otherwise, business partners could terminate existing contracts in order to comply with their own due diligence obligations.

What due diligence obligations must companies implement?

Corporate obligations under the Supply Chain Sourcing Obligations Act

The Supply Chain Act imposes the following key obligations on affected companies:

1. Establishing a risk management system and carrying out risk analyses

With the Supply Chain Sourcing Obligations Act, affected companies are placed under the obligation to implement an effective risk management to implement. The risk analysis is the basis of an appropriate and effective risk management. As of the entry into force of the law, the companies concerned must regularly conduct a risk analysis once a year, i.e. also in the first business year. However, risk analyses may also be necessary several times a year for specific reasons. "Risk analyses are obligatory if the risk situation in the supply chains has changed significantly or there are concrete indications of a violation of due diligence obligations.

Pursuant to § 4 para. 4 LkSG, the interests of employees and of persons who may be affected in any other way by the economic activities of the enterprise must be taken into account when establishing and implementing risk management. The term "employees" is to be interpreted very broadly and also includes employed freelancers. "Persons who may otherwise be affected by the economic activities of the enterprise" may be, for example, neighbours or property owners.

Risks identified in the risk analysis within the meaning of the Supply Chain Act are to be avoided immediately by the company concerned through appropriate preventive measures.

2. Adoption of an policy statement

Pursuant to § 6 para. 2 sentence 2 LkSG, the company management must issue a policy statement and make it publicly accessible (e.g. on the company's homepage). The declaration of principles is the management's commitment to respecting social and ecological requirements and must contain all legally required elements completely and comprehensibly in one document. However, references to supplementary documents are possible in individual cases.

The policy statement must be actively communicated to employees, the works council if applicable, and direct suppliers. Passive provision is not permitted by law. In the case of suppliers, the general terms and conditions of delivery are a suitable way of implementing the communication obligation.

This legal requirement results in the task for the management to align and harmonise its own corporate principles with those required by law. The corporate strategy is therefore directly influenced by the Supply Chain Act.

3. Anchoring prevention measures

If relevant risks are identified, they must be countered immediately with preventive measures and according to the principle of appropriateness (i.e. prioritised) according to § 6 para. 1 LkSG. Preventive measures must always be taken when the risks become known in the own business unit or also within the supply chain.

In any case, immediate action must be taken in the following cases:

  • Risk management personnel whose knowledge and experience appear suitable in view of the company's risk profile to draw the company's attention to the risk in question (cf. § 4 para. 3 sentence 1 LkSG),
  • the company identifies a risk when taking into account the interests of the groups of people affected by the economic actions of a supplier in its supply chains (cf. § 4 para. 4 LkSG),
  • the company becomes aware of risks beyond the immediate supplier through an event-related analysis (cf. § 5 para. 4 LkSG),
  • the company becomes aware of risks when it formulates expectations of suppliers in the supply chain as part of the development of a policy statement (cf. § 6 para. 2 no. 3 LkSG),
  • strives for transparency in the supply chain as part of the development and implementation of appropriate procurement strategies and purchasing practices (§ 6 para. 3 no. 2),
  • appropriate measures are taken vis-à-vis direct suppliers within the meaning of § 6 para. 4 nos. 1 and 2 LkSG, or
  • if the company obtains substantiated knowledge within the meaning of § 9 para. 3 LkSG.

4. Taking remedial action

If a violation of the due diligence obligations under the LkSG becomes known, the company concerned must take immediate remedial action. In the event of a violation within the supply chain, companies are encouraged to first find joint solutions with the supplier before terminating the business relationship. After a grievance has been shut down by the remedial action, preventive measures should be taken to ensure that no further violation occurs.

5. Establishment of a complaints procedure

The Supply Chain Sourcing Obligations Act also obliges the companies concerned to set up a Complaint managementto be able to report human rights violations.

The complaints procedure under the LkSG must meet the following requirements:

  • Complaint mechanisms must be publicly accessible
  • The identity of the whistleblower must be protected (incl. data protection) and protection against reprisals
  • Complaint mechanisms should be available & easily formulated in all necessary languages
  • The staff member responsible for the complaints procedure should be sworn to secrecy and be independent in their role
  • There should be an initial notification to the whistleblower and a discussion of the facts of the case.

6. Documentation and reporting obligation

It is important for companies affected by the Supply Chain Act to Recurring risk analyses and assessments, as well as Document preventive measures and remedies accordingly. As an integral part of the overall compliance management, documentation is efficiently possible via a digital management tool such as ComplianceOS® from Robin Data.

The companies concerned are also obliged to submit an annual report no later than four months after the end of the financial year. Report on the compliance with their due diligence obligations to the Federal Office of Economics and Export Control and published online. Company and business secrets must be protected at all times. BAFA creates a digital procedure for submitting the reports.

The report must provide comprehensible information about this:

  • whether and which human rights and environmental risks the company has identified,
  • what the company has done to fulfil its due diligence obligations,
  • how the company assesses the impact and effectiveness of the measures,
  • what conclusions it draws from the assessment for future action.

What impact does the Supply Chain Act have on compliance?

The Supply Chain Act obliges company management to supplement existing compliance management systems with regard to the new requirements. Managing directors are thus placed under a greater obligation to take human rights and the environment into account in their business activities. Since the LkSG not only considers the risks of the company's own business processes, but also those of its suppliers, compliance officers are faced with much more far-reaching risk considerations than before.

Visit our free demos

We regularly offer online demos in which we present our Robin Data ComplianceOS® to you. Get an insight into the structure and functional scope of the digital erasure concept of the Robin Data software. Our experts will give you and other interested parties comprehensive insight and answer your questions.

What sanctions can a company face in the event of a breach of due diligence obligations?

If companies fail to comply with their due diligence obligations under the Supply Chain Due Diligence Act, they face fines of up to 8 million euros or up to 2 per cent of their annual turnover (for companies with more than 400 million euros in annual turnover).

In addition, companies can be excluded from the award of public contracts for up to three years if a fine of a certain threshold value is imposed.

Control and enforcement

The implementation of the law is carried out by the Federal Office of Economics and Export Control (BAFA) which receives far-reaching control powers for this purpose. The companies concerned must submit a report on the fulfilment of their due diligence obligations to BAFA for review no later than four months after the end of the business year.

BAFA also carries out risk-based inspections at companies. It can summon responsible persons, enter business premises and examine documents, as well as give concrete instructions for action to remedy grievances. In addition, the authority can impose coercive penalties and fines.

Companies affected by the Supply Chain Act are supposed to be Principle of appropriateness decide which risks they consider and which measures are appropriate. These considerations must be documented in a comprehensible and plausible manner for BAFA.

Legal uncertainties for companies

The possible risks are clearly defined by the Annex and the definitions of the LkSG. However, the measures that a company takes on the basis of the identified risks cannot be adequately checked for their effectiveness and appropriateness in advance. Therefore, at the beginning of the implementation of the LkSG, it is not possible to assess whether the planned and taken measures are considered sufficient before the report is submitted.

Moreover, the law does not define for whom exactly the complaints procedure is to be made accessible. It stands to reason that the procedure should be open to the public. However, this is not clear at the present time.

The law states that the companies concerned must train direct suppliers on the enforcement of the contractual assurance. However, it is not clearly defined who exactly must be trained.

The law requires that complex contracts be drawn up with direct suppliers in order to comply with the due diligence obligations. Their legal admissibility and the necessary regulatory content are not yet foreseeable.

What is the difference between the EU Supply Chain Act and the German Supply Chain Sourcing Obligations Act?

The EU Commission has in February 2022, a draft EU supply chain law presented. This draft looks much stricter than the German law.
The main differences at a glance:

  • Requirement to cover the entire supply chain
  • Application for companies with 250 or more employees
  • Legal action against violations as well as the definition of damage to the general good are much more far-reaching
  • Significant expansion of due diligence obligations

The draft must then be approved by the European Parliament and the Council. The EU member states then have two years to transpose the directive into national law. In this case, Germany would then have to tighten up its current Supply Chain Act (LkSG) and adapt it to the EU conditions.


Even if the Supply Chain Act imposes further sufficient obligations on the companies concerned, the law is nevertheless an important step towards global compliance with human rights and environmental protection.

With the Supply Chain Act, the legislator has created a way to compensate for its lack of control over foreign companies by imposing due diligence obligations on companies.

Nadine Porrmann
Latest posts by Nadine Porrmann (see all)

This might interest you too:

The activity report according to the GDPR

Templates, whitepapers and implementation of the activity report according to the GDPR. Create the activity report automatically in just a few steps.

Erasure concept according to the GDPR

Samples, templates and examples for your GDPR erasure concept according to DIN 66398. Automatically create the erasure concept.

Record of processing activities

List of processing activities according to Art. 30 GDPR. Explained step by step with extensive information. Data protection made easy.