Whistleblowing System: Considerations for employers

In 2019, the European Union (EU) adopted the European Whistleblower Directive (WBD). The WBD provides a deadline for the national implementation until 17 December 2021, which, however, has not been met in Germany as well as in many other EU member states.

At last, after a long waiting time, the Whistleblower Protection Act (German: “Hinweisgeberschutzgesetz”, short form: “HinSchG”) came into force on 2 July 2023.

I. The most important changes of the Conciliation Committee:

In comparison to the original draft, the Whistleblower Protection Act provides the following changes:

1. The scope of application of the Whistleblower Protection Act is limited to information from the professional context. Only whistleblowers who have obtained information about violations in connection with their professional activity or in the run-up to a professional activity are covered by the Act.
2. No obligation to allow the submission of anonymous reports.
3. The maximum amount of fines for violations was reduced from EUR 100,000 to EUR 50,000.

II. Scope of application

The following companies are obliged to implement a whistleblower procedure:

In addition, secure internal report centres for whistleblowers must be available throughout the EU in public sector institutions, public authorities and municipalities with a population of 10,000 or more.

1. Who is protected?

Not only employees who report wrongdoings are protected, but also applicants, former employees, supporters of the whistleblower and journalists.

2. What is protected?

Whisteblower protection covers reports of wrongdoings in relation to national and EU law, such as tax fraud, money laundering or offences related to public procurement, environmental protection etc. It is required that the report violation relates to the employer or another entity with professional contact to the whistleblower.

3. What is being protected against?

Specifically, whistleblowers have to be protected from reprisals (e.g. dismissal, demotion, intimidation, mobbing or other types of attacks) or threats of reprisals based on their report.
Furthermore, there is a reversal of the burden of proof: employers must prove that there is no causal link between the reprisal and the whistleblowing. However, the whistleblower must claim that the discrimination is a reprisal for the whistleblowing.

III. Requirements for the report centres

The following requirements must be met by the report centres:

1. Independence

The report centres must be independent. In order to achieve this independence, the report centres must be staffed by at least one employee and and one external person.

2. Expertise

In terms of skills, the selected persons must have the necessary expertise, for example through appropriate training. The employees of the internal reporting office must know about the function, competences and independence of the reporting office as well as about the factual scope of whistleblower protection and the confidentiality requirement. Legal training is not required, but of course, it is not harmful either.

3. Reporting channels

There can be written, verbal or electronic reports, e.g. by telephone, as well as the use of a whistleblowing portal.

IV. Guidelines for the processing of reports

Whistleblower can decide whether to use the internal or the external reporting channel. An external report centre will be established at the Federal Office of Justice. However, the use of internal report centres is preferred by the Whistleblower Protection Act.

If a report is submitted by a whistleblower, the following processing deadlines must be observed by the employer:

1. confirmation of receipt must be sent to the whistleblower within seven days.
2. In addition, the report must be followed up and dealt with within three months and a final report with information on the following steps must be prepared for whistleblowers.
3. During the entire reporting process, there is a full documentation obligation.
4. Anonymous reports should be also processed by the report centres. However, there is no obligation to enable the submission of anonymous reports.

V. Fines for violations:

VI. Need for action? – Don’t wait too long!

If your company has more than 50 employees, you should urgently check whether your existing internal processes comply with the requirements of the Whisteblower Protection Act and whether the principles established by case law are observed.

In particular, companies with more than 250 employees should act immediately because the law came into force on 2 July 2023. Since then, they must have set up a reporting system that complies with the law. Otherwise, they could face fines of up to EUR 20,000.

VII. The most important To Dos for you:

1. Check the necessity of a whistleblowing system in your company.
   Ensure the compliance with the mandatory security standards in terms of data protection and guarantee of deadlines.
   
   
2. If you already have implemented a system, please check whether it is sufficient to withstand the legal requirements.
   Be aware of the wide scope of application available to the whistleblower. In fact, any violation of national or EU law can be reported, provided that the violation occurs in a professional context. The professional context is broad and excludes the notification of violations in a private context.
   
   
3. If you have not yet implemented a system, consider whether you want to opt for an internal or external report centre.
   At this point, the advantages and disadvantages must be weighed up and the practicability in your company must be examined.
   
   
4. Implement a whistleblowing system in time – do not wait too long!
   Implement your whistleblowing system early and ensure that is available to every potential whistleblower. Whistleblowing must be encouraged, not hindered.

VIII. To Dos after the submission of a report

1. Dispatch of an acknowledgement of receipt to the whistleblower within seven days.
2. Objective initial overview of the facts and evaluation of the urgency.
3. Analysis of the legal tendency, possible investigative work and communicative with the whistleblower(s).
4. Final recommendation for action or notification of termination of prosecution within three months. Documentation of the (interim) result.
5. Categories of recommendations for action:
   
   1. Duty of the company to act, e.g. because of a criminal offence or a serious violation.
   2. If the facts are vague, employers should initiate concrete investigations, e.g. by conducting interviews, making enquiries or various researches.
   3. No obligation for the company to act because the report is not included within the scope of the Directive or the Act.
6. Initiate appropriate follow-up measures:
   
   1. Carry out internal investigations.
   2. Refer the whistleblower to the competent body.
   3. Discontinue the proceedings due du a lack of evidence or hand over the investigation to the competent body.
   4. Record a closing note.