The EU Whistleblower Directive, which sets uniform standards to better protect whistleblowers, already came into force on 16 December 2019. The EU member states have until 17 December 2021 to transpose the requirements into national law. The German Federal Ministry of Justice [Bundesministerium für Justiz] has presented a corresponding draft bill in the form of the so-called Whistleblower Protection Act [Hinweisgeberschutzgesetz - HinSchG], although the coalition partners have not yet been able to agree on it, as it extends far beyond the requirements of the EU Directive. The legislative process has therefore come to a standstill for the time being. Nevertheless, the Act will probably be passed in this legislative period. In order to minimise liability risks, affected companies should therefore already prepare themselves for the planned changes and set up appropriate compliance systems.
What are the obligations and who is affected?
The Whistleblower Protection Act obliges all companies with 50 or more employees (including freelancers) and companies with an annual turnover of 10 million euro or more to set up an internal "whistleblowing hotline" for employees, customers, suppliers and other third parties. Companies in the financial services sector are obliged to set up internal whistleblowing systems regardless of the number of employees. Hence, in practice, the new regulations affect almost all companies. Companies with 50 to 249 employees have an extended period for setting up a whistleblowing system until 17 December 2023. Affected companies are free to decide whether to entrust an internal organisational unit or a third party with the establishment and operation of an internal reporting office.
Whistleblowers' right of choice and their protection against reprisals
In future, whistleblowers will be free to choose whether they contact an internal or external reporting office. Unlike in the past, whistleblowing employees will enjoy very extensive protection against reprisals. For example, dismissals or non-promotions related to the reporting of violations are prohibited. The draft law provides for a reversal of the burden of proof in this respect: for example, if a whistleblower reports a violation in good faith and is subsequently dismissed, the company must prove that this action is not related to his reporting of the violation. Otherwise, the company will be liable for damages.
Threat of sanctions
The violation of several of the obligations under the HinSchG constitutes an administrative offence. In this case, the parties involved face fines of up to 100,000 euro, e.g. if reports are prevented or reprisals taken against whistleblowers acting in good faith.
The actual failure to set up an internal reporting office is not sanctioned. However, in order to avoid whistleblowers turning directly to external reporting bodies or even to the public, it is definitely in the company's own interest to provide the possibility of internal clarification and to also make this attractive for whistleblowers, enabling reports to be followed up in a protected, non-public setting.
Affected companies therefore need to take action. For this reason, we have compiled a to-do list for you below, which also sets out the key points of the proposed legislation:
1. Establishment of an internal whistleblowing system or corresponding modification of an already existing reporting system
- Provision of clear and easily accessible information on external reporting procedures (via intranet, notice board etc.)
- Unrestricted access to the whistleblowing system
- Supervision by independent and qualified person(s):
- An employee (e.g. CCO, member of the legal department, data protection officer), internal organisational unit (e.g. compliance department) or third party (so-called ombudsperson) can be entrusted with the tasks of the internal reporting office
- Avoidance of conflicts of interest
- Regular training/seminars
- Protection against access by unauthorised employees to incoming reports
- Preservation of confidentiality, anonymity and data protection
- Allowing reports in oral or text form
- Facilitating a face-to-face meeting at the whistleblower’s request
- Establishment of standardised processes that determine how reports are to be checked for plausibility and processed
Procedure for internal reporting
- Confirmation of receipt within 7 days
- Maintenance of contact with the reporting person
- Verification of the validity of the report received
- If necessary, obtaining of further information and appropriate follow-up action
- Feedback within 3 months on how the report was handled
- Feedback includes notification of follow-up actions planned or already taken, and the corresponding reasons for them
Documentation of the report
- Documentation of all incoming reports in a permanently retrievable manner, in compliance with the confidentiality requirement, by means of an audio recording (with the consent of the parties), by summarising their content in the form of a memo or by means of a complete rough transcription of the wording in the form of a protocol
- The reporting person must be given the opportunity to check the memo or protocol, correct it if necessary and confirm it with his signature
- Observance of deletion obligations upon conclusion of the procedure
Data protection compliant structuring of the reporting procedure
- Processing of personal data by the reporting office must comply with the applicable provisions of the GDPR and German Data Protection Act [Bundesdatenschutzgesetz - BDSG]
- Supplementation of the existing data protection concept may be necessary
Preservation of the co-determination rights of the relevant employee representatives when introducing a new whistleblower system or changing an existing one
- § 87 (1) No. 1 German Shop Constitution Act [Betriebsverfassungsgesetz - BetrVG], if the whistleblower system stipulates reporting obligations
- § 87 (1) No. 6 BetrVG, if - depending on the structure of the reporting procedure - this leads to the introduction or application of technical equipment
(Financial) incentives for using internal channels conceivable
- Incentivising whistleblowers acting in good faith to report preferably via the internal reporting system
- Obligation to process anonymous reports - even if not provided for by law
2. Create interface between internal reporting office and HR department
- In light of the reversal of the burden of proof, it is essential that the HR department has extensive documentation that enables it to prove that any disciplinary action is not related to the whistleblowing
- No reprisals against whistleblowers acting in good faith
- Exchange of information between the HR department and the person responsible for the internal reporting office is mandatory