Whistleblower Protection Act - What do companies have to do?

On December 16, the Bundestag passed the Whistleblower Protection Act. The Bundesrat is expected to approve the law in spring 2023, and the law will then come into force immediately.

Under the Whistleblower Protection Act, companies with 250 or more employees must set up channels within three months of the Act coming into force where whistleblowers can report grievances using a secure procedure. For corporate groups, there is the so-called group privilege. This means that there only has to be one whistleblowing office in a group.

For small companies with 50 or more employees, there is a transition period until December 2023.

Companies with fewer than 50 employees are not required by law to establish hotlines, but may be contractually required by contractors to establish reporting channels.

Reporting offices must have very in-depth legal expertise, as investigations and decisions are to be made in a manner similar to an investigative agency. The responsible employees must be independent and receive ongoing training. Internal employees as officers are thus likely to be given similar special positions under employment law as internal data protection officers (keyword: full protection against dismissal).

What is the aim of the Whistleblower Protection Act?

Since employees in companies and public authorities are often the first to notice wrongdoing, they can use their tips to ensure that violations of the law are uncovered, investigated, prosecuted and stopped. Whistleblowers assume responsibility for society and should therefore be protected by the Whistleblower Protection Act against disadvantages that they may face because of their report and that could deter them from doing so.

This can also be an opportunity for companies to uncover and stop illegal and damaging activities in their own companies.

What reporting options must companies make available?

The following reporting channels must be provided by companies:

  • by phone
  • in text form
  • in person

A company must make all of these reporting channels available and also provide a way for all reports to be submitted anonymously.

How must a company react after receiving a report?

A company's internal or external reporting office must perform the following procedure upon receipt of a report:

  • It confirms receipt of a report to the person providing the information after seven days at the latest.
  • It legally examines whether the reported violation falls within the material scope of application according to § 2 HinSchG.
  • It keeps in contact with the person providing the information.
  • It checks the content and legal validity of the report received.
  • If necessary, it asks the person providing the information for further information.
  • It takes appropriate follow-up measures according to § 18 HinSchG, similar to an investigating authority (discontinuation similar to § 170 Abs. 2 StPO, or further investigations such as charges, dismissals etc.).
  • It issues status reports to the person providing the information within specified deadlines.
  • It provides transparent information about the procedure.
  • It documents the procedure under the confidentiality requirement and, within the legal deadlines, carries out the necessary destruction of the documentation after the procedure has been completed.

What can a whistleblower report?

A whistleblower may report the following violations:

  • Violations of criminal regulations under German law.
  • Violations subject to fines under German law, for example:
      • violations in occupational safety and health,
      • violations in health protection,
      • violations of the Minimum Wage Act,
      • violations of the requirements of the German Personnel Leasing Act (Arbeitnehmerüberlassungsgesetz),
      • violations of the Anti-Discrimination Act (AGG).

In addition, all regulations that address the implementation of European legal standards are covered. These include, among others, violations of regulations:

  • to combat money laundering and terrorist financing,
  • with specifications for product safety and conformity
  • with specifications for road safety
  • with specifications for maritime safety
  • with specifications for the safe transport of dangerous goods by road, rail and inland waterways
  • with specifications for environmental protection,
  • with specifications on radiation protection and nuclear safety,
  • to promote the use of energy from renewable sources and energy efficiency,
  • on food and feed safety, organic production and the labeling of organic products, on the protection of geographical indications for agricultural products and foodstuffs, including wine, aromatized wine products and spirits, and traditional specialties guaranteed, on the placing on the market and use of plant protection products, and on animal health and welfare, insofar as they concern the protection of farm animals, the protection of animals at the time of killing, the keeping of wild animals in zoos, the protection of animals used for scientific purposes, and the transport of animals and related operations
  • on quality and safety standards
  • for the manufacture, presentation and sale of tobacco and related products
  • on the regulation of consumer rights and consumer protection in relation to contracts between traders and consumers and on the protection of consumers in the field of payment accounts and financial services, price indication and unfair commercial practices
  • on the protection of privacy in electronic communications, on the protection of confidentiality of communications, on the protection of personal data in the electronic communications sector, on the protection of the privacy of users' terminal equipment and of information stored in such terminal equipment, on the protection against unreasonable harassment by means of advertising by telephone calls, automatic calling machines, fax machines or electronic mail, as well as via caller ID display and suppression, and for inclusion in subscriber directories
  • on the protection of personal data within the scope of the GDPR
  • on security in information technology
  • on accounting, including corporate accounting
  • on procurement procedures
  • Violations covered by section 4d (1) sentence 1 of the Financial Services Supervision Act against legal tax standards

Is a whistleblower always protected?

A person is protected

  • who reports a violation covered by the law,
  • and who, at the time of the report, had reasonable cause to believe the reported violations were true.

In contrast, the whistleblower is not protected in the event of intentional or grossly negligent disclosure of incorrect information. In these cases, the whistleblower is liable for the resulting damage.

What is the whistleblower protected from?

The whistleblower is protected from

  • Dismissal
  • Denial of a promotion
  • Salary cut
  • Bullying
  • Discrimination
  • Harm on social media
  • Withdrawal of a license or permit
  • Negative performance review

There is a very comprehensive reversal of the burden of proof in dealing with whistleblowers in this context: employers must prove that adverse actions taken against whistleblowers are not related to the whistleblowing/report.

What must not be reported?

Lawyers, defense counsel in a legally ordered procedure, chamber counsel, patent attorneys and notaries and their employees are not allowed to report information that becomes known to them. In the case of agents who do not belong to these professional groups, extensive regulations must be made which cover not only the company but also their employees in detail.

Furthermore, information subject to the Business Secrets Act may not be reported as a matter of principle. Notification may be made only if the person providing the information has sufficient reason to believe that the disclosure of the content of this information is necessary to uncover a violation and the requirements of Section 33 (1) Nos. 2 and 3 HinSchG are met (notification in a specific form).

What do companies have to do in concrete terms?

  • Companies must provide legal training and continuous further training to independent, internal persons and use them as a reporting office. If they select an internal person (employee), this person must be independent and possible conflicts of interest must be excluded. If they appoint an internal employee as a reporting office, this person may not perform any other activity in the company, as otherwise conflicts of interest with the "normal" activity may arise.
  • They can therefore select suitable external third parties with legal expertise to act as a reporting office. These will usually be lawyers, as they have the necessary expertise required by law to be able to examine the complex issues involved. Furthermore, lawyers are obliged to undergo further training and are independent of the company.
  • Companies must separately protect important information in the company as trade secrets within the meaning of the Act on the Protection of Trade Secrets. This is done by means of a special procedure. This special protection of secrets can limit the reporting options for this information.
  • They must set up reporting channels themselves or have them provided by third parties.
  • They must train their employees on the Whistleblower Protection Act and reporting channels.
  • They must accompany whistleblowers in the process of reporting and comply with the deadlines, actions and steps required by law.
  • They must cover the reporting channels with a secure IT solution.

What can happen if a company does not comply with the Whistleblower Protection Act?

If whistleblowers suffer disadvantages in the company as a result of their reports, the company is obligated to compensate for the resulting damage.

Fines of up to €100,000 are provided for in the event of violations of the Whistleblower Protection Act. The mere absence of a whistleblowing office that complies with the legal requirements leads to a fine of up to €20,000. This can be imposed several times until the office is established.

What can we do for your company?

As a law firm, we relieve your company of all the obligations you face under the Whistleblower Protection Act.

We act as an external reporting office for your company and provide you with a software-based portal. You can integrate this portal on your website or intranet. Whistleblowers can then submit their report in compliance with the law, even anonymously, by e-mail via the portal, by telephone via our whistleblower hotline or in person at our offices. We carry out the required legal checks, initiate the necessary steps, note and observe all deadlines. We conduct correspondence and discussions with whistleblowers and ensure that reports are properly processed and necessary steps are taken.

In summary, we ensure that you comply effectively and legally with the regulations of the Whistleblower Protection Act. With us as an external data protection agency and at the same time as a representative under the Whistleblower Protection Act, costs as well as damages for your company due to abuse of this law can be avoided to a considerable extent.

Please contact us for an individual offer.

GoldbergUllrich Lawyers 2022

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for industrial property protection

Specialist lawyer for information technology law