Whistleblower protection creates data protection issues.

 Why companies need to take action now – 8 important factors in practice.

Tobias Grambow, Tobias Vößing

The Whistleblower Protection Act (HinSchG) will enter into force this year following the presentation of the draft bill by Federal Justice Minister Marco Buschmann in mid-April. Given the very high fines, employers need to be proactive and examine whether they fulfill the requirements.

The draft bill of the German Whistleblower Protection Act (HinSchG-E) is the second attempt by German lawmakers to transpose the EU Whistleblower Directive into national law, after the previous CDU/SPD coalition government failed to do so. To meet the Directive's transposition deadline, this should have happened by the end of last year. Although German lawmakers have taken a very long time, employers should act now rather than wait until the new law has entered into force: Section 40 HinSchG-E provides for fines of up to 100,000 euros if, for example, the confidentiality of the whistleblower's identity is breached intentionally or negligently.

SMEs are also affected

The new regulation aims to protect whistleblowers at companies and public authorities. They are frequently the first to notice misconduct and can uncover legal violations. For this reason, the draft bill requires companies with 250 or more employees to implement suitable reporting channels as soon as the law enters into force. From December 17, 2023, this obligation will also apply to companies with 50 or more employees. Lawmakers primarily aim to protect employees who report criminal offenses, for example involving corruption, money laundering or product safety. Where the report concerns an administrative offense (Ordnungswidrigkeit), employees only receive protection if the provision violated serves to protect life, limb, health or employee rights. As a consequence, legal laypersons may be reluctant to report violations because they find it difficult to determine whether the conduct falls within the law's scope.

The implementation at companies depends on eight key factors:

  1. Internal or external reporting channel? Companies are required to establish an internal reporting office. This internal reporting office may, however, also be operated by a "third party", and group-wide whistleblower systems are also an option. An internal reporting office can be set up by entrusting a person employed by the respective company, a work unit consisting of several employees, or a third party with the tasks of the internal reporting office. In addition, the Federal Ministry of Justice and the German federal states will maintain external reporting offices.
  2. One reporting office responsible for the entire corporate group is sufficient: German lawmakers have now clarified an issue that was previously fraught with much uncertainty. The German Whistleblower Protection Act (HinSchG-E) now states that creating a single reporting office responsible for the entire corporate group is sufficient. However, at the end of 2021, the EU Commission was of the opinion that one central reporting channel was not adequate. As such, it remains to be seen whether the issue will be disputed before the European Court of Justice as a consequence of the German implementation.
    Furthermore, it makes sense to align and coordinate any measures with the requirements of the Supply Chain Act (LkSG), since that legislation also requires the implementation of a complaints procedure.
  3. Determine the communication channel: The law stipulates that reports must be possible orally or in text form, for example by telephone, by e-mail or via a digital platform. Whichever channel is chosen, access to the system and to the transmitted reports must be restricted to the persons entrusted with the reporting office; other persons in the company, including management and IT administrators, must not be able to read them. This follows directly from the confidentiality requirement, and a breach of it is precisely what triggers the fines described above.
  4. Country-specific hotlines? Groups with foreign subsidiaries also have to examine the country-specific requirements. Under certain circumstances, setting up country-specific hotlines to eliminate language barriers may be an effective approach, regardless of the legal requirements.
  5. Anonymous reports permissible? Unlike the EU Whistleblower Directive, German law does not grant priority to reporting via internal channels. If whistleblowers do not trust the internal unit, they can contact the external unit directly. This simplifies access as there is no need to resolve any issues regarding responsibility first.
    Companies are not required to design their internal reporting channels so that employees can submit anonymous reports. Nevertheless, anonymous reporting can be offered as an option when designing the internal reporting channel. There is no right to anonymity at the external reporting office unless expressly stipulated by law. However, if public interests are endangered, for example by spoiled meat, whistleblowers enjoy protection even if they disclose this information directly to the press. The draft HinSchG does not require that the reported facts actually be true; it is sufficient that the whistleblower believes them to be true. Whistleblowers remain protected even where a disclosure turns out to be false through simple negligence.
    As such, companies are well advised to provide channels for anonymous reports. This would enable them to retain the opportunity to clarify and resolve any problems internally first, before they are disclosed to the public.
  6. Prepare internal policies with responsibilities and procedures: How is the confidentiality and independence of the employees who process the reports safeguarded? How are formal requirements such as confirmation of receipt and feedback obligations organized? What are the escalation and reporting processes? Which documentation issues need to be considered?
  7. Ensure co-determination: A further aspect needs to be considered when setting up and designing the whistleblower system: the works council must be involved. This entitlement arises from Section 87 (1) no. 6 of the Works Constitution Act (BetrVG) whenever the whistleblowing system is IT-supported, which can safely be assumed: the HinSchG stipulates that oral reporting by telephone must also be possible, and a telephone hotline is itself a technical system. Moreover, the works council has a right of co-determination under Section 87 (1) no. 1 BetrVG (rules of conduct and orderly operation of the establishment).
    The local works council is responsible for the whistleblower organization at companies with only one site. If the company maintains multiple sites, the central works council is usually responsible. An exception may be possible if a separate reporting office is established at each site. The group works council would serve as the contact in the case of a group reporting office.
    Employers who violate the co-determination rights face the risk of claims for injunctive relief. These may involve a temporary injunction, at least in the case of IT-supported systems. Works council involvement takes time, as does the process of concluding a company agreement. An appeal to the arbitration committee could also be an option, and may even lead to court enforcement.
  8. Data protection law implications: When companies establish and use whistleblowing systems, a large amount of personal data, frequently including special categories of data, is processed, relating to the whistleblower, the accused person and third parties named in the report. The initial processing, i.e. receiving and recording the report, can be justified by the legal obligation to implement a whistleblower system pursuant to Art. 6 (1) c) of the General Data Protection Regulation (GDPR).
    Yet how can any follow-up activities be justified under data protection law? Where these follow-up measures directly target the employees accused in the report, Art. 88 (1) GDPR in conjunction with Section 26 (1) of the Federal Data Protection Act (BDSG) should primarily apply. However, Section 26 (1) sentence 2 BDSG imposes strict requirements on processing operations aimed at detecting criminal offenses, in particular documented factual indications of an offense and a proportionality assessment. If the misconduct described in the report does not reach the threshold of criminal liability, Section 26 (1) sentence 1 BDSG remains applicable.
    Companies should use their obligation to involve the works council with a view to data protection as well: for example, the permissible conditions for such follow-up measures can be defined in a company agreement, which Section 26 (4) BDSG recognizes as a legal basis for processing employee data. This applies all the more to companies that are not yet legally required to implement a whistleblower system, since they cannot rely on Art. 6 (1) c) GDPR for the initial processing.
    The guidelines of the data protection supervisory authorities, "Whistleblowing Hotlines: Internal Company Warning Systems and Employee Data Protection", provide additional assistance for a data protection-compliant implementation.
    If companies intend to use an external provider for an IT-based whistleblower system, the provider must meet the requirements of the data protection supervisory authorities, and a data processing agreement pursuant to Art. 28 GDPR must be concluded before any report data is transferred. A data protection impact assessment under Art. 35 GDPR is mandatory.

In view of the high fines, companies with 50 or more employees need to take action now and implement an internal reporting system while observing the co-determination rights of their works council. Implementing the legal requirements is complex, as it involves closely connected labor law, data protection and compliance issues. Proactively approaching the employee representatives and working towards a company agreement that also addresses the data protection concerns is both strategically effective and saves time.