Whistleblower systems for companies

A whistleblower system is the core of an effective compliance concept. We advise on and accompany the implementation and ongoing development of such systems. The accompanying legal and organizational framework is multi-layered and complex. We ensure that companies are aware of the key aspects.

Why do companies need whistleblowers?

“Whistleblowers – traitors or heroes?” reflects just how heated the discussion about the value or worthlessness of whistleblowers and the associated whistleblower systems has become.

The term “whistleblower” refers to people who report information about misconduct in the workplace or the misconduct of individuals in organizations in general. They report this information to the responsible body. These issues can involve criminal offenses, such as corruption, fraud, embezzlement, money laundering or other violations.

Whistleblowers aim to prevent and put an end to the misconduct within the company or the organization. Responsible whistleblowers also have an interest in limiting the damage, which benefits companies. As early as 2005, the International Chamber of Commerce highlighted the importance of effective whistleblower systems to prevent and detect criminal offenses against the economy in its ICC Guidelines on Whistleblowing.

This opinion has not changed.

Case law of the European Court of Human Rights

In a case from Germany in 2011, the disclosure of misconduct by a whistleblower led to a landmark decision by the European Court of Human Rights (ECtHR). The court regarded the protection of whistleblowers as an integral aspect of the freedom of expression under Article 10 of the European Convention on Human Rights (ECtHR, decision dated July 21, 2011 – 28274/08, Heinisch v. Germany).

Since then, the ECtHR has repeatedly examined the issue and reached differing conclusions. One example is its decision dated February 16, 2021 – 23922/19 (Gawlik v. Liechtenstein), in which it ruled that the immediate dismissal of a doctor who acted as a whistleblower was lawful. The whistleblower had reported his suspicion of a serious criminal offense by a superior directly to the prosecutor’s office without first conducting a thorough internal investigation.

Case law of the Federal Labor Court

According to the landmark decision by the Federal Labor Court (BAG) in 2003, employees must consider the business interests of their employers to a reasonable extent when whistleblowing (BAG, decision dated July 3, 2003 – 2 AZR 235/02). Employees can violate their obligation to consider their employer’s business interests if a criminal complaint against an employer or the employer’s representatives is an inappropriate reaction. Accordingly, whistleblowers currently have little protection before German labor courts.

Directive (EU) 2019/1937

On December 16, 2019, Directive (EU) 2019/1937 entered into force in the European Union (EU Whistleblower Directive). It regulates the protection of persons who report breaches of Union law and represents the EU legal framework for the protection of whistleblowers.

Article 2 (1) of the EU Whistleblower Directive governs the specific areas of application. This encompasses the following areas:

  • Financial services, financial products and financial markets, as well as prevention of money laundering and terrorist financing,
  • Product safety,
  • Transport safety,
  • Environmental protection,
  • Food and feed safety,
  • Animal health and welfare,
  • Public health,
  • Consumer protection,
  • Protection of privacy and personal data as well as the security of network and information systems.

EU member states can extend whistleblower protection to further areas under national law.

The personal scope of the EU Whistleblower Directive covers whistleblowers who are active in the private or in the public sector and who have acquired information about violations within a professional context. The protection not only extends to the whistleblowers but also includes the affected persons who are the subject of the report along with colleagues and family.

Mandatory implementation of a whistleblower system

According to Art. 8 of the EU Whistleblower Directive, companies with 50 or more employees, every company in the financial services industry, as well as legal entities in the public sector will be required to establish an internal whistleblowing system. These internal reporting channels must allow reports to be made in writing, orally or in person.

All reports submitted must be recorded in writing or, for oral reports, documented in a durable and retrievable form, for example as an audio recording. The receipt of the report must be confirmed after seven days.

Internal reporting, external reporting and disclosure

The EU Whistleblower Directive stipulates three levels when reporting misconduct:

Whistleblowers are always free to decide whether to submit the report to an internal body within the company (e.g. hotline, external law firm, ombudsperson’s office or digital whistleblower system) or to a responsible external reporting body or authority. However, the member states are also urged to encourage whistleblowers to submit the report internally first. Public disclosure generally comes last and is only to be used after an internal or external report has been made. In exceptional cases, such as an immediate or obvious risk to public interests, whistleblowers may also disclose information about misconduct directly.

Confidentiality obligation and data protection aspects

The confidentiality of the identity of whistleblowers and third parties mentioned in the report must always be guaranteed. Companies must implement external reporting channels that guarantee the completeness, integrity and confidentiality of the information.

With regard to the processing of personal data, Art. 17 of the EU Whistleblower Directive stipulates that the processing must comply with the General Data Protection Regulation (GDPR).

Restrictions to the protection of whistleblowers

In order to prevent abusive reports as well as careless false reports, Art. 6 EU Whistleblower Directive stipulates two essential requirements for the protection of whistleblowers. They must

  1. have had reasonable grounds to believe that the information reported was true at the time of reporting; and
  2. have submitted the report via the reporting channels stipulated in the Directive.

Protective measures for whistleblowers

Protection against reprisals and threats of reprisal is a central element and both are prohibited by Art. 19 EU Whistleblower Directive. Typical reprisals include dismissal, non-renewal or early termination of a fixed-term employment contract, relocation/changes to working conditions and suchlike. In addition, Member States must provide supporting regulations for whistleblowers.

Whistleblowers are also protected against liability, provided there is due cause for the report or disclosure. In this case, the burden of proof is reversed in favor of the whistleblower: the party that took the detrimental measure must prove that it was taken for duly justified reasons.

Draft of the Whistleblower Protection Act

In Germany, the transposition of the EU Whistleblower Directive into national law has already begun. However, to date (as of November 26, 2020) only a draft of the Whistleblower Protection Act (HinSchG) exists. The draft reinforced the whistleblower protection stipulated by the EU directive. Accordingly, the Whistleblower Protection Act would not only cover violations of European law, but also violations of German law. An extensive implementation was therefore planned. In particular, the draft mentions violations that are criminal offenses or subject to fines. Furthermore, two equal, parallel reporting channels were defined: the person submitting the report would have had the right to choose whether to contact internal or external reporting bodies. The aim was to enable whistleblowers to contact an external reporting office if a violation that was initially reported internally was not redressed.

In April 2021, it became clear that the draft of the law would not be passed during the 19th legislative period of the German Bundestag. As a consequence, the draft Whistleblower Protection Act (HinSchG) will not be implemented at present.

The Supply Chain Due Diligence Act (LkSG) will come into force on January 1, 2023 and will govern the due diligence obligations based on the UN Guiding Principles on Business and Human Rights. These obligations include measures to comply with human rights and environmental protection requirements, both in the company’s own business operations and within the supply chain, for companies above a certain size that are based in Germany.

These obligations stipulated by the Supply Chain Due Diligence Act require companies to establish a whistleblowing system. In accordance with Sections 3 and 8 of the Supply Chain Due Diligence Act, companies must implement a complaint procedure.

This procedure enables company employees to report human rights and environmental risks or violations in their own area of the company, as well as those of indirect and direct suppliers. The complaint procedure can be effectively implemented via a digital whistleblower system.

How should companies implement whistleblower protection?

Companies should align their activities with case law and legislation

When implementing whistleblower protection, companies should primarily align their approach with case law and the legal requirements. The EU Whistleblower Directive is addressed to the EU member states, which must implement it through their own national law. At present, the Whistleblower Protection Act (HinSchG) as the implementation of the EU Whistleblower Directive has failed in Germany. However, after December 17, 2021 (the expiry of the transposition deadline), whistleblowers may have the option of invoking the EU directive directly against the state.

To date, the European Court of Justice (CJEU) has rejected the direct application of an EU directive to companies. Correspondingly, whistleblowers are unable to directly invoke the EU Whistleblower Directive with regard to their employer. Nevertheless, during the course of legal proceedings, whistleblowers could demand that the court interpret German law in accordance with the EU Directive. One example would be proceedings before labor courts involving protection against dismissal, in which dismissed whistleblowers invoke the protection of the EU Whistleblower Directive.

Does the works council have a say in whistleblower protection?

When introducing a whistleblower system, companies must observe the works council’s right of co-determination pursuant to Section 87 (1) No. 1 and No. 6 BetrVG. The right of co-determination applies to the introduction of the whistleblowing system (hotline, software, etc.) as it concerns company procedures and the behavior of the employees when they submit a report at the company, and also as regards the introduction and use of technical systems.

Can whistleblower protection be reconciled with the Business Secrets Act?

Business secrets as defined by Section 2 No. 1 Business Secrets Act (GeschGehG) are subject to special protection. This level of protection may also become relevant for whistleblower reports. In this case, Section 5 No. 2 Business Secrets Act is pertinent.

That exception applies where the report serves to uncover an unlawful act or professional or other misconduct, and reporting the issue must serve to protect the general public interest. Section 23 Business Secrets Act states that, in this case, there is no violation of business secrets and, therefore, no criminal liability.

Can whistleblower protection be reconciled with data protection?

The data protection framework for whistleblower protection is derived from the General Data Protection Regulation (GDPR).

Pursuant to Article 16 of Directive (EU) 2019/1937 (EU Whistleblower Directive), the confidentiality of the whistleblowing process is guaranteed. This means that hotlines must keep the identity of whistleblowers confidential. The whistleblowing procedure may therefore also be carried out anonymously.

Art. 17 EU Whistleblower Directive states that whistleblowing should comply with the GDPR. This could create a dilemma. According to Art. 14 of the GDPR, the employees who are named or even accused in a report must be informed about the purposes of the data processing and the identity of the whistleblower. This must take place no later than one month after the report. Furthermore, the employees concerned have a right to information regarding the content of the report which concerns them in accordance with Art. 15 GDPR. This is contradicted by Art. 16 EU Whistleblower Directive, which stipulates that the identity of whistleblowers does not have to be disclosed.

Art. 23 (1) of the GDPR may offer a solution in this case: the rights and obligations pursuant to Art. 14 and Art. 15 GDPR may be restricted by legal provisions if the measures are necessary and proportionate. These can consist of measures for the prevention, investigation, detection or prosecution of criminal offenses (Art. 23 (1)(d) GDPR) or for the enforcement of civil claims (Art. 23 (1)(j) GDPR). In this case, the identity of whistleblowers would not have to be disclosed. The pertinent legislation could be established by a future Whistleblower Protection Act.

Best practice for whistleblower protection at companies

Whistleblowing Management System Guidelines to ISO 37002

ISO 37002 was published in July 2021. This was the first ISO standard from the International Organization for Standardization focused entirely on whistleblowing management. It should serve to assist organizations with guidelines, recommended practices, and practical guidance when it comes to establishing a whistleblower system.

The standard does not concern the whistleblowers themselves, but rather how to effectively deal with reports of misconduct:

  • receiving reports,
  • assessing them, and
  • classifying reports and their processing.

ISO 37002 is written as a guideline. The standard can also be combined very effectively with other standards, such as organizational management (ISO 26000), anti-corruption (ISO 37001), compliance (ISO 37301), as well as other management systems.

Necessity of implementing a whistleblower system

German law (Section 93 AktG, Sections 3 and 8 Supply Chain Due Diligence Act), the international standard ISO 37301 (formerly ISO 19600) for compliance management systems as well as ISO 37002 state that the management is responsible for corporate compliance.

The extraterritorial application of various crucial foreign laws also plays a role in this regard: companies need to bear in mind the UK Bribery Act (British anti-corruption law) as well as the US Federal Sentencing Guidelines, which govern sentencing by United States federal courts. Persons violating the UK Bribery Act face prison sentences of up to ten years or fines with no upper limit. Fines of this nature can also be imposed on companies. Accordingly, companies are recommended to establish a suitable compliance management system (CMS) with adequate procedures to prevent and deter corruption risks in accordance with Section 7 (2) of the UK Bribery Act. In practice, this prevention leads to reduced sentences by the courts. A CMS of this nature typically includes an internal whistleblowing system.

Similarly, the penalties a company faces can be mitigated by (i) an effective compliance and ethics program and (ii) self-reporting, cooperation or assumption of responsibility in accordance with Chapter 8 of the U.S. Federal Sentencing Guidelines. In this case, the company’s internal whistleblower system also represents an essential element.

There is an increasing trend among companies to establish a CMS for specific areas such as an HR compliance management system. In turn, these systems also need to include an internal whistleblowing system.

In general, it is clear that companies will always benefit from being informed of any misconduct via internal reporting channels as early as possible.

Overview of the elements of a whistleblower system



Setting up the responsible body

An independent internal compliance department is often established within the company and serves as the body responsible for a whistleblowing system. To effectively implement this department, it needs to be supervised by an independent and qualified person, namely a compliance officer.

Adequately staffing the department is also essential. The department should generally consist of at least two responsible persons. This enables the department to effectively record and respond to reports of possible misconduct. Furthermore, the responsible persons also need to be suitably qualified and possess sufficient legal knowledge to successfully assess the facts, and to efficiently and effectively evaluate reports by means of internal investigations.


Establishing a compliance culture within the company

According to the International Compliance Standard ISO 37301, a standardized compliance culture throughout the company is an essential prerequisite for an effective compliance management system. A binding and company-wide standardized Code of Conduct is a key factor when establishing a whistleblower system. This represents the first step towards implementing corporate compliance. Where possible, the management should describe the whistleblower system process in the Code of Conduct in understandable terms. Answers to the following questions are also important aspects:

  • What may be reported?
  • Which body should employees report violations to?
  • How is a report documented?
  • Who carries out the necessary internal investigations to examine the misconduct?
  • What sanctions are possible and mandatory in response to compliance incidents?


Establishing an internal reporting channel

Companies have diverse options when it comes to establishing a mandatory internal reporting channel:

  • Provide a whistleblower hotline:
    Reports can be submitted to internal contacts within the company or to external contacts. In practice, a whistleblower hotline is not always recommended. First, documenting the reports is difficult. Second, experience has shown that employees frequently use these hotlines for labor law issues, general complaints and the like, which is not the purpose of a whistleblower hotline. Third, cost factors, such as the set-up costs and the personnel costs of operating the hotline, can play a role.
  • Establish an IT-based whistleblower system:
    This is primarily the realm of external providers. IT-based whistleblowing software has advantages over a whistleblower hotline. A digital system frequently enables the efficient management and documentation of incoming reports. Moreover, whistleblowers are able to submit reports with complete anonymity. In addition, these systems are available worldwide and at all times. Many providers use software that meets the demanding standards for internal reporting, in particular as concerns restricting access authorization and data protection.
  • Utilize external experts:
    Due to their professional duty of confidentiality, lawyers fulfill one key criterion for serving as ombudspersons. They can also work in parallel with a whistleblower hotline or IT-based whistleblowing system. When lawyers serve as ombudspersons, their position guarantees consistent neutrality. As a consequence, they frequently enjoy greater trust and acceptance among potential whistleblowers, which has a positive impact on a company’s compliance culture.


Communication and training at companies

According to the ISO 37301 and ISO 37002 standards, regular communication with all employees and training within the company are crucial for a successful whistleblowing system. Accordingly, employees and compliance officers require training, in particular as regards the specific content of the Code of Conduct and the whistleblowing system.

Employee satisfaction surveys assessing the whistleblowing system are a useful tool for improving the overall compliance management system.


Documentation & investigation – Dealing with the reports

Art. 18 EU Whistleblower Directive stipulates that all reports received, including verbal reports (such as those provided via whistleblower hotlines) must be documented in accordance with the confidentiality obligations set forth in Art. 16 EU Whistleblower Directive.

Simple documentation of the reports is not always adequate to enable effective resolution. Particularly at medium-sized and large companies, categorizing and prioritizing the reports by type and the reasons for the reports is an effective solution. After the report has been received, an investigation needs to be carried out to fully resolve the compliance incident. The investigation can be conducted both internally and externally by a law firm or an external authority (if necessary).
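The confidentiality requirement of Art. 16, the GDPR tension around Art. 14 and 15 discussed above, and the documentation, categorization and prioritization steps in this section can be made concrete in a small case register. The following Python example is added here and is not code from the page or from BUSE; the categories, keyword lists, priority scale, role names and the sample report are all constructed for illustration. It keeps the reporter's identity in a separate sealed store that only the compliance-officer role can open (every attempt is logged), computes the seven-day acknowledgement deadline from the date of receipt, assigns a coarse category and priority on intake, and produces a data-subject export for a person named in a report that never contains the reporter's identity.

```python
"""Constructed example of a confidentiality-preserving case register for
whistleblower reports. Not code from the page or from BUSE; categories,
keyword lists, priorities, roles and the sample report are invented."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple
import secrets

ACK_DEADLINE_DAYS = 7  # acknowledgement deadline counted from receipt (page: seven days)


class Category(Enum):
    CRIMINAL = "criminal offence"            # corruption, fraud, money laundering, ...
    DATA_PROTECTION = "data protection / network security"
    PRODUCT_SAFETY = "product safety"
    OUT_OF_SCOPE = "out of scope"             # e.g. ordinary labour-law grievances


# Constructed keyword map used for a first, coarse categorisation of a report.
KEYWORDS = {
    Category.CRIMINAL: ("bribe", "kickback", "fraud", "embezzl", "launder"),
    Category.DATA_PROTECTION: ("personal data", "breach", "unauthorised access"),
    Category.PRODUCT_SAFETY: ("defect", "recall", "unsafe"),
}
# Constructed priority scale: 1 = highest.
PRIORITY = {Category.CRIMINAL: 1, Category.DATA_PROTECTION: 1,
            Category.PRODUCT_SAFETY: 2, Category.OUT_OF_SCOPE: 3}


def categorize(text: str) -> Category:
    """Assign a category from keywords; anything unmatched is out of scope."""
    lowered = text.lower()
    for category, words in KEYWORDS.items():
        if any(word in lowered for word in words):
            return category
    return Category.OUT_OF_SCOPE


@dataclass
class CaseRecord:
    case_id: str
    received: date
    channel: str
    category: Category
    priority: int
    summary: str
    subjects: List[str]                 # persons named in the report
    acknowledged: Optional[date] = None


class CaseRegister:
    """Case data and reporter identity live in separate stores so that
    investigators and data-subject exports never see who reported."""

    def __init__(self) -> None:
        self._cases: Dict[str, CaseRecord] = {}
        self._identities: Dict[str, str] = {}          # case_id -> reporter, sealed
        self.access_log: List[Tuple[str, str, bool]] = []  # (case_id, role, granted)

    def intake(self, received_iso: str, channel: str, text: str,
               subjects: List[str], reporter: Optional[str] = None) -> str:
        case_id = secrets.token_hex(8)          # random, non-sequential case id
        category = categorize(text)
        self._cases[case_id] = CaseRecord(case_id, date.fromisoformat(received_iso),
                                          channel, category, PRIORITY[category],
                                          text, list(subjects))
        if reporter is not None:                # anonymous reports carry no identity
            self._identities[case_id] = reporter
        return case_id

    def get(self, case_id: str) -> CaseRecord:
        return self._cases[case_id]

    def acknowledge(self, case_id: str, on_iso: str) -> None:
        self._cases[case_id].acknowledged = date.fromisoformat(on_iso)

    def overdue_acknowledgements(self, today_iso: str) -> List[str]:
        """Cases whose receipt has still not been confirmed after the deadline."""
        today = date.fromisoformat(today_iso)
        limit = timedelta(days=ACK_DEADLINE_DAYS)
        return sorted(c.case_id for c in self._cases.values()
                      if c.acknowledged is None and today > c.received + limit)

    def subject_access(self, case_id: str, person: str) -> dict:
        """Art. 15-style export for a person named in a report: the content that
        concerns them, never the reporter's identity or the other subjects."""
        rec = self._cases[case_id]
        if person not in rec.subjects:
            raise KeyError("person is not a subject of this case")
        return {"case_id": rec.case_id, "received": rec.received.isoformat(),
                "category": rec.category.value, "summary": rec.summary}

    def reporter_identity(self, case_id: str, role: str) -> Optional[str]:
        """Unseal the reporter only for the compliance officer; log every attempt."""
        granted = role == "compliance_officer"
        self.access_log.append((case_id, role, granted))
        if not granted:
            raise PermissionError("reporter identity is restricted to the compliance officer")
        return self._identities.get(case_id)    # None for anonymous reports


if __name__ == "__main__":
    reg = CaseRegister()
    cid = reg.intake("2021-11-01", "web form",
                     "Supplier paid a kickback to purchasing manager Doe", ["Doe"],
                     reporter="Alice")
    print(reg.get(cid).category, reg.overdue_acknowledgements("2021-11-09"))
```

The separation of `_identities` from `_cases` is the design point: an investigator working from the case record, or an export answering a request from a person named in a report, simply has no field in which the reporter's name could appear, and the only path to it is a logged, role-checked call. A real system would back the sealed store with separate encryption keys and a persistent audit trail rather than an in-memory dictionary and list.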

The Guidelines on Whistleblowing provided by the International Chamber of Commerce specifically recommend the use of an independent law firm to deal with and investigate whistleblower reports. ISO 37301 further supports this approach, stating that the investigation process should be independent, fair and managed by competent experts without any conflict of interest.


Monitoring, analysis and improvement

Finally, the regular analysis and monitoring of the whistleblower system, or of the compliance management system as a whole, as per the ISO 37301 standard play an important role.

The compliance department has to continuously and consistently monitor the whistleblower system in order to ensure that compliance objectives are fulfilled. Furthermore, the performance and effectiveness of the whistleblower system need to be assessed on a regular basis. The objective must be to continuously improve the system’s suitability, appropriateness and effectiveness.

How can we help?

Our team of compliance experts specializing in employment law has many years of extensive practical experience in developing, introducing and implementing the instruments with which companies can put an active and proactive whistleblowing system in place.

The BUSE compliance team is at your disposal to help you achieve your corporate objectives. We help you avoid compliance risks at the moment they arise. Where compliance risks have materialized, we support you in identifying threats quickly and neutralizing them for good.

Based on the many years of operational experience of our team members, we implement strategic, flexible and field-tested concepts that meet the highest standards and quality requirements. This enables our clients to meet the requirements for a whistleblower system in Germany, in the European Union and worldwide.