Whistleblowing systems for companies

A whistleblower system is the core of an effective compliance concept. We advise and support the implementation and further development of such systems. The legal and organizational framework is multi-layered and complex. We ensure that companies are aware of the key aspects.

Why do companies need whistleblowers?

“Whistleblowers – traitors or heroes?” reflects just how heated the discussion about the value or drawback of whistleblowers and the associated whistleblower systems has become.

The term “whistleblower” refers to people who report information about misconduct in the workplace or the misconduct of individuals in organizations in general. This information is reported to a responsible authority and can involve criminal offenses, such as corruption, fraud, embezzlement, money laundering or other violations.

Whistleblowers aim to end or prevent misconduct within the company or the organization. Responsible whistleblowers also have an interest in limiting the damage caused by misconduct, which benefits companies. As early as 2005, the International Chamber of Commerce highlighted the importance of effective whistleblower systems to prevent and detect criminal offenses against the economy in its ICC Guidelines on Whistleblowing.

Case law of the European Court of Human Rights

In a case from Germany in 2011, the disclosure of misconduct by a whistleblower led to a landmark decision by the European Court of Human Rights (ECtHR). The court regarded the protection of whistleblowers as an integral aspect of freedom of speech in accordance with Article 10 of the European Convention on Human Rights (ECtHR, decision dated July 21, 2011 – 28274/08, Heinisch v. Germany).

Since then, however, the European Court of Human Rights has repeatedly examined the issue and reached differing conclusions.

One example was when the ECtHR, in a decision dated February 16, 2021 – 23922/19 (Gawlik v. Liechtenstein), ruled that the immediate dismissal of a doctor, who acted as a whistleblower, was lawful. The whistleblower had reported a suspicion of a serious criminal offense by a superior directly to the public prosecutor’s office. However, the ECtHR criticized the whistleblower for not having carried out a careful internal investigation of his suspicion beforehand. In the case of such an omission, the whistleblower is not entitled to protection.

Case law of the Federal Labor Court

The Federal Labor Court (BAG) also stressed the protection of whistleblowers acting with justification in its leading decision from 2003. When whistleblowing, employees are obliged to take into account the business interests of their employer to a reasonable extent (BAG, ruling dated July 3, 2003 – 2 AZR 235/02).

The Directive (EU) 2019/1937

On December 16, 2019 Directive (EU) 2019/1937 (EU Whistleblower Directive) entered into force in the European Union. It regulates the protection of persons who report breaches of Union law.

Article 2 (1) of the EU Whistleblower Directive governs the specific scope of application. This covers the following areas:

  • Financial services, financial products and financial markets, as well as prevention of money laundering and terrorist financing,
  • Product safety,
  • Transport safety,
  • Environmental protection,
  • Food and feed safety,
  • Animal health and welfare,
  • Public health,
  • Consumer protection,
  • Protection of privacy and personal data as well as the security of network and information systems.

The personal scope of the EU Whistleblower Directive covers whistleblowers who work in the private or public sector and have acquired information about violations in a professional context.

Obligation to establish a whistleblower system

According to Article 8 of the EU Whistleblower Directive, companies with 50 or more employees, any companies in the financial services industry, and legal entities in the public sector will be required to set up an internal whistleblowing system in the future. These internal reporting channels must enable reporting in written, verbal, or personal form.

Internal reporting, external reporting and disclosure

The EU Whistleblower Directive provides for three levels when reporting misconduct: Internal reporting, external reporting to the responsible authority, or disclosure and reporting to the public.

In principle, whistleblowers are free to choose whether the report is addressed to an internal reporting body within the company or whether they contact an external responsible reporting body/authority.

The focus of the Directive is the protection against reprisals and their threat, both of which are prohibited by Article 19 in the EU Whistleblower Directive.

Whistleblowers are also protected from liability, provided there is reasonable cause for the report or disclosure.

The Whistleblower Protection Act

In Germany, the EU Whistleblower Directive has been implemented into national law by the Act for Better Protection of Whistleblowers and the Implementation of the Directive on the Protection of Persons Reporting Breaches of Union Law (Whistleblower Protection Act – HinSchG) of May 31, 2023. The HinSchG entered into force on July 2, 2023. Initially, the obligation to set up an internal reporting body applies only to companies with more than 250 employees. From December 1, 2023, the regulation of administrative offenses under Section 40 HinSchG will apply, and from December 17, 2023, companies with 50 or more employees must also set up an internal reporting body.

Obligation to establish internal reporting body

With the introduction of the Whistleblower Protection Act, there are essentially three stages for whistleblowing:

Pursuant to Section 12 HinSchG, the employer must ensure that at least one internal reporting body is set up which employees and temporary workers can approach (internal reporting body). This obligation applies – with exceptions – only to employers with at least 50 employees.

Pursuant to Section 16 HinSchG, the internal reporting channel can be designed in such a way that it is also open to persons who, in the context of their professional activities, are in contact with the respective employer obliged to set up the internal reporting body or with the respective organizational unit. The internal reporting body should also process incoming reports anonymously. However, there is no obligation to design reporting channels in such a way that they allow anonymous reports to be submitted. Internal reporting channels must additionally allow reports to be made verbally or in written form.

Preference of the internal reporting body

Whistleblowers can choose whether to contact an internal reporting body in accordance with Section 12 HinSchG or an external reporting body pursuant to Sections 19 et seq. HinSchG. Employees should be informed that in cases where the violation can be effectively remedied internally, they should give preference to reporting to an internal reporting body and that they should not fear reprisals. If, however, an internally reported violation has not been remedied, the whistleblower is free to contact an external reporting body. In exceptional cases, such as when there is an immediate or obvious threat to public interests, whistleblowers are also allowed to disclose the information regarding misconduct directly, according to Section 32 HinSchG.

Procedure for reporting

If a report is received by the internal reporting body, it is obliged to act in accordance with Section 17 HinSchG:

  1. Confirm the receipt of the report to the person providing the information within seven days,
  2. Verify whether the reported violation is a protected report,
  3. Keep in contact with the person who made the report,
  4. Check the validity of the report received,
  5. Request further information from the person providing the report, if necessary; and
  6. Follow up.

The internal reporting body must provide feedback to the whistleblower within three months of confirming receipt of the report or, if receipt has not been confirmed, at the latest within three months and seven days after receipt of the report. In this feedback, the whistleblower must be informed both of planned follow-up measures and which follow-up measures have already been taken and why.

Follow-up measures that the internal reporting office can undertake are based on Section 18 HinSchG. According to this, it may:

  1. Carry out internal investigations at the employer or at the respective organizational unit and contact relevant persons and departments,
  2. Refer the person making the report to other responsible bodies,
  3. Close the procedure due to lack of evidence or for other reasons, or
  4. Hand the procedure over for further investigation.

The procedure is then handed over to a function responsible for internal investigations of the employer or respective organizational unit, or to a responsible authority.

The procedure for reporting to an external responsible body differs; in this case, the procedure is based on Section 28 HinSchG. External responsible bodies are obliged to confirm the report immediately, or at the latest after seven days. An exception exists if the whistleblower expressly waives this obligation or if there is sufficient reason to believe that confirmation of receipt would impair the protection of the whistleblower’s identity. In addition, external responsible bodies are obliged to inform the whistleblower of the possibility of internal reporting. Thereafter, the external responsible bodies must also check whether the report is protected by the law and whether the validity of the report is verified before any follow-up action can be taken. The external responsible bodies are also obliged to provide the whistleblower with feedback within three months at the latest; in the case of more extensive processing, the deadline is six months. If the deadline is extended, this must be communicated to the whistleblower.

According to Section 3 (5) HinSchG, disclosure refers to making information about violations available to the public (e.g., the media). According to Section 32 HinSchG, information may only be disclosed if the whistleblower has first reported to an external responsible body and no follow-up action has been taken within the required deadlines or if the whistleblower has not received any response at all. Furthermore, the whistleblower must have had sufficient reason to believe that:

  1. The violation may pose an immediate or obvious threat to the public interest due to an emergency, the risk of irreversible damage, or similar circumstances,
  2. There is a risk of reprisals in the event of an external report, or
  3. Evidence could be suppressed or destroyed, there could be agreements between the external responsible authority and the violator or, due to other special circumstances, the chances are low that the external reporting office will initiate effective follow-up measures pursuant to Section 29 HinSchG.

Confidentiality requirement and data protection aspects

Pursuant to Section 8 HinSchG, reporting bodies must maintain the confidentiality of the whistleblower’s identity, the persons who are the subject of a report, and any other persons named in the report.

Pursuant to Section 10 HinSchG, the reporting bodies are entitled to process personal data insofar as this is necessary for the fulfillment of their tasks. In this case, the reporting bodies must provide for special and appropriate measures to protect the interests of the data subject. The processing of special categories of personal data (e.g. health data) is permissible if appropriate and specific measures are provided for in accordance with Section 22 (2) sentence 2 Federal Data Protection Act (BDSG) to protect the interests of the data subjects.

Protective measures for whistleblowers

According to Section 36 (1) HinSchG, reprisals directed against whistleblowers and threats thereof are prohibited. Typical reprisals would be dismissal, non-extension or early termination of a fixed-term employment contract, change of workplace or working conditions, etc.

If a whistleblower is discriminated against due to a report or disclosure, the person who has caused the discriminating disadvantage to the whistleblower bears the burden of proving, pursuant to Section 36 (2) HinSchG, that the adverse action was based on reasonably justifiable grounds or that it was not based on the report or disclosure. The whistleblower therefore only has to state that there is a connection between the disadvantage and the whistleblowing and does not have to prove this assertion. This provision may result in risks for the employer. It is therefore advisable to assign the responsibility for implementing personnel measures to persons other than those who handle the reports via the whistleblower system. In this way, it may be possible to prove in a legal dispute, e.g. after termination, that there was no connection between the whistleblower’s report and the person being terminated. However, if the person responsible for the dismissal had knowledge of the report, the reasons for the termination and all material circumstances of the actions should be documented particularly thoroughly and carefully.

Restriction of the protection of whistleblowers

In order to prevent abusive reports as well as frivolous false reports, Sections 33 et seq. HinSchG set out three essential requirements for the protection of whistleblowers:

They must:

  1. Have made the reports through the reporting channels provided for by law,
  2. Have had reasonable grounds to believe that the information reported was true at the time of reporting; and
  3. The information must concern violations that fall within the scope of HinSchG, or the person providing the information had reasonable grounds to believe that this was the case at the time of the report.

Compensation after reprisals and after a false report

The law prohibits imposing any reprisals on a whistleblower. If this prohibition is violated, the whistleblower is entitled to claim damages in accordance with Section 37 HinSchG. However, violation of the prohibition of reprisals does not establish a claim to an employment relationship or such.

In order to prevent the whistleblower from making imprudent reports without first checking the information carefully, Section 38 HinSchG governs the whistleblower’s obligation to compensate for damages. This obligation applies after a false report if damage has resulted from a deliberate or grossly negligent report or disclosure of incorrect information.

Fine for administrative offense

A whistleblower shall be liable for an administrative offense pursuant to Section 40 HinSchG if he or she discloses false information.

Furthermore, according to Section 7 (2) HinSchG it is an administrative offense for a person to obstruct a report or a communication, to fail to set up or operate an internal reporting body despite an obligation to do so, or to take reprisals despite the prohibition.

In addition, it is an administrative offense if confidentiality has not been maintained. It is irrelevant whether this is done intentionally or negligently.

Administrative offenses can be punished with a fine of up to € 50,000, depending on the type of administrative offense.

The Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG), which has been in force since January 1, 2023, regulates due diligence obligations based on the UN Guiding Principles on Business and Human Rights. These obligations include measures to comply with human rights and environmental protection requirements, both in the company’s own business operations and within the supply chain of companies above a certain size that are based in Germany.

These obligations, stipulated by the Supply Chain Due Diligence Act, require companies to establish a whistleblowing system. In accordance with Sections 3 and 8 of the Supply Chain Due Diligence Act, companies must implement a complaint procedure.

This procedure enables company employees to report human rights and environmental risks or violations in their own area of the company, as well as those of indirect and direct suppliers. The complaint procedure can be effectively implemented via a digital whistleblower system.

How should companies implement whistleblower protection?

When implementing the protection of whistleblowers, companies should primarily orient their approach on case law and the statutory requirements. The Whistleblower Protection Act (HinSchG) came into force on July 2, 2023. Therefore, in addition to the EU Directive, since that date the German law also applies.

Does the works council have a say in whistleblower protection?

When introducing a whistleblower system, companies must observe the works council’s right of co-determination pursuant to Section 87 (1) No. 1 and No. 6 German Works Constitution Act (BetrVG). The right of co-determination applies to the introduction of the whistleblower system (hotline, software, etc.) as it concerns company procedures and the behavior of the employees when they submit a report at the company, and also the introduction and use of technical systems.

Is whistleblower protection compatible with trade secret law?

Trade secrets as defined in Section 2 No. 1 of the German Trade Secrets Act (GeschGehG) are subject to a special level of protection. This level of protection may also become relevant for whistleblower reports. Section 5 No. 2 GeschGehG is pertinent. In addition, Section 6 (1) HinSchG regulates the prerequisites for the permitted disclosure of trade secrets to a reporting office or even public disclosure.

The procedure begins with the discovery of an unlawful act, professional or other misconduct. Reporting the issue must serve to protect the general public interest. Section 23 GeschGehG states that, in this case, there is no violation of business secrets and, therefore, no criminal liability.

Is whistleblower protection compatible with data protection?

For whistleblower protection, the data protection framework is derived from the General Data Protection Regulation (GDPR).

According to Section 8 HinSchG, the confidentiality of whistleblowing is guaranteed. This means that the reporting body must treat the identity of whistleblowers as confidential. Acting as a whistleblower may therefore be carried out anonymously.

According to Section 10 HinSchG, the processing of personal data by reporting bodies is permitted. In addition, however, a difficulty may arise because, according to Article 14 of the GDPR, the involved employees who are named or even accused in a report must be informed about the purposes of the data processing as well as the identity of the whistleblower. In principle, this must be done no later than one month after the report. In addition, employees involved have a right to information about the content of a report concerning them in accordance with Article 15 of the GDPR. This is contradicted by the fact that according to Section 8 HinSchG, the identity of whistleblowers does not have to be disclosed.

Section 9 HinSchG offers a solution here: Information about the identity of the whistleblower may be disclosed in criminal proceedings, at the request of the prosecuting authorities, due to administrative proceedings, including administrative fine regulations, and based on a court decision, as well as to the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt). Information may also be disclosed if this is necessary for follow-up measures or if the whistleblower has previously consented to the disclosure.

Overview of the elements of a whistleblower system



Establishment of the responsible body

Pursuant to Section 14 (1) HinSchG, an internal reporting body can be established by setting up a work department that is responsible for the required tasks of the internal reporting body. However, this can also be a company-internal third party, e.g. a specialized law firm. The persons responsible for the internal reporting body must be independent in the performance of their duties. They may also perform other tasks and duties in addition to their work for the reporting body; however, according to Section 15 HinSchG, it must be ensured that this does not lead to conflicts of interest.

In addition, according to Section 15 HinSchG, employers must ensure that the persons entrusted with the tasks in the internal reporting body have the necessary specialist knowledge.


Establishment of a compliance culture in the company

According to the International Compliance Standard ISO 37301, a standardized compliance culture throughout the company is an essential prerequisite for an effective compliance management system. A binding and company-wide standardized Code of Conduct is a key factor when establishing a whistleblower system. This represents the first step towards implementing corporate compliance. Where possible, the management should thoroughly describe the whistleblower system process in the Code of Conduct. Answers to the following questions are also important aspects:

  • What may be reported?
  • Which body should employees report violations to?
  • How is a report documented?
  • Who carries out the necessary internal investigations to examine the misconduct?
  • What sanctions are possible and mandatory in response to compliance incidents?


Setting up the internal reporting channel

Due to the obligation under Section 16 HinSchG to set up an internal reporting channel, companies have several options:

  • Provide a whistleblower hotline:
    The contact persons for whistleblowing can be both internal and external to the company. When taking this approach, it can be difficult to document reports received. In addition, experience shows that such hotlines are often also used by employees for labor law issues, complaints, etc., which is not the purpose of a whistleblower hotline. And lastly, the cost factor (set-up costs, personnel costs for operations) can play a role.
  • Establish an IT-based whistleblower system:
    This is the realm of external providers. IT-based whistleblowing software has advantages over a whistleblower hotline. A digital system often enables the efficient management and documentation of incoming reports and moreover, whistleblowers are able to submit reports with complete anonymity. In addition, these systems are available worldwide and at all times. Many providers offer software capable of meeting the demanding standards for internal reporting, in particular concerns such as restricting access authorization and data protection.
  • Utilize external experts:
    Due to their professional duty of confidentiality, lawyers fulfill one key criterion to serve as ombudspersons. They can also work in parallel with a whistleblower hotline or IT-based whistleblowing system. When lawyers serve as ombudspersons, they guarantee consistent neutrality due to their position. As a consequence, they frequently enjoy greater trust and acceptance among potential whistleblowers. This has a positive impact on a company’s compliance culture.


Communication and training in the company

According to the ISO 37301 and ISO 37002 standards, regular communication with all employees and training within the company are crucial for a successful whistleblowing system. Accordingly, employees and compliance officers require training, in particular with regard to the specific content of the Code of Conduct and the whistleblowing system.

Employee satisfaction surveys assessing the whistleblowing system represent a useful tool in improving the joint compliance management system.


Documentation & investigation – message handling

Pursuant to Section 11 HinSchG, all incoming reports, including verbal reports (e.g., within the scope of whistleblower hotlines), must be documented in accordance with the confidentiality obligations pursuant to Section 8 HinSchG.

Simple documentation of the reports is not always adequate to enable an effective resolution, particularly in medium and large-sized companies. Categorizing and prioritizing the reports by type and the reasons for the reports can be an effective solution. After the report has been received, an investigation needs to be carried out in order to fully resolve the compliance incident. The investigation can be conducted both internally and externally, by a law firm or an external authority (if necessary).

The Guidelines on Whistleblowing provided by the International Chamber of Commerce specifically recommend the use of an independent law firm to deal with and investigate whistleblower reports. ISO 37301 further supports this approach, stating that the investigation process should be independent, fair and managed by competent experts without any conflict of interest.


Monitoring, analysis and improvement

Ultimately, the regular analysis and monitoring of the whistleblower system or the compliance management system as per the ISO 37301 standard play an important role.

The Compliance Department has to continuously and consistently monitor the whistleblower system in order to ensure that compliance objectives are fulfilled. Furthermore, the performance and effectiveness of the whistleblower system need to be assessed on a regular basis. The objective must be to continuously improve the system’s suitability, appropriateness and effectiveness.

How can we help?

Our team of compliance experts specializing in labor law has many years of extensive, practical experience in developing, introducing and implementing the tools that companies utilize to implement an active and proactive whistleblowing system.

The BUSE Compliance Team is here to assist you in order to ensure that you achieve your corporate objectives. We help you to avoid compliance risks before they even arise. If compliance risks have occurred, we then assist you with rapidly identifying and sustainably neutralizing the corresponding dangers.

Drawing on the long-standing operative experience of our Compliance Team members, we implement strategic, flexible and proven concepts that fulfill the highest standards and quality requirements. This enables our clients to successfully meet the requirements for a whistleblower system in Germany, in the European Union and worldwide.