Whistleblowing is a term that is not used uniformly. The understanding of the term and the legal frameworks for dealing with whistleblowers vary internationally. In Germany, the Whistleblower Protection Act (the “Act”), transposing the EU Whistleblower Directive (the “Directive”), has now fully entered into force. The following FAQs explain the key rules that international HR departments need to observe.
I. General
1. What is the legislative objective of the Act?
The Act aims to improve the protection of whistleblowers by imposing an obligation to establish a whistleblowing reporting system as part of corporate compliance responsibilities under corporate law.
2. What is the central innovation of the Act?
The central innovation of the Act is an obligation, applying across sectors and legal forms, to set up a whistleblowing reporting system. Previously, such an obligation existed only for financial institutions and was recommended in the German Corporate Governance Codex (GCGC).
3. What is the background of the Act under European law?
The Act transposes the Directive into German law. The implementation deadline expired on December 17, 2021. Due to its late implementation, infringement proceedings were initiated against Germany.
4. When does the Act come into force?
The Act already entered into force on July 2, 2023. However, for private employers with fewer than 250 employees, the obligation to establish reporting offices has only applied since December 17, 2023. The Act does not apply to employers with fewer than 50 employees.
II. Personal and material scope of application
1. Who is included in the personal scope of application as a whistleblower?
“Whistleblowers” are natural persons who, in connection with their professional activities or in the run-up to professional activities, have obtained information about violations and report or disclose them to the reporting offices provided for under the Act in accordance with the provisions of the Act. Subsequent reporting after the violation has been reported elsewhere does not retroactively fall within or broaden the scope of protection. The identity of those whom the whistleblower includes in his or her report (e.g., witnesses) is also protected.
The Directive mentions, as examples of potential whistleblowers: employees; civil servants; self-employed persons; shareholders; volunteers; interns; suppliers; third parties associated with the whistleblower who could suffer reprisals in a professional context; job applicants; persons whose employment has been terminated in the meantime; legal entities under the control of the whistleblower; and members of the company’s governing bodies. The personal scope of application is therefore very broad.
If an employee reports a violation to the works council, it is not covered by the scope of application because the works council – unless explicitly determined – is not a reporting body provided for by law.
2. Which reports of violations of the law are covered by the material scope of application?
The material scope of application may be met if the person providing the information had sufficient reason to believe that the reported or disclosed information was true at the time it was provided.
The information must relate to violations of European law regulations or violations of German regulations. Since the Directive does not cover national regulations, the German legislator decided against a complete whistleblower protection for violations of German law and only included violations that are subject to criminal penalties or fines where the violated regulation serves the protection of life, limb or health or the protection of the rights of employees or their representative bodies. In particular, the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG) and internal company compliance regulations are not included.
3. What are the exceptions to the material scope of application?
Notifications or disclosures of information concerning security interests or which are subject to confidentiality obligations (e.g. consultancy secrecy, medical confidentiality) are excluded. A report concerning business secrets is only permissible if additional requirements are met.
4. What is the relationship between the Act and other laws?
Some legal provisions have priority over the Act (e.g. provisions of the Money Laundering Act, the Banking Act, the Securities Trading Act and the Stock Exchange Act).
Because the law applies to members of the administrative, management, or supervisory bodies of companies, as well as their shareholders, it is currently unclear whether there are any reporting restrictions pursuant to corporate law confidentiality duties or other law.
It also remains unclear how the Act relates to the right to information under data protection law pursuant to Art. 15 GDPR, although the Directive explicitly permits a restriction of the right to information. Unfortunately, the German legislator has even stated in the Act’s explanatory memorandum that the current legal protection is sufficient. As such, it is now up to the courts to determine the relationship between the Act and Art. 15.
III. Reporting process
1. Do internal reporting offices need to be established?
Employers that usually have at least 50 employees must establish and operate an internal reporting office. Certain companies must operate an internal reporting office regardless of the number of employees (e.g. investment services).
2. How should internal reporting offices be set up?
The establishment can be done by the employer itself or delegated to a third party. Private employers usually having 50-249 employees can operate a joint office. Even a works council can serve as an internal hotline if explicitly determined.
3. Must third parties also be given the opportunity to contact the internal reporting office?
The internal reporting office only needs to be opened to employees, i.e. not to third parties. For this reason, it is not necessary to give third parties the opportunity to contact the internal reporting office. Therefore, for example, providing the internal reporting office’s e-mail address to third parties is not mandatory.
4. May one internal reporting office in a corporate group be created?
The German legislator has fortunately clearly chosen legal wording that allows this. However, since the Directive itself is unclear and the issue is disputed among the member states, we have probably not heard the last word on this. The Act could yet be found to be invalid or – as we know from vacation law – could ultimately be interpreted against this wording.
5. What procedure should be followed when a whistleblower makes a report to the internal reporting office?
– Receipt of the report must be confirmed within seven calendar days.
– The reporting office must check the evidence.
– Any necessary follow-up actions are to be taken.
– Feedback on follow-up action taken must be provided within three months of acknowledging receipt of the report.
6. To which office must the whistleblower report the violation?
The whistleblower may contact internal and external reporting offices. He or she should give priority to the internal reporting office if this enables the whistleblower to take effective action against the violation and there is no fear of retaliation. If the internal reporting office has taken follow-up action, a report to the external reporting office is inadmissible.
7. The Act requires the employer to incentivize reporting via the internal reporting office as opposed to reporting via the external reporting office. In addition, the employer must provide clear and easily accessible information on the use of the internal reporting procedure. Are these the same obligations or is there a difference?
Although the obligations are very similar, the difference is that the “incentives” obligation can be interpreted more broadly. It can be more than just providing information about the use.
8. How should the whistleblower’s data be handled?
Reporting offices must maintain the confidentiality of the identity of the whistleblower and the persons who are the subject of the report, as well as the persons named in the report (in practice, the relevant names must be kept secret). Exceptions exist if the person intentionally or grossly negligently reports incorrect information about violations, disclosure is ordered by the authorities or is necessary for follow-up measures, or the person concerned consents.
9. Are there any provisions in German law that would prevent a whistleblower report being dealt with at the parent company level in the U.S. (as opposed to being dealt with at the subsidiary level in Germany)?
The whistleblower report can be dealt with at the company level in the U.S. if and insofar as all data protection regulations are complied with.
10. How is the notification to be documented?
Reports are to be documented by the person receiving the report in a permanently retrievable manner in compliance with the confidentiality requirement. If a report is submitted by telephone, the audio recording or a verbatim record may only be made with the consent of the person making the report. Practically, therefore, a summary content log is likely to be appropriate. The documentation should be deleted three years after the conclusion of the proceedings. The documentation may alternatively be kept for longer if this is necessary and proportionate.
11. What follow-up measures may a reporting office take?
Internal reporting offices have the task of investigating reports, checking their validity and helping to remedy any violations. To this end, they can, in particular, conduct internal investigations and contact the persons and entities concerned. However, the Act does not provide an exclusive catalog of possible follow-up measures. If an allegation is not confirmed, the proceedings must be discontinued.
12. When may the whistleblower disclose a violation to the public?
Disclosure is possible if
– an external report was initially submitted, but no timely follow-up action was taken or no response was received, or
– there is reasonable cause to believe that the violation poses an imminent or obvious threat to the public interest because of an emergency, the threat of irreversible harm, or similar circumstances; or
– there is a risk of retaliation or inadequate follow-up in the event of external reporting.
IV. Protective measures
1. How is the whistleblower protected?
Responsibility for the procurement of the information is excluded insofar as the act of procurement does not itself constitute a criminal offense. This means that the dissemination of the information does not constitute a breach of duty and does not make a whistleblower susceptible to a warning or termination.
Retaliation against the whistleblower is prohibited. If the whistleblower claims to have suffered a disadvantage as a result of a report or disclosure, there is a rebuttable presumption that the disadvantage suffered is a retaliation. Retaliations can be, for example, dismissals, suspensions, denial of a salary increase or participation in further training, etc. Here, the Directive covers any conceivable action against whistleblowers. These protective rights may not be restricted on the basis of deviating agreements.
In practice, it should be documented who becomes aware of the whistleblower, in order to avoid retaliation. Because of the rebuttable presumption that any measure (e.g. not being promoted) is carried out as retaliation, the employer has to collect evidence to refute this presumption if challenged. If the decision maker (e.g. HR) had no knowledge of the whistleblower (e.g. if the Compliance department alone dealt with the whistleblowing report), evidence of this will likely be sufficient to rebut the presumption.
2. What are the requirements for the protection of persons providing information?
– Firstly, the report must have been made to an internal or external reporting office or the disclosure must be permissible in accordance with the requirements of Section 32 of the Act,
– there must be reasonable grounds to believe that the information is truthful, and
– the reported violations must fall within the scope.
3. How can the presumption of retaliation be rebutted?
It must be shown that the detriment was based on sufficiently justified reasons (objectively comprehensible reasons) or that the report or disclosure was not the cause of the detriment. In practice, as is known from the General Equal Treatment Act, this is likely to depend considerably on the line of case law which develops.
V. Sanctions
1. In what cases must the employer pay a fine?
– In the case of obstruction of communication between the whistleblower and the reporting office,
– failure to establish internal hotlines, as well as
– violations of the requirement of confidentiality or the prohibition of retaliation.
On the other hand, the intentional disclosure of inaccurate information is also subject to a fine.
2. Do fines depend on the annual turnover?
No, fines are fixed at up to 500,000 EUR.
3. Are there additional cost risks due to damages?
Yes, damages are also to be paid to a whistleblower in case of retaliation. If the whistleblower has suffered a financial disadvantage, e.g., because he or she was not promoted due to retaliation, this is to be compensated. In this case, the whistleblower can claim the difference in salary. Similar case law is known in Germany from the AGG, under which employees regularly sue for damages because they were disadvantaged on grounds of gender (e.g. a man has been promoted in a team containing mostly women). The German courts are generally very employee-friendly, which makes it difficult for the employer in individual cases to prove that a certain measure was taken for legitimate reasons and not in retaliation against the whistleblower.
VI. Aspects of Works Constitution Law
1. Is there an element of co-determination?
The establishment and design of internal reporting offices is subject to the co-determination provisions of Section 87 para. 1 No. 1 of the Works Council Constitution Act. The reason for this is that the employer controls the behavior of the employees beyond their actual work performance by specifying the procedure for reports (Ordnungsverhalten).
Most establishments will likely include technical systems such as special whistleblowing software. Such technical systems are also subject to co-determination, Section 87 para. 1 No. 6 of the Works Council Constitution Act.
2. To what extent may the works council have a co-determination right?
Insofar as the establishment of the reporting office is a legal obligation, the introduction itself is not subject to co-determination. What is subject to co-determination is the design of the internal reporting office procedure (the “how” of the design).
There is no right of co-determination regarding the specific staffing of the position because the staffing of positions falls within entrepreneurial freedom. Nor may this be undermined by the right of co-determination in the case of transfers (Versetzung).