New whistleblower protection law – Companies required to implement a whistleblowing system
Who is affected?
Companies and organisations with at least 50 employees will be required to set up a whistleblower protection system. However, a grace period applies to institutions with up to 249 employees. They have until 17 December 2023 to implement a whistleblower protection system.
Irrespective of the number of employees, implementation is mandatory for capital management companies, investment service providers, credit institutions, and insurance companies.
Government agencies have been required to set up a whistleblower system since 17 December 2021, as they are directly subject to the EU Whistleblower Directive.
What are the relevant infringements?
The new draft law is intended to protect whistleblowers revealing any of the following:
- Crimes under German law
- Penalties for violations where the infringed regulation is intended to prevent the loss of life, physical injury, damage to health, or protect the rights of employees or their representative bodies. These include, for example, regulations involving the following areas:
- Workplace Safety
- Minimum wage law
- Health protection
- Law on Temporary Agency Work
- Obligations to inform and provide information to bodies such as the works council and business committees
Information on infringements of European regulations and their national implementation, including those from the following legal areas, also fall under the protection of the new Whistleblower Protection Act:
- Money laundering and the financing of terrorism
- Product safety and compliance requirements
- Environmental protection
- Consumer protection and rights
- GDPR
- IT security
- Shareholder rights
- Accounting regulations for corporations
- Procurement law
In particular, the draft law goes beyond the previous requirements of the German Anti-Money Laundering Act (GwG) and the regulatory requirements of the German Insurance Supervision Act (VAG) and German Banking Act (KWG) by imposing stricter requirements on the reporting system and by encompassing a far greater number of legal infringements. Companies that already have a whistleblower system will therefore need to adapt this to meet the new requirements.
How should the system work?
The draft law aims to ensure that whistleblower activities are channelled in a regulated manner so that, above all, the information is first handled internally and not immediately shared with the media.
Whistleblowers should be able to choose between an internal company system and external reporting offices of the federal government or the federal states as well as the central financial regulatory authority (BaFin) and the central anti-trust regulatory authority (Bundeskartellamt). According to § 16 of the draft law, the internal reporting channels must be designed in such a way that access is only granted to those persons responsible for receiving and processing the reports. Measures must be implemented to ensure that no unauthorised person has access to either the identity of the person providing the information or to the information itself.
Employees should be given the opportunity to provide information orally, in writing, or, if requested, in person. Setting up an internal system can be done in several ways:
- Establish a hotline for handling complaints
- Provide an opportunity for an in-person meeting
- Implement a whistleblower system that enables written complaints, preferably with the assistance of digital tools
If an infringement is reported, the internal reporting office must confirm this to the whistleblower within seven days. Within three months of this confirmation, the internal reporting body must inform the whistleblower of the actions that were taken or are planned, such as initiating an internal compliance investigation or forwarding a report to a law enforcement agency.
According to § 15 of the draft law, the persons receiving information at the internal reporting office must be independent and have the necessary technical expertise. These persons do not have to work exclusively in the reporting office but can also perform other duties within the company. However, it must be ensured that this does not lead to conflicts of interest.
The new draft law does not require corporations to implement a separate reporting system in each subsidiary. Here the draft differs greatly from the EU Directive to be implemented. To minimise possible hindrances such as language barriers in international enterprises, the Directive stipulates an internal reporting unit for each group company. The German legislature has, for practical and economic reasons, decided to take a different approach. Therefore, nothing currently stands in the way of German companies wanting to establish a corporatewide reporting system.
Smaller companies, each with up to 249 employees, will be able to set up a joint reporting centre with other companies.
Companies also have the option of outsourcing the implementation and operation of an internal reporting unit to an external service provider.
Anyone refusing to implement an internal company whistleblower system risks a fine of € 20,000 in accordance with § 40 paragraph 2 no. 2 of the draft law.
How are whistleblowers protected?
In general, a whistleblower should be able to choose whether to report incidents anonymously or by giving their name. However, the current draft law does not require companies to establish an internal reporting channel for anonymous reports. It remains to be seen whether this regulation will change during the legislative process. Maintaining a system that allows anonymous reporting is always viewed as building more trust, and it encourages employees to step forward and actually use such a system.
Regardless of reporting channel, the personal data of whistleblowers and other affected persons must always be treated confidentially.
However, caution should be exercised when setting up a less expensive solution. If an internal email address or telephone number is used for people to confidentially report an infringement, there is no guarantee that others (such as IT staff with admin rights whose role doesn’t involve receiving these reports) can’t access the system and identify the whistleblower or what they are reporting. However, this security loophole conflicts with the stipulations of the new regulation, which states that only those responsible at the reporting centre are allowed to access the system and the messages conveyed. It is therefore advisable to use an external telephone number of an ombudsperson, an email address outside of one's own company system, or a digital whistleblower system of an external provider.
However, the protection provided by the whistleblower system does not apply to persons who intentionally or on the grounds of gross negligence report incorrect information about alleged violations and thus abuse the system. § 38 of the draft law even allows for damage claims should this occur.
If whistleblowers disclose their identity, caution should be exercised with respect to measures taken by the HR department.
To protect whistleblowers from reprisals such as dismissal or bullying, the law provides for a far-reaching reversal of the burden of proof in § 36 of the draft law. If informants are disadvantaged in connection with their professional duties, there is a presumption that such discrimination constitutes a reprisal. Informants can pursue damage claims in this case. In the future, employers will have to demonstrate that any employment measures involving whistleblowers are unrelated to the infringements they reported.
Another point to note is that a person reporting an infringement cannot be held legally responsible for obtaining the information which he or she has reported, provided that this does not constitute a criminal offence.
If you have any other questions about setting up a whistleblower system, please feel free to contact us. We will be happy to assist you with the measures needed to satisfy the legal requirements, and offer the following services:
- We can provide you with an internal whistleblower policy or a broader compliance policy if you wish.
- We’ll gladly assume the role of ombudsman/external lawyer of trust and handle whistleblower reports from your employees, insuring confidentially.
- If infringements are reported, we can perform preliminary checks and thereby a plausibility check.
- We support you during investigations, also through IT-based research, and provide counsel on legal issues.
- We offer whistleblower and compliance training for you and your employees.
- We have our own digital solution for your whistleblower system with 24/7 accessibility, anonymity, and end-to-end encryption of all communications.