Austrian Whistleblower Protection Act is coming - What companies have to do now

Newsflash

Published on 10.02.2023

The EU Whistleblower Directive should have been transposed into national law by 17 December 2021, but it was only last week, on 1 February 2023, that the National Council finally passed the Whistleblower Protection Act (HSchG). It will now be referred to the Federal Council and is expected to enter into force by the end of March at the latest.

Who is affected by the implementation obligation and what are the deadlines? 
The HSchG obliges companies with 50 or more employees to set up an internal reporting channel for anonymous reporting. For companies with 50-249 employees, significant parts of the law will not come into force until 17 December 2023, with a grace period. A six-month transitional period from the date of entry into force has been granted for companies to establish internal and external bodies.

What measures need to be implemented and what needs to be taken into account? 

  • Establishment of an internal reporting channel through which employees can make personal reports upon request, either in writing or orally. The receipt and treatment of reports must be unbiased, impartial and independent of instructions. The internal channel must be available to whistleblowers in addition to external hotlines, such as the reporting channel at the Federal Office for Preventing and Combating Corruption or the one at the Financial Market Authority.
  • Compliance with precise specifications on the registration procedure: A report’s receipt must be confirmed in due time. The content of the report is to be assessed for veracity, whereby obviously false information is to be rejected, and abuse is to be prevented accordingly. Follow-up measures must be taken in accordance with the law and the whistleblower must be informed accordingly.
  • Compliance with information obligations: Potential whistleblowers must be provided with appropriate information on the internal reporting channel and the reporting procedure. Therefore, a policy for the internal whistleblower protection solution must be produced that fulfils the legal requirements.
  • Maintenance of confidentiality and compliance with the General Data Protection Regulation (GDPR): In addition to the strict requirements of the new law, the confidentiality and identity of whistleblowers and the persons affected by the information must be protected. Furthermore, compliance with the GDPR must be guaranteed. Whistleblowing systems must be technically and organisationally suitable in accordance with Article 25 of the GDPR. In addition, changes, queries and transmissions in particular must be logged. If group solutions are implemented, it should also be noted that companies must regularly conclude Article 26 GDPR agreements.

What are the implications of the HSchG and what should companies expect for violating it?
The far-reaching protection provided by the HSchG includes, among other things, exemption from liability for the consequences of justified reports and broad protection against reprisals in the workplace.

In the event of violations, both companies and whistleblowers face administrative fines of up to EUR 20,000 (or EUR 40,000 in the case of a repeat offence) per violation. Punishable offences include obstructing whistleblowers, taking reprisals, violating confidentiality or knowingly providing false information.   

Our experts will be happy to advise you on implementing a tailor-made whistleblower protection solution as well as on how to handle reports.

Key contacts

Christina Maria Schwaiger
Lawyer
Vienna
T +43 1 40443 2450
Oliver Werner
Partner
Managing Partner at CMS Bratislava
Vienna
T +43 1 40443 5900