Whistleblower protection and reporting channels in Germany

Yes, there will be a German law on whistleblowing very soon. The German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) has been passed and promulgated by the German legislature and will come into force on 2 July 2023.

Yes, the German Whistleblower Protection Act stipulates that certain employers (including all private entities) which regularly employ 50 or more workers are required to establish and operate internal reporting channels (interne Meldestellen).

Employers within the meaning of the Act who regularly employ between 50 and 249 workers have until 17 December 2023 to establish such channels. As there is no such transitional period for employers with 250 or more workers, the obligation applies to them immediately once the Act comes into force.

Employers who regularly employ fewer than 50 workers do not have to establish internal reporting channels. Doing so might be advisable, however, in order to minimise the risk of external reporting, as workers are free to decide whether to report internally or externally.

In accordance with the Act, workers shall preferably use internal reporting channels in cases where breaches can be addressed effectively internally and where they do not fear retaliation.

Please note that sector-specific laws remain in force in some sectors, requiring companies to establish an internal whistleblowing system independently of their size (e.g. credit institutions).

The German Whistleblower Protection Act provides for penalties of up to EUR 20,000 for failing to establish or operate an internal reporting channel.

It is also advisable to establish an internal reporting channel in order to minimise the PR risk of whistleblowers making information public. If a whistleblower makes information public, the company might suffer a loss of reputation.

If there is a works council in the company, its right of co-determination must be ensured.

In most cases, establishing a whistleblowing system will trigger the works council’s right of co-determination because it relates to the rules of operation and/or the conduct of employees at the business unit (section 87(1) no. 1 German Works Constitution Act (Betriebsverfassungsgesetz, BetrVG)). This right of co-determination applies if the whistleblowing procedure stipulates how, when and to whom a report must be made about which circumstances.

In addition, the right of co-determination regarding the introduction and use of technical devices designed to monitor the behaviour or performance of employees (section 87(1) no. 6 German Works Constitution Act) might also be triggered.

Please note that the German Whistleblower Protection Act contains the following provisions on the design of an internal reporting channel, amongst others:

• The reporting channel must be operated by an independent and competent person or department.
• The reporting channel must provide employees with clear, easily accessible information on external reporting procedures and relevant reporting procedures of EU institutions, bodies, or agencies.
• The reporting channel must be available for the reporting of breaches punishable by penalties or fines and other breaches of German and European legal provisions as listed in the draft Act.
• Both employees and temporary agency employees must have access to the reporting channel.
• Only the persons responsible for receiving and processing the reports and the persons assisting them in the performance of these tasks may have access to the incoming reports.
• It must be possible to make reports in writing or orally. Oral reports must also be possible by telephone or other means of voice transmission. If requested by the reporting person, an in-person meeting must be arranged within a reasonable time.
• The reporting channel should also process anonymous reports received. There is no obligation, however, to facilitate anonymous reporting.
• Receipt of a report must be confirmed after seven days at the latest.
• The reporting channel must check the admissibility of the subject and the validity of the allegations made, maintain contact with the reporting person and, if necessary, request further information.
• The reporting channel shall take follow-up action (e.g. internal investigations) as appropriate.
• The reporting channel shall inform the reporting person about follow-up measures planned or taken, as well as the reasons for them, within three months after confirmation of receipt.

If the company has a works council, employees will likely have to be involved. For further details, see the answer to question 4.

There is no local law that generally prohibits employees from disclosing information on breaches externally.

However, there are certain restrictions on employees regarding public disclosures.

Firstly, all employees are bound by a duty of loyalty and consideration towards their employer. They are therefore required to protect their employer's trade and business secrets. No explicit provision in the employment contract is necessary for this to apply.

Secondly, since 2019 a duty of confidentiality has also been stipulated in the German Trade Secrets Act (Geschäftsgeheimnisgesetz, GeschGehG), which transposed the Directive on the Protection of Trade Secrets. Lastly, there are some further provisions in sector-specific acts.

If the disclosure of information on breaches falls within the scope of the duty of loyalty and consideration, in most cases the employee must try to find an internal remedy or make an internal report before making such information public. Otherwise, the employee risks being legally dismissed for breach of contract. The German Trade Secrets Act even criminalises certain breaches of confidentiality and stipulates sanctions of up to a maximum of three years' imprisonment. Finally, depending on the circumstances, the employer might be entitled to claim damages from the employee.

According to the German Whistleblower Protection Act, however, whistleblowers are entitled to disclose information on breaches to the public under certain conditions. They are protected from retaliation if they do so.

Other than the German Whistleblower Protection Act, special protection from retaliation exists only in certain sectors, e.g. the financial sector.

The German Whistleblower Protection Act prohibits retaliation against reporting persons. If a reporting person suffers a detriment in a work-related context and claims that it is due to reporting or public disclosure in accordance with the Act, it will be presumed that the detriment was prompted by reporting or public disclosure (Beweislastumkehr, reversal of the burden of proof).

Please note that the relevance of this reversal of the burden of proof in Germany is uncertain. In accordance with German dismissal protection law, the employer must explain the reasons for the dismissal in detail and may only refer to certain grounds for dismissal. The German Act against Unfair Dismissal (Kündigungsschutzgesetz, KSchG) only allows dismissals for operational reasons, reasons based on the employee’s conduct or reasons relating to the employee’s person.

Against this background, it appears unlikely that the German Whistleblower Protection Act will have a significant impact on dismissal cases. A noticeable change will likely only occur regarding dismissals during the probationary period, as an employer does not need a reason to dismiss an employee during this time under the German Act against Unfair Dismissal.

Internal and external reporting channels are only authorised to process personal data insofar as this is necessary for the fulfilment of their tasks as specified in the German Whistleblower Protection Act. In addition, the processing of special categories of personal data is allowed – as an exception to Article 9 of the General Data Protection Regulation (GDPR) – if necessary for the fulfilment of the tasks of a reporting channel. However, specific protective measures must be taken in such cases.

Furthermore, the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) must be complied with. In particular, the principle of data minimisation under Article 5 GDPR must be observed. This means that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Furthermore, companies must comply with their duty to provide information under the GDPR. A reporting channel may also trigger other obligations under the GDPR, such as the obligation to conduct a data protection impact assessment under Article 35 GDPR.

No.

In accordance with section 14 para.1 of the German Whistleblower Protection Act, an employer may entrust a employee, a group of employees (i.e. a work unit) or a third party with the tasks of an internal reporting channel. Such a third party may also be a company belonging to a group of companies.

In accordance with section 14 para. 2(1) of the German Whistleblower Protection Act, in the context of establishing internal reporting channels, entities in the private sector which employ between 50 and 249 employees may pool resources regarding the receipt of reports and investigations to be carried out.

In any case, a joint whistleblowing system would also have to comply with the GDPR.