On July 2, 2023, the new German Whistleblower Protection Act came into effect. The law contains comprehensive provisions for the protection of whistleblowers. At the same time, it obliges all companies with at least 50 employees to establish internal reporting channels. In the following the key provisions are summarized for you:

Scope of Application

The Whistleblower Protection Act covers a wide range of legal violations. In addition to criminal offenses, its scope of application includes but is not limited to violations of regulations for the protection of life, limb or health and any rights of employees or their representative bodies that are subject to fines. These include, for example, occupational health and safety regulations, minimum wage regulations, regulations under the Posted Workers Act, and regulations on Labor Lease. Furthermore, according to the EU directive underlying the Whistleblower Protection Act, numerous EU regulations, such as those related to money laundering, product safety, transportation, food and drug safety, as well as environmental, consumer, and data protection, are also covered as well.

Protected Individuals

Whistleblowers who have obtained information about violations of the aforementioned type in connection with their professional activities or during the hiring procedure and who report them through the designated reporting channels are protected from reprisals and retaliation. This includes, among others, employees, interns, trainees, freelancers, representatives of corporate bodies, civil servants, temporary workers and job applicants. The protection also extends to individuals who are otherwise affected by a report or disclosure, such as potential witnesses.

Establishment and Operation of Reporting Channels

According to the Whistleblower Protection Act, whistleblowers can contact both external (governmental) reporting channels and internal reporting channels of their respective employers. In principle, they have the right to choose which reporting channel (internal or external) to use, although internal reporting channels are generally to be given preference. Going public (so-called disclosure) is only permitted if the reporting channels called upon have not reacted adequately or if such disclosure appears to be the only effective way in exceptional cases (e.g. in emergencies or in cases of imminent destruction of evidence, etc.).

The Federal Office of Justice maintains a central external reporting channel. Additional specialized reporting channels are established at the Federal Financial Supervisory Authority and the Federal Cartel Office. Additional reporting channels at the state level are also possible. In addition, all employers with at least 50 employees are required to establish internal reporting channels. For employers with at least 250 employees, this obligation applies immediately; for companies with 50 up to 249 employees, the law provides for a transitional period for the establishment until December 17, 2023 at the latest. Special regulations exist for the insurance and financial sectors, among others.

The Whistleblower Protection Act includes various requirements for the establishment and operation of internal hotlines:

  • Internal reporting channels may be operated with the company’s own employees or with external service providers (e.g., providers of digital whistleblowing platforms). In group of affiliates, the reporting channel may also be established with another group company. Smaller employers with 50 to 249 employees may set up joint reporting channels.
  • Persons responsible for operating the internal reporting channels must carry out their tasks independently and have the necessary expertise. If internal reporting channels are operated by own employees, employers must provide appropriate training.
  • The reporting channel must ensure strict confidentiality.
  • Internal reporting channels must allow reports to be made either verbally (e.g., by telephone) or in written form (e.g. email). If desired, personal contact shall also be made possible, which may also take place via video conference with the consent of the whistleblower
  • According to the requirements of the law, the internal reporting channels do not have to allow anonymous contact and communication with the whistleblower. However, anonymous reports should generally still be processed.

Handling Reports

When dealing with incoming reports, several legal requirements must be observed:

  • The whistleblower must receive an acknowledgement of receipt no later than seven days after the report.
  • It must be determined whether the reported violation falls within the scope of the Whistleblower Protection Act.
  • Subsequently, the received report must be assessed for its plausibility.
  • Contact must be maintained with the whistleblower, and if necessary, they should be asked for further information.
  • Appropriate follow-up action must be taken, such as:
    • Conducting a more extensive internal investigation with questioning of the parties involved;
    • Referral of the whistleblower to other (external) agencies;
    • Closure of the proceedings for lack of evidence or other reasons;
    • Submission of the case to a unit responsible for internal investigations within the employer organization or to a competent authority.
  • At the latest three months after the acknowledgement of receipt, the whistleblower must be given feedback on the processing status.
  • Employers must properly document the procedure. In general, the documentation must be deleted no later than 3 years after the procedure has been completed.

Data Protection

In the course of using whistleblower systems, a large amount of personal data of all possible parties involved is inevitably collected or processed. In particular, this involves the following data categories:

  • Information about the reporting individual (unless an anonymous report is made)
  • Information on the reported facts, if necessary with references to other persons involved or otherwise affected, witnesses, etc.
  • Other data collected through investigations (data from corporate IT, messages, conversations to clarify the facts of the case)

Frequently, particularly sensitive information subject to Article 9 General Data Protection Regulation (GDPR) may be processed in the context of whistleblowing procedures. It is evident that the use of such whistleblowing systems and the related data processing entail major risks for the data subjects. Against this background, confidentiality with regard to the data collected in the context of whistleblowing systems must be given particular importance.

Access to information collected or processed within whistleblower systems should be restricted to individuals who are responsible for the internal reporting office or support it (e.g., IT service providers, if necessary). Information about reporting individuals or individuals affected or named in the reports should only be processed by the internal reporting office or individuals responsible for follow-up measures (e.g. compliance department). In principle, any disclosure of information about the identity of the whistleblower may only take place if such disclosure is necessary for the implementation of follow-up measures and the whistleblower has given his or her prior consent.

This may result in a contradiction between the special confidentiality requirements of the Whistleblower Protection Act and the so-called data subject rights under the GDPR (e.g., right to information under Art. 14 GDPR if data was not obtained from the data subject or right to information about the processing under Art. 15 GDPR). The Whistleblower Protection Act only partially resolves this contradiction. Based on the confidentiality requirement stipulated in Sec. 8 of the Whistleblower Protection Act, it can be inferred that, as a rule, it opposes a right to information regarding the data processed within whistleblower systems, and the company is not obligated to provide information when an access request is made. Likewise, the right to information of data subjects under Article 14 of the GDPR may not generally apply since informing the data subject about a report within the whistleblower system may regularly pose a risk of thwarting or complicating further investigations. In this respect, the company’s interest in secrecy is likely to prevail in many cases – however, this may change in the course of the proceedings, so that information of the data subject would have to be provided if the interest in secrecy no longer exists (e.g., if evidence has been secured).

If a third party is commissioned to set up an internal reporting channel, particular attention must be paid to the contractual regulations from a data protection perspective. As a rule, this is likely to be commissioned data processing, so that a corresponding contract for commissioned data processing should be concluded. Special attention should also be paid to where the processing of personal data takes place (e.g., whether a transfer of the data takes place outside the scope of the GDPR).

Before setting up a whistleblower system, the company will generally have to carry out a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR, as the data processing operations in this context are always expected to pose a major risk to the rights and freedoms of individuals.

Prohibition on Reprisals

Within the scope of the Whistleblower Protection Act, whistleblowers are comprehensively protected against reprisals or retaliatory measures. Any unjustified professional discrimination or threat thereof in connection with a report under the Whistleblower Protection Act is prohibited.  This may include but not limited to terminations, demotions, refused promotions, as well as changes in job assignments or disciplinary measures. The law provides for a reversal of the burden of proof: If whistleblowers claim to have suffered a disadvantage as a result of a report or disclosure, it is initially presumed, to the detriment of the employer, that the disputed measure constitutes a reprisal or retaliatory action. In addition, whistleblowers can claim damages from the employer in the event of prohibited reprisals.

Administrative Fines

Violations of the Whistleblower Protection Act can be punished with administrative fines of up to EUR 50,000. However, fines for employers with at least 250 employees who fail to set up reporting channels in violation of the law cannot be imposed until December 1, 2023.

Participation Rights of the Works Council

The participation rights of the works council must be observed when establishing internal reporting channels. Since the establishment of reporting channels is legally required, the right to participate does not extend to the “whether” of the establishment. However, the works council may have participation rights regarding the detailed design of the reporting procedure, e.g. based on considerations of order in the company or due to the introduction of a new computer program for managing the reports. The extent to which this also applies if the employer decides not to operate the reporting channel with its own employees but by means of an external provider, and in doing so implements only the statutory requirements, has not yet been clearly clarified.

What Employers May Want to Consider Now

  • All employers with at least 50 employees may wish to start setting up an internal reporting channel as soon as possible. Especially in companies with works councils, a longer implementation period is to be expected.
  • In group companies, the possibility of a central reporting channel within the group may be examined.
  • Procedures and responsibilities regarding the operation of the internal reporting channel should be defined in accordance with the Whistleblower Protection Act. This could be done, for example, in the form of a corresponding company guideline. In companies with a works councils, a shop agreement may be concluded. Data protection aspects should also be taken into account.
  • If the reporting channel is to be operated internally by an employer with own employees, appropriate structures should be established to ensure the independence of the responsible employees. In addition, sufficient training should be provided.
  • HR personnel should be made aware of the prohibition of reprisals. In individual cases, the reasons for personnel measures affecting whistleblowers should be carefully documented.
  • The possibility of easy access use of the internal reporting channel should be advertised internally. It will regularly be in the company’s best interest for employees to use the option of internal reporting (instead of external reporting) in order to remedy any grievances as early as possible and without negative external impact. Against this background, the establishment of anonymous reporting channels may be considered as well – even if not required by law.
  • Companies that already have in place a reporting channel and guidelines for dealing with such reports (e.g., whistleblower hotlines and policies in international corporations) may wish to doublecheck compliance with the new Whistleblower Protection Act.



Browse More Insights

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now