Go to navigation Go to content Go to footer

All Information on the Whistleblower Protection Act

Below is a summary of the Whistleblower Protection Act. We have compiled the most important information and provisions for you in a clear and concise format to provide you with a comprehensive overview of this law and its requirements.

What is the Whistleblower Protection Act?

The Whistleblower Protection Act (Hinweisgeberschutzgesetz or HinSchG) came into effect on June 2, 2023, with the aim of protecting "natural persons who, in connection with their professional activity or in anticipation of professional activity, have obtained information about violations and report or disclose them to the reporting offices provided for in this Act (informing persons). In addition, persons who are the subject of a report or disclosure, as well as other persons affected by a report or disclosure, are protected" (HinSchG §1).

The Law includes:

Protection from Retaliation: Whistleblowers are protected from professional disadvantages, discrimination, or termination when they report violations.

Confidential Reporting: Whistleblowers can initially report violations internally to their own organization. The organization must then take appropriate measures to investigate the reported violation.

External Reporting: If internal reports are not handled appropriately, whistleblowers can report violations to external authorities or entities, such as regulatory bodies.

Anonymity: Whistleblowers can remain anonymous under certain conditions while reporting violations.




What obligations arise for companies under the Whistleblowing Law?

It must be ensured that there is at least one internal reporting entity available to which employees can turn. Certain employers are subject to specific regulations. The obligation to establish a reporting entity typically applies only to employers with at least 50 employees.

Securities service providers, stock exchange operators, financial sector institutions, and others are required to establish a reporting entity regardless of the number of employees.

What's Whistleblowing?

Whistleblowers," also known as informants, are individuals who disclose important information from a secret or protected context to the public or expose wrongdoing. The wrongdoing or crimes disclosed by whistleblowers include, among others, corruption, insider trading, human rights violations, data abuse, or general hazards that the whistleblower has become aware of in their workplace or other contexts. In general, this mainly pertains to activities in politics, government agencies, and business enterprises.

(Definition: bundesregierung.de, translated to english)

What protections are in place for whistleblowers who report an issue?

The German Whistleblower Protection Act focuses on preventing improper retaliatory actions such as terminations, salary reductions, or discrimination. If such sanctions occur, local authorities are involved to assess their appropriateness. The company must provide a detailed explanation and demonstrate that the sanctions are not related to the report.

In cases of suspected retaliation, whistleblowers are entitled to compensation under the Whistleblower Protection Act. Obstruction of the whistleblower and similar offenses can result in fines of up to one million euros.

The German Whistleblower Protection Act applies only to lawful reports. False or unfounded accusations mean that the whistleblower is not protected by the law. The relevant authorities must proceed with great care when examining reports, as disputes often involve conflicting statements. A grossly negligent or unlawful report can seriously damage the company's reputation and may also lead to legal consequences. In such cases, the company is protected against misuse.

What are the responsibilities of the reporting entities?

The establishment of a reporting entity can be carried out by internal employees, working groups, or third parties taking on this responsibility. Multiple private employers have the option to establish a shared reporting entity, with each employer being individually responsible for measures and feedback. It is essential that individuals assigned to the reporting entity act independently and do not have conflicts of interest.

The reporting entity is authorized to review reports and take appropriate follow-up measures. It serves as the operator of reporting channels, conducts the reporting process, and takes necessary actions thereafter. Furthermore, it provides clear and easily accessible information on external reporting procedures and relevant EU reporting procedures. Additionally, it ensures that individuals assigned to the reporting entity have the necessary expertise.

For employers establishing an internal reporting entity, the creation of reporting channels is required. These channels allow employees, agency workers, and other relevant individuals to report violations. The reporting channel may also be open to external contacts and process anonymous reports, if desired. Access to the received reports is limited to individuals responsible for receiving and processing them or performing supporting functions. Reports can be submitted both orally and in writing. When necessary, it is possible to arrange personal meetings, either in person or through video conferencing.

How are internal reports processed?

The internal reporting entity must acknowledge the receipt of a report within seven days and maintain contact with the reporting person throughout the process. It assesses the relevance of the reported violation within the scope of its responsibilities. The reporting entity actively communicates with the reporting person and may request additional information when necessary. The reporting entity initiates appropriate follow-up actions in accordance with § 18 of the Whistleblower Protection Act. Within three months after receiving the report, feedback is provided, including planned and executed follow-up actions, along with their justifications. Care is taken to ensure that ongoing internal investigations or inquiries are not compromised.

The reporting entity can take the following steps as follow-up measures: It may conduct internal investigations within the employer or the relevant organizational unit and contact relevant individuals and entities. It also has the option to refer the reporting person to other competent authorities. In the case of insufficient evidence or other reasons, the process may be concluded. Alternatively, it may be transferred for further investigation to an internal investigative unit or a competent authority.

What areas are defined in the law?

For which violations protection is granted to informants is anchored in §2 of the Whistleblower Protection Act (HinSchG). This includes:

  • All instances of a criminal offense,
  • Administrative offenses, insofar as they relate, for example, to health protection, occupational safety, or employee rights,
  • Other violations of federal law, state law, or EU law, insofar as they pertain, for instance, to regulations on product safety, health protection, environmental protection, animal welfare, data protection, IT security, or consumer rights.

What is NOT covered by this law?

The law does not cover the following reports or disclosures:

  • Information related to national security, military, or security-sensitive areas.
  • Information from intelligence services or government agencies during security clearances.
  • Reports related to public contracts and concessions under EU Treaty Article 346.
  • Reports that breach confidentiality or security obligations for classified information, except for certain internal reports.
  • Reports that violate attorney-client privilege, medical confidentiality obligations, or obligations of other professional confidentiality holders.
  • Reports made by individuals in professional or contractual relationships with professional confidentiality holders.