Compliance & Investigations

German Whistleblower Protection Act – 12 Frequently Asked Questions

After the first attempts to adopt the German Whistleblower Protection Act ("WPA") failed, it has now passed the legislative process. Today, 2 July 2023, it has finally come into force. The WPA sets out the requirements for companies based in Germany to establish a corporate whistleblowing system. This includes the implementation of an internal reporting channel, the procedure for handling reports as well as follow-up actions.

Learn more about the new and far-reaching law and its impact on German companies in our FAQs:

Question 1: Are you obliged to set up an internal reporting channel?

Question 2: Whose reports do you need to process?

Question 3: Which reports do you need to process?

Question 4: Do you have to allow for reports to be submitted in a specific way?

Question 5: Who is responsible for operating the reporting system?

Question 6: What are the confidentiality and data protection requirements?

Question 7: Are there any specific deadlines that must be met?

Question 8: What are the main steps when a report is made?

Question 9: How should employees be informed about the (internal) reporting channels?

Question 10: Do you have to involve the works council (“Betriebsrat”)?

Question 11: How do you build employees’ trust in the reporting system?

Question 12: What should be considered regarding disciplinary actions against whistleblowers?


> Question 1: Are you obliged to set up an internal reporting channel?

Generally, all companies with 50 or more employees are obliged to set up an internal reporting channel. However, small and medium-sized companies with 50 to 249 employees have until 17 December 2023 to set up their reporting channel. The number is determined by taking the existing workforce and its future development into account; ultimately, the headcount is crucial.

> Question 2: Whose reports do you need to process?

Reports from employees of the company. Employees within the meaning of the WPA include employees in atypical employment relationships, trainees and self-employed persons who are economically dependent (quasi-employees).

There is no legal obligation under the WPA to follow up on reports from third parties. However, it is widely acknowledged that due to their duties of care the directors of a company have to pursue all substantiated reports of any significant violation. Furthermore, the German Act on Corporate Due Diligence in Supply Chains requires companies with 3,000 (January 2024: 1,000) employees to establish a reporting mechanism, which needs to be open to third parties, such as suppliers. It is therefore advisable to open up the internal reporting system to reports from all persons who may perceive violations in connection with their professional activities, e.g. former employees, job applicants, colleagues/relatives of employees, customers, suppliers.

> Question 3: Which reports do you need to process?

The scope of the WPA is restricted. We recommend expanding this to include information on further violations and serious misconduct. A de-minimis rule should be considered.

The WPA encompasses reports regarding:

  • violations that carry a criminal penalty;
  • violations that can be penalized with a fine, in so far as the violated provision aims to safeguard (i) the physical integrity and health of a person or (ii) workers’ rights and their representative bodies;
  • other violations against specific acts of European or German law;
  • violations of public procurement law, financial services supervision, and of specific tax provisions or the attempt to avoid specific tax provisions;
  • violations of the Digital Markets Act;
  • statements by civil servants which constitute a violation of their loyalty to the constitution.

> Question 4: Do you have to allow for reports to be submitted in a specific way?

The internal reporting channels must allow for the possibility of written and/or oral reports (e.g. telephone hotline, online platform on the internet/intranet, e-mail, postal mail). At the whistleblower's request, the employer has to set up a face-to-face meeting within a reasonable time frame.

The barriers to using the internal reporting channels should be as low as possible for the whistleblower, since he or she is also allowed to directly contact the authorities via the external reporting channels. When choosing a reporting system, employers should, for example, consider: (i) the availability of the system around the clock (e.g. in the case of a telephone hotline, via an answering machine), (ii) the possibility of contacting the whistleblower (e.g. in the case of postal mail, contact is only possible if the whistleblower provides contact information) and (iii) the extent to which the process can be automated.

In Germany, there is no legal obligation to open up the internal reporting channel to anonymous reports. The WPA simply “recommends” doing so (“shall process anonymous reports”). Allowing anonymous reporting could motivate whistleblowers to use the internal reporting channels in sensitive cases rather than directly contacting authorities via the external reporting channel. In addition, it builds trust in the whistleblowing system as a whole.

> Question 5: Who is responsible for operating the reporting system?

An independent person or department designated for this purpose should operate the reporting system (receipt, communication, follow-up action). Alternatively, a contracted external third party (e.g. external reporting platform providers, external consultants, auditors, ombudspersons) can operate the reporting channel.

The procedural steps can be carried out by the same person/department. Different persons/departments can also be appointed in each case. In any case, conflicts of interest with regard to the processing of reports should be avoided.

> Question 6: What are the confidentiality and data protection requirements?

The identity of the whistleblower and third parties mentioned in the report must be treated confidentially. This also applies to any other information from which the identity of the reporting person may be directly or indirectly deduced. Employers should lay down clear and strict authorizations on a “need to know” basis.

The identity of the whistleblower may only be disclosed if this is required by a national authority or by law (e.g. in criminal or administrative proceedings). Additionally, the identity of the whistleblower is not protected if the whistleblower makes a report in bad faith.

Personal data must be deleted if no longer relevant. Personal data which are manifestly not relevant for the handling of a specific report must not be collected or, if accidentally collected, must be deleted without undue delay. An effective system should be implemented to ensure the deletion of personal data.

> Question 7: Are there any specific deadlines that must be met?

The whistleblower must receive an acknowledgement of receipt within seven days. The whistleblower must receive feedback on further progress within a reasonable timeframe, at the latest within three months after receipt of the report / the acknowledgement of receipt.

Employers should provide sufficient resources (personnel/technical) to meet deadlines and maintain a process for effective deadline management.

> Question 8: What are the main steps when a report is made?

  1. Acknowledging receipt within seven days
  2. Checking whether the report falls within the scope of the WPA
  3. Staying in touch with the whistleblower
  4. Checking the validity of the report
  5. Requesting further information from the whistleblower if necessary
  6. Taking follow-up actions (see next question)
  7. Providing feedback within three months
  8. Complying with recordkeeping and confidentiality requirements

> Question 9: How should employees be informed about the (internal) reporting channels?

The employer should provide clear and easily accessible information on the use of the internal reporting system. In addition, the WPA requires employers to inform employees about the procedures for external reporting to the competent authorities.

The information can be published on the company website, posted in a prominent location accessible to all employees and/or covered in training sessions. A whistleblowing policy that includes the essential information on the internal reporting system is helpful.

> Question 10: Do you have to involve the works council (“Betriebsrat”)?

Depending on how the system is designed, the consent of the works council is often required, in particular if an electronic system is introduced. It is generally advisable to involve the works council if one exists. This can also increase employee acceptance of the system.

> Question 11: How do you build employees’ trust in the reporting system?

Whistleblowers' trust in the internal reporting system is an essential prerequisite for an effective compliance system. The main drivers are:

  • Permanent accessibility of the reporting channel.
  • Training the responsible persons in handling reports and communication with whistleblowers.
  • Defining a process with clear responsibilities and minimum requirements for each step.
  • Publishing clear and easily accessible information on the internal reporting procedure.
  • Management's commitment to the reporting system.

> Question 12: What should be considered regarding disciplinary actions against whistleblowers?

Any form of retaliation against whistleblowers is prohibited. However, this does not mean that whistleblowers are granted immunity for their own wrongdoing. Whistleblowers can still be subject to disciplinary action.

Ideally, those making decisions regarding disciplinary action should not know the identity of the whistleblowers and this should be documented accordingly. If the whistleblower's identity is known, the reasons for any disciplinary action should be carefully documented.
