Whistleblowing in Germany
Background
In the EU member states, the protection of whistleblowers has so far been subject to different regulations. The Whistleblowing Directive, which was finally published in the Official Journal of the EU on 26 November 2019, was the subject of long negotiations at European level. The Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law is intended, on the one hand, to create uniform standards for whistleblower protection and, on the other hand, to comply with the interest of companies in integrity and secrecy. The implementation deadline for the Directive by the Member States has already expired on 17 December 2021.
After the EU Commission initiated infringement proceedings against several Member States, including the Federal Republic of Germany, in early 2022, the Federal Ministry of Justice submitted a new draft bill for an "Act for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Breaches of Union Law" (so-called Whistleblower Protection Act, Hinweisgeberschutzgesetz – HinSchG) in April 2022 which the Federal Cabinet adopted with slight modifications in July 2022. After further discussion in Parliament and referral to the Legal Committee (Rechtsausschuss), the German Parliament (Bundestag) passed a HinSchG on 16 December 2022 - almost exactly one year after expiry of the transposition deadline - which had undergone some not insignificant changes at the last moment due to the recommendation of the Legal Committee. On 10 February 2023, however, the Federal Council (Bundesrat) refused to approve the bill at the instigation of the CDU/CSU-led federal states. The Federal Government therefore appealed to the Conciliation Committee (Vermittlungsausschuss) which formally adopted a proposed agreement between the positions of the Federal Government and the Federal States on 9 May 2023. This compromise is accompanied by further changes compared to the draft bill and reverses some of the changes initiated by the Legal Committee. The German Parliament confirmed the compromise of the Conciliation Committee in its session on 11 May 2023. The Federal Council immediately followed this in its plenary session on 12 May 2023. The act was finally published in the Federal Law Gazette on 2 June 2023 and entered into force on 2 July 2023.
In the following, we outline the most important provisions of the HinSchG.
Key points of the HinSchG
The HinSchG is intended to ensure that persons reporting information on breaches are not discriminated against, thereby giving them legal certainty. This is to be achieved through the following key provisions:
Scope
The protection provided by the Directive covers a number of areas where whistleblower exposures are intended to improve the enforcement of EU law. Whilst the personal scope of the Directive is broad, the material scope is limited to the reporting of infringements in specific areas. The HinSchG goes beyond this.
- The personal scope of the HinSchG covers so-called "persons reporting information". This refers to all natural persons who, in connection with their professional activities or in the preliminary stages of professional activities, have obtained information about breaches and report or disclose them to the whistleblowing reporting units provided for under this act. Thus, the personal scope includes not only employees but also other groups of people such as self-employed individuals, shareholders and employees of suppliers. According to the legislative reasons to the act, persons reporting information whose employment relationship has been terminated in the meantime and persons whose employment relationship has not yet commenced and is in a pre-contractual stage are also to be included in the scope of application. Moreover, persons affected by a report or disclosure are also protected.
- The material scope of the HinSchG has been expanded in relation to the Directive, in particular by including criminal law and certain administrative offences in the scope of application, insofar as the breached provision serves to protect life, limb, health or the rights of employees or their representative bodies. According to the legislative reasons, this is intended to avoid inconsistencies that might otherwise occur and to ensure that the whistleblower protection system is manageable.
In addition to the criminal law and certain administrative offences, the HinSchG lists certain areas of law which fall into the scope of application if breached. These areas of law, also mentioned in the Directive, include, for example, public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, transport safety, protection of the environment, radiation protection and nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection and protection of privacy and personal data and security of network and information systems. In this respect, the material scope is already applicable if there is a breach of legal provisions of the Federal Republic or the Federal States. In addition, breaches of directly applicable legal acts of the European Union or the European Atomic Energy Community as well as breaches of EU and national provisions of antitrust law are covered. Based on the recommendation of the Legal Committee, reports of statements by civil servants that breach the duty of loyalty to the Constitution have finally been included in the scope of application of the HinSchG.
It was clarified that only those breaches are covered that relate to an employer or other entity with which the whistleblower had professional contact.
Establishment of whistleblowing reporting units
Under the HinSchG, there are two ways (internal and external) how whistleblowers can report information on breaches and between which whistleblowers should be able to choose:
- The establishment and operation of internal whistleblowing reporting units for whistleblowers are mandatory for private companies and public sector organisational units with in general at least 50 employees. For certain companies, the obligation also applies regardless of the number of employees, e.g., for investment services companies, stock exchange operators or credit and financial services institutions.
The task of the internal whistleblowing reporting units is to operate appropriate reporting channels, to check the validity of the reported information on breaches and to take follow-up measures. The establishment of anonymous reporting channels is not required by law. However, the internal whistleblowing reporting units should process incoming anonymous reports.
The internal whistleblowing reporting unit can be established by delegating its tasks to a person employed by the employer or the respective organisational unit, to a work unit consisting of several employed persons or to a third party. Several private companies with in general 50 to 249 employees should also be able to operate and set up a joint whistleblowing reporting unit. This is supposed to enable the so-called “group solution” according to which the internal whistleblowing reporting unit of a company cannot only be outsourced to law firms, for example, but can also be centrally established within a group at an independent and confidential unit at a group company.
Within three months of the reporting, the internal whistleblowing reporting unit should provide the person who reported the information on a breach with information on the follow-up measures planned and already taken, as well as the reasons for these measures.
Initially, no priority of the internal over the external whistleblowing reporting unit was stipulated. According to the compromise reached in the Conciliation Committee, however, whistleblowers should prefer to report to an internal whistleblowing reporting unit in cases where effective internal action can be taken against the breach and the whistleblowers do not have to fear retaliation. - An external whistleblowing reporting unit at federal level is established at the Federal Office of Justice. This central point of contact is intended to function in the sense of a "one-stop-shop" and relieve whistleblowers from having to deal with assessing the competent authority. The external federal whistleblowing reporting unit is provided with comprehensive competences insofar as the Federal States do not set up their own whistleblowing reporting units.
The Federal Financial Supervisory Authority (BaFin) is the competent external whistleblowing reporting unit for reporting certain breaches (e.g., of accounting regulations, regulations governing the rights of shareholders of public limited companies or regulations of the German Securities Acquisition and Takeover Act). In addition, the Federal Cartel Office (Bundeskartellamt) acts as the competent external whistleblowing reporting unit for information on breaches of national or European regulations on competition.
Like the internal whistleblowing reporting units, the external whistleblowing reporting units have to establish and operate reporting channels, check the validity of a reporting and take follow-up measures. Also, within the framework of this public reporting system, the whistleblower should be given feedback within a reasonable time frame of a maximum of three months (or six months in complex cases). In addition, the external whistleblowing reporting unit should immediately inform the person who reported the information on a breach of the result of the investigation triggered by the reporting once it has been completed.
A whistleblower who reports information on breaches to the public should only be protected if he or she either filed an external report and no appropriate follow-up measures were taken within the time limits for a response or if he or she has not received any feedback on the taking of appropriate follow-up measures. Furthermore, a whistleblower is entitled to protection when disclosing a breach if he or she had reasonable grounds to believe that the breach could endanger the public interests because of an emergency, the risk of irreversible damage or similar circumstances, the threat of retaliation if the external reporting channel is used, or the suppression or destruction of evidence.
Protection measures
In order to protect whistleblowers from retaliations such as mobbing, discrimination or dismissal, the HinSchG in particular provides for the following protection measures:
- Provided that the whistleblower had reasonable grounds to believe that the disclosure of the information was necessary for revealing a breach, the reporting or disclosure of the information will not be considered a breach of a (contractual) restriction on disclosure of information and the whistleblower will not incur liability of any kind in this respect.
- Retaliations against a whistleblower (e.g., labour law sanctions such as dismissal) are prohibited. A procedural reversal of the burden of proof applies here: If, following a reporting or disclosure, a whistleblower suffers a disadvantage in connection with his or her professional activities, this disadvantage will be deemed a prohibited retaliation. However, this only applies if the person reporting the information on a breach himself or herself claims to have suffered a disadvantage due to the reporting or disclosure. In this event, the person who took the detrimental action (usually the employer) must in turn prove that the disadvantage was based on sufficiently justified reasons or that it was not based on the reporting or disclosure.
- In the event of a breach of the prohibition of retaliation, the person who took the detrimental action is obliged to compensate the person who reported the information on a breach for the damage suffered. Contrary to the recommendation of the Legal Committee, whistleblowers should not be able to claim adequate monetary compensation for non-financial damages. A breach will not constitute a claim for the establishment of an employment relationship, a training relationship or any other contractual relationship or promotion.
The protection of whistleblowers is subject to certain restrictions. For example, anyone who does not have reasonable grounds to believe that the information on breaches reported was true at the time of reporting is not protected. In addition, the person who reported the information on a breach is obliged to compensate for the damage resulting from the intentional or grossly negligent reporting or disclosure of incorrect information.
Sanctions
Implementation process in Germany and practical advice
The act has entered into force already one month after its promulgation on 2 July 2023 and not - as originally intended - only three months after its promulgation.
Companies must now consider that there is an obligation to establish and operate internal reporting channels since the act has entered into force. However, the act provides for a transitional regulation for private companies with in general 50 up to 249 employees. For these companies, the obligation to establish internal whistleblowing reporting units will only apply from 17 December 2023. All other companies must now review their reporting systems if already in place as is the case in many companies as part of compliance systems and adjust them if necessary. In order to operate reporting systems effectively and in compliance with the various legal requirements - for example in terms of employment law and data protection law - companies and groups should take actions immediately to meet the requirements of the HinSchG which already apply since 2 July 2023.
