DE
Important facts
- From how many employees is an internal reporting office required by law?
- Employers with more than 50 employees and public bodies with more than 10,000 inhabitants must operate an internal reporting office.
- How high is the average loss of turnover for companies due to undetected breaches?
- Studies show that companies without functioning reporting systems lose an average of around seven percent of their annual turnover due to undetected compliance violations.
- What percentage of whistleblowers use anonymity in practice when it is offered?
- Studies show that a clear majority of whistleblowers (73.2 percent) choose the anonymous route if this option is technically available.
- Can an anonymous report to the authorities lead to a search in the company?
- According to current case law, sufficiently specific and comprehensible anonymous criminal complaints can be sufficient to trigger investigations by the public prosecutor's office and searches in the company.
- What fines can be imposed if a company does not set up an internal reporting office?
- The Federal Office of Justice may impose a fine of up to EUR 20,000 for failure to set up or operate a legally required internal reporting office.
Executive Summary
The Whistleblower Protection Act (HinSchG), which came into force on July 2, 2023, obliges German companies with 50 or more employees to set up internal reporting offices to protect whistleblowers from reprisals. Although the law does not formally require the technical provision of anonymous reporting channels, it clearly stipulates that reports received anonymously must be processed. This clear requirement makes an anonymous solution indispensable in practice, as companies without a technical feedback channel can hardly meet the strict legal processing deadlines and feedback obligations in a legally secure manner.
From a business perspective, an anonymous reporting channel proves to be a strategic success factor for protecting a company's reputation and minimizing financial risks. As around 73 percent of all whistleblowers prefer anonymity, such a channel drastically lowers the inhibition threshold for internal reports and acts as a valuable early warning system to uncover compliance violations before they escalate to external authorities or the press. Digital whistleblowing systems have established themselves as best practice here, as they enable an encrypted, two-way dialog with anonymous whistleblowers around the clock and at the same time safeguard legal confidentiality and documentation obligations.
Companies that ignore the legal requirements or do not operate a proper reporting office risk sanctions. The fines range from up to 20,000 euros for not having a reporting office to 50,000 euros for actively obstructing reports or taking reprisals against whistleblowers. Furthermore, as specific anonymous reports are already sufficient to trigger official searches in the company, the implementation of a legally compliant, trustworthy whistleblower system is an important investment in the security and integrity of every company.
Never miss an update on the HinSchG again.
New specialist articles, regulatory updates and practical tips, straight to your inbox. Once a week, no spam.
What does the HinSchG say about anonymous reports?
The Whistleblower Protection Act makes a strict distinction between two different aspects:
- Provision of an anonymous reporting channel (technical possibility)
- Processing of anonymous incoming reports (dealing with information received)
Recommendation instead of obligation: the legal wording
There is no explicit legal obligation with regard to technical provision. According to Section 16 (1) HinSchG, there is no obligation to design the reporting channels in such a way that they enable the anonymous submission of reports. Companies can therefore theoretically rely on purely named reporting channels, which also applies to external reporting offices in accordance with Section 27 (1).
However, this freedom of choice only applies as long as no stricter special legal regulations apply. In the financial sector, for example for banks, securities service providers or insurance companies in accordance with Section 12 (3) HinSchG, much stricter requirements may apply that make anonymous channels mandatory.
The binding processing obligation
However, the situation is completely different when it comes to processing incoming information. The law formulates a clear requirement here: The internal reporting office should also process reports received anonymously. If an anonymous report is received, whether by letter, email or another medium, it must not be ignored under any circumstances, but must be fully investigated.
The same obligations apply to processing as for notifications by name:
- Confirmation of receipt within seven days
- Checking the validity of the notification
- Appropriate follow-up measures in accordance with § 18 HinSchG
- Feedback to the whistleblower after three months at the latest
In the case of anonymous reports, feedback is practically only possible if there is a technical feedback channel, for example via a digital whistleblower system with an anonymous mailbox.
Why an anonymous reporting channel pays off in practice
Even without an explicit legal obligation to provide them, the practical advantages and international standards, such as ISO 37301 for compliance and ISO 37001 for anti-corruption, speak clearly in favor of the anonymous approach.
Greater willingness to use and trust
Anonymity drastically lowers the inhibition threshold for whistleblowers. Studies show that around 73.2 percent of whistleblowers opt for anonymity if this option is actively offered. A functioning anonymous channel effectively protects the company from high losses.
Statistically, companies lose up to seven percent of their annual turnover on average due to undetected breaches. Internal anonymous reports are therefore an invaluable early warning system.
Avoidance of reputational damage
Such a channel also protects the company's hard-earned reputation. Swift internal clarification prevents whistleblowers from turning directly to external authorities, prosecutors or even the press. Under certain conditions, such public disclosure is even protected by law if no adequate internal channel exists within the company.
Strengthening the speak-up culture
Finally, offering an anonymous reporting option strengthens the entire speak-up culture in the company. It signals transparency, openness and appreciation and protects the identity of employees from subtle discrimination, bullying or social isolation within the team.
A look at how well known the law is underlines the need for action:
Surveys show that in companies with up to 250 employees, only around 39% of employees are even aware of the law, and in larger companies the figure is only 38%. Low-threshold, anonymous access helps to reduce fears of contact.
Obligations, deadlines and technical challenges
As soon as an anonymous report reaches the company, the full statutory processing obligation applies. Ignoring it is illegal and the required processing steps correspond exactly to the requirements for named reports.
Statutory deadlines for feedback
In concrete terms, this means that a confirmation of receipt must be sent to the whistleblower within seven days. This is followed by a substantive review of the validity of the report and the initiation of appropriate follow-up measures in accordance with Section 18 HinSchG. After three months at the latest, the whistleblower must receive feedback on the measures planned or already taken.
Confidentiality and documentation obligations
In addition, companies must comply with the strict confidentiality requirements set out in Section 8 HinSchG, according to which the identity of the whistleblower, the person concerned and other parties involved must be strictly protected and only those responsible may be granted access. The documentation obligation pursuant to Section 11 HinSchG also applies in full: every report must be documented in a permanently retrievable form, whereby these documents must be deleted in accordance with data protection regulations three years after the official end of the procedure. In addition, the law requires regular training and the provision of clear, easy-to-understand information on internal reporting channels for all employees.
Technical and organizational implementation
In practice, this presents companies without the right system with an enormous challenge. How can a confirmation of receipt or feedback on content be sent to a person whose identity and contact details are unknown?
Digital whistleblowing systems as best practice
For this reason, around 73% of private companies in Europe already rely on digital whistleblowing systems. These cloud platforms are accessible around the clock and encrypt all data in such a way that the whistleblower remains completely undetected, but can remain in constant, secure dialog with the responsible compliance officer via a protected digital mailbox. A large majority of around 85% of companies already enable their whistleblowers to remain completely undetected.
The role of ombudspersons
Alternatively, companies can also involve an external ombudsperson, such as a lawyer, who acts as a neutral filter. As legal professionals have a right to refuse to testify, this approach offers an extremely high level of confidentiality protection, even vis-à-vis government agencies. Smaller companies with 50 to 249 employees also have the option of setting up a joint reporting office with other companies.
Sanctions and the limits of whistleblower protection
The Federal Office of Justice (BfJ) is responsible for prosecuting administrative offenses under the HinSchG throughout Germany. Anyone who disregards the minimum legal requirements must expect tangible consequences.
Heavy fines for violations
The law provides for graduated fines depending on the severity of the offense. Simple failures can result in fines of up to 10,000 euros. If, for example, no internal reporting office is set up or operated at all, fines of up to EUR 20,000 may be imposed. If reports are actively obstructed or reprisals are taken against whistleblowers, drastic fines of up to 50,000 euros may be imposed. In addition, there is considerable reputational damage and the risk of civil claims for damages.
Consequences in practice
The fact that the issue is taken very seriously by the authorities and the judiciary is demonstrated by the figures from the federal government's external reporting office for 2024. 1,802 reports were received there in total, which led to 23 internal investigations. Of 71 cases forwarded to the public prosecutor's offices, 33 led directly to real investigations. A look at the highly regulated financial sector shows similar dimensions: BaFin's specialized whistleblower office has already received around 9,000 reports since 2016. Recent court rulings, such as a decision by the Nuremberg-Fürth Regional Court in 2025, also confirm that sufficiently specific anonymous reports are completely sufficient to justify official searches at the company.
A look at the highly regulated financial sector reveals similar dimensions:
BaFin's specialized whistleblower office has already received around 9,000 reports since 2016. Recent court rulings, such as a decision by the Nuremberg-Fürth Regional Court in 2025, also confirm that sufficiently specific anonymous reports are completely sufficient to justify official searches at the company.
The limit of protection: Deliberate false reports
However, the protection of the law is not a free pass for denunciation. It only applies if the person providing the information had reasonable grounds to believe that the information was true at the time of reporting. Anyone who knowingly or through gross negligence reports or discloses incorrect information is acting in breach of the law, loses all protection under the HinSchG and is liable to pay damages to the company concerned.
Who is protected and to whom does the law apply?
The obligation to set up an internal reporting office applies to all companies and employers with 50 or more employees and to public bodies with a community size of 10,000 or more inhabitants. The transitional periods for smaller companies expired in December 2023, meaning that the obligations now apply in full.
The protected group of persons is deliberately very broad. The law not only protects the company's own employees, trainees and interns, but also applicants, former employees, freelancers, external service providers and persons in supplier and project constellations. The only requirement is that they must have obtained the reported information in a professional context. Persons who support the whistleblower confidentially or are directly affected by a report are also protected by the law.
Conclusion
To summarize: Anyone who relies on a purely named reporting channel is taking a considerable legal and economic risk. The law does not formally force you to technically offer anonymous channels. However, the obligation to process and respond to incoming anonymous reports in a timely manner makes a professional system with an anonymous feedback channel unavoidable in practice. Offering a secure, data protection-compliant anonymous reporting channel not only protects whistleblowers, but also reduces the risk of escalation and sanctions for the entire company.
Protect your company and your employees. Contact us today to find a legally compliant and trustworthy solution for your whistleblowing system!
Frequently asked questions
No, there is no legal obligation to actively provide anonymous reporting channels in the Whistleblower Protection Act. In Section 16 (1), the Act formulates a "target provision" according to which anonymous reports should be processed, but does not oblige companies to technically set up the channels for anonymous submissions. However, an important exception applies to the financial sector: banks, insurance companies or securities service providers may very well be obliged to offer anonymous channels due to special legal requirements.
Yes, absolutely. The law distinguishes between the provision of the channel and the processing. As soon as you receive an anonymous report by any means, be it by post, a general e-mail address or a registered letter, you must check it just as carefully, confidentially and in accordance with the same legal requirements as a named report.
Exactly the same deadlines apply as for notifications by name. You must confirm receipt of the report within seven days. After checking the content and initiating follow-up measures, you must provide the whistleblower with feedback on the current status or the result after three months at the latest. In practice, it is almost impossible to meet these deadlines in a legally compliant manner for anonymous submissions without a digital mailbox with a two-way feedback channel.
In accordance with Section 11 of the Whistleblower Protection Act, all incoming reports must be permanently accessible and documented in strict confidentiality. However, this documentation may not be kept indefinitely: It must be deleted in compliance with data protection regulations exactly three years after the official conclusion of the respective procedure.
The scope of protection of the law is extremely broad. It is not limited to the company's own permanent employees, trainees or interns. Applicants, former employees, freelancers, self-employed persons, suppliers and service providers and their employees are also protected. The only requirement is that they must have obtained the information about the breach in the course of their professional activities. Persons who support the whistleblower in confidence are also protected by the law.
The protection of the HinSchG only applies in the case of good faith. Anyone who knowingly or through gross negligence reports untrue information is committing an administrative offense. In such a case, any protection of identity for the whistleblower expires. In this scenario, the person concerned is also obliged to compensate the company for any damage incurred.
Matthias Klein
LinkedInESG compliance expert - lawcode GmbH
Matthias Klein advises companies on the implementation of supply chain laws such as the CSDDD and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.
