Important facts
- What needs to be documented?
  - All incoming reports must be recorded in a permanently retrievable manner and in compliance with the confidentiality requirement pursuant to Section 8 HinSchG.
- In what form is the documentation permissible?
  - There are three forms: Text messages are stored as originals, verbal messages as audio recordings or verbatim logs (only with consent) or as content logs (without consent).
- How long do reports have to be kept?
  - The documentation will be deleted three years after completion of the procedure. Longer storage is only permitted if it is legally required and proportionate.
- What additional processing deadlines apply?
  - Confirmation of receipt must be given within seven days, feedback on follow-up measures after three months at the latest, in complex cases up to six months.
- What are the penalties for violations?
  - Deliberate or reckless breaches of the confidentiality requirement can result in fines of up to 50,000 euros, as well as reputational damage and civil law claims.
Executive Summary
The documentation obligations under Section 11 HinSchG oblige internal and external reporting offices to record all incoming reports in a permanently retrievable manner and in strict compliance with the confidentiality requirement. The receipt, content, communication, review and follow-up measures are documented and can only be accessed by the responsible persons.
The form depends on the reporting channel: Text messages are stored in the original, verbal messages only with consent as an audio recording or verbatim record, without consent as a content record. The retention period is three years after the conclusion of the procedure. At the same time, processing periods of seven days apply for the confirmation of receipt and three months for the feedback, in complex cases up to six months.
Complete documentation protects the company, particularly with regard to the reversal of the burden of proof in accordance with Section 36 (2) HinSchG. Violations of the confidentiality requirement are punishable by fines of up to 50,000 euros, as well as reputational damage and civil law claims.
What needs to be documented?
The Whistleblower Protection Act requires comprehensive documentation of the entire reporting process. This serves to ensure traceability, legal certainty and the protection of all parties involved. Internal and external reporting offices are equally obliged under Section 11 (1) HinSchG to document all incoming reports in a permanently retrievable manner, in compliance with the confidentiality requirement under Section 8 HinSchG.
In concrete terms, this means that it must be possible to reproduce every report without the identity of the whistleblower or named persons being disclosed without authorization. Only those persons who receive reports or implement follow-up measures may have access.
The following aspects are central to this:
- Receipt of the report: Date and time of receipt of the report and confirmation of receipt to the whistleblower within seven days
- Content of the report: the reported information on violations that fall within the material scope of application pursuant to Section 2 HinSchG, including substantiated suspicions
- Communication with the whistleblower: any contact, in particular queries and feedback on planned or already taken follow-up measures
- Examination of the notification: the assessment of whether the infringement falls within the scope and whether the notification is valid
- Follow-up action taken: any steps taken to investigate or remedy the breach, internal investigations, referrals to other bodies or closure of proceedings
- Reasons for the decisions: transparent justification of why certain measures were taken or procedures completed
- Personal data: as far as necessary for the fulfillment of tasks

The confidentiality requirement and its exceptions
The confidentiality requirement under Section 8 HinSchG is at the heart of all documentation. It protects the identity of the whistleblower, the persons who are the subject of a report and other persons named in the report. The identity may only be disclosed to those responsible for receiving or following up the report and their supporters. This requirement applies regardless of whether the reporting office is responsible for the incoming report at all.
Section 9 HinSchG lists clearly defined exceptions in which identity information may be passed on:
- at the request of the criminal prosecution authorities in criminal proceedings
- on the basis of an order in subsequent administrative proceedings, including fine proceedings
- on the basis of a court decision
- with separate, textual consent of the person providing the information for each individual disclosure
In addition, protection does not apply if the whistleblower intentionally or through gross negligence reports incorrect information. The Reporting Office must always inform the whistleblower before disclosing the information, unless this would jeopardize ongoing investigations or proceedings.
How long do documents have to be kept?
Section 11 (5) HinSchG clearly regulates the retention period: the documentation is deleted three years after the conclusion of the procedure. The period therefore does not begin with the receipt of the notification, but only with the conclusion of the procedure, a point that is often misunderstood in practice.
Longer storage is possible if this is necessary and proportionate to fulfill the requirements of the HinSchG or other legal provisions. Typical constellations are:
- ongoing criminal or civil proceedings
- Retention obligations under tax or commercial law
- Disciplinary follow-up measures
Important: The extension should be justified, documented and regularly reviewed, otherwise there is a risk of a data protection conflict.
Strict processing deadlines, which must also be documented, must be adhered to at the same time as storage. The reporting office must confirm receipt of a report within seven days at the latest. The whistleblower must receive feedback on planned or implemented follow-up measures no later than three months after confirmation of receipt. In complex cases, this period may be extended to up to six months, whereby the reasons for the extension must be communicated.
In what form must reports be documented?
The form of documentation is prescribed in detail in the law in order to guarantee the authenticity and immutability of the information. As a general rule, all incoming reports must be documented in a permanently retrievable manner. This means that the information must remain available and legible throughout the entire retention period. The law distinguishes between three permissible forms of documentation, depending on the reporting channel.
Text-based reports are received in writing, for example via an online portal, email or letter, and are stored in the form in which they are submitted. The decisive factors are permanent retrievability and a confidential storage location.
Reports transmitted by telephone or voice may only be documented as an audio recording or as a complete transcript (verbatim record) with the consent of the person making the report. If no consent has been given, the report must be documented by means of a summary of the content prepared by the person processing the report.
In the case of face-to-face meetings in accordance with Section 16 (3) or Section 27 (3) HinSchG, a complete and accurate recording may be made and kept with the consent of the whistleblower, either as an audio recording or as a verbatim record.
Irrespective of the form, an important right of correction applies: the person providing the information must be given the opportunity to check the minutes, correct them if necessary and confirm them by signature or in electronic form. If an audio recording is used to prepare a report, it must be deleted as soon as the report has been completed. Digital whistleblowing systems are particularly suitable for the written form, as they optimally meet the requirements of permanent retrievability, security and confidentiality.

Why documentation according to HinSchG is so important
Careful documentation is the backbone of a functioning whistleblowing system and offers whistleblowers and companies significant advantages.
First of all, it protects the company legally and helps to avoid fines: Violations of the obligation to set up an internal reporting office or reprisals can result in fines of up to 50,000 euros. Complete documentation proves compliance with legal obligations.
Documentation is particularly important with regard to the reversal of the burden of proof under Section 36 (2) HinSchG. If a whistleblower suffers discrimination in connection with their professional activity and claims to have suffered this discrimination as a result of a report, it is presumed that this is a reprisal. The employer must then prove that the discrimination was based on sufficiently justified reasons and not on the report. Without precise documentation, this proof is hardly possible.
In addition to legal protection, the documentation fulfills other central functions:
- Strengthening transparency and trust among employees, business partners and the public. The company thereby signals that it takes grievances seriously
- Early warning system for risks: Documented indications reveal where unlawful practices or financial risks exist before major damage occurs
- Verifiable compliance: processes and responsibilities become auditable and traceable
- Basis for external reporting: External reporting offices such as the Federal Office of Justice publish annual reports on reports received in accordance with Section 26 HinSchG
What happens if the documentation obligation is breached?
Section 40 HinSchG does not provide for an independent sanction for pure documentation deficiencies, but links fines to related obligations. The fines are staggered depending on the severity of the violation:
- Up to EUR 50,000 for willful or reckless breach of the confidentiality requirement pursuant to Section 8
- Up to EUR 20,000 for failure to set up an internal reporting office in accordance with Section 12
- Up to 10,000 euros for negligent breach of confidentiality
In addition, there is reputational damage, civil law claims and, in particularly serious cases, criminal law consequences.
Practical examples: How to achieve legally compliant documentation
What the documentation obligations look like on a day-to-day basis depends heavily on the reporting channel selected and the company. The following are five typical constellations.
Example 1: Anonymous reporting via a digital whistleblowing system
Max notices that expenses are being systematically overcharged in his company's finance department. He wants to report the incident, but fears reprisals and therefore uses the internal, digital whistleblower system. He fills out a form, describes the fraud in detail and uploads anonymized evidence. The system generates login data for him for secure, anonymous communication and automatically sends him a confirmation of receipt within seconds, which is also documented.
The internal reporting office, a specially trained team, receives the report via the system and documents all processing steps with a time stamp: from the initial check of validity to the anonymous query via the system. After an intensive review, the reporting office initiates measures and provides Max with feedback within the three-month period. The entire case history is stored permanently for retrieval and automatically deleted after three years.
The advantage of this digital solution: documentation obligations and deadlines are largely automated and tamper-proof. The system provides a transparent audit trail that can be presented in the event of an official audit.
Example 2: The verbal report with content log
Julia reports in a personal conversation with the internal reporting office that her line manager has repeatedly discriminated against her. She refuses an audio recording or a verbatim report, but agrees to a content log. The reporting office sends her a written confirmation of receipt within seven days and then draws up a detailed content log with the key points of the report, the people involved and the reported violation. Julia receives the report for review, corrects it and confirms it.
All further steps, such as checking the validity, the internal investigation, measures and feedback, are documented in writing and filed in a protected file. The challenge with manual or semi-manual documentation is that the effort involved is significantly higher, sources of error are more likely and compliance with all deadlines requires strict internal control mechanisms. Proving permanent retrievability and compliance with the confidentiality requirements is also more complex than with a specialized digital system.
Example 3: The medium-sized plant manufacturer (180 employees)
An employee reports a suspected bribery payment in purchasing by email. The internal reporting office saves the email in an access-restricted tool, documents all subsequent steps and closes the procedure after eight months. The deletion date is clear from this: three years after the conclusion of the procedure.
Example 4: The telephone message in a bank
A whistleblower calls the Compliance department and does not want an audio recording. The person responsible draws up a record of the content, has it confirmed electronically by the whistleblower and stores it confidentially. A later correction by the whistleblower is possible at any time.
Example 5: The face-to-face meeting with audio recording
A former supplier reports data protection violations at a personal meeting and agrees to an audio recording. A verbatim record is made of this; the audio recording is then deleted immediately. The minutes remain archived for three years after the conclusion of the proceedings.
Digital solutions for efficient documentation requirements
Many companies rely on digital whistleblowing systems to fulfill their documentation obligations under the Whistleblower Protection Act efficiently and in compliance with the law. These offer a variety of functions that optimize the entire reporting process:
- Secure reporting channels: anonymous, pseudonymous or named reports with GDPR-compliant, end-to-end encrypted communication. This strengthens the trust of whistleblowers
- Automated deadline management: seven-day and three-month deadlines are monitored automatically
- Structured case management: clear dashboard for managing and prioritizing cases. All processing steps, responsibilities and interactions are documented seamlessly and in an audit-proof manner
- AI support (optional): modern solutions analyse, categorize and anonymize incoming messages and even suggest remedial measures
- Multilingualism: often available in over 30 languages, particularly relevant for internationally operating companies or groups with subsidiaries
- LkSG compatibility: many systems not only cover the HinSchG, but also support the complaints procedure under the Supply Chain Due Diligence Act

Conclusion
The documentation obligations under the Whistleblower Protection Act are a central component of the law and are indispensable for companies. Careful, transparent and timely documentation not only protects whistleblowers from reprisals and discrimination, but also protects the company from legal and reputational risks. Those who apply the three permissible forms - text report, audio recording or verbatim report and content report - properly, adhere to the three-year period following the conclusion of proceedings and consistently maintain confidentiality are on the safe side legally. By using modern digital whistleblowing systems, these requirements can be met efficiently, compliance strengthened and an environment of trust and integrity promoted.
Frequently asked questions
Yes, all incoming reports, regardless of their form, must be documented by internal and external reporting offices in a permanently retrievable manner, in strict compliance with the confidentiality requirement.
Verbal reports can be documented by audio recording or as a complete verbatim record, provided the person making the report agrees. Without consent, a written summary of the content, a content log, must be created. The whistleblower must have the opportunity to review and confirm the minutes.
The documentation is generally deleted three years after completion of the procedure. Longer storage is only permitted if this is necessary and proportionate to fulfill legal requirements or due to other legal regulations.
The reversal of the burden of proof in accordance with Section 36 (2) HinSchG means that in the event of discrimination against the whistleblower, the employer must prove that the measure was not based on the report. Seamless documentation of the reporting process is therefore crucial in order to comply with this obligation and provide legal protection.
Yes, digital whistleblowing systems are an efficient and legally compliant solution. They support case management, monitor deadlines, ensure secure and confidential communication and provide a transparent audit trail. Many systems are also GDPR and ISO-certified.
Yes, provided they are processed. However, there is no general obligation to provide an anonymous reporting channel.

Alexander Hilmar
ESG compliance expert - lawcode GmbH
Alexander Hilmar advises companies on the implementation of ESG compliance, sustainable reporting and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.





