Important facts
- Can the fines for a company be even higher than the 50,000 euros mentioned?
- Yes, the German Administrative Offenses Act (OWiG) can even increase the financial penalty for legal entities tenfold under certain conditions.
- Who in the company bears personal financial responsibility for fines imposed in an emergency?
- The fines are primarily directed against the company, but the management is personally liable if it has failed to set up the reporting office or protect against reprisals in breach of its duties.
- Why does the timely outsourcing of the reporting office to a service provider protect against fines?
- An external service provider guarantees the expertise and independence required by law, which means that expensive fines due to technical errors in the processing of reports are avoided from the outset.
- What financial risk do companies face in addition to official fines in the event of reprisals?
- In addition to fines, the company is threatened with uncapped civil claims for damages by the whistleblower concerned for all financial and professional disadvantages suffered.
- Is there a financial grace period in the event of a breach of the obligation to set up the reporting office?
- No, the transitional periods have long since expired, which is why the absence of an internal reporting office can be sanctioned for all companies with 50 or more employees from the first day of the audit.
Executive Summary
The Whistleblower Protection Act (HinSchG), which has been in force since mid-2023, obliges German companies with 50 or more employees to set up an internal reporting office for whistleblowers in order to ensure legally secure protection against reprisals. Violations of these legal requirements can result in fines of up to 50,000 euros, whereby the law differentiates according to the severity of the offense: While failure to set up a reporting office or knowingly reporting false information is punishable by up to 20,000 euros, serious breaches of duty such as obstructing reports, prohibited reprisals or deliberate breaches of confidentiality cost up to 50,000 euros. Even negligent identity disclosure can result in fines of up to 10,000 euros.
Liability lies primarily with the management, and the financial framework for legal entities can even increase tenfold in serious cases via the Administrative Offenses Act (OWiG). In addition to official sanctions, which in the private sector are pursued by the respective state authorities, companies face civil law claims for damages in the event of discrimination against whistleblowers as well as a demanding reversal of the burden of proof: the employer must prove that professional disadvantages did not constitute a prohibited retaliatory measure. In order to proactively avoid these fines and irreversible reputational damage, affected companies must establish reporting channels, strictly adhere to legal deadlines such as the seven-day confirmation of receipt and the three-month feedback period, and either deploy expert personnel or outsource the tasks to a qualified external service provider.
What does the Whistleblower Protection Act regulate?
The HinSchG, which came into force on July 2, 2023, transposes the EU Whistleblower Directive into German law. The aim is to provide seamless protection for people who report legal violations or serious wrongdoing in a professional context. The scope of protection extends far beyond the core workforce and also includes trainees, interns, applicants, former employees, self-employed persons and service providers along the supply chain.
Deadlines and obligations according to company size
Depending on the size of the company, different deadlines applied for the implementation of internal reporting points.
- Companies with 250 or more employees had to set up the reporting office immediately from July 2, 2023, and a missing reporting office was subject to a fine from that date.
- Smaller companies with 50 to 249 employees, on the other hand, had a transitional period until December 17, 2023, whereby the fines for a missing reporting office in this segment became applicable from December 1, 2023.
- Public bodies such as cities and municipalities with a population of 10,000 or more also had to provide corresponding whistleblower systems from the beginning of July 2023.
- For specific regulated industries, such as the financial sector, the obligation to set up an internal reporting office even applies from day one, regardless of the number of employees.

Which violations are covered by the HinSchG?
Before discussing the fines in more detail, it is worth taking a look at the material scope of application. This is because not every discrepancy in the company is automatically a reportable violation within the meaning of the law. Section 2 HinSchG, which clearly defines the scope of protection, is decisive.
At its core, the HinSchG covers three broad categories.
- Firstly, any criminal offense under German law, including classic offenses such as fraud, bribery, embezzlement or falsification of documents.
- Secondly, certain administrative offenses subject to fines, but only if the violated regulation serves to protect life, limb, health or the rights of employees or their representative bodies.
- Thirdly, numerous areas of regulation shaped by EU law in which the public interest is particularly high.
These EU-relevant areas include money laundering prevention and terrorist financing, product safety and product conformity, road, rail, water and air traffic safety as well as environmental, radiation and nuclear safety. The catalog is supplemented by food and feed safety, consumer protection, public health, data protection in accordance with the GDPR and IT security requirements for digital services. Violations of competition law, the tax law of corporations and commercial partnerships, public procurement law above the EU thresholds and the Digital Markets Act (DMA) are also covered.
Important in practice:
Whistleblowers do not have to prove the violation in court. Reasonable grounds for suspicion and suspected cases are also protected, provided there was sufficient reason to believe at the time of the report that the reported facts are true and fall within the scope of the law. Pure team conflicts, disagreements about the distribution of tasks or a harsh tone, on the other hand, do not automatically fall under the protection of the HinSchG, even if they should of course be taken seriously internally.
The fine levels at a glance
The law makes a clear distinction between different levels of sanctions in Section 40. The severity of the respective violation is decisive for the classification and the amount of the fine. The spectrum ranges from minor negligence to systematic violations of the basic principles of the law.
The maximum level: up to 50,000 euros in fines
This highest level of sanction applies to the most serious breaches of the law. It applies in particular when a report is actively obstructed or communication between the whistleblower and the reporting office is disrupted. It also applies to anyone who takes or threatens reprisals against whistleblowers or attempts to do so. An intentional or reckless breach of the duty of confidentiality regarding the identity of the whistleblower is also punishable by a fine of up to 50,000 euros.
The middle level: Up to 20,000 euros in fines
The middle level essentially concerns structural omissions and misuse. This includes the deliberate disclosure of incorrect or false information by a whistleblower with the intent to harm the organization or third parties.
The failure of a company to set up and operate an internal reporting office contrary to the legal requirements is also sanctioned within this framework.
The negligence level: Up to 10,000 euros in fines
The lowest level applies to negligent errors in the handling of information. This applies in particular to the negligent breach of the duty of confidentiality. Anyone who discloses the identity of the person providing the information or other parties involved without direct intent, but due to a lack of care, risks a severe fine of up to 10,000 euros.

Penalties for violations in detail
Maximum protection for confidentiality and freedom from reprisals
The highest level of up to 50,000 euros protects the two most important pillars of the law:
- the confidentiality of the identity
- and freedom from reprisals.
Anyone who actively sabotages a report, intimidates, transfers or terminates a whistleblower must expect the highest penalty. As even the attempt and threat of reprisals are punishable, the threshold for sanctions is extremely low.
Reprisals include all discrimination under employment law or professional discrimination such as bullying, loss of salary or denial of promotion. The identity of the reporting person must be absolutely protected. Anyone who deliberately or even recklessly passes on data in this regard also risks up to 50,000 euros.
Reprisals in practice: from open conflict to subtle discrimination
Reprisals are strictly prohibited under Section 36 HinSchG, including threats and attempts. The law itself deliberately defines the term broadly: it covers all actions or omissions in connection with professional activities that constitute a reaction to a report and cause or may cause an unjustified disadvantage to the whistleblower. It is precisely this breadth that makes the provision so controversial for companies.
In practice, reprisals initially include obvious measures such as dismissals with or without notice, warnings, transfers, suspensions or withdrawal of responsibilities. In addition, there is workplace bullying, deliberate isolation within the team, arbitrary poor performance evaluations or the sudden refusal of promotions, salary increases and bonuses. More subtle forms such as the refusal of training, the removal of privileges, a change in shift allocation or the non-renewal of a fixed-term contract can also be seen as reprisals, depending on the context.
The situation is also delicate outside the current employment relationship. A negative reference for a former employee, the withdrawal of a job offer that has already been made or the sudden termination of a business relationship with a supplier can all constitute the same offense.
The decisive factor is not the form, but the connection with the report, and it is precisely this connection that the law already legally presumes in favor of the person making the report in accordance with Section 36 (2) HinSchG.
More than just your own employees: Who is actually a "whistleblower"?
The risk profile for companies is broader than many management teams assume. The personal scope of application of the HinSchG is deliberately broad and extends well beyond the active core workforce. All natural persons who obtain information about violations in connection with their professional activities are protected.
Specifically, this includes employees regardless of hierarchy, function or contract type, trainees and interns, working students and temporary workers. Civil servants, freelancers, self-employed persons and service providers along the supply chain are also protected. Applicants also enjoy protection and, very importantly, so do former employees, i.e. people after their employment relationship has ended.
For companies, this means:
Fines and claims for damages are not only threatened in the event of reprisals against active employees. Bad information given to a new employer about an ex-employee, a suddenly withdrawn job offer to an applicant or pressure on a supplier can also constitute reprisals punishable by a fine. Anyone who underestimates the number of persons entitled to protection risks making expensive misjudgements in day-to-day business.
Lack of structures and abuse of the system
Companies with 50 or more employees that have simply not set up an internal reporting office or do not operate one in accordance with the regulations are acting in breach of the regulations. Fines of up to 20,000 euros may be imposed.
On the other hand, the law also protects companies from malicious abuse. The same sum of up to 20,000 euros can therefore also apply to whistleblowers who can be proven to have knowingly made false allegations. Such false reports also lead to the immediate loss of any legal protection status and can result in considerable claims for damages.
The HinSchG is not a one-sided law that only sanctions companies. It also expressly protects organizations from abusive whistleblowing. Anyone who knowingly discloses false information about alleged violations is committing an offense under Section 40 (1) HinSchG and risks a fine of up to 20,000 euros. This puts the offense on the same level as the lack of an internal reporting office.
In addition to the official sanction, Section 38 HinSchG provides for a civil liability for damages. Anyone who intentionally or through gross negligence reports or discloses incorrect information is obliged to fully compensate the injured company for the resulting damage.
In addition, whistleblowers who knowingly pass on false information lose any right to protection under the HinSchG. They can therefore invoke neither the confidentiality requirement nor the protection against reprisals. The reversal of the burden of proof under Section 36 (2) also does not apply in their favor.
It is important to be aware of this symmetry and to state it clearly in internal communication materials. It protects companies against misuse of the reporting system as a means of exerting pressure under employment law and at the same time provides security for whistleblowers acting in good faith: anyone who reports on the basis of sufficient evidence and in good faith remains protected even if the suspicion is subsequently not confirmed. Communicating this differentiation clearly lowers the inhibition threshold for honest reports and at the same time discourages abusive accusations.
The risk of unintentional errors
Even those who do not act maliciously can be prosecuted. A merely negligent breach of confidentiality, for example by carelessly passing on information among colleagues or inadequately secured documents, can still result in a fine of up to 10,000 euros.
This shows that companies are forced to introduce strict technical and organizational measures to prevent data leaks.
Who is liable for infringements and what other consequences are there?
The responsibility for compliance with the HinSchG lies primarily with the company's management. It must implement functioning processes and ensure that no discrimination takes place within the company.
Increased fines and civil liability
In addition to direct fines, there are other serious consequences. The Federal Office of Justice (BfJ) is responsible for prosecuting violations committed by federal authorities or federal agencies. In the private sector, on the other hand, responsibility for fine proceedings lies with the relevant state authorities of the federal states. Regardless of the authority, the fines for legal entities and associations of persons can even be increased tenfold under certain circumstances via the Administrative Offenses Act (OWiG).
In addition, there is the threat of civil liability: if reprisals are proven, the perpetrator is obliged to pay the whistleblower full compensation for all financial and professional disadvantages incurred in accordance with Section 37 HinSchG.
The reversal of the burden of proof and the threat of reputational damage
The statutory reversal of the burden of proof under Section 36 (2) HinSchG is particularly challenging for employers. If a whistleblower suffers professional disadvantages such as dismissal or transfer following a report, it is legally presumed that this is a case of prohibited retaliation. In the event of a dispute, the company must fully prove that the measure was based on purely objective, justified reasons.
The risk of a massive loss of reputation should also not be underestimated. The lack of trustworthy internal channels often drives whistleblowers to external authorities or directly to the press, which leads to a loss of control over crisis communication and permanent damage to the company's image.

How companies avoid fines and ensure compliance
In order to effectively avoid fines, companies should set up their internal processes in a structured and legally compliant manner.
The first step is to set up an internal channel that can reliably receive written, verbal and, if desired, personal messages.
Compliance with legal deadlines and guarantee of expertise
Once a report has been received, a confirmation must be sent to the whistleblower within seven days at the latest. Those responsible then have a maximum of three months to provide the whistleblower with substantive feedback on any follow-up measures planned or already taken.
In extremely complex cases, this period can be extended to up to six months for internal investigations as part of the documentation, but feedback should always be provided as quickly as possible.
To this end, it is imperative that independent and verifiably trained persons are commissioned to operate the reporting office in order to rule out conflicts of interest. Every report and all subsequent steps taken must be documented in an audit-proof and data protection-compliant manner.
One obligation that is often underestimated in practice concerns documentation. The HinSchG requires complete and comprehensible documentation of every report received and all subsequent measures taken. Only this audit-proof record makes it possible for supervisory authorities, courts and internal compliance functions to verify the effectiveness of the reporting system at a later date.
The retention period is clearly regulated: The documentation is deleted three years after completion of the respective procedure. Longer storage is only permitted if this is necessary and proportionate to fulfill the requirements of the HinSchG or other legal provisions. In the case of verbal reports made during a face-to-face meeting, an audio recording or verbatim record may be made with the consent of the reporting person. The whistleblower must then be given the opportunity to check the minutes, correct them if necessary and confirm them.
Violations of the documentation obligation are not directly listed as an administrative offense in Section 40 HinSchG. In practice, however, documentation gaps have a considerable impact: They make it more difficult to prove that the company has complied with its obligations and can lead to conviction in the event of a dispute, for example in the event of suspected reprisals and the statutory reversal of the burden of proof, because it is simply no longer possible to provide evidence to the contrary. Clean documentation is therefore not just a compliance exercise, but direct protection against civil liability.
Anonymous options and the possibility of outsourcing
Even if the law does not stipulate a strict obligation to provide completely anonymous reporting channels, the processing of anonymous reports is strongly recommended in practice. It significantly lowers the inhibition threshold for important information.
Companies with 50 to 249 employees can also pool resources and set up a joint reporting office. Alternatively, it is possible to outsource the tasks of the internal reporting office completely to a qualified external service provider, such as an ombudsperson. However, the ultimate responsibility for remedying the grievances remains with the company in any case.
Conclusion
The legal provisions of the HinSchG clearly show that the legislator is serious about whistleblower protection. Fines of up to 50,000 euros, combined with claims for damages and the risk of a reversal of the burden of proof, can threaten the existence of companies.
A professionally set up whistleblower system is therefore not an annoying bureaucratic evil, but a necessary safeguard. It acts as an internal early warning system that uncovers irregularities before they reach the public and protects the integrity and economic stability of your company.
Frequently asked questions
The provisions on fines have been in force for large companies with 250 or more employees since July 2023. The threat of fines for a missing reporting office for smaller companies with 50 to 249 employees has been in effect since December 1, 2023.
Yes, the law also expressly criminalizes the threat and attempt of reprisals as well as the obstruction of reports. These preliminary stages can also be punished with severe fines.
The Federal Office of Justice (BfJ), based in Bonn, is responsible for prosecution in the area of federal authorities. For private companies, responsibility generally lies with the respective state authorities or the district governments of the federal states.
Yes, companies with 50 to 249 employees may operate a joint reporting office. However, the obligation to rectify any breaches identified remains with the individual company.
If a whistleblower knowingly passes on false information, the legal protection does not apply. There is a risk of fines of up to 20,000 euros as well as civil claims for damages by the company concerned.
No. The law does not make the provision of anonymous reporting channels mandatory. It is merely recommended that anonymous reports be processed and permitted in the system.

Larissa Ragg
Marketing Manager · lawcode GmbH
Larissa Ragg is responsible for content strategy at lawcode and writes specialist articles on EUDR, ESG compliance, HinSchG, supply chain and CSRD. Her posts on the lawcode blog make complex regulatory requirements understandable and give companies practical guidance.





