Important facts
- Can a central reporting office be operated for the entire Group?
  - Although resource sharing is permitted, subsidiaries with 250 or more employees must provide their own reporting system, whose day-to-day operation may be outsourced to the parent company.
- Who is liable if the parent company processes the information centrally?
  - Even with a central reporting office, legal responsibility cannot be delegated. It is and remains the respective subsidiary that must rectify the irregularity and protect the whistleblower.
- From what number of employees does the obligation apply to the subsidiaries?
  - Every legally independent entity within a group of companies must offer an internal reporting office once it reaches the threshold of 50 employees.
- What technical and data protection requirements apply to the Group software?
  - The whistleblowing software must be multi-client capable in order to ensure strict and GDPR-compliant data separation between the individual subsidiaries.
- Can the HinSchG obligations be combined with other compliance requirements?
  - Cleverly configured software can serve very efficiently as a central complaints channel that simultaneously covers the requirements of the Whistleblower Protection Act, the Supply Chain Act (LkSG) and ESG reporting.
Executive Summary
For groups of companies, the HinSchG certainly offers scope for efficient, centralized solutions, provided that the implementation is precise. While smaller subsidiaries (50-249 employees) may operate a joint reporting office, units with 250 or more employees must have their own systems. In both cases, however, operations can be run centrally via the holding company.
The decisive factor: legal responsibility always remains with the local subsidiary. To avoid liability risks and GDPR violations, multi-client capable software that enforces strict data separation is absolutely essential. If implemented correctly, however, the legal obligation becomes a strategic advantage. A well-structured, centralized system reduces costs and can be easily expanded to meet other requirements such as the German Supply Chain Act (LkSG) or ESG reporting.
The legal situation
To understand why Group-wide implementation is so challenging, it is worth taking a look at the legal framework. This is where the European directive meets national legislation that differs from it in places.
The EU Commission's strict interpretation
The EU Whistleblower Directive pursues a clear objective: the whistleblower should be protected in the best possible way directly on site. The EU Commission has therefore made an unequivocal statement: there is no blanket "group privilege". Every legally independent subsidiary with 50 or more employees needs its own reporting channel.
The reason for this is simple and understandable: the EU wants reports to remain in the direct working environment. Anyone who reports grievances should feel understood, both linguistically and culturally. If an employee had to contact a distant parent company, the barrier to reporting would simply be too high.
The German special approach: resource sharing according to § 14 HinSchG
The German legislator has recognized that this EU approach is impractical and extremely cost-intensive, and has opted for a more company-friendly solution in the HinSchG: the "group privilege through the back door".
According to Section 14 (1) HinSchG, it is permissible for companies to entrust third parties with the tasks of the internal reporting office. The trick: another group company can also act as a "third party" within the meaning of the law. This means that the parent company, as the central service provider (third party), may operate the reporting office throughout the Group, receive information, clarify the facts (investigation) and recommend follow-up measures.
Beware of the pitfall: liability cannot be outsourced
Although the operational work can be transferred to the group headquarters, legal responsibility can never be transferred. The HinSchG (Section 14) draws a clear line here: the respective subsidiary always remains responsible in the end. It must guarantee that the reported grievance is rectified, that the whistleblower receives their feedback in a timely manner (confirmation of receipt after 7 days, feedback after 3 months) and that absolute confidentiality is maintained.
Mind the thresholds: the critical distinction by company size
Even if Section 14 HinSchG permits the sharing of resources within the group in principle, a dangerous legal trap lurks in practice: the permissibility of a central solution depends massively on the size of the respective subsidiary. The EU Commission has clearly drawn red lines here (most recently with a clarification in 2025), which the German law adapts as follows:
- 50 to 249 employees: Joint reporting office permitted. According to Section 14 para. 2 HinSchG, these companies may set up and operate a genuine joint internal reporting office. The parent company may bundle the operational receipt and initial review as a "shared facility". However, the ultimate legal responsibility (rectification of the irregularity) remains with the subsidiary.
- From 250 employees: A separate reporting office is mandatory. A mere "shared facility" is not permitted for these large subsidiaries. Each of these legally independent units must provide its own functioning internal reporting system. A mere reference to a superordinate group hotline violates the EU Directive. The solution: The subsidiary may outsource the operation of its (own) reporting office to the holding company as a service provider, but this requires strict technical client separation in the system.
Centralized vs. decentralized: a comparison of operating models
The legal framework gives rise to two possible operating models for corporate groups.
Decentralized solution: Each company (50 employees or more) runs its own system
In this model, each subsidiary (e.g. GmbH, AG) with 50 or more employees operates its own internal reporting office.
- Advantages: The separation of liability is absolutely clean. Data transfers between group units, which are often tricky under data protection law, are no longer necessary. Local works council agreements can be concluded precisely.
- Disadvantages: The approach is an enormous administrative and financial burden. Compliance officers (reporting office officers) must be appointed, trained and released from other duties for each subsidiary. License costs for software multiply.
Central group solution: The reporting office at the parent company
Here, central staff units (e.g. Group Compliance or Group HR) of the holding company take over the operational tasks for the protection of the reporting entity.
- Advantages: Massive cost savings through synergy effects and resource sharing. Incoming reports are processed more professionally by specialized, experienced investigators from the parent company. There is a uniform compliance standard throughout the entire group of companies.
- Disadvantages / requirements: The whistleblowing software must be technically multi-client capable. Reports must be strictly assigned to the respective subsidiary. Setup requires considerable legal clarification (data processing agreements).

Practical example: How a medium-sized holding company implements the HinSchG with legal certainty
In order to make the abstract requirements of § 12 and § 14 HinSchG tangible, we look at "Muster Holding GmbH". There are three legally independent companies under its umbrella:
- Subsidiary A (logistics): 120 employees.
- Subsidiary B (Marketing): 40 employees.
- Subsidiary C (Production): 600 employees.
The initial situation:
The deadline of 17.12.2023 has passed. Subsidiary A and Subsidiary C exceed the threshold of 50 employees and fall under the mandatory scope of the HinSchG (Section 12 HinSchG). Subsidiary B is below this threshold and has no legal obligation.
The legally compliant solution:
Muster Holding GmbH opts for a central reporting office for the subsidiaries, operated by the holding company's "Group Compliance". For this purpose, it uses digital, multi-client capable whistleblowing software such as Hintbox.
The software is configured in such a way that the whistleblower must select which company (subsidiary A or C) their report relates to before submitting it.
The report lands in the parent company's system but remains isolated, both legally and at the data level. The holding company concludes a service agreement and a data processing agreement (DPA) with subsidiaries A and C. Subsidiary B is integrated into the system on a voluntary basis in order to create a homogeneous compliance culture. The managing directors of A and C remain legally liable and are informed immediately by the holding company reporting office in the event of valid compliance violations so that measures can be taken.
Legal and technical risks of the group solution
Anyone who gets the outsourcing to a third-party reporting office wrong walks into serious liability traps.
The liability trap for managing directors (directors' and officers' liability)
If the managing director of a GmbH subsidiary (e.g. subsidiary A) blindly relies on the parent company "taking care of it", he is violating his own supervisory and organizational duties. If the whistleblower's information is delayed at group headquarters, confidentiality is breached or retaliatory measures against the whistleblower are not prevented, the subsidiary may face fines of up to EUR 20,000 per unit in accordance with Section 40 (2) No. 2 HinSchG.
Far more dangerous for the managing director: if the company suffers damage (reputation, fines) due to this non-compliance, the managing director can be held personally liable (directors' and officers' liability pursuant to Section 43 GmbHG or Section 93 AktG). He must monitor the work of the parent company.
Data protection (GDPR) and the Group-wide data flow
Another huge risk is data protection. There is no "group privilege" in the GDPR either. Whistleblower data is highly sensitive. The holding company and the subsidiary may not simply exchange case files at will.
The strict need-to-know principle and the Group confidentiality requirement apply. If the parent company processes the data for the subsidiary as a "third party", a data processing agreement (DPA) in accordance with Art. 28 GDPR is mandatory. In addition, the technical platform must guarantee that administrators in subsidiary A have no access rights to the data of subsidiary C (multi-client capability).
Step-by-step: Establishing a legally compliant reporting office
In order to efficiently master the requirements of the HinSchG, corporate groups should go through this tried and tested process:
1. Analyze company structures and threshold values
Check which of the subsidiaries (as independent legal entities) regularly have 50 or more employees (Section 12 HinSchG). Also consider whether the company is affected by exceptions for the financial sector (Section 12 (3) HinSchG), where the obligation may apply regardless of the number of employees.
2. Define operating model (centralized/decentralized) and software
It makes the most sense to opt for resource sharing. To map this in a legally compliant manner, a mailbox or a simple e-mail address is insufficient. This requires dedicated whistleblowing software that offers genuine multi-client capability, so that each subsidiary is managed as a separate client while the head office handles operations with rights management kept in place.
3. Define internal responsibilities and conclude service contracts
In addition, define who at the parent company is authorized to view the information. Legally compliant service level agreements (SLAs) should be used to delegate tasks in accordance with Section 14 HinSchG. A data processing agreement (DPA; German: AVV) between the holding company (processor) and the subsidiary (controller) is also useful.
4. Communication to the workforce in the subsidiaries
Transparency is mandatory. The employees of the subsidiaries must be clearly informed that the reporting office is operated by the parent company. At the same time, the whistleblower must be assured that their identity will remain strictly protected in accordance with the confidentiality requirement and that no unauthorized persons at the group headquarters will be able to gain access.

Best practices for group structures: three often overlooked success factors
Co-determination in the Group: Involving the works council at an early stage
The implementation of a digital whistleblowing system is not purely an IT or compliance project, as it is subject to a high degree of co-determination. According to Section 87 (1) No. 6 BetrVG (introduction of technical monitoring equipment) and, if applicable, No. 1 (order in the company), the works council has a mandatory right of co-determination. In corporate groups, the strategic question often arises here: is a group works agreement (KBV) sufficient or do the local works councils of the subsidiaries have to agree?
Practice shows: Anyone planning a central reporting office at the parent company should definitely get the group works council on board in order to avoid a patchwork of individual local agreements. Early onboarding of employee representatives creates trust and prevents time-consuming blockades during the rollout in the subsidiaries.
Strategic synergies: Combining HinSchG, LkSG and ESG reporting
Anyone who looks at the Whistleblower Protection Act in isolation is wasting massive efficiency potential. For many medium-sized and large corporate groups, the obligations under the Supply Chain Due Diligence Act (LkSG) and the requirements of the CSRD Directive in ESG reporting apply in parallel. Section 8 of the LkSG explicitly requires a company-internal complaints procedure for human rights and environmental risks.
The absolute gold standard: avoid expensive isolated solutions! A smart, multi-client capable group reporting office should be configured in such a way that it simultaneously functions as a LkSG complaints channel and as an ESG feedback tool. This not only significantly reduces software and administration costs, but also creates a single point of truth for the entire group-wide compliance management.
Resolve conflicts of interest: Ensuring the independence of the Reporting Office
In the case of a centralized group solution, the Group Compliance or Group HR department of the holding company usually takes over case processing. But what happens if a report implicates the management of the parent company or the case handlers themselves? Section 15 of the HinSchG stipulates that the persons appointed must be professionally independent. In the event of bias, internal investigations are simply not permitted. To mitigate this operational risk, the system and internal process must define clear escalation routes.
In the event of a conflict of interest, it must be possible to redirect the report to a completely neutral body. This is where a seamlessly connected external legal ombudsperson comes into play, who takes over in such a case and guarantees a legally secure clarification even at the highest management levels.
Conclusion
Despite initial resistance at EU level, a central reporting office for the entire group of companies is not only possible, but is also the absolute standard for medium-sized and large companies under the German Whistleblower Protection Act. Outsourcing operational activities to the parent company saves time and money and ensures professional case management.
However, the key to success lies in error-free technical and legal separation. A software solution that is unable to map these group structures in a multi-client capable manner will inevitably lead to data protection breaches and compliance liability cases for management.
With the Hintbox whistleblowing software, you can easily implement a highly secure, fully multi-client capable corporate solution.
You bundle resources in the parent company, maintain an overview at all times and at the same time ensure that each subsidiary is fully compliant with the HinSchG and GDPR.
Frequently asked questions
Yes, this is easy and highly recommended. Although there is no obligation for smaller companies under the HinSchG, voluntary affiliation strengthens the uniform compliance culture and covers gray areas (e.g. Supply Chain Act) at an early stage.
Yes, due to the GDPR transparency obligations, the whistleblower must be clearly informed when submitting the report that the processing ("outsourcing") is carried out by a central office (e.g. the parent company).
Caution is advised here! The relief under Section 14 HinSchG only applies to subsidiaries under German law. Foreign subsidiaries are subject to the respective national law transposing the EU Directive, which may strictly prohibit such a group privilege.
Absolutely, Section 14 (1) HinSchG permits outsourcing to any "third party". An external legal ombudsman for the entire group of companies is one of the most legally secure options, as he is subject to the lawyer's duty of confidentiality.
No. Although the law permits postal reporting channels, a central mailbox in a corporate structure rarely meets the strict requirements for confidentiality protection, GDPR-compliant data separation and documentation obligations per subsidiary. A digital, multi-client-capable platform is essential.

Matthias Klein
ESG compliance expert - lawcode GmbH
Matthias Klein advises companies on the implementation of supply chain laws such as the CSDDD and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.





