DE
Important facts
- What is the Whistleblower Protection Act?
- The HinSchG is a law for better protection of whistleblowers who report grievances or illegal practices in companies.
- Since when has the law been in force?
- The Whistleblower Act was passed on May 12, 2023 and came into force on July 2, 2023.
- What is the aim of the law?
- It protects whistleblowers from disadvantages such as dismissal or discrimination. At the same time, it obliges companies to set up an internal reporting office through which information can be submitted and checked confidentially.
- Who is affected?
- The Whistleblower Protection Act applies to companies with 50 or more employees. It also applies to public bodies, for example cities and municipalities, as soon as they have more than 10,000 inhabitants.
- What are the legal obligations for companies?
- Employers are obliged to set up internal reporting channels, train employees and ensure that the identity of whistleblowers is protected.
- What can be reported?
- Criminal offenses and certain violations subject to fines as well as other areas according to § 2 HinSchG.
- How are companies liable for inadequate measures?
- Fines of up to 50,000 euros are to be expected.
HinSchG at a glance
The Whistleblower Protection Act (HinSchG) protects people who report legal violations in a professional context. It covers a wide range of breaches, from corruption and fraud to data protection violations and breaches in regulated areas such as money laundering prevention or environmental regulations.
The aim is to uncover grievances earlier and protect whistleblowers from discrimination. The law has applied to companies with 250 or more employees since July 2, 2023, and to companies with 50 or more employees and public bodies since December 17, 2023.
Affected companies are obliged to set up an internal reporting office and establish secure procedures for receiving, reviewing and reporting back information. Reports can be received verbally or in text form; alternatively, an external reporting office is also available. Although anonymous reports do not have to be actively facilitated, they must be processed when they are received.
Violations of the HinSchG can be punished as an administrative offense. Depending on the severity, fines of up to €10,000, €20,000 or up to €50,000 for serious violations such as obstructing reports or reprisals against whistleblowers can be imposed.
Whistleblower Protection Act - definition, background & objectives
Definition and meaning of the law
The Whistleblower Protection Act, or HinSchG for short, is legislation designed to ensure the protection of individuals who report information about wrongdoing or illegal activities within a company. These whistleblowers are also known as whistleblowers. The law is central to promoting transparency and integrity in business processes.
The HinSchG obliges companies above a certain size to set up a secure reporting channel for whistleblowing. This allows employees to report violations or concerns confidentially. At the same time, the law makes it clear that anyone who makes a report does not have to fear any disadvantages, such as dismissal, bullying or other forms of retaliation.
Creation and publication in the Federal Law Gazette
The HinSchG transposes the EU Whistleblower Directive, which was adopted in October 2019, into German law. As Germany missed the EU transposition deadline of December 17, 2021, the EU initiated infringement proceedings.
After a failed draft under the grand coalition, the traffic light coalition included the HinSchG in its coalition agreement. The Bundestag passed the law on December 16, 2022, but the Bundesrat blocked it in February 2023. After being referred to the Mediation Committee, the HinSchG was finally passed on May 12, 2023 and came into force on July 2, 2023(Federal Law Gazette 2023 I No. 140).
The law requires companies to set up secure and confidential reporting channels and implement transparent processes so that reports are properly processed and investigated and whistleblowers are protected from retaliation.
Relationship to the EU Whistleblower Directive
The German Whistleblower Protection Act is closely linked to the EU Whistleblower Directive. The EU has thus created a common framework so that whistleblowers are better protected throughout Europe and companies must offer secure reporting channels. The Whistleblower Protection Act transposes these requirements into German law and thus strengthens protection for anyone who obtains and reports information about breaches.
The EU Whistleblower Directive obliges companies above a certain size to set up and operate internal reporting channels. The identity of whistleblowers must remain confidential and discrimination should be prevented.
The Whistleblower Act implements these requirements in Germany and makes it clear how companies must comply with them in practice. This enables companies to expand their compliance structures in a targeted manner and at the same time ensure greater transparency and integrity in everyday working life.
Objectives of the Whistleblower Protection Act
The aim of the Whistleblower Protection Act is to provide legal protection for people who expose wrongdoing in companies. This rule is important to promote a culture of transparency and responsibility in the corporate world. The Act creates a formal framework to ensure that whistleblowers are protected from retaliation, such as dismissal or discrimination. At the same time, companies are obliged to set up internal reporting systems in order to process reports efficiently and confidentially. The background to the law lies in the need to combat corruption, fraud and other unethical practices that can jeopardize the reputation and integrity of companies.
Protection of whistleblowers from reprisals
The Whistleblower Protection Act ensures that individuals who report grievances in companies (whistleblowing) are protected from possible reprisals. This protection is important because it is the only way to create an environment in which employees can report information openly and without fear of negative consequences. The law also provides that whistleblowers are legally protected in the event of dismissals, professional discrimination or other reprisals, for example. These measures strengthen trust in internal reporting processes and encourage more people to actively promote integrity and transparency.
Paragraphs of the HinSchG in detail
§Section 36 regulates the prohibition of reprisals against whistleblowers and provides for a reversal of the burden of proof. Reprisals, including threats and attempts at reprisals, are prohibited. If a person learns in connection with their professional activity that they have passed on information about a violation and are therefore discriminated against because of a report under this law, it is assumed that this is reprisal. In this case, the burden of proof is reversed: the discriminating person must prove that the measure is based on legally justified reasons or is not related to the report.
§Section 37 HinSchG regulates compensation for damages after reprisals: If someone violates the prohibition of reprisals, they must compensate the whistleblower for the damages incurred. At the same time, the law makes it clear that this does not give rise to any entitlement to (new) employment or certain professional advantages.
§Section 38 regulates compensation for damages due to a false report. The person providing the information is liable for damages resulting from the intentional or grossly negligent reporting of incorrect information.
§Section 39 declares that agreements that restrict the rights of persons providing information or protected persons in accordance with this law are invalid.
Promoting the detection of grievances
The Whistleblower Protection Act creates the conditions for whistleblowers to report information at an early stage so that it can be investigated and remedied before a problem turns into tangible damage. In practice in particular, breaches often remain undetected for a long time: because responsibilities are unclear, because employees shy away from conflict or because the fear of negative consequences prevails. By bindingly ensuring confidentiality and protection against reprisals, the law significantly lowers this inhibition threshold.
For companies, this means that information no longer just appears randomly, but ends up in the right place via a clear process. They can be recorded, checked and followed up in an organized manner. This means that problems can often be stopped at an early stage, such as illegal practices, gaps in the process or unnecessary financial risks.
There is also an important learning effect: if certain reports accumulate, this shows quite clearly where rules are unclear, controls are lacking or management and corporate culture should be readjusted.
This effect is also relevant from an external perspective. The sooner organizations identify and rectify grievances internally, the lower the risk of issues escalating, for example through official proceedings, media coverage or court cases. The law therefore not only acts as a protective law for whistleblowers, but also as an early warning system that can strengthen integrity and trust in organizations and markets as a whole.
Strengthening compliance in companies
With the HinSchG, compliance has become a real management task in many companies. Companies must create reliable reporting channels, define clear responsibilities and ensure that reports are processed confidentially, fairly and within the specified deadlines. In this way, compliance does not stop at paper and guidelines, but becomes tangible in everyday life: A report is received, checked, documented, feedback is given and concrete measures are taken at the end.
In practice, the law strengthens three things in particular:
- Reliable processes and responsibilities: Who receives reports, who checks, who decides and who implements measures must be clearly defined. This reduces the risk of "bogging down" or informal side channels and creates a comprehensible, auditable process.
- Better risk management: reports provide valuable information for compliance and risk management. They show where controls are not effective, where there is a need for training or where particular risk clusters are located (e.g. purchasing, sales, data protection, occupational health and safety). This enables compliance to prioritize more specifically and deploy resources more effectively.
- Culture and trust effect: A well-functioning whistleblower system sends a strong signal internally: misconduct is not covered up, but dealt with fairly, confidentially and without "punishing the messenger". This strengthens psychological security and promotes a corporate culture in which rules, values and responsibility are actually practiced.
In the long term, a good whistleblowing system has two advantages: Violations are detected earlier, reducing legal and financial risks. At the same time, it strengthens the company's reputation with employees, business partners, authorities and the public.
Compliance is therefore not only a protective shield, but also an important building block for responsible and sustainable corporate governance.
Companies affected
Obligated companies by size and sector
The obligation to set up and operate an internal reporting office applies to most companies with 50 or more employees. For large companies with 250 or more employees, the obligation has applied since it came into force; smaller companies (50-249 employees) had a transitional period until December 17, 2023.
In addition, there are special cases in which the obligation may apply regardless of the number of employees, particularly in certain regulated sectors (e.g. financial services providers).
Practical relevance for SMEs: Companies with 50-249 employees may operate a joint Whistleblower Protection Act reporting office (e.g. in a group of companies or together with other companies). However, the responsibility for follow-up measures and remedial action remains with the respective company.
Public institutions and their duties
The law also applies to public institutions as well as cities and municipalities with a population of more than 10,000 people. These have also had to provide corresponding whistleblower systems since the beginning of July 2023.
For federal or state authorities, the highest authorities determine the corresponding organizational units. This obligation also applies to municipalities and companies under municipal control, but is subject to the respective state laws.
Who enjoys protection as a whistleblower?
The personal scope of application is deliberately broad. Protected are for example:
- Employees (regardless of hierarchy, function or contract type)
- Trainees, interns, working students
- Applicants and persons after the end of the employment relationship (e.g. ex-employees)
- Freelancers, service providers, temporary workers and persons in supplier and project constellations, provided that access to information is job-related
This makes it clear that the Whistleblower Protection Act is not just an "employee law", but also covers many constellations relating to projects, outsourcing and supply chains in which violations typically become apparent.
Important: The protection does not automatically apply to every criticism or internal conflict, but only if a report concerns a violation within the meaning of the law (see § 2 HinSchG).
Abuses that fall under the HinSchG
The law regulates the reporting and disclosure of information on various types of legal violations. These include violations subject to criminal penalties and fines, in particular those relating to the protection of life, health and employee rights. It also includes legislation to combat money laundering, product safety, road safety, environmental and data protection regulations. In addition, regulations on competition and tax law as well as the protection of the EU's financial interests are taken into account. The law therefore applies comprehensively to numerous areas of public and economic life in order to ensure transparency and compliance.
The HinSchG protects information on legal violations that occur in the professional environment.
Violations of EU and national laws
Essentially, any criminal offense under German law is generally reportable (e.g. fraud, bribery, breach of trust, forgery of documents). In the case of administrative offenses (fines), the scope of application is narrower. The protection applies above all if the violated regulation serves to protect life, limb or health or the rights of employees or their representative bodies.
Practical examples:
- Systematic violations of occupational health and safety (e.g. lack of protective measures, ignored risk assessments)
- Violations involving fines relating to employee rights (e.g. certain co-determination/information obligations, depending on the standard)
In addition to criminal and fine cases, the HinSchG also covers violations of a number of regulatory areas under EU law that are particularly heavily regulated and have a high public interest. These include, among others:
- Money laundering prevention & terrorist financing
- Product safety and product conformity
- Traffic safety (road, rail, air, sea)
- Environmental protection, radiation protection and nuclear safety
- Food/feed safety, animal health and animal welfare (depending on the context)
- Consumer protection and public health
- Data protection/privacy (GDPR) as well as IT security requirements and the security of network and information systems
In these areas in particular, breaches are often difficult to see through, as there are many rules, many parties involved and often external service providers. In practice, such problems often only come to light when someone points them out internally. For example, when documents are "whitewashed", checks are simply suspended or obligations along the supply and value chain are not complied with.
Practical examples:
- Suspicion of unlawful sanctions/money laundering circumvention in payment transactions or sales
- Product safety risks that are known internally but not addressed (e.g. missing tests, incorrect conformity information)
- Data protection incidents (unauthorized access, data leakage, circumvention of deletion/access processes) or IT security deficiencies in digital services
A major practical point: whistleblowers do not have to prove everything in court first. Suspicious activity reports can also be protected if there was sufficient reason to believe at the time of the report that the information is correct or falls within the scope of application.
Corruption and fraud
Corruption and fraud are among the most frequent and serious violations in companies and public institutions. The HinSchG ensures that such cases can be reported safely without whistleblowers having to fear professional disadvantages. The inhibition threshold is often high here in particular: several people are often involved, processes are deliberately concealed and anyone who raises an issue can quickly expect a headwind.
Corruption includes not only traditional bribery, but also seemingly minor benefits, invitations or favors if they are used to improperly influence decisions. Fraud often manifests itself in the form of false invoices, sham invoices, misappropriated funds or deliberately withheld information. Areas such as purchasing, sales, funding management and cooperation with external partners are particularly susceptible. Manipulations in public tenders, tax violations, anti-competitive behavior and violations in the digital sector can also be reported via the whistleblower system, provided they fall within the material scope of the law.
For companies, the HinSchG is therefore not just a question of legal compliance, but a real protection factor: those who recognize and eliminate corruption and fraud risks at an early stage often prevent costly consequential damage, criminal proceedings and loss of trust.
What can be reported? Types of violations and grievances
Violations and irregularities that endanger the public interest, such as corruption, fraud, violations of laws and regulations, violations of EU law and other serious irregularities, can be reported. This also includes suspected cases. The HinSchG only protects reports that fall within the material scope of application (Section 2) - internal policies are only covered if they are related to such a violation.
A non-exhaustive list of violations and grievances:
- Violations of criminal law: Any criminal offense under German law can be reported.
- Administrative offenses: Violations that are punishable by a fine and affect the protection of life, limb, health or the rights of employees can be reported.
- Violations of EU law: Violations of directly applicable EU legislation, e.g. in relation to money laundering, product safety, environmental protection, data protection, etc.
- Violations of laws and regulations: Violations of all federal and state legislation adopted to implement European regulations.
- Other serious irregularities: breaches of internal rules that jeopardize the public interest, e.g. human rights violations, fraud, corruption, data protection violations, environmental crimes.
- Statements made by civil servants: Statements that constitute a breach of the duty of loyalty to the constitution.
- Violations in the area of money laundering, financing of terrorism, insider trading.
Right to choose between internal and external reporting: The HinSchG grants whistleblowers the right to choose between internal and external reporting. Whistleblowers can either contact an internal reporting office (as described in Section 12 HinSchG) or an external reporting office (as described in Sections 19 to 24 HinSchG). As a rule, whistleblowers should prefer to report internally if they are certain that effective action can be taken internally against the violation and do not have to fear reprisals. If no internal remedy has been found, external reporting remains an option.
What is not covered by the HinSchG?
The Whistleblower Protection Act protects reports of certain legal violations that are defined in the law. Not every discrepancy in everyday working life is automatically a "whistleblower case" within the meaning of the Whistleblower Protection Act. Although many issues are important for management, HR or corporate culture, they do not necessarily fall within the scope of legal protection.
This is an important distinction, because otherwise false expectations can quickly arise: Anyone who reports something does not automatically have HinSchG protection just because it was "unfair" or "unpleasant". Conversely, the following also applies: an issue can still be taken seriously and clarified internally - even if it does not fall within the legal scope of application.
Typical examples that are not automatically relevant to the HinSchG
Conflicts within the team, poor communication, a harsh tone or disagreements about the distribution of tasks are frequent reasons for complaints. They can put a lot of strain on the working atmosphere - but are not automatically HinSchG reports as long as there is no specific legal violation behind them.
Unprofessional behavior or poor management is annoying and can have internal consequences. For the Whistleblower Protection Act, however, the decisive factor is whether a relevant violation is associated with it (e.g. discrimination according to legal standards, occupational health and safety violations, etc.). Without this connection, it usually remains a topic for internal conflict resolution or HR.
"You hear there's something going on" or "I think someone is doing something illegal" is often not enough as a basis. Whistleblowers do not have to prove everything - but there should be comprehensible evidence. Pure speculation is problematic because it can quickly turn into false accusations.
What happens in private life and has no connection to work or the organization does not fall under the HinSchG. The decisive factor is the professional context: Was the information obtained in the course of work and does it concern the company or the work context?
Important for practice: This distinction does not mean that such issues are "irrelevant". On the contrary: many of these cases belong in other processes - e.g. management meetings, HR, conflict management, equal opportunities/complaints offices or works councils. However, they are not automatically covered by the HinSchG.
A good whistleblowing process makes precisely this transparent: it explains clearly which issues should be reported via the whistleblowing system - and where it is best to go with other concerns. This reduces frustration, protects everyone involved and ensures that genuine compliance cases are processed quickly and cleanly.
Implementation & obligations for companies
The HinSchG sets out clear requirements for employers: they must set up an internal reporting channel through which employees can report violations securely and confidentially, easily accessible and in compliance with data protection regulations. Incoming reports must be investigated quickly, neutrally and thoroughly by trained staff, with proper documentation and regular feedback to the whistleblower.
In addition, the law prohibits any reprisals against whistleblowers. Employers are obliged to take active steps against this and to inform the entire workforce about their rights and the existing protection mechanisms.
Companies that consistently implement these obligations benefit twice over: trust grows in everyday working life and compliance is firmly anchored in the company.
How to implement step by step
The internal reporting offices ensure that there are appropriate reporting channels (§ 16), that incoming reports are processed according to the intended procedure (§ 17) and that suitable follow-up measures are subsequently taken (§ 18). In addition, they provide employees with clear and easily accessible information about which external reporting offices exist and which procedures at EU institutions may be relevant.
Those responsible for an internal Whistleblower Protection Act reporting office must act independently in their work and may perform other tasks at the same time, provided this does not lead to conflicts of interest. Employers are obliged to ensure that these persons have the necessary expertise. This regulation also applies accordingly to organizational units of the federal or state governments.
The procedure is explained in detail in Section 17 of the Whistleblower Protection Act. The internal reporting office confirms receipt of a report within seven days and checks whether the reported violation is relevant in accordance with Section 2. Throughout the entire procedure, it remains in contact with the whistleblower, checks the report for validity and requests further information if necessary.
After the check, the internal reporting office must provide feedback within three months. Or at the latest three months and seven days after receipt if receipt has not been confirmed. This feedback must explain what measures are planned or have already been implemented and why. Ongoing internal investigations must be taken into account and the rights of the persons concerned must be protected.
As follow-up measures pursuant to § 18, the internal reporting office may in particular:
- conduct internal investigations at the employer or at the respective organizational unit and contact affected persons and work units,
- refer the whistleblower to other competent bodies,
- close the proceedings for lack of evidence or for other reasons, or
- hand over the procedure to the responsible work unit or a competent authority for further investigation.
Training and clear information on the reporting channels are mandatory under the HinSchG. They are also the key to ensuring that the system is actually used on a day-to-day basis. Employees need to know what rights and obligations they have and which channels they can use to submit reports safely.
Good training also helps to recognize warning signals early on and to classify incidents correctly. This allows information to be reported in a structured and comprehensible manner - without uncertainty or fear of making mistakes. This not only supports compliance with legal requirements, but also strengthens trust in internal processes and shows that the company takes transparency and integrity seriously.
The central principle is the confidentiality requirement, which is enshrined in Section 8. This requirement ensures that the identity of whistleblowers is protected at all times, creating a safe environment for reporting possible violations.
Reporting offices are obliged to treat the identity of the following persons confidentially:
- the whistleblower if the reported information concerns relevant violations or the whistleblower has reason to believe that this is the case;
- the persons named in the notification; and
- of all other persons named.
The identity of the whistleblower may only be disclosed to those who receive the report or implement follow-up measures and, if applicable, to their direct supporters. This confidentiality always applies, even if it later transpires that another body was responsible for the report.
External reporting offices
The HinSchG sets out clear requirements for external reporting offices in order to ensure the protection of whistleblowers and the proper processing of reports:
- Independence & neutrality: External reporting offices must work independently and free of conflicts of interest.
- Confidentiality: The identity of whistleblowers and other parties involved must be strictly protected - unauthorized disclosure of information is not permitted.
- Accessibility: Several contact options and comprehensible information on the reporting procedure must be provided.
- Expert review & feedback: Reports must be carefully checked, appropriate follow-up measures must be initiated and whistleblowers must be informed within the specified deadlines.
- Documentation: Every report and measure must be recorded in a comprehensible manner to ensure transparency and the effectiveness of the system.
- Protection against reprisals: Clear protective measures must ensure that whistleblowers do not have to fear any disadvantages.
Responsible external bodies and their tasks
An independent external federal reporting office has been set up at the Federal Office of Justice (Section 19 HinSchG), which is organizationally separate from the rest of the area of responsibility. It is responsible for all cases unless other external reporting offices are relevant in accordance with Sections 20-23 HinSchG. For example, the Federal Cartel Office (Section 22 HinSchG) is responsible for reporting violations of EU and German competition law as well as the Digital Markets Act (DMA). In addition, the federal states can set up their own reporting offices for state and municipal administrations.
External reporting offices first check whether the reported facts fall within the scope of the HinSchG (Section 2 and Section 5). Under certain conditions, parties involved may be granted access to the file, whereby confidentiality and the rights of third parties must be respected. Whistleblowers receive feedback after three months at the latest - in complex cases, an extension of up to six months is possible.
Every external reporting office is obliged to publish an annual public report (Section 26 HinSchG), which must not allow any conclusions to be drawn about whistleblowers or the companies concerned.
Requirements for the protection of confidentiality
The HinSchG Act requires external reporting offices to take a particularly strict approach to confidentiality. They must ensure that both the identity of the reporting person and the information transmitted are protected from unauthorized access.
The most important requirements for the reporting office include
- the confidentiality obligation to protect the identity of the whistleblower;
- the use of secure communication channels to maintain this confidentiality;
- as well as comprehensive data security through encryption in accordance with current data protection standards.
Access rights should be strictly regulated so that only authorized persons can access the information in order to prevent unauthorized access. It is also essential to offer anonymity options to further ensure the protection of whistleblowers.
Cooperation with internal reporting offices
External reporting bodies must communicate their reporting procedures clearly and comprehensibly - internal reporting bodies can use them to fulfill their duty to inform in accordance with Section 13 (2) HinSchG. They are obliged to provide employees with precise information on external reporting channels, including relevant reporting systems of EU institutions and bodies. This ensures that all employees know how and where they can safely report violations without fear of reprisals.
Disclosure to the public or media - when is it protected?
In addition to internal and external reporting, the Whistleblower Protection Act also recognizes a third option: disclosure, i.e. the passing on of information to the public, for example to the media or via other public channels.
However, it is important to note that this form is not automatically protected. The law sets out clear requirements for this.
Disclosure may be protected in particular if:
- an internal or external notification has previously been made and
- no appropriate measures have been taken within the specified time limits, or
- there are immediate or obvious dangers to the public interest, for example if damage cannot be averted in time, or
- the whistleblower has reasonable grounds to believe that an external report could result in reprisals or evidence being covered up.
The hurdles for protected disclosure are deliberately higher than for internal or external reports. The legislator wants to ensure that the intended reporting channels are used first - unless there are good reasons to go public directly.
For companies, this means that a functioning internal whistleblowing system reduces the risk of cases escalating to the outside world. For whistleblowers: Anyone considering a public disclosure should carefully check whether the legal requirements are met for the protection under the HinSchG to apply.
To ensure that the whistleblower system does not remain abstract, it helps to take a look at the typical process.
This is how a notification under the HinSchG works
A whistleblower can contact the company's internal reporting office or an external reporting office. The report can be made in text form or verbally - depending on the design of the system. It is important that it is treated confidentially.
The internal reporting office confirms receipt of the report after seven days at the latest. This lets the person making the report know that the report has been received and is being processed.
It then checks whether the reported facts fall within the scope of the HinSchG. The Reporting Office assesses the validity of the report, requests further information if necessary and - as far as possible - remains in contact with the person making the report. Confidentiality and the rights of all parties involved must be respected.
Depending on the results of the audit, various measures can be initiated. These include, for example, internal investigations, discussions with the departments concerned, organizational adjustments or - if necessary - forwarding the matter to the relevant authorities. In some cases, the procedure is also discontinued, for example if the suspicion is not confirmed.
The whistleblower will receive feedback no later than three months after confirmation of receipt. This will state - while maintaining confidentiality - what measures have been taken or are still planned. In complex cases, an extension of the deadline is possible.
All reports must be carefully documented. The documentation is generally deleted three years after completion of the procedure, unless longer storage is necessary and proportionate.
Sanctions & violations
The law protects people who point out irregularities in a company. Anyone who ignores the requirements must expect tangible consequences, such as high fines. There is also the risk of a case becoming public and damaging the company in the long term.
Companies should therefore set up clear reporting channels and clean processes for handling reports and design their internal rules in such a way that they meet the legal requirements.
Sanctions for companies and employers
The Whistleblower Protection Act provides for various sanctions for companies and employers who violate the regulations. In the event of a breach of the Whistleblower Protection Act, companies and employers may face the following consequences:
- Fines: Companies must expect to face heavy fines if they do not set up and operate an internal whistleblower system or if they discriminate against whistleblowers and take reprisals.
- Reputational damage: A violation of the HinSchG can significantly damage a company's reputation. Negative reporting and a loss of trust on the part of stakeholders can be the result.
- Civil law consequences: If employers discriminate against whistleblowers or impose disciplinary sanctions, this can also have consequences under civil law. In such cases, claims for damages may arise.
- Criminal consequences: In particularly serious cases, there may even be criminal investigations. Especially if the violation of the HinSchG is connected to other criminal offenses.
Companies should therefore ensure that compliance and the responsible departments are aware of the requirements of the law and take the right steps at an early stage to prevent violations from occurring in the first place.
Fines and legal consequences
Liability exists if the organization of a company is flawed and violations of the law or damage cannot be prevented. This applies in particular to company management who are responsible for setting up internal reporting offices and preventing reprisals against whistleblowers. Liability factors according to HinSchG:
- Missing or inadequate internal reporting points: Companies with more than 50 employees must set up an internal reporting office to receive reports of legal violations. The reporting office must be accessible to employees and enable confidential reporting. Reports received anonymously should be processed. A mandatory anonymous reporting channel is not required by law in every case.
- Breach of the duty of confidentiality: The HinSchG protects the identity of the whistleblower and the persons who are the subject of the report. Violation of this confidentiality obligation can lead to fines.
- Reprisals against whistleblowers: The HinSchG prohibits any reprisals against persons who report grievances. This can lead to civil law claims by the whistleblower against the company if the perpetrator of the reprisal is identified.
Conclusion
The Whistleblower Protection Act (HinSchG) creates a secure and confidential environment in which whistleblowers can report misconduct without fear of reprisals. Since July 2, 2023, it obliges companies with 250 employees or more, and smaller companies since December 17, 2023, to set up data protection-compliant reporting channels and to process all reports immediately. Violations of these obligations can be punished with fines of up to 50,000 euros.
Beyond pure compliance, the HinSchG offers companies the opportunity to sustainably strengthen integrity and trust, both internally and towards stakeholders.
Frequently asked questions
The law applies to companies with 50 or more employees and public bodies. Companies with 250 or more employees were obliged to implement the law from July 2, 2023, and smaller companies with 50 or more employees from December 17, 2023 at the latest.
Violations that are punishable by law or can be punished with a fine can be reported - including corruption, fraud, data protection violations, money laundering or violations of environmental regulations. Anti-competitive behavior and violations in the digital sector can also be covered.
There is no general obligation to provide an anonymous reporting channel. However, reports received anonymously must be processed.
Employers must set up an internal reporting office, process reports confidentially and swiftly and protect whistleblowers from reprisals. In addition, proper documentation and regular feedback to the whistleblower are mandatory.
Violations of the HinSchG can be punished as an administrative offense. Depending on the severity of the violation, fines of up to €10,000, €20,000 or up to €50,000 may be imposed, for example in the event of reprisals against whistleblowers or the obstruction of reports.
Whistleblowers must receive feedback after three months at the latest. In more complex cases, this period can be extended to up to six months, whereby the reasons for this must be communicated.
Companies can appoint an internal person or department as a reporting office or outsource this task to an external service provider. It is crucial that the person responsible acts independently, is obliged to maintain confidentiality and has the necessary expertise.
Yes, the protection applies not only to employees, but to all persons who obtain information about breaches in a professional context. This includes self-employed persons, contractors, suppliers or applicants - the decisive factor is the professional context, not the hierarchy or contractual status.
Whistleblowers who submit a report in good faith and on the basis of sufficient evidence are protected even if the suspicion is not subsequently confirmed. However, anyone who knowingly reports false information may be liable for damages and does not enjoy protection under the HinSchG.
Yes, companies with 50 to 249 employees may set up and operate a joint internal reporting office. For companies with 250 or more employees, this is generally not provided for - they must have their own reporting office.
Whistleblowers generally have the choice of contacting an internal or external reporting office. External reporting offices - such as the Federal Office of Justice or the Federal Cartel Office - are independent, subject to strict confidentiality requirements and publish annual reports on their activities.
Alexander Hilmar
LinkedInESG-Compliance Experte · lawcode GmbH
Alexander Hilmar berät Unternehmen bei der Umsetzung von ESG-Compliance, nachhaltiger Berichterstattung und begleitet die Implementierung digitaler Lösungen für rechtssichere Lieferketten. Seine Fachbeiträge auf dem lawcode Blog verbinden regulatorische Tiefe mit praxisnahen Handlungsempfehlungen.
