Important facts
- What is the difference between an internal reporting office and outsourcing?
- Both are permitted under Section 14 (1) HinSchG. The internal solution is operated by the company itself; in the case of outsourcing, a third party takes over the operation.
- Does outsourcing release the company from its obligations?
- No, the responsibility for suitable follow-up measures always remains with the company in accordance with Section 14 (1) sentence 2 HinSchG.
- When does an internal solution make more sense than outsourcing?
- Whenever the company wants to protect sensitive information, react quickly to reports and use risk findings directly for compliance management.
- In which cases is outsourcing still worthwhile?
- In the case of corporate structures with many foreign locations, acute staff shortages or the desire for an ombudsperson with legal confidentiality.
- What makes an internal reporting office economically viable?
- A professional digital solution that automates confidentiality (§ 8), deadlines (§ 17) and documentation (§ 11) without the need to set up additional personnel structures.
Executive Summary
The Whistleblower Protection Act (HinSchG) obliges companies with 50 or more employees to set up and operate an internal reporting office (Section 12 HinSchG). According to Section 14 (1) HinSchG, companies have a choice: they can operate the reporting office themselves or outsource it to a third party. Both options are legally equivalent. However, the responsibility for suitable follow-up measures remains with the company in either case.
An internal solution offers decisive advantages: sensitive information and business secrets remain in-house, follow-up measures can be implemented more quickly via short channels and reports provide directly usable risk data for in-house compliance management. Outsourcing can make sense in special cases, for example for groups with many foreign locations or acute staff shortages. However, it results in long-term costs, longer communication channels and an outflow of information from the company.
For most companies, a professionally set up, digital internal reporting office is therefore the better choice from an economic and compliance strategy perspective. It meets all legal requirements in terms of confidentiality, deadlines and documentation, without the need to set up additional personnel structures and without dependence on an external service provider.
The HinSchG at a glance: Who is obliged?
The German Whistleblower Protection Act implements the EU Whistleblower Directive. It came into force on July 2, 2023.
The obligation to report internally applies to:
- Companies with 250 or more employees: since July 2, 2023
- Companies with 50 to 249 employees: since December 17, 2023 (Section 42 HinSchG)
- Public authorities and towns and municipalities with over 10,000 inhabitants
- certain regulated sectors (e.g. financial service providers) regardless of the number of employees (Section 12 (3) HinSchG)
Criminal offenses, violations subject to fines and violations of EU law in areas such as money laundering, product safety, environmental protection, data protection or corruption can be reported.
Three organizational forms of an internal reporting office
According to Section 14 (1) HinSchG, companies have three options:
- a person employed by the employer,
- a work unit consisting of several employees, or
- a third party who is entrusted with the tasks (outsourcing).
Important:
Even when outsourcing, the reporting office remains legally an internal one. The commissioning of a third party does not release the company from the obligation to take appropriate measures to remedy a breach itself.
"External" is not the same as "external" - important distinction
In practice, two concepts are often confused:
- External reporting office according to §§ 19-24 HinSchG (authority): The central external reporting office of the federal government is located at the Federal Office of Justice (BfJ) (Section 19). BaFin is responsible for the financial sector (Section 21) and the Federal Cartel Office for competition law infringements (Section 22). Whistleblowers have the right to choose between internal and external reporting.
- Outsourcing of the internal reporting office to a third party (Section 14 para. 1 HinSchG): Here, the reporting office is handed over to a service provider, such as a law firm, compliance provider or ombudsperson.
When the term "external solution" is used below, variant 2 is meant: outsourcing the internal reporting office.
Requirements that apply in both models
Whether internal or outsourced, the reporting office must fulfill the following obligations:
- Reporting channels in text form and verbally (Section 16 (3))
- Confirmation of receipt after 7 days at the latest (§ 17 para. 1 no. 1)
- Feedback after 3 months at the latest, extendable up to 6 months (§ 17 para. 2)
- Confidentiality of identity (§ 8)
- Independence and expertise without conflicts of interest (§ 15)
- Documentation, deletion 3 years after conclusion of proceedings (§ 11 para. 5)
- Anonymous reports should be processed; there is no obligation to set up anonymous channels (Section 16 (1))
Internal reporting office: advantages and disadvantages
Advantages of the internal solution
- Full control over sensitive information: Information on corruption, data protection incidents or business secrets remains in-house. This is particularly relevant as reports often concern business secrets (Section 6 HinSchG).
- In-depth understanding of internal processes: An internal reporting office knows structures, processes and risk areas, for example in purchasing, sales or data protection. This often enables it to assess the validity of a report and suitable follow-up measures more quickly.
- Fast follow-up measures and shorter decision-making processes: As the responsibility for remedying a violation remains with the company anyway (Section 14 (1) sentence 2 HinSchG), internal processing is closer to the necessary measures.
- Cultural effect and building trust: A well-managed internal whistleblower system sends the signal that misconduct is taken seriously, investigated and treated fairly. This strengthens psychological safety and the compliance culture.
- Valuable data for risk management: reports show where controls are not effective or where there is a need for training. This information can be used directly internally, without having to go through a service provider.
- Cost-effectiveness with a digital solution: Modern digital reporting systems meet the requirements for confidentiality (Section 8) and access restriction (Section 16 (2)) and relieve the burden on internal employees through deadline control, documentation and secure channels. In this way, legal requirements can be met without increasing staff and without outsourcing.
Disadvantages of the internal solution
- Specialist knowledge must be available: Section 15 (2) HinSchG requires the necessary specialist knowledge. Without training and processes, the person responsible is at risk of being overwhelmed.
- Avoid conflicts of interest: The separation between HR, management and the reporting office is not always easy, especially in smaller companies. However, Section 15 (1) HinSchG prohibits conflicts of interest.
- Trust must be actively built up: Employees must be able to trust that their identity will be protected. A poorly communicated internal reporting office is rarely used.
External solution (outsourcing): Advantages and disadvantages
Advantages of outsourcing
- Structural distance from the workforce: A third party is outside the internal hierarchies. This can lower inhibitions.
- Specialized expertise right from the start: Service providers bring trained staff with them. A law firm appointed as an ombudsperson can also bring in professional confidentiality obligations.
- Relief of internal resources: SMEs without a compliance function save on staff expansion.
Disadvantages of outsourcing
- Responsibility nevertheless remains within the company: Under Section 14 (1) sentence 2 HinSchG, commissioning a third party does not release the company from the obligation to take suitable measures itself. Outsourcing therefore only saves part of the work.
- Double the interface, double the need for coordination: every report has to be passed from the service provider to the company, which then has to take action. This lengthens communication channels.
- Outflow of information from the company: Sensitive content, including business secrets (§ 6 HinSchG), leaves the company.
- Knowledge gap about internal structures: External providers are initially unfamiliar with corporate culture and processes.
- Ongoing costs and contract commitment: Per-employee or flat-rate fees can be incurred permanently, even in times without notifications.
- No direct risk data for the company's own compliance management: findings about risk clusters only reach the company in filtered form.

Comparison: internal vs. external reporting office
Both models are legally equivalent, as Section 14 (1) HinSchG permits both an internal solution and outsourcing to a third party. The responsibility for follow-up measures also remains with the company in both cases, as commissioning a third party does not release the company from this obligation (Section 14 (1) sentence 2 HinSchG).
The differences lie elsewhere. An internal reporting office knows the structures, risk areas and culture of the company. This is knowledge that an external service provider has to build up first. Sensitive content such as business secrets (§ 6 HinSchG) remain in-house, whereas with outsourcing they cross company boundaries and contractual protection must take effect.
The picture is reversed when it comes to specialist knowledge: the service provider of an external reporting office brings this with them, while it must be actively built up internally in accordance with Section 15 (2) HinSchG. On the other hand, the internal response paths are shorter: the reporting office and the person responsible are located in the same building, which facilitates rapid follow-up measures. Outsourcing creates an additional interface through which every report has to pass.
An often overlooked point: findings from reports are valuable risk information for your own compliance management. Internally, they are immediately available; when outsourced, they reach the company only in filtered form.
In economic terms, an internal solution mainly incurs one-off set-up costs plus software costs. Outsourcing, on the other hand, incurs permanent fees, even in times without notifications.
When is the internal solution the right choice?
An internal reporting office, ideally with professional digital software, is particularly suitable if:
- the company wants to protect sensitive industry information or trade secrets,
- compliance, HR or legal structures are already in place that can be expanded with training,
- fast follow-up measures and short distances are important,
- reports are to be used as risk information for the company's own compliance management,
- a digital system is used that automates deadlines, documentation and confidentiality.
When is outsourcing to third parties worthwhile?
Outsourcing can make sense in special cases, for example:
- Group structures with many foreign locations and linguistic diversity,
- acute staff shortage without the possibility of appointing a suitable person,
- the need to appoint an ombudsperson with attorney-client privilege.
In all other cases, a professionally implemented internal solution is usually the better choice from an economic and compliance strategy perspective.
Risks of non-compliance: What fines are there really?
Anyone who ignores the requirements of the Whistleblower Protection Act (HinSchG) runs considerable financial and legal risks. The law classifies breaches of duty as administrative offenses and provides for a sliding scale of fines depending on the severity of the breach.
The costly omission: no internal reporting office set up
Companies that do not set up or operate an internal reporting office despite being legally obliged to do so (Section 12 para. 1 sentence 1 HinSchG) must expect a fine of up to EUR 20,000 (Section 40 para. 2 no. 2 HinSchG).
This obligation is already fully in force for all companies concerned:
- Since July 2, 2023 for companies with 250 or more employees.
- Since December 17, 2023 also for smaller companies with 50 to 249 employees.

Further severe sanctions at a glance
In addition to the pure set-up obligation, there are even more drastic penalties in the event of errors during operation or disregard of protective rights.
If reports are obstructed in the company or the necessary communication is blocked, this constitutes a serious violation in accordance with Section 7 (2) HinSchG, which can be punished with a fine of up to EUR 50,000.
The law is just as strict if the whistleblower's protection is disregarded: If reprisals, such as dismissals, warnings, demotions or targeted bullying, are carried out or even threatened against whistleblowers, the person responsible also faces a fine of up to EUR 50,000 in accordance with Section 36 (1) sentence 1 HinSchG.
The same penalty of up to EUR 50,000 is due if the confidentiality requirement pursuant to Section 8 (1) sentence 1 HinSchG is violated intentionally or recklessly by disclosing the identity of the whistleblower to third parties without authorization.
Even if this identity data is not disclosed intentionally, but merely due to carelessness or inadequate security precautions in dealing with the parties involved, a negligent breach of confidentiality pursuant to Section 40 (4) HinSchG exists. This negligence can still be punished with a fine of up to 10,000 euros.
Civil liability and loss of reputation
In addition to the official fines, companies should not underestimate the consequences under civil law. If a whistleblower suffers damage (e.g. loss of career or psychological stress) as a result of identity disclosure or reprisals, the employer is obliged to pay compensation.
In addition, there is often irreparable reputational damage: If it becomes known that a company is blocking whistleblowers or leaving their data unprotected, this leads to a massive loss of trust among employees, customers and the market.
Conclusion
The choice between an internal vs. external reporting office is more than an organizational decision. An internal solution maintains control, protects sensitive information, provides valuable risk data and enables rapid follow-up action.
Outsourcing can make sense in special cases, for example in the case of very small or internationally dispersed structures. However, the responsibility remains with the company anyway in accordance with Section 14 para. 1 sentence 2 HinSchG. A professionally set up digital internal reporting office is therefore the more economical and more compliant solution for most companies.
Do you want an internal reporting office that is compliant with the HinSchG, automatically monitors deadlines and reliably ensures confidentiality without the expense of an external service provider? With Hintbox, you can operate your internal reporting office yourself, securely, digitally and in compliance with the law.
Frequently asked questions
Yes, Section 12 HinSchG obliges companies with 50 or more employees to set up an internal reporting office. The operation can be carried out by the company itself or via a third party; the obligation remains in place.
Yes, if independence (§ 15 para. 1) and expertise (§ 15 para. 2) are ensured and there are no conflicts of interest. A clear separation between the reporting office and disciplinary responsibility is essential.
The internal reporting office is set up by the company (§ 12). The external reporting office is a government agency, the Federal Office of Justice, BaFin or the Federal Cartel Office (§§ 19-22). Whistleblowers have a right to choose.
No, there is no legal obligation to provide an anonymous reporting channel (Section 16 (1) HinSchG). However, reports received anonymously should be processed.
Confirmation of receipt within 7 days (§ 17 para. 1 no. 1); feedback after 3 months at the latest, extendable to up to 6 months (§ 17 para. 2).
The documentation will be deleted 3 years after completion of the procedure; longer storage is permitted only if necessary and proportionate (§ 11 para. 5 HinSchG).

Karim Boukaouche
ESG compliance expert - lawcode GmbH
Karim Boukaouche advises companies on the implementation of the EU Deforestation Regulation (EUDR) and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.





