Important facts
- Who is required by law to set up an internal reporting office?
- As a rule, all employers with at least 50 employees; companies in certain regulated sectors (e.g. financial services) are obliged regardless of their headcount.
- What deadlines must be met for an incoming notification?
- Receipt of a report must be confirmed to the whistleblower within seven days. Feedback on planned or implemented follow-up measures must be given within three months.
- Can the internal reporting office be outsourced to an external service provider?
- Yes, the tasks can be delegated to an external third party such as a law firm; however, the ultimate responsibility for remedying the breach always remains with the company.
- How high can the fines be for violations of the law?
- The absence of a reporting office can result in fines of up to 20,000 euros; a breach of confidentiality or reprisals against whistleblowers can be punished with up to 50,000 euros.
- Do companies have to offer anonymous reporting channels?
- There is no legal obligation to provide anonymous channels, but reports that arrive anonymously should nevertheless be processed by the reporting office.
Executive Summary
The Whistleblower Protection Act (HinSchG) obliges companies with 50 or more employees to set up an internal reporting office. However, this obligation offers a great opportunity: it acts as an important early warning system that can be used to clarify grievances internally before whistleblowers involve external government agencies or the public and thus damage the company's reputation.
Independent and competent persons must be appointed and secure reporting channels established to ensure legally compliant implementation. A clear workflow ensures that the statutory deadlines are met: receipt of a report must be confirmed within seven days, and substantive feedback on planned follow-up measures must be provided within three months.
Companies can staff the reporting office internally or outsource it to an external third party; an external lawyer's professional duty of confidentiality can further strengthen the trust of whistleblowers. In either case, the ultimate responsibility remains with the management. This is an important detail, because violations of the law or of the confidentiality requirement can be punished with fines of up to 50,000 euros.
Obligations & possibilities of the Reporting Office
Who has to set up an internal reporting office?
The obligation to set up an internal reporting office arises directly from the law. It applies to all employers with at least 50 employees as a rule.
For certain industries, the obligation exists regardless of the number of employees. These include
- Investment service providers and exchange operating companies
- Credit institutions and securities institutions
- Capital management companies
- Insurance companies
- Payment service providers and crypto market institutions
Which organizational form is the right one?
The law allows three different ways to staff an internal reporting office organizationally. You can choose between the following options:
Option 1: The internal individual
In this case, a specifically named, employed person in the company is entrusted with the tasks, such as the compliance officer or an HR manager. The major advantage of this option is the short communication channels and the direct, in-depth knowledge of internal company structures.
Option 2: The internal work unit
This option involves setting up a defined, interdisciplinary team of several employees. Such a structure enables consistent compliance with the dual control principle on a day-to-day basis and pools valuable expertise from the areas of HR, legal and compliance at a central location.
Option 3: The external third party as ombudsperson
In this case, the tasks of the internal reporting office are outsourced entirely to a specialized law firm, an external service provider or a neutral ombudsperson. A decisive advantage when a lawyer is engaged is the additional legal protection: an external lawyer is bound by the lawyer's professional duty of confidentiality, which strengthens the trust of whistleblowers and lowers the inhibition threshold for reporting.
⚠️ Important:
Even if an external third party is commissioned in full, the ultimate responsibility for rectifying the breach and for follow-up measures and feedback always remains with the company concerned.
Special case for SMEs: the joint reporting office
Private employers with 50 to 249 employees may set up and operate a joint reporting office with other companies. However, the obligation to rectify deficiencies and report back to the whistleblower remains with each individual company.
Internal vs. external reporting office: Which should companies prefer?
The law grants whistleblowers a free right of choice. Employees can decide for themselves whether to contact the company's internal reporting office or an external state reporting office (such as the Federal Office of Justice).
However, companies should create targeted incentives so that employees choose the internal route first. If grievances are reported internally, they can be resolved quickly, directly and quietly before the incidents escalate to the authorities or the public and cause significant reputational damage. This is achieved by ensuring that the internal reporting office is absolutely trustworthy, easily accessible and free from reprisals.
Enable anonymous reporting
The HinSchG does not impose a general obligation to provide a reporting channel for anonymous reports. However, the internal reporting office should process reports that arrive anonymously. Offering the possibility of anonymous reporting strengthens the trust of whistleblowers and increases the willingness to report.
An obligation to provide anonymous reporting channels from 2025 was contained in the original draft of the law but was dropped in the final version, so there is still no statutory requirement. International standards such as ISO 37301 (compliance management) and ISO 37001 (anti-bribery management) de facto require anonymous channels already today, especially for companies seeking certification or wishing to further develop their compliance structures. A 2025 ruling by the Nuremberg-Fürth Regional Court also underlines the importance of anonymous information by confirming that concrete and comprehensible anonymous reports can justify investigations by the public prosecutor's office.

Step-by-step: Set up an internal reporting office
Step 1: Appoint and train responsible persons
The persons responsible for the internal reporting office must act independently and have the necessary expertise. They may also perform other tasks within the company, but only if this does not give rise to any conflicts of interest.
Practical tip:
Anyone who makes far-reaching personnel decisions (e.g. the management) or could themselves be the subject of potential reports should not be appointed as the person responsible for the reporting office. The necessary expertise must be ensured through regular, specific training.
Step 2: Set up technical and organizational reporting channels
The internal reporting channels must allow messages to be sent in different ways:
- Written reports: by e-mail, post or a digital platform.
- Oral reports: by telephone or another form of voice transmission.
- In-person meeting: at the whistleblower's request, a personal meeting must be offered within a reasonable period. With the whistleblower's consent, this may also take place virtually via video and audio transmission.
Digital whistleblowing systems
Many companies rely on a digital whistleblowing system. It provides a password-protected, encrypted communication channel through which communication with the whistleblower can be maintained without compromising their identity.
Step 3: Ensure access rights and confidentiality
The reporting channels must be designed in such a way that only the responsible persons have access to the incoming reports. The strict confidentiality requirement under Section 8 HinSchG protects three groups of people:
- The person making the report (the whistleblower).
- Persons who are the subject of the notification.
- Other persons named in the notification.
Step 4: Establish data protection and IT security in accordance with the GDPR
As highly sensitive personal data is processed here, data protection is the top priority. The system used must be protected against unauthorized access from outside and inside by state-of-the-art encryption. Internal access rights must be extremely restrictive: only expressly authorized reporting office staff may view the case files.

Step 5: Determine the procedure and legal deadlines
A structured, predefined workflow is crucial for legally compliant operation. The procedure under Section 17 HinSchG stipulates fixed deadlines that must be anchored in the process:
- Receipt of the report must be confirmed to the whistleblower within seven days.
- The reporting office must promptly check whether the report falls within the material scope of the HinSchG, followed by an assessment of its plausibility and substance.
- Feedback to the whistleblower on planned or already implemented follow-up measures must be given within three months.
- After the procedure is concluded, the documentation must be deleted three years after its conclusion, unless longer retention is necessary and proportionate to meet other legal requirements.
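As an added illustration of how these deadlines can be tracked programmatically (this is example code written for this article, not code from Hintbox, lawcode or any other product), the following Python module computes the statutory due dates for a set of cases and lists what is outstanding. It assumes, based on the wording of Section 17(2) HinSchG, that the three-month feedback period runs from the confirmation of receipt (or, if receipt was never confirmed, three months and seven days from receipt), that "three months" and "three years" are calendar periods, and that a `legal_hold` flag records the Section 11(5) exception for longer retention. Case identifiers and dates are constructed sample data.

```python
"""Deadline tracker for an internal reporting office (illustrative example, not a product).

Assumed deadline rules (check against the current text of the HinSchG):
  - Section 17(1): confirm receipt to the whistleblower within seven days.
  - Section 17(2): give feedback within three months of the confirmation of receipt;
    if receipt was never confirmed, three months and seven days after receipt.
  - Section 11(5): delete the documentation three years after the procedure is closed,
    unless longer retention is necessary and proportionate for other legal requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

ACK_DAYS = 7
FEEDBACK_MONTHS = 3
RETENTION_MONTHS = 36


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month (31 Jan + 1 -> 29 Feb 2024)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class Case:
    case_id: str                      # pseudonymous reference, never the whistleblower's name
    received: date
    acknowledged: Optional[date] = None
    feedback_given: Optional[date] = None
    closed: Optional[date] = None
    legal_hold: bool = False          # Section 11(5) exception: longer retention required

    def ack_due(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    def feedback_due(self) -> date:
        # Period starts at the confirmation of receipt; without confirmation, at receipt + 7 days.
        start = self.acknowledged if self.acknowledged else self.ack_due()
        return add_months(start, FEEDBACK_MONTHS)

    def deletion_due(self) -> Optional[date]:
        if self.closed is None or self.legal_hold:
            return None
        return add_months(self.closed, RETENTION_MONTHS)


@dataclass
class Obligation:
    case_id: str
    action: str
    due: date
    overdue: bool


def open_obligations(cases: List[Case], today: date) -> List[Obligation]:
    """Every outstanding statutory step across all cases, earliest deadline first."""
    out: List[Obligation] = []
    for c in cases:
        if c.acknowledged is None:
            out.append(Obligation(c.case_id, "confirm receipt", c.ack_due(), today > c.ack_due()))
        if c.feedback_given is None:
            due = c.feedback_due()
            out.append(Obligation(c.case_id, "give feedback on follow-up measures", due, today > due))
        due = c.deletion_due()
        if due is not None:
            out.append(Obligation(c.case_id, "delete documentation", due, today > due))
    return sorted(out, key=lambda o: (o.due, o.case_id))


# Constructed sample cases (not real reports).
SAMPLE_CASES = [
    Case("A-001", received=date(2024, 1, 31)),                                  # nothing done yet
    Case("B-002", received=date(2024, 1, 2), acknowledged=date(2024, 1, 5)),    # feedback outstanding
    Case("C-003", received=date(2023, 10, 1), acknowledged=date(2023, 10, 3),
         feedback_given=date(2023, 12, 1), closed=date(2024, 2, 29)),          # in retention period
    Case("D-004", received=date(2023, 6, 1), acknowledged=date(2023, 6, 2),
         feedback_given=date(2023, 8, 1), closed=date(2023, 9, 1), legal_hold=True),
]


def sample_report(today_iso: str = "2024-05-10") -> List[Obligation]:
    """Run the tracker over the constructed sample cases for a given reference date."""
    return open_obligations(SAMPLE_CASES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for o in sample_report():
        print(f"{o.case_id}: {o.action} by {o.due}{' (OVERDUE)' if o.overdue else ''}")
```

The month arithmetic is done on calendar months rather than a fixed 90 or 1095 days so that a period starting on the 31st does not silently land on a non-existent date; a real system would additionally raise reminders some days before each due date and would store only a pseudonymous case reference alongside these dates.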
Definition of the reporting area (factual delimitation):
In order to avoid overloading the reporting office with everyday conflicts or general dissatisfaction, it must be clearly defined which violations fall within the scope of the HinSchG. The law primarily protects reports of criminal offenses (e.g. fraud, theft, corruption) and certain serious administrative offenses. Pure HR complaints that do not violate the law should be handled by established internal complaints offices.
Step 6: Define follow-up measures and documentation
The internal reporting office examines the facts of the case and can take the following measures in accordance with Section 18 HinSchG:
- Initiate internal investigations (e.g. interview witnesses, inspect files).
- Refer the whistleblower to other, more suitable offices.
- Close the case for lack of evidence or other reasons.
- Submit the case to an internal department (e.g. HR) or a competent authority for further investigation.
Legally compliant documentation:
All procedures must be documented in a permanently retrievable form. In the case of oral reports, an audio recording or verbatim transcript is only permitted with the whistleblower's consent. If consent is not given, an accurate written summary of the content must be prepared. The whistleblower must be given the opportunity to review, correct and approve the record.
Step 7: Involve the works council in good time
In companies with an existing works council, the establishment of the reporting office is not a purely unilateral decision by the management. In particular, the introduction of digital whistleblowing systems is subject to mandatory co-determination by the works council in accordance with Section 87 (1) No. 6 BetrVG, as these systems are theoretically suitable for monitoring behavior. Early involvement and the conclusion of a clear works agreement ensure internal peace and prevent legal delays during implementation.
Step 8: Inform employees and establish a "speak-up culture"
A whistleblowing system is only useful if the workforce is aware of it. Clear and easily accessible information about internal processes and alternative external reporting channels must be made available.
The intranet, training courses or employee handbooks are suitable channels. An open "speak-up culture" should be actively promoted: It should be conveyed that tips are in the interests of the company and are in no way seen as "snitching" or disloyal behavior.
What does an offense cost? Fines at a glance
The fines for violating the HinSchG are severe and depend strictly on the type of violation:
- Up to €50,000: For preventing reports, taking reprisals against whistleblowers or for willful or reckless breach of confidentiality.
- Up to € 20,000: In the event of the complete absence or incorrect operation of a prescribed internal reporting point.
- Up to € 10,000: In all other legally defined breaches of duty.
Conclusion
Setting up an internal reporting office is far more than just an annoying legal obligation. With a clear process structure, qualified managers and transparent internal communication, companies create a powerful early warning system for their own operations. Risks are uncovered before any real economic or reputational damage occurs, and compliance is firmly anchored in the corporate culture.
Professional digital solutions and specialized external partners are available for legally compliant and low-effort implementation. Legally compliant software facilitates long-term HinSchG compliance and ensures that the company reliably meets all deadlines.
Frequently asked questions
Do the persons responsible need legal training?
The persons responsible do not need a law degree, but they must have the necessary specialist knowledge. This can be acquired through regular, specific training courses. Personal independence and the exclusion of conflicts of interest during case handling are equally important.
Must companies provide an anonymous reporting channel?
No, the HinSchG does not explicitly oblige companies to provide a completely anonymous reporting channel. However, the law stipulates that reports received anonymously (e.g. an anonymous letter or e-mail) should be processed by the reporting office. A digital whistleblowing system is well suited for this purpose, as it enables two-way communication with a whistleblower who remains anonymous.
How much effort does the technical setup involve?
The technical setup of a modern, cloud-based system such as Hintbox is usually completed within a few days. The ongoing effort is low, as the software largely automates important steps such as deadline monitoring, encryption and audit-proof logging.
How long must the documentation be retained?
The documentation must generally be deleted three years after the procedure is concluded. Longer retention is only permitted in exceptional cases where it is necessary and proportionate to meet other legal requirements.

Matthias Klein
ESG compliance expert, lawcode GmbH
Matthias Klein advises companies on the implementation of supply chain laws such as the CSDDD and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.