Important facts
- Which reporting channels must the software offer?
- At least one written and one verbal channel and, if desired, a personal meeting, also by video conference.
- Why is an anonymous two-way dialog so important?
- Because according to the law, the reporting office must maintain contact with the person making the report; without pseudonymous mailboxes, this would be impossible with anonymous reports.
- Which function protects the identity when uploading files?
- Automatic metadata removal, as files often contain author names, device IDs or GPS data that could give away the whistleblower.
- When is multi-client capability of the software indispensable?
- Whenever several companies with 50 to 249 employees operate a joint reporting office, or a group has to cover several subsidiaries.
- Which two deadlines must the system monitor automatically?
- The 7-day deadline for confirmation of receipt and the 3-month deadline for feedback to the whistleblower.
Executive Summary
Companies with 50 or more employees have been obliged to operate a whistleblower system since December 2023. Violations can result in fines of up to 50,000 euros. Software that complies with the HinSchG must combine verbal and written reporting channels, encrypted data storage, a granular rights concept, an anonymous two-way dialog and automated monitoring of the 7-day and 3-month deadlines.
In addition, functions such as audit-proof documentation, metadata removal when uploading files, multilingualism and multi-client capability are decisive for practical suitability. There are three options for the organizational form: own reporting office, joint reporting office for SMEs or outsourcing to an external service provider. However, the responsibility for remediation always remains with the company. The included 10-point checklist serves as a decision-making aid. The Hintbox is a solution that combines all of these requirements in one platform.
What legal requirements must whistleblower software fulfill?
The HinSchG sets out clear minimum requirements for any whistleblowing system. These are non-negotiable.
Mandatory reporting channels: verbally, in writing, in person
Internal reporting channels must allow reporting both verbally and in text form. Verbal reports must be possible by telephone or another form of voice transmission.
Upon request, a personal meeting must also be made possible within a reasonable period of time. With consent, this can also take place via video and audio transmission.
Confidentiality and access protection
The confidentiality requirement under Section 8 HinSchG is the central principle. It protects the identity of:
- the person making the report,
- the persons who are the subject of the notification,
- all other persons named.
Only persons who are responsible for receipt and processing may have access.
Anonymity: target specification, not mandatory
The internal reporting office "should" also process anonymous incoming reports. However, there is no obligation to provide anonymous reporting channels.
In practice, anonymity is nevertheless a key selection criterion. It significantly lowers the inhibition threshold and thus the likelihood that cases will only become known after public escalation.
Documentation with reservation of consent
All reports must be documented in a permanently retrievable manner. In the case of telephone reports, an audio recording or a verbatim record may only be made with the consent of the person making the report.
If there is no consent, a content log must be created. The person providing the information must also be given the opportunity to check, correct and electronically confirm the record. The documentation is deleted three years after the end of the procedure.
Binding deadlines
The software must automatically monitor two hard deadlines:
- Confirmation of receipt: after 7 days at the latest
- Feedback: after 3 months at the latest, extendable to 6 months in complex cases
Protection against reprisals and reversal of the burden of proof
Reprisals against whistleblowers are prohibited. If a whistleblower suffers a disadvantage in connection with their professional activity, it is assumed that this is a case of reprisal.
The party that imposed the disadvantage must then prove that the measure was based on sufficiently justified reasons or was not related to the report. The protection does not apply to false reports made intentionally or with gross negligence.

Why the choice of whistleblower system determines fines
The HinSchG has applied to companies with 250 or more employees since July 2, 2023. Smaller companies with 50 to 249 employees had to follow suit by December 17, 2023. Public bodies are also affected. Towns and municipalities with more than 10,000 inhabitants are also subject to the obligation.
Anyone who ignores the requirements risks fines of up to €10,000, €20,000 or €50,000. In addition, there is reputational damage and civil claims.
A well-chosen system therefore not only protects whistleblowers, but also the company itself.
Which software functions are indispensable?
The legal obligations result in specific functional requirements for the whistleblower software. If you cut corners here, you not only risk fines, but also lose the trust of your own workforce.
Secure communication and encryption
Confidentiality is not an abstract wish in the HinSchG, but a technical requirement. External reporting offices must use secure communication channels and encrypt data in accordance with current data protection standards. The same applies to internal systems; anything else would be negligent given the sensitivity of the reports.
In practice, this means:
Whistleblower software should encrypt both the transmission (transport) and storage (at-rest) of the data. End-to-end encryption is considered the gold standard because even the provider can then no longer view the content. In addition, access rights must be strictly regulated so that messages only reach authorized persons.
When making your selection, look for a GDPR-compliant hosting location within the EU and relevant security certifications. They are a reliable indication that the provider not only claims information security, but also implements it in a verified manner.
Granular roles and rights concept
The law expressly requires that only authorized persons may access reports. In reality, this means much more than a simple login: it requires a well thought-out authorization system that allows each processor exactly the view and actions that he or she needs for the respective role.
Good software maps this via roles and client-capable structures. Compliance officers see all cases, specialist departments only those relevant to them and external ombudspersons only those assigned to them. In the event of conflicts of interest, individual cases can be specifically excluded from the field of vision of certain processors.
In addition, there is the legal obligation to provide audit-proof, complete documentation of all processing steps. Who changed what in a case and when must remain traceable, not least because the burden of proof quickly lies with the company in the event of a dispute.
Two-way dialog without revealing identity
According to the HinSchG, the reporting office must maintain contact with the person making the report, for example in order to ask questions or communicate interim statuses. This is also necessary if the report was received anonymously. A simple e-mail address is not sufficient here, as it would immediately remove the anonymity.
The solution is pseudonymous mailboxes that are created automatically when the report is submitted. The person submitting the notification receives an access code and can log in again at any time to check the processing status, answer questions or submit additional documents.
This creates GDPR-compliant two-way communication without revealing identity. It is not only legally clean, but also psychologically effective: whistleblowers feel they are being taken seriously because they realize that their report is actually being processed.
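An added example (not the article's or the Hintbox's code) of the pseudonymous mailbox mechanism described above: the case stores only a hash of the whistleblower's access code and no identifying data, and the code alone reopens the dialog. The in-memory store and the code format are assumptions standing in for a real database and product.

```python
"""Pseudonymous mailbox for the anonymous two-way dialog described above.

Added example, not the article's or any vendor's code. Assumptions: an
in-memory dict stands in for the database, and the access code is the only
credential the whistleblower holds. Nothing that identifies the reporter
(account, e-mail, IP address) is stored with the case, so a database dump
yields neither identities nor usable access codes.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Alphabet without 0/O, 1/I/l so a code read out over the phone survives.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_GROUPS, GROUP_LEN = 4, 5          # 20 symbols x 5 bits = 100 bits of entropy


def generate_access_code() -> str:
    return "-".join("".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
                    for _ in range(CODE_GROUPS))


def code_digest(code: str) -> bytes:
    """Normalise user input (case, separators) and hash it. The code is a
    high-entropy random secret, so a plain SHA-256 already makes the stored
    value useless to anyone who reads the database."""
    normalised = code.upper().replace("-", "").replace(" ", "")
    return hashlib.sha256(normalised.encode()).digest()


@dataclass
class Case:
    case_id: str
    messages: list = field(default_factory=list)   # (sender, text) pairs


class MailboxStore:
    def __init__(self) -> None:
        self._by_id: dict[str, Case] = {}
        self._by_digest: dict[bytes, Case] = {}    # digest -> case; never the code

    def submit_report(self, text: str) -> tuple[str, str]:
        """Create a case and hand back (case_id, access_code). The code is shown
        to the whistleblower exactly once and is not retained in clear."""
        code = generate_access_code()
        case = Case(f"C-{secrets.token_hex(4)}", [("reporter", text)])
        self._by_id[case.case_id] = case
        self._by_digest[code_digest(code)] = case
        return case.case_id, code

    def open_mailbox(self, code: str) -> Optional[Case]:
        """Lookup by digest: with 100-bit random codes a miss reveals nothing."""
        return self._by_digest.get(code_digest(code))

    def reporter_reply(self, code: str, text: str) -> bool:
        case = self.open_mailbox(code)
        if case is None:
            return False
        case.messages.append(("reporter", text))
        return True

    def office_message(self, case_id: str, text: str) -> None:
        """Processor side: questions or interim status, addressed to the case only."""
        self._by_id[case_id].messages.append(("reporting_office", text))
```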
File upload with metadata protection
Evidence is what makes a report reliable. Screenshots, emails, contracts or photos should therefore be easy to attach. But this is precisely where an often overlooked danger lurks: files often contain information in their metadata that can be traced back to the sender, such as author name, device ID, GPS coordinates or processing history.
Professional whistleblower software automatically recognizes this metadata and removes it during the upload. This preserves the content of the file without compromising the anonymity of the whistleblower. In addition, the system should perform a virus scan to prevent malware from reaching the company via the reporting channel.
These protection mechanisms work in the background. Whistleblowers do not have to worry about the technical details themselves, which is an important factor as very few people have specialist IT knowledge.
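As an added example (not code from the article or from the Hintbox), the upload-time stripping step described above for a JPEG: the parser walks the file's segment structure and drops the Exif, IPTC and comment segments where author names, device identifiers and GPS coordinates live. The sample upload is constructed inline.

```python
"""Strip identifying metadata from an uploaded JPEG before it is stored.

Added example, not code from the article or from any product it mentions.
It walks the JPEG segment structure directly (no third-party library) and
drops the segments that typically carry author names, device identifiers,
GPS coordinates and editing history: APP1 (Exif/XMP), APP13 (IPTC/Photoshop)
and COM (free-text comments). APP0 (JFIF) and APP2 (ICC profile) are kept:
they are needed to display the image and carry no personal data.
"""
import struct

SOI, SOS = 0xD8, 0xDA
DROP_MARKERS = {0xE1, 0xED, 0xFE}                 # APP1, APP13, COM
STANDALONE = {0x01} | set(range(0xD0, 0xD8))       # TEM, RST0..7: no length field


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[int]]:
    """Return (cleaned_jpeg, removed_marker_codes). Malformed input raises
    ValueError so the upload is rejected instead of stored with metadata."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]          # entropy-coded image data: copy to the end
            return bytes(out), removed
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + seg_len
        if seg_len < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in DROP_MARKERS:
            removed.append(marker)     # identity-bearing segment: not written out
        else:
            out += data[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS segment found")


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample upload: SOI, JFIF APP0, an Exif APP1 carrying a fake GPS
# tag, a COM segment naming the author, then a stub SOS and EOI.
SAMPLE_UPLOAD = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00GPSLatitude=48.1374;Make=ExampleCam")
    + _segment(0xFE, b"Author: constructed-name")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    cleaned, dropped = strip_jpeg_metadata(SAMPLE_UPLOAD)
    print(f"removed {[hex(m) for m in dropped]}; GPS left: {b'GPS' in cleaned}")
```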
Workflow and deadline management
Confirmation of receipt after 7 days, feedback after 3 months. These deadlines are non-negotiable. Anyone who fails to meet them not only risks fines, but also gives whistleblowers a reason to place their report externally with the authorities or, in the worst case, publicly.
The software should therefore automatically monitor both deadlines and send timely reminders to the responsible processors. Ideally, there should be escalation levels: If a deadline is not met, the system automatically informs a superior. In this way, delays can be avoided, even if the processor is on vacation or sick.
In addition, structured case management helps to process each step efficiently and in a documented manner, from the initial check and triage to the final action. Dashboards with a real-time overview of open cases, status and deadlines give compliance officers the control they need for audits and reporting.
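An added example (not the article's or any vendor's code) of the automated deadline monitoring and escalation described above, using the 7-day and 3-month (6-month if extended) limits. The reminder and escalation thresholds are assumed values, and the 3-month clock is assumed to start at the confirmation of receipt, or at the end of the 7-day window if none was sent.

```python
"""Deadline monitor for the two HinSchG clocks described above.

Added example, not the article's or any vendor's code. Assumptions: cases are
plain records; the 3-month feedback clock starts at the confirmation of
receipt (or at the end of the 7-day window if none was sent); an extension
to 6 months is recorded explicitly on the case. The reminder and escalation
thresholds (3 days before due, 1 day after due) are constructed values.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ACK_DAYS = 7
FEEDBACK_MONTHS = 3
EXTENDED_MONTHS = 6
REMIND_BEFORE = timedelta(days=3)    # constructed: warn the processor 3 days out
ESCALATE_AFTER = timedelta(days=1)   # constructed: inform a superior 1 day overdue


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with end-of-month clamping (31 Jan + 3 -> 30 Apr)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Case:
    case_id: str
    received: date
    acknowledged: Optional[date] = None
    feedback_sent: Optional[date] = None
    extended: bool = False          # complex case, 6-month limit documented


def ack_due(c: Case) -> date:
    return c.received + timedelta(days=ACK_DAYS)


def feedback_due(c: Case) -> date:
    start = c.acknowledged or ack_due(c)
    return add_months(start, EXTENDED_MONTHS if c.extended else FEEDBACK_MONTHS)


def check(c: Case, today: date) -> List[Tuple[str, str]]:
    """Return (deadline, action) pairs: 'remind' goes to the processor,
    'escalate' to a superior, so a sick or absent processor cannot stall a case."""
    actions = []
    for name, done, due in (("ack", c.acknowledged, ack_due(c)),
                            ("feedback", c.feedback_sent, feedback_due(c))):
        if done is not None:
            continue                                  # step completed, clock stops
        if today >= due + ESCALATE_AFTER:
            actions.append((name, "escalate"))
        elif today >= due - REMIND_BEFORE:
            actions.append((name, "remind"))
    return actions
```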
Protocol workflow with consent
In the case of verbal reports, the law makes a subtle but important distinction: An audio recording or a verbatim record may only be made with the consent of the person making the report. Without consent, a content log must be created instead.
Good software records this consent digitally and documents it together with the protocol. The person providing the information must then be given the opportunity to check, correct and electronically confirm the record. This ensures that the statement was recorded as it was intended.
This process sounds formal, but it protects both sides: the person making the report from misinterpretation and the company from later disputes about the exact content of the report.
Multilingualism
For corporations, international companies and businesses with foreign suppliers, multilingualism is not a nice-to-have, but a practical must. Anyone who has to submit a report in a foreign language will only do so if they can express themselves confidently in that language.
The law itself does not specify any requirements here, but standard market solutions often offer support for 30 or more languages. Some providers supplement this with AI-based translations that automatically translate incoming reports into the working language of the reporting office without the need for external translators and without jeopardizing confidentiality.
When making your selection, make sure that not only the user interface is multilingual, but also the automated messages such as confirmations of receipt, status messages and feedback.
Optional AI functions
Modern solutions go beyond what is required by law and use artificial intelligence to speed up case processing. These functions are not mandatory, but they do provide noticeable relief in day-to-day compliance work:
- Automatic categorization and prioritization: Incoming messages are assigned to a topic area based on their content and sorted according to urgency.
- AI-supported anonymization of personal data: Real names and sensitive information are automatically masked before being passed on to specialist departments.
- Executive summaries for the management: Summarized reports with KPIs and trend analyses for top management are created from several cases.
Especially in larger organizations with many reports per year, these functions can make the difference between an overburdened compliance department and a smoothly running process.
Hintbox: All functions combined in one solution
The Hintbox combines all requirements in a single platform, from encrypted communication, anonymous two-way dialog and automatic deadline monitoring to audit-proof documentation and multilingualism.
Own reporting office, joint reporting office or external service provider?
The HinSchG allows three organizational forms for the internal reporting office. The choice has far-reaching consequences, not only for the choice of software, but also for personnel requirements, costs and acceptance within the company. Which variant is suitable depends on the size of the company, the sector and the available resources.
Own internal reporting office
In the classic variant, the internal reporting office is located within the company. An individual employee, an entire work unit or an externally commissioned third party can be entrusted with the task. Compliance, legal or HR departments often take on this role, sometimes also the data protection officer as a secondary activity.
The decisive factor:
The persons appointed must act independently and have the necessary expertise. Independent means that they carry out the work of the reporting office free from instructions and that there are no conflicts of interest. Specialist knowledge means that the person is familiar with the legal framework, maintains confidentiality and can examine reports properly.
In practice, this often means a lot of training. Anyone who fills the role internally should plan for regular further training, both on the HinSchG itself and on conducting discussions, data protection and psychological aspects of whistleblowing. This option is usually standard for companies with 250 or more employees, as a joint reporting office is not permitted there.
Joint Reporting Office for SMEs
The law provides explicit relief for smaller companies: Several private employers with between 50 and 249 employees may set up and operate a joint reporting office. This can be done within a group of companies or across companies, for example if several SMEs from the same sector join forces.
The advantage is obvious: the costs for personnel, training and software can be shared. At the same time, more case experience is gathered in one place, which increases the processing quality. Important to know: The obligation to take remedial action and report back to the whistleblower remains with the individual company. Each member of the joint reporting office therefore remains responsible for the measures taken in their own company.
This means for the software:
Multi-client capability is mandatory so that data remains clearly separated between the participating companies. Each company only sees its own cases, while the overall processing is structured and traceable. Anyone planning a joint reporting office should put this point at the top of the list when selecting software.
Outsourcing to third parties
The third option is complete outsourcing to an external service provider, such as a specialized ombudsperson, a law firm or a professional compliance service provider. This option is particularly suitable if there is neither capacity nor expertise available internally or if the company deliberately wants to choose an external, neutral body for reasons of trust.
External service providers usually have several advantages: specialized experience with whistleblower cases, legal confidentiality obligations and a physical distance that can strengthen the trust of the workforce. Particularly in sensitive cases, such as allegations against the company's own management, this distance is often crucial for a report to be made at all.
However, it is important to note:
The responsibility for measures to remedy the breach remains with the company. Outsourcing therefore does not mean "handing over the task completely", but rather "delegating receipt and initial review". The interface between the external service provider and internal compliance must therefore be clearly defined, ideally supported by software in which external persons can work with their own roles and access rights.

Checklist: Selecting a whistleblowing system in 10 points
HinSchG-compliant whistleblower software must fulfill ten key requirements. This list summarizes the most important requirements from the previous sections and serves as a practical decision-making aid when comparing providers.
- Provide verbal and written reporting channels so that whistleblowers can choose the form that suits them best.
- Enable telephone notification or voice transmission, optionally via hotline, voicemail or voice message.
- Offer a personal meeting on request, which may also take place via video conference.
- Encrypted data storage in accordance with current data protection standards, ideally with GDPR-compliant hosting in the EU.
- Granular roles and rights concept with multi-client capability for groups or joint reporting offices.
- Anonymous two-way dialog via pseudonymous mailboxes with an access code; not mandatory by law, but hardly dispensable in practice.
- Automated deadline monitoring for 7-day and 3-month deadlines with reminder and escalation functions.
- Audit-proof documentation with automatic deletion three years after completion of the process.
- Protocol workflow with electronic confirmation by the whistleblower, including consent to recording.
- Multilingualism and optional AI functions such as automatic categorization, anonymization and executive summaries for management.
Anyone who fulfills all ten points not only has a legally compliant solution, but also a tool that noticeably relieves compliance officers in their day-to-day work.
Common misunderstandings about whistleblowing systems
Despite clear guidelines and many years of practice, some prejudices and misconceptions persist.
This misconception is widespread, but factually incorrect. Most whistleblowers do not want to damage the company, but want to remedy grievances. They only turn to the public if nothing happens internally or reprisals are to be feared. The HinSchG even expressly requires that an internal or external report be made first.
On the contrary: a functioning internal system catches reports at an early stage and significantly reduces the risk of escalation. Providing a secure, confidential channel prevents the very scenario that management fears the most, namely that an unresolved complaint ends up in the press.
There is also a positive side effect: companies with established whistleblowing systems signal to stakeholders that they take integrity seriously. This strengthens the trust of customers, investors and business partners and is now part of a professional compliance culture.
The concern is understandable: if you don't have to show your face, you could abuse the system for personal vendettas. In practice, however, this scenario plays a much smaller role than is often feared. In many cases, anonymous reports are even particularly substantive because whistleblowers only decide to report if they really have something to say.
The legal side is more important: Anyone who knowingly reports false information does not enjoy protection under the HinSchG. Intentional or grossly negligent false reports can even lead to liability for damages. The law therefore only protects those who act in good faith and this is precisely what effectively deters malicious individuals.
Professional software provides additional support through structured incoming checks and triage. Unfounded or obviously abusive reports can be quickly sorted out without the serious cases suffering as a result.
Some companies fear that the whistleblower system will turn every expression of dissatisfaction into a legally relevant case. This is not the case. Only reports of breaches within the meaning of Section 2 HinSchG are protected, i.e. criminal or finable breaches in areas such as corruption, data protection, money laundering, environmental law, product safety or consumer protection.
Personal conflicts, disagreements about the distribution of tasks, a harsh tone in the team or complaints about poor communication are expressly not included. Such issues belong in other internal processes: employee appraisals, conflict management, the works council or HR.
This demarcation is also important in practical terms. It protects compliance departments from being overloaded with topics for which they are neither responsible nor suitable. Clear communication about which topics belong in the whistleblowing system and which do not is therefore part of any successful introduction.
Conclusion
Selecting a whistleblower system means bringing together legal obligation and practiced confidentiality. Verbal and written reporting channels, strict access protection, encrypted storage and automated deadline monitoring are the non-negotiable key points.
If you work through the ten checklist points properly, you are on the safe side legally - and create the basis for a compliance culture that builds trust instead of producing mistrust.
Are you currently evaluating providers? Arrange a free demo and check all ten checklist points live in the software.

Larissa Ragg
Marketing Manager · lawcode GmbH
Larissa Ragg is responsible for the content strategy at lawcode and writes specialist articles on EUDR, ESG compliance, HinSchG, supply chain and CSRD. Her articles on the lawcode blog make complex regulatory requirements understandable and give companies practical guidance.