Important facts
- What is the legal basis for data processing in the whistleblower system?
- The processing of personal data is primarily based on § 10 HinSchG in conjunction with Art. 6 para. 1 lit. c GDPR to fulfill a legal obligation.
- How is the conflict between the accused's right to information and the protection of the whistleblower's identity resolved?
- Although the accused receives information about the allegations, all identifying details of the whistleblower and uninvolved third parties must be blacked out in advance.
- How long can the data and documentation be stored in the system?
- As a rule, the entire documentation of a notification must be completely deleted exactly three years after the formal conclusion of the procedure.
- May particularly sensitive personal data (e.g. health data) also be processed?
- Yes, according to § 10 sentence 2 HinSchG, the processing of special categories of data is permitted under appropriate protective measures, provided this is necessary for the tasks of the reporting office.
- Are companies legally obliged to set up anonymous reporting channels?
- There is currently no strict obligation for private employers to provide anonymous channels, but setting them up is strongly recommended, as around 73% of whistleblowers choose to remain anonymous.
Executive Summary
The establishment of internal reporting offices in accordance with the Whistleblower Protection Act (HinSchG) leads to a complex data protection conflict with the GDPR. While the Whistleblower Protection Act prioritizes the absolute protection of the identity of whistleblowers, accused persons and witnesses, the GDPR demands transparency, strict purpose limitation and comprehensive data subject rights. Legally compliant processing in the reporting office is based on Section 10 HinSchG as the central permission standard, which even permits the processing of sensitive special categories such as health data, subject to compliance with strict technical and organizational protective measures (TOMs).
The sharpest legal conflict arises when an accused person asserts their right to information under Art. 15 GDPR in order to find out the identity of the whistleblower. The confidentiality requirement under Section 8 HinSchG effectively restricts this right in practice: The reporting office must make a detailed assessment in each individual case and ensure that all identifying information of the whistleblower and uninvolved third parties is redacted before providing information. Outside of narrowly defined official exceptions, identity disclosure is only permitted with separate, express consent.
In order to operate in compliance with data protection regulations, companies must implement a clear deletion concept that provides for the deletion of documentation exactly three years after the end of the procedure as standard. Although there is currently no strict obligation to provide anonymous reporting channels, around 73% of whistleblowers use this option, which is why digital reporting systems with end-to-end encryption are strongly recommended. Non-compliance can result in severe double sanctions: Fines of up to €50,000 under the HinSchG as well as immense fines in the millions for violations of the GDPR.
The legal basis: HinSchG and GDPR at a glance
To resolve the tension between the Whistleblower Protection Act and the GDPR, it is essential to look at their respective objectives and areas of application. Both laws focus on the protection of individuals, but set different priorities that must be reconciled when designing a data protection-compliant whistleblower system.
What is the Whistleblower Protection Act (HinSchG)?
The HinSchG is the German implementation of the EU Whistleblower Directive (Directive EU 2019/1937) and came into force on July 2, 2023.
- Obligation to set up: Since July 2, 2023, companies with 250 or more employees and public bodies have been obliged to set up internal reporting offices. Private employers with 50 to 249 employees had an extended implementation period until December 17, 2023.
- Material scope of application: The law covers reports of criminal offenses, violations subject to fines (if the violated regulation serves to protect life, limb, health or the rights of employees) as well as a large number of federal, state and EU legal provisions. These include core areas such as money laundering prevention, product safety, environmental protection, network security and data protection itself. It creates a formal framework to detect corruption, fraud and unethical practices at an early stage and protect against them.
The relevance of the GDPR for whistleblower systems
The GDPR fundamentally regulates the protection and processing of personal data and continues to apply without restriction to the operation of whistleblowing systems. In the context of the HinSchG, reporting offices inevitably process personal data, often of at least three groups of people:
- the whistleblower,
- the accused person (subject of the report),
- and other third parties named in the report (e.g. witnesses or supporters).
Companies must ensure that the collection, storage, processing and eventual deletion of all this data is carried out in strict compliance with data protection regulations in accordance with the principles of Art. 5 GDPR.
The area of conflict: Why data protection and whistleblower protection collide
The data protection tension in the whistleblower system arises primarily from the fact that the HinSchG prioritizes the protection of the whistleblower and the clarification of grievances (which often requires secrecy), while the GDPR prioritizes the protection of data and the information rights of all parties involved (including the accused).
What is the legal basis for data processing in the Reporting Office?
The central authorization standard for the internal reporting office is Section 10 HinSchG. It authorizes reporting offices to process personal data "insofar as this is necessary for the fulfilment of their tasks specified in §§ 13 and 24".
This results in the following data protection pillars:
- General data: Processing is primarily based on Section 10 HinSchG in conjunction with Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation).
- Special categories of data: For highly sensitive data (e.g. health data, trade union membership, religious beliefs or sexual orientation), Section 10 sentence 2 HinSchG expressly permits processing, in deviation from Art. 9 para. 1 GDPR.
- Protective measures in accordance with the BDSG: The prerequisite for this far-reaching processing authorization is that the reporting office provides for "specific and appropriate measures" to protect the interests of the data subjects. According to § 10 sentence 3 HinSchG, § 22 para. 2 sentence 2 BDSG (Federal Data Protection Act) is to be applied accordingly. This requires, among other things, technical and organizational protective measures such as encryption, access restrictions and logging.
Practical tip
Document the technical and organizational protective measures (TOMs) taken in writing and in detail. Without this documentation, the legal basis according to § 10 HinSchG is missing, which can lead to serious data protection violations.
Confidentiality requirement vs. GDPR data subject rights
What does the confidentiality requirement under Section 8 HinSchG protect?
The confidentiality requirement is the beating heart of whistleblower protection. According to Section 8 of the Whistleblower Protection Act, the identity of the following groups of people must be treated in strict confidence:
- the whistleblower,
- the persons who are the subject of a report (accused),
- and other persons named in the report (e.g. witnesses).
These identities may only be disclosed to the persons responsible for receiving the reports or for carrying out follow-up measures, as well as their direct supporters. This obligation applies absolutely and irrespective of the actual responsibility of the reporting office.
When may the identity be disclosed? (§ 9 HinSchG)
The law provides for extremely narrow exceptions in § 9 HinSchG. The identity of the whistleblower may only be disclosed:
- in criminal proceedings at the request of the criminal prosecution authorities,
- on the basis of orders in subsequent administrative or fine proceedings,
- on the basis of judicial decisions,
- in specific legal constellations at federal authorities such as BaFin and the Federal Cartel Office.
In addition, disclosure is permitted if the person providing the information has given separate, express and written consent in advance for the specific disclosure in question. A blanket prior consent (e.g. in the notification form) is legally invalid.
Important
In the event of demonstrably intentional or grossly negligent reporting of incorrect information, the whistleblower's identity protection expires completely.
How do the right to information and confidentiality collide?
This is where the sharpest legal conflict arises: According to Art. 15 GDPR, an accused person has a comprehensive right to information about all processed data concerning them, including the origin of this data, i.e. the name of the whistleblower.
The HinSchG effectively restricts this right to protect the whistleblower. In practice, the following balance must be struck:
- Basic information: The accused person receives information about the allegations and data stored about them.
- Redaction and protection: Identifying information about the person providing the information and other uninvolved third parties must be made unrecognizable (redacted) before the information is provided.
- Case-by-case assessment: For each request for information, the Reporting Office must carry out a detailed assessment of interests on a case-by-case basis and document this in an audit-proof manner. A blanket refusal to provide information is not permitted.
Storage period: What do the HinSchG and GDPR say about erasure?
The principle of storage limitation (Art. 5 para. 1 lit. e GDPR) requires that data is deleted as soon as it is no longer required for the purpose of its processing. The HinSchG specifies this obligation very precisely in Section 11 (5):
"The documentation shall be deleted three years after completion of the procedure. The documentation may be kept for longer to meet the requirements of this Act or other legislation, as long as this is necessary and proportionate."
This results in clear guidelines for the deletion concept of your whistleblowing system:
- Standard case (3-year period): By default, the entire documentation of a report must be completely deleted exactly three years after the formal conclusion of the procedure (e.g. after completion of the internal investigation or follow-up measures).
- Exceptions for longer storage: Longer storage is only permitted if other laws prescribe this (e.g. ongoing court, disciplinary or criminal proceedings) and this is proportionate.
- Special feature for audio recordings: If verbal reports are recorded on audio/data carriers, these files (if they were used to create a written report) must be deleted immediately after completion and approval of the report.

Practical implementation in the company
To operate a data protection-compliant and HinSchG-secure system, companies must implement strict technical and organizational measures (TOMs).
Technical protective measures (TOMs)
- Secure reporting channels: Reporting channels must be designed in such a way that unauthorized employees are denied access. Digital whistleblower systems must offer seamless end-to-end encryption and ideally be hosted in certified data centers (ISO 27001) in Germany.
- Strict access restrictions (role and rights concept): Only the named persons responsible for the reporting office and their direct supporters may have physical or digital access to the files and the tool.
- AI-supported anonymization: A highly professional, digital whistleblowing system should have functions for automatic, AI-supported anonymization. This technology recognizes names, locations, dates and organizations in continuous text and replaces them with neutral placeholders. This enables data protection-compliant internal forwarding of cases to specialist departments (e.g. HR or Internal Audit) for follow-up action without jeopardizing identities.
Organizational measures & training
- Specialist knowledge and independence: The persons entrusted with processing the notifications must act with absolute independence and have the necessary specialist knowledge.
- Regular training: The staff of the reporting office must be regularly trained on legal innovations, data protection issues and the psychological handling of whistleblowers.
- Data protection impact assessment (DPIA): As the processing of highly sensitive data in the context of whistleblowing systems poses a high risk to the rights and freedoms of natural persons (Art. 35 GDPR), it is generally necessary to carry out a DPIA for the system used.
Anonymous reporting channels: Added value and legal classification
A much-discussed point is anonymity. Here, the law distinguishes between provision and pure processing:
- No absolute obligation to provide: The HinSchG does not currently explicitly oblige companies to set up anonymous reporting channels. However, it strongly recommends that incoming anonymous reports be processed. Practice shows that the majority of whistleblowers wish to remain anonymous.
- Duty to process: However, if anonymous reports are received via the established channels, they should be processed just as carefully according to the law. External reporting offices must process anonymous reports.
- The practical advantage: Practice clearly shows that the inhibition threshold for whistleblowers without anonymous channels is extremely high. According to statistics, 73.2% of whistleblowers opt for anonymity if this option is available in the system. Digital whistleblowing systems offer the ideal solution here: they enable a protected, anonymous dialog with the whistleblower via a virtual mailbox without the IP address or other identifying features being transmitted.
Risks of non-compliance: sanctions and reputational damage
Violations of the provisions of the HinSchG or the GDPR within the framework of the whistleblower system pose existential risks for companies and managers:
- Fines under the HinSchG (up to € 50,000): The law provides for severe fines if, for example, no internal reporting office is set up, reports are obstructed, reprisals are taken or the confidentiality requirement under Section 8 is violated.
- Fines under the GDPR: Irrespective of the HinSchG, data protection supervisory authorities can impose substantial fines (up to €20 million or 4% of annual global turnover) for unauthorized data processing, lack of TOMs or violation of data subjects' rights.
- Reputational damage and liability: If confidentiality is breached, the company risks a massive loss of trust among employees, customers and partners. In addition, affected whistleblowers can assert claims for damages.

Checklist: Set up a whistleblower system that complies with the HinSchG and GDPR
Use this checklist to set up your reporting office in accordance with data protection law:
- Document legal basis: Written determination of data processing in accordance with § 10 HinSchG in conjunction with Art. 6 and Art. 9 GDPR.
- Update the register of processing activities (VVT): Entry of the internal reporting office in the register of processing activities (Art. 30 GDPR).
- Data protection impact assessment (DPIA): Preparation and documentation of a risk analysis in accordance with Art. 35 GDPR.
- Define roles and rights concept: Set up technical locks so that only the responsible reporting office personnel have access.
- Encryption & secure IT infrastructure: Ensuring end-to-end encryption and GDPR-compliant server hosting.
- Enable anonymous communication: Provision of an anonymous digital mailbox to strengthen trust (usage rate of approx. 73.2%).
- Implement deletion concept: Automatic follow-up reminder and deletion of files exactly 3 years after conclusion of proceedings (Section 11 (5) HinSchG).
- Prepare consent workflow: Preparation of forms for separate, written consent for identity disclosure (Section 9 (3) HinSchG).
- Provide evidence of training: Document regular further training of reporting office staff with regard to specialist knowledge and data protection.
- Fulfill information obligations: Provision of easily accessible data protection notices for employees (Art. 13/14 GDPR) regarding the reporting office.
Conclusion
The Whistleblower Protection Act and the GDPR are not an irreconcilable contradiction, but rather go hand in hand in optimal operation. While the Whistleblower Protection Act provides the necessary legal basis under data protection law via Section 10, the confidentiality requirement under Section 8 ensures the protection of those involved, and Section 11 (5) guarantees a clear time limit for data storage.
Those who dovetail these legal pillars with the classic GDPR standard obligations, such as a precise register of processing activities, robust technical protection measures (TOMs) and a well thought-out deletion concept, minimize the risk of fines and at the same time create a transparent, trusting corporate culture.
Do you want to make sure that your whistleblowing system fully complies with both the HinSchG and the strict requirements of the GDPR? Have your internal reporting office checked by our experts now for compliance with data protection law or request a non-binding demo of our highly secure software solution!
Frequently asked questions
No. Regular data processing in the system is based directly on the legal obligation under Section 10 HinSchG in conjunction with Art. 6 para. 1 lit. c GDPR. Consent is not the legal basis. An exception only applies to the disclosure of the whistleblower's identity to third parties outside the statutory exceptions (Section 9), for which separate, written consent is mandatory for each individual disclosure.
Yes, Section 10 sentence 2 HinSchG expressly permits the processing of special categories of personal data (such as health data, trade union membership, etc.) in deviation from Art. 9 para. 1 GDPR, provided that this is absolutely necessary for the reporting office to fulfill its tasks and appropriate protective measures have been taken in accordance with the BDSG.
The documentation must be completely deleted three years after the end of the procedure (Section 11 (5) HinSchG). Longer storage is only permitted in justified exceptional cases if other legal provisions require this and it is proportionate.
In principle, yes. However, this collides with the confidentiality requirement in Section 8 HinSchG. In practice, this means that the accused may request information about the allegations concerning them, but all identifying details of the whistleblower and uninvolved third parties must be redacted in advance. The assessment must be made on a case-by-case basis and documented in writing.
There is currently no strict obligation for private employers to set up an anonymous reporting channel, but incoming anonymous reports should be processed. However, as around 73% of all whistleblowers prefer anonymous channels, the provision of such a channel is strongly recommended for effective whistleblowing. An obligation to provide an anonymous channel could become a reality from 2025.
Companies can outsource the tasks of the internal reporting office (e.g. the receipt and initial review of reports) to an external service provider such as a lawyer, an ombudsperson or a specialized software provider. This often strengthens the trust of employees through professional distance, but does not release the company from the obligation to take remedial action itself in the event of verified violations.

Alexander Hilmar
ESG compliance expert - lawcode GmbH
Alexander Hilmar advises companies on the implementation of ESG compliance, sustainable reporting and supports the implementation of digital solutions for legally compliant supply chains. His specialist articles on the lawcode blog combine regulatory depth with practical recommendations for action.