KPMG Deutschland - Newsletter for Korean Companies - July 2023 - Preview Whistleblower


On December 16, 2022, the German Bundestag passed the Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG). The draft process is still ongoing and subject to adoption by the German Bundesrat.

The main purpose of the government's draft law is to

- ensure better protection of whistleblowers in Germany from retaliation in their working environment (e.g., dismissal or other disadvantageous treatment), and

- improve the framework of their protection.

In addition, the law provides for a mandatory internal response to whistle-blower complaints before they can be brought to the attention of the public and damage the company's image.

Below is an overview of the German whistleblower system and the data protection aspects that must be considered when establishing a whistleblower framework.

Overview

Obligation to Introduce an Internal Reporting System

In Germany, employers with 50 or more employees will in principle be obliged to establish at least one person or department responsible for whistleblowing (contact point) from 2023. The following phased introduction obligations are stipulated according to the number of employees:

- At the time of entry into force of the law (scheduled for the second quarter of 2023) employers with 250 or more employees need to ensure at least one whistleblower contact point.

- Employers with 50 to 249 employees have a grace period until December 17, 2023 to establish a whistleblower protection system.

- Employers with fewer than 50 employees are not (yet) obligated to establish a whistleblower hotline.

As an exception, the above general rules do not apply to companies in the financial sector. Finance sector companies, regardless of the number of employees, are required to implement a whistleblower hotline as soon as the law comes into force. That means that even small investment services companies with fewer than 50 employees are subject to the introduction of a whistleblower office.

If a company is obliged to establish a whistleblower hotline because of its number of employees or type of business but fails to do so, this will be considered illegal and the company will risk a fine of up to 20,000 euros. If an internal report made within the company is not diligently attended to, the informant may use an external reporting channel.

Internal and external reporting channels

Both the EU Directive and the German bill distinguish between internal (reporting to internal contact point) and external (reporting to the responsible administrative body) reporting channels, but both can be used.

Internal reporting

A whistleblower hotline will be particularly important for companies. Affected companies must establish at least one whistleblower contact point and make it visible and known to potential whistleblowers. The whistleblower contact point may be part of the compliance department. A corporate group may also establish a whistleblower contact point at the group level.

It is also possible to appoint a third party, such as a consulting firm or lawyer, to operate the whistleblower contact point as an ombudsperson. In this case, they are also recognized as data controllers within the meaning of Sec. 4.7 of the GDPR. The controller of the whistleblower contact point (employer and/or ombudsperson) may use a service provider that provides an application to receive and further contact whistleblowers. In this case, a data processing agreement pursuant to Sec. 28 of the DSGVO must be concluded.

External reporting

The external whistleblower contact points are those established by the federal government (Federal Ministry of Justice), the federal states, the financial supervisory authority BaFin, and the Federal Cartel Office.

As for the obligations of the recipient of the report, both the EU Directive and the draft German law stipulate obligations such as acknowledging receipt of the report within 7 days of receipt, appropriate follow-up such as internal investigation, and feedback within 3 months of receipt of the report.

There is no significant difference between the internal and external reporting

Future Outlook and Recommendations

Things to keep in mind when establishing a whistleblower contact point

The whistleblower contact point is in general obliged to

- accept the whistleblowing information,

- process the affair on an anonymous basis, and

- provide for further communication on an anonymous basis.

The obligation to report anonymously does not take effect until January 1, 2025. Whistleblowers must receive a receipt notice within seven days and feedback on the follow-up activities implemented and planned within three months of the receipt notice.

The legal basis for processing personal data is Sec. 6, paragraph 1 c HinSchG Sec. 10 of the GDPR. This basis also includes the processing of special categories of personal data under Article 9 GDPR. Notification must be documented, and the documentation must be deleted three years after the end of the procedure.

From a data protection perspective, it is important to note that the establishment of a whistleblower contact point is included in the list of processing actions (Sec. 30 GDPR), that a data protection impact assessment must be conducted prior to the introduction of the procedure (Sec. 35 GDPR), and that the controller must provide a data protection notice to the informant (Sec. 13 GDPR). Trade unions, if any, should be involved in the process and a collective agreement should be signed.

CHALLENGE

In introducing and operating a whistleblower system, it is necessary to ensure on one side consistency with the global whistleblower system and on the other side compliance with the relevant EU directives, by also taking into account the (historical) background and view of whistleblowing in Germany.

Germany has a culture that discourages anonymous whistleblowing, where the whistleblower does not disclose his or her name. One of the reasons for this is thought to be the history of whistleblowing and snitching by the Stasi, a ministry that controlled the secret police and intelligence services during the Nazi era and the following years in the former East Germany.
