Introduction

The Federal Ministry of Justice and Consumer Protection recently presented a draft bill for the Whistleblower Protection Act (Hinweisgeberschutzgesetz). The reason for the draft bill is the EU Whistleblowing Directive (2019/1937/EU), which aims to better protect whistleblowers (ie, internal employees who draw attention to their employers' compliance violations). Without adequate protection, whistleblowers are often subject to reprisals, which may lead to compliance breaches not being reported.

EU member states must implement the EU Whistleblowing Directive in national law by 17 December 2021. In Germany, this is to be done through the Whistleblower Protection Act. The bill is only a draft, so it may still be amended during the legislative process. However, since the draft implements the EU Whistleblowing Directive, the cornerstones of the new law are already fixed.

Who does the law protect?

Regarding companies, the law protects all personnel (eg, employees, trainees and individuals similar to employees) who have obtained information about violations or discovered certain facts in connection with their professional activities and reported them. The law also protects individuals who are the subject of such reports or are named therein.

What acts are covered by the law?

The scope of protection is broad and includes:

  • infringements which are subject to criminal penalties or fines;
  • violations of German laws, ordinances and other regulations and directly applicable EU laws;
  • information about combating terrorist financing; and
  • information about product safety and conformity.

Where can whistleblowers report information?

Whistleblowers should be given the opportunity to report such information via both internal and external reporting channels.

External reporting channels are set up by the government. Internal reporting channels must be implemented by private companies and authorities (eg, administrative offices and foundations under public law, as well as the courts).

What obligations exist for private companies?

Companies must set up and operate an internal reporting channel. Further, they should create incentives for whistleblowers to first report via the internal reporting channel before making a report externally.

When setting up internal reporting channels, companies must ensure that only the internal reporting channel has access to the reports received. The internal reporting channel must be independent.

Internal reporting channels must provide reporting lines that enable whistleblowers to report orally or in writing (eg, by email, fax or letter).

Further, internal reporting channels must process reports according to the procedures and deadlines specified in the Whistleblower Protection Act – namely:

  • contacting the whistleblower;
  • documenting the reports;
  • checking the validity of the reports; and
  • initiating follow-up measures – for example:
    • initiating internal investigations;
    • referring the whistleblower to other competent bodies;
    • closing the proceedings due to a lack of evidence or other reasons; or
    • handing over the proceedings to a competent authority for further investigation.

In this regard, companies must observe special safeguards and obligations. For example, confidentiality must be maintained (including the identities of the whistleblower, the individuals who are the subject of the report and other individuals named therein).

Further, whistleblowers may not be held legally responsible for obtaining or accessing information that they report. This does not apply if the acquisition or access to such information constitutes a criminal offence. No reprisals may be directed, threatened or attempted against the whistleblower.

In principle, the obligation to create an internal reporting channel applies only to companies that generally have at least 50 employees. There are some exceptions to this rule (eg, for securities service providers and data provision services).

From when must internal reporting channels be established?

According to the draft bill, the law will take effect on 17 December 2021. However, companies that generally have fewer than 250 employees need not create an internal reporting channel until 17 December 2023. For all companies with 250 or more employees, the obligation will apply from 17 December 2021.

What are the legal consequences of a violation?

Companies may be liable for damages if they violate the prohibition of reprisals. Fines of up to €100,000 may also be imposed where, for example, a company obstructs reports, attempts to do so or takes or threatens reprisals against a whistleblower.