Whistleblower Protection Act: new compliance requirements
The Federal Ministry of Justice and Consumer Protection recently presented a bill for the Whistleblower Protection Act (Hinweisgeberschutzgesetz). The reason for the bill is the EU Whistleblower Directive (2019/1937/EU), which aims to better protect whistleblowers (i.e. internal employees who draw attention to compliance violations at their employers). Without adequate protection, whistleblowers are often subject to retaliation, which can lead to compliance breaches going unreported.
EU member states must transpose the EU Whistleblower Directive into their national law by December 17, 2021. In Germany, this must be done through the Whistleblower Protection Act. The bill is only a draft, so it can still be amended during the legislative process. However, as the bill implements the EU Whistleblower Directive, the cornerstones of the new law have already been laid.
Who does the law protect?
With regard to companies, the law protects all personnel (for example, employees, trainees and persons similar to employees) who have obtained information about violations or discovered certain facts in the course of their professional activities and reported them. The law also protects individuals who are the subject of or named in such reports.
What acts are covered by the law?
The scope of protection is broad and includes:
- offenses punishable by criminal penalties or fines;
- violations of German laws, ordinances and other regulations and directly applicable EU laws;
- information on the fight against the financing of terrorism; and
- product safety and compliance information.
Where can whistleblowers report information?
Whistleblowers should have the ability to report this information through internal and external reporting channels.
External reporting channels are put in place by the government. Internal reporting channels should be set up by companies and private authorities (e.g. administrative offices and public law foundations, as well as courts).
What obligations exist for private companies?
Businesses need to set up and operate an internal reporting channel. In addition, they should encourage whistleblowers to report first through the internal reporting channel before reporting externally.
When setting up internal reporting channels, companies should ensure that only the internal reporting channel has access to the reports received. The internal reporting channel must be independent.
Internal reporting channels should provide reporting lines for whistleblowers to report orally or in writing (for example, by email, fax or letter).
In addition, internal reporting channels should process reports in accordance with the procedures and timeframes specified in the Whistleblower Protection Act, namely:
- contact the whistleblower;
- document reports;
- verify the validity of reports; and
- initiate follow-up actions, for example:
  - launching internal investigations;
  - directing the whistleblower to other competent bodies;
  - terminating proceedings due to lack of evidence or other reasons; or
  - forwarding the procedure to a competent authority for further investigation.
In this regard, companies must comply with special guarantees and obligations. For example, confidentiality must be maintained (including the identity of the whistleblower, the persons subject to the report and other persons named in the report).
In addition, whistleblowers cannot be held legally responsible for obtaining or accessing the information they report. This does not apply if the acquisition or access to such information constitutes a criminal offense. No reprisals may be directed, threatened or attempted against the whistleblower.
In principle, the obligation to create an internal reporting channel only applies to companies which generally have at least 50 employees. There are some exceptions to this rule (e.g. for securities service providers and data provision services).
When should internal reporting channels be established?
According to the bill, the law will come into force on December 17, 2021. However, companies that generally have fewer than 250 employees do not need to create an internal reporting channel before December 17, 2023. For all companies with 250 or more employees, the obligation will apply from December 17, 2021.
What are the legal consequences of a violation?
Companies can be held liable for damages if they violate the retaliation ban. Fines of up to €100,000 can also be imposed when, for example, a company obstructs reports, attempts to do so, or exercises or threatens retaliation against a whistleblower.