First slowly, then quickly: The Whistleblower Protection Act is just around the corner


After a long and arduous legislative process, things are now getting serious: The Whistleblower Protection Act (“HinSchG”) has now been passed and will come into effect shortly – possibly as soon as June 2023, depending on when it is enacted. Contrary to what its name suggests, the Act is not just about protecting whistleblowers from retaliation; it also requires companies to implement reporting mechanisms to facilitate such reporting.

The HinSchG belatedly implements Directive (EU) 2019/1937 of the European Parliament and of the European Council of 23 October 2019 on the protection of persons who report breaches of Union law (amended as a result of Regulation (EU) 2020/1503).

Area of application

From a personal perspective, the HinSchG protects individuals providing information about legal violations in connection with their professional activity or in advance of a professional activity and who report or disclose them to the designated reporting offices. Individuals who are the subject of a report or disclosure as well as other individuals impacted by a report or disclosure shall also be protected. Employers who employ at least one person are subject to these obligations. However, the requirement to establish an internal reporting office only applies to employers who usually employ at least 50 employees. In addition, a grace period is in force until 17 December 2023 for private employers with 50 to 249 employees to give them time to set up an internal reporting office, unless the companies operate within a particular sector (e.g., the financial services sector).


The HinSchG regulates reports and disclosures of information about violations that the HinSchG lists in a catalogue. It is important to note that information about violations falls within the scope of the Act only if it relates to the employer or another entity with which the reporting person has had professional contact.

Establishment of internal reporting offices

Employers are obliged to set up internal reporting offices. These reporting offices run reporting channels, for example, which employees and temporary workers assigned to the employer can use to contact the internal reporting office and report information about legal violations. The internal reporting office can be established directly within the employer’s organization or the employer can commission a third party to fulfil this function. This allows employers to rely on external parties (e.g., external lawyers as so-called ombudspersons) or, if necessary, establish a central reporting office responsible for all companies within a group of companies. The internal reporting office must be independent and there may be no conflicts of interest, meaning that its staffing and management require careful assessment. In this respect, it is still a matter of debate whether or not and under what conditions a central internal reporting office can actually be set up within a group of companies; the HinSchG deviates here from the requirements of Union law. Even where an external provider is used, the employer remains responsible in all cases to remedy any violation and should also coordinate closely with the reporting office regarding the measures to be taken.

Procedure for internal reporting

Reports must be allowed either verbally or in text form. The Act also stipulates that upon the reporting person’s request a personal meeting must be arranged with the assigned person at the internal reporting office. After the draft law initially provided for an obligation to process anonymous reports, this obligation was dropped after a compromise was reached in the so-called Vermittlungsausschuss (mediation committee). It is now recommended that the internal reporting office “should” process anonymous reports but it is not obliged to do so. There is no obligation to design the reporting channels in such a way that anonymous reports can be submitted.


The HinSchG also includes a clear procedure on how to deal with any incoming reports.

The internal reporting office

  • confirms receipt of a report to the individual providing information within seven days at the latest,
  • checks whether or not the reported violation falls within the material scope of the HinSchG,
  • maintains contact with the reporting individual,
  • checks the substance of the report received,
  • wherever necessary asks the reporting individual for further information and,
  • takes appropriate follow-up action.

Also, the internal reporting office provides feedback to the reporting individual within three months of acknowledgement of receipt of the report, including notification of any follow-up action planned or already taken and the underlying reasons. However, feedback to the reporting individual may only be provided to the extent that this does not have an impact on any internal enquiries or investigations and that it does not have a negative impact on the rights of any parties who are the subject of or named in the report. This complies with the protections expressly provided by law for those who are the subject of a report.

The Act only refers to follow-up actions in the form of examples, which may include an internal investigation or conclusion of the procedure.

External reporting offices

The Act also stipulates that the federal government shall set up a department for external reporting at the Federal Office of Justice. There are also reporting offices for special areas, such as the Federal Cartel Office. The external reporting office must also establish reporting channels through which violations reported by individuals can be received and processed. The employer must inform its employees about such reporting offices.

As with the internal reporting office, the Act also stipulates, for example, procedural specifications and regulations on follow-up action. It is important for employers to realise that there is no legal priority of internal vs. external reporting. The Act leaves it up to the employers whether or not they wish to encourage internal reports. In practice, it will be in the employer’s interests that those who report information do not submit reports to external reporting offices, as this means the employer will lose control over how the reports are handled.

Protection of whistleblowers

In line with its name, the HinSchG contains provisions to protect reporting individuals who have made internal or external reports or who have made disclosures and who, at that time, had sufficient reason to believe that the information they reported or disclosed was true. It is further required that such information relates to violations falling within the scope of this act or that the individual providing information had reasonable grounds to believe at the time of the report or disclosure that this was the case.

It is therefore not required that the reported facts or conclusions actually are correct. It is sufficient that from an ex ante and an objective perspective there were grounds to suspect a violation. No excessive standards should be placed on any individual providing the information, although frivolous reports should not be protected. With regard to the assumption that a legal violation covered by the HinSchG has occurred, no major requirements should apply either. In all cases, the understanding of a legal layperson shall be deemed sufficient. If a reporting individual suffers negative consequences, e.g., in the form of termination of employment or warning, in connection with their professional activity and claims to have suffered discrimination as a result of a report or disclosure under this Act, it shall be assumed that such discrimination constitutes a reprisal for this report or disclosure. In such a case, the Act provides for a reversal of the burden of proof. This proved a controversial matter during the legislative process. While the reversal of the burden of proof remained in the Act, it is now required that the individuals assert that they are being retaliated against as a result of the reporting. In practice, this added requirement will probably make no difference.

If the whistleblower claims protection under the Act, the employer must demonstrate that the action was not taken as a result of the report or disclosure. When assessing the evidence, the court may consider the following points as examples:

  • the seriousness of the reported violations
  • any successful resolution of the procedure (e.g., remedy of reported grievances)
  • lack of knowledge of the report by the individual who took the allegedly retaliatory action
  • the chronology between the report and the retaliatory action

Damages and fines

Violations of the HinSchG can result in claims for damages as well as fines. Although compensation for immaterial damages was still provided for in the draft Act, this was removed after a compromise was reached in the mediation committee. In addition, the HinSchG also contains regulations on fines. While any disclosure of knowingly incorrect information represents a violation of the law, obstructing reports or disclosures, the failure to set up an internal reporting office, or retaliatory actions are also subject to fines. This also applies to breaches of confidentiality. Fines can be up to EUR 50,000 for a violation. However, a grace period of six months applies to a fine for not operating or setting up an internal reporting office.

Co-determination rights

Co-determination rights relating to compliance with the HinSchG can arise from Section 87 (1) No. 1 of the Works Constitution Act (BetrVG - organisation of the operation and behaviour of employees within the operation) and Section 87 (1) No. 6 of the BetrVG (introduction and use of technical equipment designed to monitor performance and behaviour). If certain requirements are set for the reporting procedure, this does not merely touch on issues of work free from co-determination, but also on controlling the behaviour of employees within the operation. If technologically assisted reporting channels, e.g., using e-portals, are used, these qualify as technical equipment which is designed to monitor the performance and behaviour of employees. According to the jurisprudence of the Federal Labour Court, it is sufficient that equipment is suitable for monitoring, and monitoring does not need to be the actual purpose. Before implementing a reporting channel, a corresponding arrangement must therefore be made with the works council (possibly also the general or even the group works council). However, the location and staffing of the internal reporting office are not subject to any co-determination. Nevertheless, the co-determination rights of the works council may be affected when staff are assigned as long as a transfer or hiring has occurred.

Data protection challenges

Any reporting of grievances always presupposes that the reporting individual provides the names, etc., of the possible perpetrator and that their data be recorded. The individual can remain anonymous, but if individuals provide their name, the individual must expect to be faced with counter-claims, for example, if the alleged perpetrator feels falsely accused, or that they will be confronted with a reaction from the accused.

The protection of the data of all those affected by a reporting is first ensured by maintaining confidentiality: the internal reporting office or the persons working there are obliged to maintain confidentiality regarding the identity of the individual providing the information, the persons alleged by the report, or any other persons named. Exceptions only apply if, for example, the person concerned has consented to the disclosure of their data or certain conditions are met (if disclosure is necessary, for example, for criminal prosecution or for taking any follow-up action). Otherwise, the HinSchG only regulates that the reporting office may process data internally.

The General Data Protection Regulation (GDPR) also applies here. Employers must therefore implement the data protection principles of Art. 5 of the GDPR. They must ensure that any processing (including the transfer of data) is lawful, that the necessary authorisation and deletion concepts are implemented, and that the transparency obligations of the GDPR and, finally, the comprehensive rights of those affected to information, deletion, etc., in accordance with Art. 12 ff. GDPR are implemented. This can lead to conflicts of interest.

Along with the basic data protection information pursuant to Art. 13 GDPR, which must be made available to every employee as well as other affected persons when data is collected, it must be checked when and how, for example, the accused person is informed about the origin of the data and thus also about the reporting person. As a matter of principle, the GDPR provides for an obligation to provide information within one month of the data being collected; the information can only be omitted under specific circumstances. Internal processes must be established to regulate how these challenges are dealt with.

Handling requests for information is also a critical issue according to Art. 15 GDPR: while German jurisprudence has affirmed that the person alleged by the report has comprehensive rights to being informed, with reference to the provisions of the Federal Data Protection Act (§§ 29, 33 BDSG) or the confidentiality requirement of the HinSchG, the information may be waived under certain circumstances if, after balancing the interests of the parties involved (the individual reporting, the person alleged, or other parties involved), the employer concludes that the information ought to be rejected on a case-by-case basis. Aspects including open or anonymous reports, the extent of the information reported, the correctness of the information, etc., must also be considered here. It is crucial that the considerations reflect the individual case, that they are always subjective, and that it can never be ruled out that courts or an authority might take a different view from that of the employer. Detailed documentation of the consideration process is therefore recommended.

The same applies to any deletion. Deletion concepts are not only to be implemented with regard to the documentation of the reporting procedure, but also for dealing with false reports. Although, in the past, the data protection supervisory authorities assumed a storage period of two months after receipt of a (false) report, this can no longer be justified due to the specifications of the HinSchG: the Act stipulates that documentation on the internal report must be kept for three years after the procedure has been completed and that the storage period can even be extended if necessary. The reporting office should not be expected to check the storage period in individual cases. Whether or not this complies with the principles of data minimisation and storage limitation in the GDPR is at least questionable. A careful review of the deletion periods and concepts is therefore recommended.


The processes are complex, and it does not suffice simply to publish contact details of the new internal reporting office on the website. The office must also be empowered to carry out its tasks in accordance with the applicable regulations. Companies must document, implement and transparently communicate the processes. In addition to coordinating with any existing works council and concluding necessary company agreements, a guideline should also be followed to implement the instructions on how to deal with reports or the requirements of the HinSchG, and to inform about the rights, obligations and risks that apply to the individual parties.

In addition, the topics that must be regulated and documented include the correct implementation of confidentiality, the documentation of the reporting procedure/follow-up measures, access rights, the protection of the systems/data using appropriate technical and organisational measures, the determination of the responsibilities and powers of the individual parties, handling of any consent given to pass on information, informing affected individuals, handling of requests for information and the documentation on how they are considered, the data protection impact assessment, and the implementation of the deletion concepts. If a third party is commissioned to operate the internal reporting office or if a global hotline is set up, suitable agreements must also be made here to fulfil the legal requirements.

Any existing processes are to be reviewed, adapted wherever necessary, or even re-implemented; due to the tight timeframe, this needs to be initiated soon.

We will be happy to support you.


Contact Persons
Silvia C. Bauer
+49 221 9937 25789

Dr Stefanie Hellmich, LL.M.
Frankfurt a.M.
+49 69 27229 24118

Dr Astrid Schnabel, LL.M. (Emory)
+49 40 18067 14072

Sandra Sfinis
+49 40 18067 12189

Martina Ziffels
+49 40 18067 12189