Since December 17, 2023, authorities, cities, municipalities and companies with more than 50 employees have been obliged to introduce internal or external reporting points in accordance with the Whistleblower Protection Act. This law serves to protect whistleblowers who have become aware of violations of the law. You can report or disclose these violations to designated reporting agencies. The law serves to detect white-collar crime and general criminality in companies.
Whistleblower - protecting the company and its employees
The Whistleblower Protection Act (HinSchG) protects companies and employees. You shouldn’t lose sight of both.
Protection of the company
According to a study by the auditing firm KPMG, whistleblowers play an important role in uncovering grievances and criminal behavior in companies. Based on this study on white-collar crime in Germany in 2023, 52 percent of “white-collar criminal” acts were discovered through open tips from inside the company and 34 percent from outside the company. Around 25 percent of “white-collar criminal acts” were identified through the submission of anonymous tips.
Protection of employees
However, since, according to Section 2 (1) No. 1 HinSchG, any violation of a criminal law is a reason for reporting, employees are also subject to direct protective regulations such as sexual harassment, bullying, insults, untrue statements of fact, coercion, fraud or blackmail or negligent bodily harm in the area of crimes to be reported. Violations worthy of sanctions are acts or omissions (Section 3 (1) HinSchG).
Claiming the legal justification for the breach of secret
In certain cases (Section 6 I HinSchG), people may pass on or even disclose such information to an internal or external reporting office, which is protected as a trade secret within the meaning of Section 2 No. 1 of the Trade Secrets Act.
But information secured by a contractual obligation of confidentiality or by a legal regulation (§ 6 II HinSchG) may also be reported or disclosed in certain, legally regulated exceptional cases.
No responsibility for accessing or obtaining information
A person cannot be held responsible for accessing or obtaining information unless the obtaining or accessing itself does not constitute a criminal offense in itself.
In any case, this should be considered in every direction, as damage to property, theft, break-in or manipulation of a computer can in themselves be punishable.
The prohibition of reprisals
It is expressly prohibited to carry out reprisals against whistleblowers or even to threaten them (§ 36 I HinSchG). What is also important and worth mentioning in this case is the reversal of the burden of proof. This reversal of the burden of proof applies, for example, in accordance with Section 36 II HinSchG if a person claims professional disadvantage based on a tip-off. It is therefore sufficient for a person to prove that they are disadvantaged. Due to the reversal of the burden of proof, the company must prove that this disadvantage does not constitute retaliation.
Prohibition on reporting or disseminating inaccurate information
However, the ban on disclosing – making public – incorrect information about violations (Section 32 (2) HinSchG) as well as the obligation to pay damages following a false report (Section 38 HinSchG) should not go unmentioned.
Violations that justify reporting - economic crime, administrative offenses - danger to life, limb and health - maintaining confidentiality
Catalog of crimes
Crimes, for example against the protection of the environment, data protection or the protection of personal communication, but also money laundering or violations of antitrust law are part of the catalog of offenses that justify the use of the HinSchG (§ 2 I No. 1 – 10 HinSchG). Unfortunately, there is a lack of a general clause, so that it is the responsibility of the whistleblower to have checked the relevance of the criminal provisions.
No loss of confidentiality
In principle, whistleblowers are entitled to legal protection of confidentiality (Section 8 I HinSchG). This applies to the people who provided the information, the people named in the report and the other people named in the report.
If a tip is made that does not affect any relevant law despite the very extensive application catalog of Section 2 I HinSchG, the legally regulated confidentiality should still remain. According to Section 9 I 1 HinSchG, this only applies in the case of intentionally or grossly negligent false information. However, the prerequisite for maintaining confidentiality is that the informant “had sufficient reason to believe at the time of the report” that an application in accordance with Section 2 (1) HinSchG existed (Section 8 (1) No. 1 HinSchG).
The proposed procedure - the obligation to set up reporting points
There are various mandatory requirements for the procedure that must be observed by companies in order to ensure a legally compliant reporting system.
Criteria for a legally compliant reporting system
Possibility of written and/or oral reporting
Decision on the possibility of anonymous reports
No access for unauthorized persons to the reporting channels
Confirmation of receipt of the reports to the informing persons within seven days of receipt
of the report
Designate an impartial person or department to contact the whistleblower
Taking follow-up action, such as an internal investigation
Renewed feedback to the person who provided the information within three months of
confirmation of receipt of the report, including mention of possible measures taken
Deadlines, confidentiality, independence
The Whistleblower Protection Act provides for various important, legally defined procedural requirements, compliance with which can prevent whistleblowers from going public.
Deadlines
Within 7 days of receipt of a tip, this receipt must be confirmed to the informant (§ 17 (1) No. 1 HinSchG). Within 3 months of this receipt, the person providing the information will receive a report about planned or already taken follow-up measures (Section 17 (2) HinSchG).
Confidentiality
Unless the information is intentionally or grossly negligently incorrect (§ 9 I HinSchG), those who provide information enjoy confidentiality. This confidentiality does not apply in the event of a request from the public prosecutor’s office, a court order or for external reporting offices at the Federal Financial Supervisory Authority (Section 9 II HinSchG) and the Federal Cartel Office (Section 9 II No. 5 HinSchG).
Independence
The people working at an internal reporting office are independent (see Section 15 I 1 HinSchG), conflicts of interest should be avoided.
Disclosure of Information
Even with existing internal or external reporting offices, it may be justified for whistleblowers to make information publicly accessible and thus to disclose it within the meaning of (§ 3 (paragraph 5) HinSchG) (§ 32 I HinSchG).
Various reasons for disclosure
Both formal and substantive reasons can justify disclosure.
Missing a deadline as a reason for disclosure
This disclosure is particularly permissible if the deadline for feedback (7 days, Section 17 I No. 1 HinSchG) or for notification of follow-up measures (3 months, Section 17 II HinSchG) was not met (Section 32 I No. 2 HinSchG) .
The particular danger to public interests
However, disclosure is also justified if there is “sufficient reason to believe” that an “emergency, a risk of irreversible damage or comparable circumstances represents an immediate or obvious threat to public interests” (Section 32 I No. 2 a HinSchG). In addition to this imminent threat to public goods, the risk of reprisals in the event of an external report can also justify disclosure (Section 32 I No. 2 b HinSchG). But there is also the risk that “evidence could be suppressed or destroyed, there could be agreements between the responsible external reporting office and the perpetrator of the violation or, due to other special circumstances, the prospects are slim that the external reporting office will initiate effective follow-up measures in accordance with Section 29” ( § 32 I No. 2 c HinSchG) justifies disclosure.
The prohibition on disclosing inaccurate information
As already mentioned, disclosing incorrect information is prohibited (Section 32 (2) HinSchG), and it also leads to claims for damages (Section 38 HinSchG).
Sanctions if reporting points are missing or incorrectly set up
Since a violation of a criminal law also warrants a report, the legislature wants to ensure that internal and external reporting points are set up.
For example, if companies fail to meet these obligations despite having 50 or more employees (Section 12 (2) HinSchG), they face fines (Section 40 HinSchG).
Claims for damages from employees in the event of missing or ineffective internal reporting points
It may be questionable to what extent employees, customers or suppliers can assert claims for damages that go beyond the HinSchG due to missing or incorrect procedures.
Liable for damages due to omission
As with other behavioral obligations, violations of these lead to claims for damages. If, due to a lack of a reporting system, there is a lack of punishment for a first offense and further offenses or a continuation of offenses – for example against sexual self-determination – this omission is likely to be causal for the damage or extent of damage (cf. BGH, judgment of November 4th .2002 –
II ZR 224/00, BGHZ 152, 280; Resolution of February 18, 2008 – II ZR 62/07, GmbHR 2008, 488).“)
Criminal liability for failure to act
However, failure to have an effective and legally compliant internal reporting system can also result in criminal liability (cf. BGHSt, judgment of July 17, 2009 (Az 5 StR 394/08 RZ 25 ff)).
The question of the causal connection and of a corresponding intention will arise.
But the fundamental obligation to act according to the HinSchG to introduce a reporting system creates an obligation to take responsibility according to Section 13 StGB, the violation of which leads to criminal liability.
Conclusion - the importance of the whistleblower protection law also for crisis communication
The HinSchG is an urgently needed law, the implementation of which must be given top priority in companies‘ compliance departments.
It is not just a matter of “if” but also “how” of introducing the reporting office and the reporting system.
It is also important that the negative consequences of a missing or incorrect introduction are not limited to the HinSchG. Claims for damages or possibly even criminal liability cannot be ruled out.
Importance for crisis communication
The Whistleblower Protection Act is also important for crisis communication. The lessons learned from an incident while maintaining the confidentiality of the whistleblowers and the people involved can also be used in a company. Experienced communications consultants point this out.
