
What is coming soon for companies and what to do now

In brief

The EU Whistleblower Directive has been in force since 16 December 2019, and was to be implemented in national law by 17 December 2021. On 27 July 2022, the German Federal Cabinet approved a government draft of the Whistleblower Protection Act (“HinSchG-E”), so that—with considerable delay—the further legislative process has been initiated.

Key points of the government draft

  • Companies with at least 50 employees are obliged to set up an internal reporting system.
  • Whistleblowers are to be comprehensively protected, in particular from reprisals. Any discrimination against a whistleblower in connection with the report is prohibited. The burden of proof lies with the companies.
  • The whistleblower can freely choose whether to report the suspicious case internally or externally.
  • Groups can implement a central group-wide internal reporting system at the group level.
  • Companies are free to decide whether anonymous reports can be submitted.

Which companies have to implement a reporting system?

The obligation to establish a whistleblower system applies to companies with at least 50 employees (Sec. 12 para. 2 HinSchG-E). Regardless of the number of employees, companies in certain industries, such as financial services providers, are already required to set up reporting channels under existing law (Sec. 12 para. 3 HinSchG-E).

Who can be a whistleblower or rather who is protected?

The scope of the HinSchG-E includes any person who has obtained information about infringements in connection with their professional activities (Section 1 para. 1 HinSchG-E). Primarily covered are employees of the company. Furthermore, companies can decide whether the reporting channels should also be accessible to third parties such as contractors or suppliers. The HinSchG-E also protects the confidentiality needs of the persons who are either the subject of a report or disclosure or who are affected by it (Sec. 1 para. 2 HinSchG-E). This applies to internal and external reports and to the disclosure of information to the public.

What kind of reports are protected?

The HinSchG-E is intended to cover reports of “significant infringements.” This includes criminal offences as well as administrative offences. However, the law only applies to administrative offences if the infringed regulation serves to protect life, limb, health or the rights of employees or their representative bodies (Sec. 2 para. 1 HinSchG-E). In addition to these general provisions, the draft lists further infringements that fall within the material scope of application, such as infringements of regulations on money laundering prevention, product safety and conformity, environmental protection and data protection. Public procurement and financial services are likewise relevant areas of law. Also included in the scope of protection are infringements of various European laws. The scope of application covers both European and German antitrust law. Excluded from the scope of protection are infringements of internal company policies and guidelines (provided there is no simultaneous infringement of criminal laws, etc.) as well as unethical behaviour. To what extent companies can provide the reporting channels for such infringements must be examined in detail, particularly from a data protection perspective. Furthermore, the scope of protection only applies if the misconduct relates to professional activities. Reports relating to misconduct in the private sphere are not protected. 

No priority for internal reporting channels

The government draft serves to protect whistleblowers. The primary protection is provided by the prohibition of reprisals (Sec. 36 para. 1 HinSchG-E). The term “reprisal” is defined broadly and ranges from termination to disciplinary measures, and also covers mobbing, discrimination or exclusion. The threat of reprisal and the attempt to carry out reprisals are already prohibited. If a whistleblower is pressured into a legal transaction, such as a termination agreement resulting from a reprisal, this agreement is void.

The draft law provides for a reversal of the burden of proof in favour of the whistleblower. It is thus presumed to be a case of reprisal if the whistleblower is disadvantaged in their professional activities after making the report. The company must then prove that there were sufficiently justified reasons for the discrimination or that such treatment has no connection to the report.

In the event of an infringement of the prohibition of reprisals, companies are obliged to pay damages to the whistleblower (Section 37 (1) HinSchG-E). Furthermore, reprisals can lead to a fine of up to EUR 100,000 (Sec. 40 para. 2 no. 3, para. 6 HinSchG-E).

Dealing with anonymous reporting

The government draft leaves it up to the companies as to whether or not they want to enable anonymous reporting. If companies decide to allow anonymous reports, depending on the available resources, they may process non-anonymous reports preferentially.

Should the identity of an initially anonymous whistleblower become known, the protective mechanisms described above will take effect.

What applies to corporate groups with a central reporting office?

In recent months, there have been numerous discussions on whether centralized reporting offices, for example at the group parent company, are sufficient or whether there must be independent local reporting offices. This was preceded by a statement from the EU Commission in favour of a local solution. The government draft positions itself in favour of the “group solution” and allows centrally organised whistleblower systems. However, the primary responsibility for remedying identified infringements remains with the local company. Reporting channels must also be made available in the locally predominant working language.

It remains to be seen, however, how the other member states will position themselves. In the worst case, there is a risk of a patchwork quilt with different requirements.

What awaits companies?

The protection of whistleblowers touches on several areas of law. This was also one of the reasons why the implementation of the Whistleblower Directive has been delayed so far. These difficulties do not only affect the legislator. In addition to the requirements of the Whistleblower Directive and of the local implementation laws, companies must also thoroughly examine whether they comply with data protection law requirements. In this respect, the government draft remains cautious and only states in Section 10 HinSchG-E, for example, that the reporting offices are authorized to process personal data insofar as this is necessary to fulfill the tasks assigned to them (Sections 13 and 24 HinSchG-E). In particular, questions of data protection law arise not only with regard to the legal basis for a mutual exchange of information in connection with reports and subsequent investigations and with regard to notifications to the persons affected. If the corporate headquarters and thus the investigative unit is located outside the EU, the international transfer of data will also raise questions. Furthermore, there are numerous other aspects of data protection law that must be taken into account. It also remains to be seen how the data protection authorities will position themselves. Furthermore, collective labour law aspects play an important role in Germany and other member states.

Due to the large number of new requirements under the Whistleblower Directive and the planned implementation law for Germany, it makes sense for companies to incorporate these requirements into an internal set of rules, in addition to setting up the corresponding reporting channels, in order to document the company’s compliance with the requirements of the applicable whistleblower protection laws.

In the course of this, the company should check whether the requirements are complied with in the individual whistleblower channels. Practical difficulties can arise, particularly with regard to confidentiality and data protection.

What should companies do now?

Currently, only 10 of 27 member states have implemented the Whistleblower Directive. After France passed the corresponding implementation law at the beginning of 2022, many international corporations looked towards Germany with a wait-and-see attitude. While there may be further changes in the legislative process, now seems to be the right time to initiate the necessary adjustments in the European corporate units.

It has proven to be a resource-efficient approach to first develop a common denominator based on a company’s core markets that takes into account the legal requirements of the core markets. This transnational standard can then be adapted for the smaller markets, provided the scope of application is open.



Nicolai is a partner in the Dispute Resolution group of Baker McKenzie, a member of the Global Investigations, Compliance and Ethics Steering Committee and co-heads the Investigations, Compliance and Ethics practice in Germany. Nicolai is a regular speaker and author on compliance, white collar crime, innovation and legal tech topics. He is the inventor of the automated risk assessment and risk monitoring platform Compliance Cockpit and the founder of Global Compliance News. Nicolai is the editor of the knowledge platforms Compliance Lexikon and Litigation Lexikon.


Katja Häferer joined the Munich office of Baker McKenzie in January 2009. She is a member of the Firm’s European and Global Labor Law practice groups. She advises domestic and multinational companies on employment law matters, including outsourcing and other transactions. Katja frequently speaks at in-house and external seminars, and conducts training on a wide range of employment matters. She also practiced in the Firm’s San Francisco and Palo Alto offices.


Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP), since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.
