Search for:

The impact of the law upon companies

In brief

The German Whistleblower Protection Act (GWPA) has now (finally) been passed on 12 May 2023, after several attempts, following final amendments proposed by the Mediation Committee on 9 May 2023, which have now been accepted by the Federal Parliament (Bundestag) and the Federal Council (Bundesrat). The long overdue law serves to implement the European Whistleblower Directive (Directive (EU) 2019/1937), which actually provided for an implementation deadline of December 2021. The law will now come into force in mid-June 2023. For companies with fewer than 250 employees, the law still provides for an implementation period until 17 December 2023. For companies with more than 249 employees, the law then applies immediately.


  1. In depth

In depth

Main changes made by the Mediation Committee

  • Internal and external reporting offices are not obliged to allow anonymous reports to be submitted, but are expected to process them.
  • Violations of the law will be subject to lower fines than originally envisaged.
  • The presumption of retaliation when whistleblowers experience disadvantage after filing a report requires that they allege a connection between the report and the subsequent disadvantage.
  • Whistleblowers are not entitled to appropriate monetary compensation for damages that are not pecuniary damages.

Latest developments in the legislative process

On 27 July 2022, the Federal Cabinet adopted a government draft of the GWPA. After several (partly) extensive recommendations for change by the Legal Affairs Committee (Rechtsausschuss), the Federal Parliament passed the law on 16 December 2022. However, the Federal Council did not approve the bill. Accordingly, the Federal Government called the Mediation Committee on 5 April 2023, which reached the agreement that was subsequently adopted by the Bundestag and Bundesrat.

Purpose of the German Whistleblowing Protection Act 

The GWPA implements the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019. It serves to improve and sustain the protection of whistleblowers. As whistleblowers make a significant contribution to the detection, prevention and prosecution of misconduct in companies, the GWPA intends to provide them with legal certainty and clarity.

Core elements of the German Whistleblower Protection Act

Companies with at least 50 employees are obliged to implement a whistleblowing system (Sec. 12 para. 2 GWPA). The GWPA contains several core elements that every company that falls under the scope of applicability of the GWPA must consider. We summarize these core elements below: 

Whistleblower protection 

Sec. 2 GWPA regulates which whistleblower reports are covered. In short, this includes all references to “significant violations”. Criminal offenses and administrative offenses are included, as well as other regulations specified in Sec. 2 GWPA – administrative offenses. However, the GWPA only applies to administrative offenses because the violated regulation serves to protect the life, limb, health or the rights of employees or their representatives (e.g., works council members). Violations of (only) internal company policies and requirements are excluded from the scope of protection. It is important, however, that the reported or disclosed violation occurred in the context of a professional, entrepreneurial or administrative activity (Sec. 3 para. 2 GWPA). Accordingly, the GWPA only applies to reports and disclosures that relate to the company or other entity with which the whistleblower was in contact as a result of his or her professional activities (Section 3 para. 3 – 5 GWPA).

The GWPA protects not only the person providing the information, but also all persons who are the subject of a report or disclosure, as well as persons who are affected by a report or disclosure (Sec. 1 para. 2 GWPA). In addition, the GWPA also protects persons who have confidentially assisted the whistleblower in making the report and persons who are associated with the whistleblower who have themselves suffered reprisals in a professional context (Sec. 34 para. 1 and para. 2 GWPA).

Whistleblower protection is the core element of the GWPA. Thus, it sets outs a prohibition against reprisals (Sec. 36 Abs. 1 GWPA). Even attempted or threatened reprisals are prohibited. A reprisal is any kind of disadvantage that occurs as a result of a report. The term “reprisal” covers not only dismissal and disciplinary measures, but also mobbing, discrimination, exclusion and unequal treatment. 

To protect whistleblowers, the law provides for a reversal of the burden of proof if they experience disadvantages following a report or disclosure in connection with their professional activities. In this case, the existence of a reprisal is presumed. According to the amendments of the Mediation Committee, this presumption only applies if whistleblowers claim they have suffered disadvantages as a result of their report or disclosure.

Confidentiality requirement

Another core element is the confidentiality requirement (Sec. 8 GWPA). The confidentiality the protected persons’ identities must be maintained at every stage of the proceedings. The whistleblower must be able to rely on the protection of confidentiality so that they will not suffer any disadvantages as a result of the report. Sec. 8 GWPA intends to prevent the other protected persons from being exposed to false suspicions, being defamed or being influenced in their role as witnesses. The confidentiality requirement covers not only the identities of the persons named in a report, but also all other information from which these persons’ identities can be inferred.

Modalities of the whistleblowing system

Legislation has largely left the design of whistleblowing systems to companies’ discretion. The GWPA merely stipulates that reports must be made in writing, orally or, at the whistleblower’s request, in person within a reasonable period of time (with consent also possible virtually) (Sec. 16 para. 3 GWPA). Therefore, according to the legislator, the online platforms or e-mail addresses that are widely used in practice, are sufficient for written reports. Oral reports must be made by telephone or other voice transmission.

There is no obligation to allow anonymous reports, but anonymous reports should be processed. The handling of anonymous reports was probably the most controversial point of the government draft, on which only the Mediation Committee was able to agree.

If a company receives a report via its whistleblowing system, it must confirm receipt of the report to the whistleblower within seven days (Sec. 17 para. 1 No. 1 GWPA). After a further three months, the company must provide the whistleblower with feedback on the actions planned and already taken (Sec. 17 para. 2 GWPA).

Consequences of violations 

For violations of the GWPA, companies face a fine of up to EUR 50.000. The government draft originally proposed a fine of up to EUR 100.000, which was reduced at the suggestion of the Mediation Committee.

What companies should do now

Currently, 20 of the 27 Member States have implemented the Whistleblower Directive. After France passed its implementing law in early 2022, many international companies took a wait-and-see approach in Germany. Now that the GWPA is (finally) available, the time has come to make the necessary adjustments in the European corporate units. 

However, companies do not have to implement 27 different whistleblowing systems. According to the GWPA, it is sufficient to establish one group-wide whistleblowing system. It has proven to be a resource-efficient approach to first develop a common denominator based on a company’s core markets, considering the legal requirements of the core markets. This transnational standard can then be adapted for the smaller markets, provided that the scope of application is open.

What is at stake for companies?

As with any modern compliance law, violations of the EU Whistleblower Directive and its implementing legislation can result in fines (of up to EUR 50.000), particularly if a company fails to protect a whistleblower’s confidentiality or violates the prohibition on retaliation. Unlike other laws, the fines are monetary amounts and are not calculated as a percentage of the company’s turnover. However, because there is no central authority to oversee implementation across the EU, companies from up to 27 Member States can be subject to enforcement.

Click here to access the german version.


Nicolai is a partner in the Dispute Resolution group of Baker McKenzie, a member of the Global Investigations, Compliance and Ethics Steering Committee and co-heads the Investigations, Compliance and Ethics practice in Germany. Nicolai is a regular speaker and author on compliance, white collar crime, innovation and legal tech topics. He is the inventor of the automated risk assessment and risk monitoring platform Compliance Cockpit and the founder of Global Compliance News. Nicolai is the editor of the knowledge platforms Compliance Lexikon and Litigation Lexikon.


Christian Koops joined the Munich office of Baker McKenzie in 2015. He is a member of the Firm’s European and Global Labor Law practice groups. Christian advises domestic and multinational companies on employment law matters, including outsourcing and other transactions. He frequently speaks at in-house and external seminars, and conducts training on a wide range of employment matters. He also practiced in the Firm’s Berlin office.


Dr. Robin Haas is a Counsel in Baker McKenzie's Munich office. Robin has more than seven years of professional experience as a lawyer (Rechtsanwalt) and inhouse counsel (Syndicus). He is a member of our Compliance and Investigation Group and one of our Munich innovation ambassadors. Robin joined the Firm in 2015 after studying law in Mannheim (Dr. jur.), Swansea (University of Wales, Erasmus) and New York (Columbia University, LLM). Robin went inhouse for a year in 2021 and joined a DAX 40 company as a compliance manager (Syndicus) responsible for the whistleblowing system and internal investigations. He rejoined Baker McKenzie in October 2022. He has previously worked in our offices in Frankfurt, Zurich and New York.


Pia Marie König is an associate in Baker McKenzie's Dusseldorf office. She is a member of the antitrust practice and advises in the field of white-collar crime. Prior to joining the Firm in 2022, Pia was a member of the litigation practice of an international law firm in Düsseldorf and advised in white-collar crime and compliance related matters.


Katja Häferer joined the Munich office of Baker McKenzie in January 2009. She is a member of the Firm’s European and Global Labor Law practice groups. She advises domestic and multinational companies on employment law matters, including outsourcing and other transactions. Katja frequently speaks at in-house and external seminars, and conducts training on a wide range of employment matters. She also practiced in the Firm’s San Francisco and Palo Alto offices.


Dr. Anika Schürmann is a Partner in Baker McKenzie’s Dusseldorf office. She is a bar-certified professional in criminal law (Fachanwältin für Strafrecht) and has extensive experience in advising in all antitrust and white collar crime related matters. She is admitted to the Dusseldorf bar and is a member of the German White Collar Crime Association, the Criminal Law Section of the German Bar Association, the Criminal Law Commission of the German Women Lawyers Association, the Association of Female Lawyers in White Collar Crime and Criminal Tax Law as well as the German Association of Antitrust Lawyers. Prior to joining Baker McKenzie in 2013, Anika was a member of Freshfields Bruckhaus Deringer’s antitrust team (2007-2011), and practiced at Wessing & Partner, a Dusseldorf law firm that specializes in white collar crime law (2012-2013). Anika's antitrust and criminal law expertise has repeatedly been recognized by The Legal 500, the renowned German business magazine Handelsblatt has ranked her as one of Germany's Best Antitrust Lawyers since 2020 while the renowned German business magazine Wirtschaftswoche ranks her as one of Germany's Best Compliance Lawyers.


Marleen Kristin Ellinger is an associate in the Baker McKenzie office in Munich. She joined Baker McKenzie’s Dispute Resolution Practice Group in 2021 and focuses on internal investigations, compliance and ethics as well as commercial litigation. During her legal clerkship, Marleen worked at the Permanent Mission to the United Nations in Geneva and renowned international law firms in Dusseldorf.

Write A Comment