What is Germany's Whistleblower Protection Act?
The Whistleblower Protection Act is Germany’s implementation of the EU Whistleblowing Directive, which aims to establish standardised protection for whistleblowers across the EU for the first time.
The law regulates the protection of natural persons who have obtained information about violations in the course of their professional activities and pass it on to internal or external reporting bodies (whistleblowers). This includes employees, civil servants, self-employed persons, partners, interns, volunteers, employees of suppliers as well as persons whose employment relationship has already ended or has not yet begun and is in a pre-contractual stage.
The new whistleblowing law in Germany prohibits any reprisals or retaliation against whistleblowers.
EU member states had until 17 December 2021 to transpose the Directive into their national laws. Such a law is overdue and up until now whistleblowers have been provided with insufficient protection from reprisals or negative consequences. In Germany, there was a first push towards whistleblower protection in 2019 with the “Gesetz zum Schutz von Geschäftsgeheimnissen” or “Act on the Protection of Business Secrets”.
We are pleased that whistleblowers in Germany now finally have legal certainty when they report wrongdoing or criminal offences in the company, not just in the case of violations of EU law but also in the case of criminal offences such as corruption or tax evasion. This comprehensive protection is an important step towards more integrity in business”, stated Achim Weick, founder and CEO of EQS Group.
Whistleblower Protection Act: the timeline
End of 2020: The then Minister of Justice Christine Lambrecht (SPD) submits a first draft for coordination in the ministries.
April 2021: Minister Lambrecht’s draft bill is overturned by CDU/CSU and the grand coalition under CDU and SPD fails to reach an agreement for the national implementation of the Directive.
November 2021: In their coalition agreement, the three traffic light parties – SPD, Greens and FDP, agree to implement the EU Whistleblowing Directive “in a legally secure and practicable manner” while clearly positioning themselves as being in favour of whistleblower protection. They also intend to go beyond the minimum requirements of the European Union Directive 2019/1937 and extend the scope of application to national law. The coalition agreement is a concrete indication of the planned implementation period.
December 2021: The deadline for transposing the Directive passes on 17 December 2021 without a German law.
February 2022: The EU Commission initiates infringement proceedings against several EU countries, including Germany, for failing to transpose the Directive within the specified timeline.
April 2022: Justice Minister Dr. Marco Buschmann has a draft bill prepared by his ministry and it is sent to other ministries for review on 5 April. The content of the second draft is based on the first draft of former Minister of Justice Christine Lambrecht (SPD) from the end of 2020.
July 2022: The Federal Government passes a draft bill.
September 2022: The Bundesrat issues a statement on the proposed legislation and the Federal Government intends to submit its counterstatement at a later point. The bill is discussed in a first reading on 29 September 2022.
December 2022: On 16 December, the law was passed in the second and third reading in during the last session of the Bundestag. A bill amended by the Legal Affairs Committee was presented to MPs for discussion.
January 2023: Opposition brings draft law to a halt in the Bundesrat.
May 2023: Bundestag agrees on a compromised version of the draft law on May 11 and it is passed a day later.
June 2023: The law was announced in the Federal Law Gazette on 2 June.
July 2023: The law enters into force
What do companies need to know now in order to be prepared for the new whistleblowing law in Germany?
1) There will be two mandatory reporting channels: internal and external
- An internal reporting channel in the organisation, e.g. a digital whistleblowing system, staff from the compliance department or an ombudsman.
-
An external reporting channel will be established at the Federal Office of Justice. It will be responsible for the federation and federal states and will accept information from the private and public sectors. In special areas of responsibility, the Federal Financial Supervisory Authority and the Federal Cartel Office, with their already established whistleblowing systems, should function as external reporting channels with special responsibilities. In addition, the federal states can also establish their own reporting channels.
The hotlines may also process specially protected data according to the GDPR.
- Organisations with 250 or more employees must have implemented secure whistleblowing channels by 02 July 2023 while those with 50-249 employees have a transition period until December 2023.
- The whistleblowing procedure must be verbal or written and, if desired, in person
- Internal confirmation of the receipt of the report must be provided to the whistleblower within 7 days.
- Protected areas of application: EU law and national law if the offence is criminal or administrative in nature while endangering health or life.
- Within three months, the whistleblower must be informed about any action taken as a result of their report, e.g. the initiation of internal investigations or the forwarding of the report ot the competent authority.
- Companies must protect the identity of whistleblowers and comply with GDPR requirements
- Companies must provide information about the competent supervisory authority(ies).
2) Companies should develop incentives for the use of internal reporting channels
Whistleblowers are free to decide whether they want to make internal reports or submit information externally. However, the law stipulates that internal reporting channels should be used as a matter of priority.
Companies should therefore create incentives so that whistleblowers prefer to use internal reporting channels without hindering the submission of reports to external reporting bodies. For example, companies should provide clear and easily accessible information on the use of the internal reporting procedure.
In particular, external reporting bodies should also inform the whistleblower about the possibility of making an internal report.
If a whistleblower’s tips remain unacknowledged or if the person concerned sees sufficient reason for a “threat to the public interest”, they would then fall under the protection of the Act when going public (via the press, media or social media).
“Around 90% of all whistleblowers first try to address observed grievances internally before turning to the authorities, media or public – provided they find suitable channels and an open company culture”.
– FISCHER, EVA (2019): EU COMMISSION AND EUROPEAN PARLIAMENT CLASH OVER WHISTLEBLOWER PROTECTION
3) The scope of application should cover infringements of European AND national law
The law extends the material scope of application to violations of national law and thus goes beyond the minimum requirements of the EU Whistleblowing Directive. The prerequisite here is that the offences must be a criminal or administrative and endanger health/life.
The German legislator wants to avoid “value contradictions” with the extension, because in reality, the restriction of whistleblowing for violations of exclusively European law could cause uncertainty among whistleblowers. They could then refrain from reporting for fear that their report would not be covered by the law.
Whistleblowers could then draw attention to violations such as corruption or tax evasion. The Digital Markets Act of the European Union is now also to be included in the material scope of the law.
4) Processing anonymous tips is not obligatory
Originally, the law obliged reporting channels to process anonymous tips and to take precautions to enable anonymous communication with the whistleblower(s). Changing this was a key aspect of the compromise about the draft and companies do not have to design their reporting channels in such a way as to enable anonymous reporting. However, if such reports are received, they should still be processed according to the law.
5) Shared systems and outsourcing
For organisations with between 50 and 249 employees, the law provides for the sharing of whistleblowing systems. Similarly, companies/groups, regardless of their size, are allowed to use joint reporting channels. Here, the parent company can assume the role of the third party supervising the reporting system. Furthermore, it is possible to outsource the reporting channel to an institution outside the company such as an ombudsperson.
6) Reversal of the burden of proof in favour of the whistleblower and damages after reprisals
As required by the Directive, the law aims to prohibit possible reprisals against whistleblowers and to invoke the reversal of the burden of proof. The employer must therefore prove that there is no link whatsoever between an employee’s dismissal and whistleblowing.
7) Exceptions for classified information
The Whistleblower Protection Act does not cover information that is classified, and information that falls under the medical/lawyer’s duty of confidentiality or judicial secrecy.
However, an exception applies to the lowest level of secrecy “VS-Nur für den Dienstgebrauch” (classified information for official use only), as long as it concerns violations that are subject to punishment and are reported via an internal channel. This exception does not apply if a third party – pursuant to Section 14(1) – is entrusted with the internal reporting channel.
8) Sanctions and claims for damages
In case of non-compliance with the legal requirements, the law provides for sanctions against natural and legal persons.
Violations are to be punished as administrative offences under section § 30 OWiG with a fine. This includes, for example, obstructing reports or taking reprisals but also for knowingly disclosing incorrect information.
In the event of a violation of the prohibition of reprisals, the person providing the information must be compensated for the resulting damage. Persons who pass on false information – intentionally or through gross negligence – must pay for the resulting damage.
Anybody attempting to intimidate a whistleblower, prevent reporting or breach the confidentiality agreement can be subject to fines of up to €50,000.
What does whistleblower protection mean?
Whistleblower protection means that persons (whistleblowers) who uncover illegal wrongdoing by reporting it, and supporting society as a result, are shielded from reprisals by law. For example, the cashier in the supermarket who notices that the store manager is relabelling spoiled food and the accountant who discovers that the CEO is financing his private trips through the company account are probably asking themselves the same question: Should they report the wrongdoing and endanger their future as a result? This is because whistleblowers have not had it easy in the past. Not only do they have to fear for their job, but they often fail to find a new one.
Whistleblowers do not enjoy comprehensive protection, even though they often take great professional and private risks to inform society about abuses. The stigmatisation of the “informer” is still too widespread, even though it takes a lot of courage to disclose grievances.
This is exactly where the new law wants to have an impact:
Whistleblowers should be protected in the future from reprisals such as dismissal, warning, denial of promotion, change of assignment, damage to reputation, disciplinary measures, discrimination or bullying. In the event that whistleblowers suffer financial damages due to retaliation, they have the right to compensation.
What have been the biggest points of contention so far regarding the Whistleblower Protection Act?
In the first draft, the CDU/CSU disliked the SPD’s move to extend the law beyond the EU’s requirements to take German law into account and it accused its former coalition partner of imposing an additional burden on German companies during the pandemic. The CDU/CSU therefore demanded that the law be limited to the requirements of the EU Whistleblowing Directive.
The SPD countered that in this case whistleblowers could report data protection violations and would be protected. However, if a whistleblower disclosed extensive fraud – as in the Wirecard case – he or she would in no way be protected from reprisals under EU law. The same would apply to violations of German criminal offences such as corruption, tax evasion or bribery payments.
The CDU/CSU parliamentary group also expressed scepticism about the second draft and already announced that it was “anything but approvable”. For example, it lacked incentives for whistleblowers to first seek internal clarification of the facts.
Criticism of the Whistleblower Protection Act
Early drafts of the law were also met with criticism from other quarters.
NGO Transparency International Deutschland in particular saw a great need for improvement in some aspects, especially in terms of dealing with reports without clear names. This has now been amended as whistleblowing channels are also obliged to process anonymous reports.
Annegret Falter, chair of the Whistleblower Network, welcomed the measures as a great step forward but saw some gaps in protection for whistleblowers, especially in the area of classified information. According to the law, it only protects reports “if they relate to the lowest level of secrecy, concern criminal offences and are kept absolutely internal by the authorities”.
Our tips for companies
Along with the EU GDPR and the Lieferkettensorgfaltspflichtengesetz (Supply Chain Due Diligence Act), the Whistleblower Protection Act is another compliance regulation where there is a broad spectrum of impacted organisations.
1.) Do not wait too long to comply with the law
Companies should set up professional compliance structures immediately to encourage whistleblowers to report through internal channels. Practice shows that a whistleblowing system is particularly successful when it is embedded in a trustworthy and transparent corporate culture.
2.) Information and communication are the be-all and end-all
The better the channels are communicated and can be found on a company’s website or intranet, the more employees will be aware of them and access them when needed. All relevant information about the law must therefore be made available to employees.
In our White Paper “Whistleblower Protection for Businesses“, you can find many inspiring examples of successful communication of whistleblowing systems in companies and the public sector.
3.) Best Practice: Digital Whistleblowing System
The professional use of digital whistleblowing systems in companies and the public sector can prevent or solve many crimes and scandals at an early stage. It is telling that more and more organisations are introducing digital whistleblowing systems for internal and external reporting, a trend that is expected to continue due to the new legal landscape in Europe.
If a whistleblowing system is already in place within a compliance management system, companies should adapt it to the requirements of the Directive or relevant national law so that they comply and legal uncertainties can be avoided.
4.) Effective whistleblower protection is possible for SMEs without high costs
Cost-effective solutions for medium-sized and small companies are readily available. Often, a digital system will be bundled with an external ombudsperson, usually a lawyer from a neutral law firm.
Guide to the Introduction of Whistleblowing Systems
How to successfully implement a whistleblowing system in your organisation.