Compliance & Governance · 20 May 2026 · 12 min read

Corporate Compliance: Legal Obligations, Organisational Structure and Operational Implementation

By Dr. Henrik Bauer

Corporate compliance is not optional for German organisations. § 130 OWiG imposes a personal supervisory duty on management. Those who build a documented compliance management system according to IDW PS 980 create verifiable evidence — and reduce the risk of fines and reputational damage.

Compliance, in the legal sense, encompasses all measures that ensure an organisation and its employees adhere to statutory requirements, regulatory obligations and internal rules. § 130(1) OWiG requires the management of an organisation to take the supervisory measures necessary to prevent violations of business-related obligations. Where this duty is breached and a business-related criminal offence or administrative violation results, fines of up to one million euros may be imposed against the organisation — irrespective of any criminal consequences for the individuals responsible.

This article describes the legal foundations of corporate compliance in Germany, identifies the compliance risks most relevant for SMEs, explains what a compliance management system must contain and how CIVAC enables the appointment of an external Compliance Officer within two working days.

Key Takeaways

  • § 130 OWiG establishes a personal supervisory duty for management; if an effective compliance system is absent and a violation occurs, the organisation is liable even without direct fault on the part of management.
  • IDW PS 980 defines seven core elements of a compliance management system, recognised as the minimum standard for effectiveness reviews by auditors and for internal self-assessment.
  • An external Compliance Officer can be formally appointed through CIVAC within two working days and immediately assumes operational responsibility, without the build-up time required for internal resources.

Legal Foundations: § 130 OWiG, § 30 OWiG and IDW PS 980

The legal obligation to establish a compliance organisation in Germany arises from several sources. § 130(1) OWiG codifies the supervisory duty of the owner of a business or enterprise: anyone who intentionally or negligently omits the supervisory measures that would have been necessary to prevent a violation of business-related obligations thereby commits an administrative offence themselves. The fine under § 130(3) OWiG amounts to up to one million euros. The provision applies not only to corporations but also to sole traders and partnerships.

§ 30 OWiG enables fines to be imposed on legal persons and associations where a senior representative has committed a criminal offence or an administrative offence in connection with business activities. For corporations, this means that a fine can be imposed on the company itself — in addition to the personal liability of the responsible individuals.

Beyond OWiG, sector-specific compliance obligations apply: the Supply Chain Due Diligence Act (LkSG) for organisations with 1,000 or more employees, the NIS2 implementation in Germany for operators of essential services, and the Whistleblower Protection Act (HinSchG) for organisations with 50 or more employees, which requires the establishment of an internal reporting channel.

Compliance Risks for SMEs: Which Areas Are Most Exposed

SMEs are exposed to compliance risks arising from their size, industry and organisational structure. A structured risk map is the starting point for a proportionate compliance programme. Not every organisation needs a full compliance department, but every organisation with 50 or more employees needs a documented risk assessment and a programme that addresses the material risks.

Five areas are particularly exposed: first, corruption prevention and competition law, where § 81 GWB penalises anti-competitive agreements with fines of up to 10% of group turnover; second, data protection, where the GDPR imposes fines of up to 4% of global annual turnover; third, occupational health and safety, where the Occupational Health and Safety Act (ArbSchG) and related regulations impose personal liability on management; fourth, environmental law, where the circular economy and environmental protection acts impose operational obligations; and fifth, the Supply Chain Due Diligence Act for larger organisations.

Compliance Management System: Structure according to IDW PS 980

IDW PS 980 describes a compliance management system as the totality of principles and measures introduced in an organisation aimed at ensuring rule-compliant conduct by its legal representatives and employees. The seven core elements specify what an effective CMS must achieve:

  1. Compliance culture: Tone from the top. Without credible commitment from management, any programme is ineffective. Culture is reflected not in mission statements, but in concrete decisions that prioritise compliance requirements over short-term operational convenience.
  2. Compliance objectives: Which laws, internal rules and ethical standards does the organisation commit to observe? Objectives must be specific, measurable and linked to the risk assessment.
  3. Compliance risks: A structured risk inventory that identifies and prioritises risks by likelihood and potential impact. The risk map forms the basis for the compliance programme.
  4. Compliance programme: Policies, training and reporting channels that address the identified risks. Each programme element must be documented and actively communicated.
  5. Compliance organisation: Clear responsibilities — who is the Compliance Officer, what authority do they have, what is their reporting line?
  6. Compliance communication: Regular communication of compliance requirements to all employees, and channels for raising concerns or reporting violations.
  7. Compliance monitoring and improvement: Regular review of the effectiveness of the CMS — are violations being detected, reported and remediated?

The Compliance Officer: Duties, Qualifications and Appointment Obligation

The Compliance Officer (CO) is the operational key figure in the compliance system. They monitor adherence to laws, policies and internal rules, identify risks, coordinate training and serve as the first point of contact for employees with compliance questions or reports of violations. They report to management regularly and at least quarterly, and escalate immediately in the event of concrete violations or structural risks. Every escalation step is documented with date, content and management response, and stored in a tamper-evident manner.

There is no statutory appointment obligation for a Compliance Officer in Germany in the same way as for a DPO under GDPR. However, the duty of supervision under § 130 OWiG requires effective organisational measures — and a documented Compliance Officer role is the most effective evidence of such measures. Organisations without a Compliance Officer bear the full burden of proving, in the event of a violation, that their supervisory measures were adequate despite the absence of this function.

Compliance Programme in Practice: Policies, Training and Whistleblowing System

The compliance programme is the operational core of the CMS. It comprises three main elements: policies, training and a whistleblowing system. Each element must not merely exist, but be demonstrably introduced, communicated and actively lived. A programme on paper is not a compliance element; a programme that is lived, documented, reviewed for effectiveness at least annually and adjusted where necessary meets the requirements of IDW PS 980.

Policies define expected conduct in specific risk areas: anti-corruption, competition law, data protection, information security, conflicts of interest and gifts. They must be written in plain language, accessible to all employees and updated whenever the legal or organisational situation changes. Every employee must confirm receipt and acknowledgement — this confirmation is the evidentiary foundation in the event of violations.

Training must be role-appropriate, documented and repeated at regular intervals. The Whistleblower Protection Act (HinSchG) requires organisations with 50 or more employees to establish an internal reporting channel that enables anonymous or confidential reporting of violations. The Compliance Officer administers this channel and ensures that every report is processed in accordance with the HinSchG procedure.

Compliance Monitoring: How Effectiveness Is Evidenced

A compliance management system that is not monitored is not an effective compliance organisation, but a document collection. Effectiveness monitoring is the seventh core element under IDW PS 980 and the decisive difference between a functioning CMS and a paper programme. Authorities and auditors do not examine the mere existence of documents, but the demonstrable effectiveness of measures in day-to-day business — in particular whether violations are being detected, reported and remediated.

Effectiveness monitoring operates on three levels. First, ongoing monitoring: are policies being followed? Are training completions being documented? Are reports being processed via the whistleblowing system? Second, periodic review: at least annual effectiveness assessment by the Compliance Officer with reporting to management. Third, external verification: regular audits by internal audit or external auditors who independently assess the design and operational effectiveness of the CMS.

Internal vs. External Compliance Officer: Decision Framework

The choice between an internal and an external Compliance Officer is a business decision that weighs cost, availability, expertise and independence. For many SMEs with between 50 and 500 employees, an external CO is the more economical solution as long as a dedicated compliance team is not required. The decision has a direct impact on the quality of the supervisory evidence under § 130 OWiG and on the credibility of the compliance function vis-à-vis authorities and business partners.

Criterion            | Internal CO                     | External CO
Independence         | Risk of role conflict           | Structurally independent
Expertise            | Organisation-specific           | Cross-sector regulatory
Availability         | Full-time, but often split role | Guaranteed by SLA
Cost                 | Salary + overheads              | Monthly flat fee
Speed of appointment | Recruitment: 4–12 weeks         | CIVAC: 2 working days

Corporate Compliance with CIVAC: Officer-as-a-Service

CIVAC is a compliance platform and Officer-as-a-Service for all 25 officer roles. For the Compliance Officer, this means: licence the workspace for your internal CO, or appoint an external Compliance Officer from the certified CIVAC partner network. The Compliance Officer uses the CIVAC platform for policy management, training delivery, risk documentation and whistleblowing channel administration — all in a single auditable workspace.

Compliance programmes managed in CIVAC are audit-ready by design: every policy version is archived with a timestamp, every training completion is documented with a certificate, every escalation is logged with date, content and response. The next audit finds structured evidence, not a search for documents.

The CIVAC SLA: contract, person, appointment document within two working days. info@civac.de.

Getting Started: Your Compliance Structure for SMEs

Corporate compliance starts with a risk inventory: what obligations apply to the organisation? Which risks are material? Is a whistleblowing system in place? Are policies documented and signed off by employees? Is there a Compliance Officer with a clear reporting line? These five questions identify the most significant gaps and prioritise the first measures.

Others manage compliance like a filing cabinet. CIVAC manages it like software: all policy versions, training records, risk documentation and escalation logs are maintained in a single platform workspace — documented, versioned, audit-ready. info@civac.de.

FAQ

Is a Compliance Officer legally mandatory in Germany?

There is no general statutory appointment obligation for a Compliance Officer. However, § 130 OWiG requires management to implement effective supervisory measures — and a documented Compliance Officer role is the most effective evidence of such measures. For specific obligations such as the Whistleblower Protection Act (HinSchG, for organisations with 50+ employees) or the Supply Chain Due Diligence Act (LkSG, for organisations with 1,000+ employees), specific compliance roles are mandatory.

What does a Compliance Officer do?

The Compliance Officer monitors adherence to laws, policies and internal rules, coordinates training, administers the whistleblowing system and reports to management at least quarterly. They escalate concrete violations immediately and document every escalation step in a tamper-evident manner.

What does an external Compliance Officer cost?

Market-standard flat-fee models for SMEs range from €300 to €1,500 per month, depending on the scope of services and the size of the organisation. CIVAC provides transparency on the scope of services before contract conclusion.

What must a compliance management system contain?

According to IDW PS 980, the seven core elements are: compliance culture, compliance objectives, compliance risk assessment, compliance programme (policies, training, whistleblowing system), compliance organisation, compliance communication and effectiveness monitoring.

Is a whistleblowing system mandatory?

Yes, for organisations with 50 or more employees under the Whistleblower Protection Act (HinSchG). The internal reporting channel must be established, its confidentiality guaranteed and every report processed in accordance with the statutory procedure.

How quickly can CIVAC appoint a Compliance Officer?

CIVAC delivers contract, person and appointment document within two working days — compared to the typical two to six weeks for external recruitment.
