77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Compliance training: Obligations, evidence and repetition intervals according to Section 130 OWiG
Governance & Compliance

Compliance training: Obligations, evidence and repetition intervals according to Section 130 OWiG

1 June 202612 min readBy Dr. Henrik Bauer
CIVAC

Compliance training is not a marketing measure, but rather a supervisory obligation according to Section 130 OWiG. The article shows which content is mandatory, how often it has to be repeated and which evidence counts in the audit.

According to Section 130 OWiG, management is personally liable if supervisory measures are not taken and breaches of duty are thereby made possible. Documented compliance training is at the core of these supervisory obligations and is therefore not a voluntary cultural measure, but rather a component of release from liability. Fines according to § 30 OWiG can reach up to ten million euros for intentional offenses, plus profit skimming and reputational damage.

The article classifies compliance training according to the relevant legal sources: GDPR, HinSchG, GwG, LkSG, AGG, ArbSchG and sectoral regulations such as NIS2UmsuCG. You will find out which topics are mandatory, which intervals supervisory practice expects, which evidence is included in the audit and how training courses are linked to a verifiable compliance management system. The focus is on the question of what actually needs to be present on the day of the exam.

Key Takeaways

  • Compliance training is a specific supervisory obligation according to Section 130 OWiG, not a voluntary cultural measure.
  • Annual repetition is market standard; For GDPR, HinSchG and LkSG, the supervisory authority expects additional role-specific depths.
  • Compliance training only counts if the group of participants, content, date, test results and attendance are documented in an audit-proof manner.

Legal basis: Why compliance training is mandatory

The central norm is Section 130 OWiG. It obliges owners of companies to take the supervisory measures necessary to prevent violations of operational obligations. According to established supervisory and jurisprudence practice, training the workforce is a core component of these measures. Anyone who does not train runs the risk of committing an administrative offense on their own, regardless of the employee's subsequent offense.

In addition, there are special legal training requirements. Article 39 (1) (b) GDPR requires the data protection officer to raise awareness and train employees involved in processing operations. Section 6 of the GwG requires regular information in sectors relevant to money laundering. The HinSchG requires that internal reporting channels be made known. According to Section 6 Paragraph 4, the LkSG requires risk-related training for our own employees and, if necessary, for suppliers.

This results in a double standard for management. Firstly, there must be a training concept that regulates mandatory topics, target groups, frequency and evidence. Secondly, the implementation must be verifiable. The appointment certificate, signed, filed, verifiable. Without this line of documentation, arguments for exemption from liability in fine proceedings are ineffective. CIVAC interlinks these obligations in an external compliance assignment or in the workspace for internal representatives.

Mandatory topics: What must be covered in terms of content

The training program must be aligned with the company's risk profile. Generic sets of slides that are not related to the actual activity do not fulfil the supervisory obligation. The following topics are considered mandatory content in most medium-sized companies.

  • Data protection and information security: GDPR principles, reporting obligation according to Art. 33 GDPR with a 72-hour deadline, order processing according to Art. 28 GDPR, technical and organisational measures.
  • Anti-corruption: § 299 StGB, donations, invitations, Third parties, four-eye principle.
  • Antitrust law: Behaviour in associations, exchange of information with competitors, market agreements.
  • Money laundering prevention: §§ 10 ff. AMLA, risk analysis, due diligence, suspicious activity reports.
  • Whistleblower protection: Reporting channels according to HinSchG, protection against reprisals, Confidentiality.
  • Labour law and AGG: Prohibitions of discrimination, complaints office according to § 13 AGG.
  • Supply chain: Human rights and environmental risks according to LkSG, complaints procedure according to § 8 LkSG.

Sectoral additions are mandatory as soon as the company is under NIS-2, KritisDachG, MaRisk, MDR or comparable regulations falls. The role of the information security officer includes his own, technically focused training modules, which cannot be replaced by general compliance instruction.

Intervals: How often you need to train

There is no uniform legal frequency. However, supervisory practice and relevant industry standards provide clear guidelines that management should follow. Anyone who stays below this must be able to justify the deviation in the compliance management system.

TopicRecommended intervalSource/justification
Data protection generalannuallyArt. 39 GDPR, BfDI information
Data protection for key rolessemi-annuallyProcessing of special categories
Anti-corruption standardevery 24 monthsISO 37301 Annex A
Anti-corruption High-risk rolesannuallySales, purchasing, foreign business
Money launderingannually§ 6 GwG, BaFin interpretation notes
Whistleblower protectionannuallyHinSchG, Obligation to disclose
LkSGannually, event-related§ 6 para. 4 LkSG, BAFA-FAQ
Information Security Awarenessannually, plus phishing testsISO/IEC 27001:2022 A.6.3

Event-related training is added: after a data breach, an internal incident, a change in law or a significant reorganization. These ad hoc modules are not a replacement for the control frequency, but an additional requirement. The auditor calls, the evidence is ready.

Target groups: Who needs to be trained

All-inclusive training for the entire workforce is necessary, but not sufficient. The supervisory authority expects a differentiated analysis of the recipients. There are three levels.

First level: all employees. Basic instructions on data protection, IT security, reporting channels, protection against discrimination. Onboarding within the first 30 days, then annual refresher. Temporary employees, working students and interns also belong to this group.

Second level: risk groups. Sales, purchasing, human resources, finance, IT administration. In-depth modules are added here, for example on anti-corruption, antitrust law, sanctions and order processing. External service providers with access to personal data must also be involved in accordance with Art. 28 GDPR, at least contractually.

Third level: representatives and management personnel. Data protection officers, compliance officers, information security officers, money laundering officers, LkSG officers. They have their own training requirements, which are fulfilled through specialist conferences, certifications or structured self-study programs. The management is also an addressee: Section 4 Paragraph 3 LkSG expressly obliges them to deal with risk management.

CIVAC displays this addressee matrix in the workspace and automatically assigns duties, participant lists and evidence to the respective role. Licence the workspace for your internal representatives or have our representatives order it.

Formats: face-to-face, e-learning, hybrid

The format is legally freely selectable as long as its effectiveness can be proven. In practice, three pillars have been established, which are often combined.

E-learning covers the mandatory topics for large workforces in a scalable manner. The prerequisites are learning controls with a passing limit, repeat logic in the event of failure and an audit-proof learning management system. Pure click routes without tests are considered an indication of inadequate supervision.

In-person or live online training courses are indicated for risk groups and representatives. They allow case work, discussion and asking open-ended questions. Supervisory authorities regularly rate interactive formats for high-risk topics such as money laundering or antitrust law more highly than pure self-study.

Hybrid models combine e-learning basics with in-depth workshops. They are efficient and at the same time auditable if the handover points are clearly documented.

Regardless of the format, the same standard applies: comprehensible curriculum, dated group of participants, confirmed attendance, documented learning control, archived evidence. Others run compliance like a filing cabinet. We run it like software. Anyone who manages training in Outlook invitations and PowerPoint attachments will fail the exam because of the evidence, not the content.

Documentation: What counts in the audit

In the procedure according to Section 30 OWiG, in a GDPR audit or in an ISO/IEC 27001:2022 audit, what counts is not what has been trained, but what can be proven. Six documentation modules are mandatory.

  1. Curriculum: written training concept with mandatory topics, target groups, intervals, responsibilities.
  2. List of participants: by name, with function and date.
  3. Proof of content: Set of slides, e-learning module ID or script in the version of Training day.
  4. Learning control: Test results with a passing limit, repetitions if you fail.
  5. Confirmation: Signature, click-confirm or single sign-on confirmation with a time stamp.
  6. Retention: Retention period depending on the standard between three and ten years, audit-proof.

For external training, provider contracts come with Proof of qualifications of the lecturers and curriculum versions are added. An audit log is required for e-learning, which excludes subsequent manipulation. CIVAC complements this line with 490 ready-to-use audit templates and an audit-proof storage path in the EU data residence. Audit-proof, documented, § 130-proof.

Responsibilities: Who organises, who trains, who is responsible

The management has ultimate responsibility. It can operationally delegate, but not absolve. Section 130 OWiG requires careful selection, instruction and monitoring of the persons entrusted with supervision. Anyone who fills a role without resources has not fulfilled their duty.

As a rule, the training organisation lies with the compliance officer, in larger companies with the chief compliance officer. Subject areas are delegated to those responsible: data protection to the DSB, information security to the ISB, money laundering to the GwB, occupational safety to the SiFa. It is important to have a written distribution of tasks, ideally as an appointment certificate with a defined reporting line to the management.

External representatives are an effective option if capacity or qualifications are lacking internally. They meet the same legal requirements, but must be independent, have access to all relevant information and be able to report directly to management. CIVAC provides this function as an officer-as-a-service, including the appointment certificate, reporting line and training organisation.

It is important to clearly separate training organisation and training control. Those who train do not check the success of their own training. This separation of functions is one of the mandatory controls according to ISO/IEC 27001:2022 and is also good practice outside of certified environments.

Sanctions and reputational risks for failure to provide training

The financial risks are significant. Section 30 OWiG allows fines of up to ten million euros for intentional offenses and up to five million euros for negligent acts. For GDPR violations, fines according to Art. 83 GDPR can reach up to twenty million euros or four percent of global group sales. Under NIS-2, essential facilities are threatened with up to ten million euros or two percent of group sales, important facilities with up to seven million euros or 1.4 percent.

In addition, there is profit skimming according to Section 17 Paragraph 4 OWiG, civil law claims for damages, entry in the competition register and reputation-relevant publications by supervisory authorities. In procurement law and ESG reporting, a documented level of training is increasingly a suitability criterion. The deadline expires when we become aware of it.

The most common weak point in fine proceedings is not the lack of training, but the lack of proof. Companies that train but do not document are in the same position in the process as companies that have not trained. Structured training documentation is therefore the most important lever for turning a factually fulfilled obligation into a legally recognised release from liability. This is exactly where the CIVAC workspace comes in and turns training into a verifiable inventory.

Turn reading into an assignment

Compliance training is a supervisory obligation, not a cultural program. Those who organise them properly protect management from personal liability, the company from fines and the workforce from unclear expectations. Anyone who manages it as a mandatory foil will lose evidence in the audit.

CIVAC is a compliance platform and officer-as-a-service. In the workspace we interlink mandatory topics, target groups, intervals, audit templates, learning controls and evidence with the appointment certificate of the respective representative. For medium-sized companies that do not want to set up their own compliance department internally, our external representatives take on the function, including a reporting line to management and an EU data residence for all evidence. The 490 ready-to-use audit templates cover the most common training and audit situations and are continually adapted to changes in supervisory practice.

Turn reading into an assignment. If you would like to carry out your training obligations in accordance with Section 130 OWiG, GDPR, HinSchG, GwG and LkSG, write to info@civac.de or use the contact form on civac.de. We will answer within two working days whether a workspace setup or an external order is the right option.

FAQ

Is compliance training required by law?

Yes, indirectly via Section 130 OWiG and directly via numerous special laws. Art. 39 GDPR, Section 6 GwG, the HinSchG and Section 6 LkSG each require documented instructions. Management is personally liable if training obligations are not fulfilled or cannot be verifiably fulfilled.

How often does compliance training have to be repeated?

Market standard is an annual repetition for mandatory topics such as data protection, money laundering, whistleblower protection and LkSG. Shorter intervals are indicated for particularly high-risk functions or special categories of personal data. Anti-corruption training courses are often conducted on a 24-month cycle.

Is e-learning sufficient for supervision?

For general compulsory topics and large workforces, yes, as long as learning controls, repetition logic and audit-proof evidence are available. For risk groups and representatives, supervisory practice expects interactive formats with case work, for example in money laundering, antitrust law or high-risk countries.

Which documents do I need to have ready for the exam?

Training concept, dated participant lists, proof of content in the version of the training day, test results, confirmation of attendance and an audit-proof filing system. For external providers, contracts and proof of qualifications are also included. Depending on the standard, the retention period is between three and ten years.

Who is liable if employees violate the rules despite training?

The management is not liable if the selection, instruction and monitoring are documented. If there is insufficient training, Section 130 OWiG applies independently. The individual employee is also liable according to general rules, such as labour law or criminal law, depending on the violation.

Can external representatives take over the training organisation?

Yes. External data protection, compliance, IT security or money laundering officers meet the legal requirements, provided independence, reporting line to management and access to information are ensured. CIVAC provides this function with appointment certificate, reporting line and EU data residency.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles