Whistleblower Protection · 24 May 2026 · 12 min read

HinSchG: What the German Whistleblower Protection Act Requires from Organisations

By Dr. Henrik Bauer

The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Organisations with 50 or more employees are required to establish a confidential reporting channel and operate an internal reporting office. Read here what this means in detail.

The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) entered into force on 2 July 2023 and transposes EU Directive 2019/1937 on the protection of persons who report breaches of Union law into German law. For organisations with 50 or more employees, there is an obligation to establish a confidential reporting channel and an internal reporting office; businesses with 250 or more employees had to fulfil this obligation from 2 July 2023, and businesses with between 50 and 249 employees from 17 December 2023.

The Act protects whistleblowers against retaliation, requires organisations to comply with structured processing deadlines, and provides for fines of up to €20,000 for violations. This article explains which organisations are affected, what a legally compliant internal reporting office must deliver, how processing deadlines are to be met, and what liability risks arise from non-compliance.

Key Takeaways

  • HinSchG requires organisations with 50 or more employees to establish a confidential internal reporting office under §§ 12 ff. HinSchG.
  • Incoming reports must be acknowledged within seven days under § 17 HinSchG and responded to with feedback within three months.
  • Retaliation against whistleblowers is prohibited under § 36 HinSchG and can lead to compensation claims and fines of up to €50,000.

Scope: Which Organisations Are Subject to HinSchG

Under § 12 para. 2 HinSchG, the Whistleblower Protection Act covers all companies and other employers that regularly employ at least 50 employees. The relevant count is the average number of employees in the preceding calendar year; temporary workers count towards the borrowing employer if the agency employment relationship is expected to last longer than six months.

In addition to the threshold rule, § 12 para. 3 HinSchG contains sector-specific exceptions: companies in the financial services sector that already maintain a reporting office under § 43b WpHG or § 25a KWG, and public bodies required to establish a complaints office under the Civil Service Status Act or comparable state regulations, may under certain conditions operate a joint reporting office with other companies within the same group.

For corporate groups with parent and subsidiary companies: the parent company may under § 14 HinSchG operate a central internal reporting office for subsidiaries with 50 to 249 employees. Subsidiaries with 250 or more employees, however, must establish their own reporting office.

The material scope of HinSchG covers reports of breaches of EU law and national law in the areas listed in Annexes 1 and 2 of HinSchG, including tax law, financial market law, environmental law, food law, product safety, and data protection (GDPR). Breaches that relate exclusively to internal labour law generally fall outside the scope of the Act, but may be difficult to distinguish in practice.

More on roles and responsibilities can be found on the CIVAC page on the Internal Reporting Office.

Requirements for the Internal Reporting Office under §§ 12–17 HinSchG

A legally compliant internal reporting office under HinSchG must satisfy several structural requirements derived from §§ 12 to 17 HinSchG.

Confidentiality: The identity of the whistleblower and all persons named in the report may only be accessible to the persons responsible for receiving and processing the report (§ 8 HinSchG). Disclosure to other parties is only permissible under narrow statutory conditions.

Multi-channel access: § 16 para. 1 HinSchG requires that reports be possible both in writing and orally; at the whistleblower's request also in a personal meeting. A purely written channel is therefore insufficient.

Anonymous reports: Anonymous submissions do not necessarily have to be processed, but § 16 para. 1 sentence 5 HinSchG recommends establishing appropriate systems. In practice, organisations that systematically ignore anonymous reports must explain to the authority in an inspection why they did not follow up on those reports.

Independence of the responsible person: The person or body entrusted with the task must be independent in the exercise of their activities and must not be subject to conflicts of interest (§ 15 HinSchG). Combining the role with functions that may themselves regularly be the subject of reports (e.g. HR, Legal) must be assessed critically.

Documentation: § 11 HinSchG requires appropriate documentation of every report. The retention period is three years after conclusion of the proceedings under § 11 para. 5 HinSchG.

Processing Deadlines: The 7-Day and 3-Month Rule

§ 17 HinSchG sets binding processing deadlines that apply to all organisations required to establish an internal reporting office.

Following receipt of a report, the whistleblower must be acknowledged within seven days. This acknowledgement obligation applies regardless of whether the report falls within the material scope of HinSchG and regardless of the identity of the whistleblower. For anonymous reports, acknowledgement may be dispensed with if no return channel is available.

Within three months of the acknowledgement, the reporting office must provide the whistleblower with feedback. This feedback must give information about planned or already taken follow-up measures (§ 17 para. 2 HinSchG). In concrete terms: either an internal investigation has been initiated, or a referral to a competent authority has taken place, or it has been established that no breach within the meaning of the Act exists.

The three-month deadline is the statutory maximum, not a minimum. If the organisation can conclude the proceedings more quickly, earlier feedback is preferable. In complex cases with authority involvement, the deadline cannot be unilaterally extended by the organisation.

In practice, the question of when the deadline begins is relevant: for written reports, the deadline runs from the date of receipt; for oral reports, from the creation of the meeting record under § 16 para. 3 HinSchG. The record must be presented to the whistleblower for approval.

Deadlines run from the point of knowledge. Systems that do not automatically record and track incoming reports structurally violate § 17 HinSchG.

Prohibition on Retaliation and Reversal of the Burden of Proof under § 36 HinSchG

The prohibition on retaliation against whistleblowers is the heart of HinSchG. § 36 para. 1 HinSchG prohibits any disadvantage in connection with a report, including dismissal, formal warning, transfer, pay reduction, denial of promotion, negative performance assessment, and indirect disadvantages such as threats of retaliation or social exclusion in the workplace.

Particularly relevant for organisations is the reversal of the burden of proof under § 36 para. 2 HinSchG: if the whistleblower suffers a disadvantage after making a report, it is presumed that this disadvantage constitutes retaliation. The organisation must prove that the disadvantage occurred for other reasons. This reversal of the burden of proof distinguishes HinSchG considerably from general employment law principles.

In the event of a breach of the prohibition on retaliation, the affected person has a compensation claim under § 37 HinSchG, which includes non-material damages. In addition, the competent authority may impose a fine under § 40 HinSchG of up to €50,000.

In practice this means: every personnel decision that is temporally connected to a report and affects the whistleblower must be carefully documented and based on objective grounds. The documentation must be in place before the decision and may not be created retrospectively. The officer responsible for the Internal Reporting Office should be involved in such decision-making processes to preserve the independence of the office.

Penalties and Fine Framework under § 40 HinSchG

§ 40 HinSchG provides a graduated fine framework that weights different violations differently.

The most serious category concerns actively preventing a report or carrying out retaliation: under § 40 para. 2 HinSchG, fines of up to €1,000,000 for legal persons and up to €50,000 for natural persons may be imposed. Negligent conduct is subject to fines in the same way as intentional conduct.

Failure to establish a reporting channel or operating a channel that does not meet the statutory requirements is penalised under § 40 para. 2 no. 2 HinSchG with up to €20,000. This fine threshold also applies to non-compliance with the processing deadlines under § 17 HinSchG.

Breach of the confidentiality obligation under § 8 HinSchG is also subject to fines. The competent supervisory authority is in most federal states the State Data Protection Authority or a specially designated authority; in some states the Federal Office of Justice (BfJ) is responsible for federal-level bodies.

Important: the fine provisions of HinSchG do not exclude criminal prosecution under general criminal law provisions. Anyone who actively suppresses a report and thereby conceals a criminal offence within the organisation may be criminally liable under §§ 258, 258a StGB (obstruction of justice). This criminal liability risk primarily affects compliance officers and managing directors who were aware of a report.

Organisations that do not yet operate a compliant reporting office should move quickly to establish one. The competent supervisory authorities began conducting active inspections in 2024.

Internal vs. External Reporting Office: What the Law Provides

HinSchG distinguishes between internal reporting offices (§§ 12 ff. HinSchG) established by the organisation itself, and external reporting offices (§§ 19 ff. HinSchG) at public authorities. The Act explicitly prioritises internal reporting: § 7 HinSchG states that internal reporting offices are to be promoted so that breaches can be remedied within the organisation.

Whistleblowers do, however, have the right to report directly to an external reporting office without first reporting internally. The central federal authority is the Federal Office of Justice (BfJ) under § 19 HinSchG; state-level offices may be established. Sector-specific external reporting offices also exist at BaFin (financial markets), the Federal Cartel Office, and the ECB.

For organisations, the competition between internal and external reporting offices means: a well-designed and credibly independent internal reporting office increases the likelihood that reports are first received internally and can be processed internally. Whistleblowers who have no trust in the internal reporting office will report directly externally or go public.

Under § 14 HinSchG, it is also permissible to operate a joint reporting office with other companies in the same corporate group. Companies with between 50 and 249 employees may also join an external ombudsman service, provided it meets the statutory requirements for confidentiality, independence, and processing deadlines.

The CIVAC workspace fully maps the statutory requirements for an internal reporting office: encrypted submission channels, automatic deadline monitoring, documentation module, and an audit-proof archive. Audit-ready, documented, compliant with § 17 HinSchG.

Officer of the Internal Reporting Office: Qualification and Independence

§ 15 HinSchG requires that the person entrusted with the task of the Internal Reporting Office possesses the technical expertise necessary to carry out their duties and is independent in the exercise of their activities. The Act does not specify concrete qualification requirements, but practice and the supervisory authorities have developed the following requirements.

Technical expertise in the context of HinSchG means: knowledge of the scope of the Act and of the relevant EU Directive 2019/1937; knowledge of the substantive law areas relevant to processing (tax law, financial market law, data protection, environmental law, etc.); knowledge of employment law and the reversal of the burden of proof under § 36 HinSchG; and practical experience in handling confidential information.

Independence means: the person entrusted must have no conflicts of interest and must not receive instructions regarding the substantive outcome of their review. Combining the role with that of Head of HR, Head of Legal, or CFO must be assessed critically, as these functions may themselves regularly be the subject of reports.

Many organisations resolve the independence problem by commissioning an external third party: a lawyer, a certified compliance expert, or a provider such as CIVAC that fully takes on the role of officer responsible for the Internal Reporting Office. The external solution has a further advantage: employees trust a clearly independent external office more than an internal function that reports to management.

Instrument of appointment, signed, filed, evidenced — this standard also applies to the officer of the Internal Reporting Office. The appointment must be made in writing and must clearly define the scope of the mandate, freedom from instruction, and the reporting path to management.

Relationship to GDPR, Employment Law, and Criminal Law

HinSchG does not stand alone but interacts with several other legal areas that must be taken into account in practical implementation.

GDPR: The processing of personal data in connection with a report constitutes processing within the meaning of Art. 4 no. 2 GDPR. The legal basis arises from Art. 6 para. 1 lit. c GDPR (legal obligation) in conjunction with HinSchG. The Data Protection Officer should be involved in the design of the reporting system, in particular regarding data minimisation, deletion periods (§ 11 para. 5 HinSchG: three years after conclusion), and access rights. A data protection impact assessment (DPIA) under Art. 35 GDPR may be required depending on the system.

Employment Law: The establishment of an internal reporting office may trigger co-determination rights of the works council. § 87 para. 1 no. 1 BetrVG (workplace order and employee conduct) and no. 6 BetrVG (introduction of technical monitoring systems) may be applicable. A works agreement is regularly advisable in co-determined organisations.

Criminal Law: § 5 HinSchG contains no obligation to file a criminal complaint, but does contain an obligation to take appropriate follow-up measures. If the internal investigation reveals indications of a criminal offence, the organisation must decide whether to file a criminal complaint under § 158 StPO. Deliberately suppressing this knowledge may be criminally liable under §§ 258, 258a StGB.

For compliance practice, close coordination is recommended between the officer of the Internal Reporting Office, the Data Protection Officer, and the Compliance Officer, to ensure consistent processes and avoid duplication.

Establishing a HinSchG-Compliant Reporting Office: A Structured Start

Organisations that do not yet operate a compliant internal reporting office should approach the build-up in five steps. First: assess the scope (employee count, group structure, sector-specific exceptions). Second: choose the organisational form (internal, external, joint) and identify a suitable person or body with demonstrable technical expertise and structural independence.

Third: establish technical reporting channels that enable written and oral reports, and personal meetings on request. Fourth: implement a deadline management system that automatically monitors the seven-day acknowledgement and the three-month feedback obligations. Fifth: ensure documentation — every report must be documented under § 11 HinSchG and retained for three years.
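The § 17 deadlines described above and the deadline management system called for in step four can be made concrete in a small register. The following is an added example written for this article, not code from CIVAC or from the article itself. It encodes the rules the text states: the clock starts on the receipt date for written reports and on the creation of the meeting record for oral reports; acknowledgement is due within seven days; feedback is due three months after the acknowledgement; and acknowledgement may be dispensed with where no return channel exists. Three things are assumptions of the example rather than statements of the text: "three months" is counted in calendar months (clamped to the end of a shorter month), a report not yet acknowledged is planned from the latest permissible acknowledgement date so the feedback obligation is never silently dropped, and a report with no return channel has no tracked feedback date because there is no addressee. The sample register is constructed.

```python
"""Deadline register for HinSchG § 17 (7-day acknowledgement, 3-month feedback).
Added example; see the assumptions marked in the comments."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

ACK_DAYS = 7          # § 17 para. 1: acknowledge receipt within seven days
FEEDBACK_MONTHS = 3   # § 17 para. 2: feedback within three months of the acknowledgement


class Channel(Enum):
    WRITTEN = "written"
    ORAL = "oral"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of a shorter month.
    Assumption: 'three months' is counted in calendar months, not as 90 days."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Report:
    report_id: str
    channel: Channel
    received: date                          # date the report arrived
    record_created: Optional[date] = None   # meeting record date for oral reports (§ 16 para. 3)
    has_return_channel: bool = True         # False: anonymous report with no way to reply
    acknowledged_on: Optional[date] = None
    feedback_on: Optional[date] = None

    def clock_start(self) -> date:
        """Written reports: receipt date. Oral reports: day the meeting record was created."""
        if self.channel is Channel.ORAL:
            if self.record_created is None:
                raise ValueError(f"{self.report_id}: oral report without a meeting record")
            return self.record_created
        return self.received

    def ack_due(self) -> Optional[date]:
        # Acknowledgement may be dispensed with when no return channel is available.
        if not self.has_return_channel:
            return None
        return self.clock_start() + timedelta(days=ACK_DAYS)

    def feedback_due(self) -> Optional[date]:
        # Assumption: no addressee for feedback without a return channel.
        if not self.has_return_channel:
            return None
        # Three months after the actual acknowledgement; if none has been sent yet,
        # plan from the latest permissible acknowledgement date (assumption).
        anchor = self.acknowledged_on or (self.clock_start() + timedelta(days=ACK_DAYS))
        return add_months(anchor, FEEDBACK_MONTHS)

    def breaches(self, today: date) -> list[str]:
        """Obligations overdue as of `today`, or met late; empty list means on track."""
        found: list[str] = []
        ack_due = self.ack_due()
        if ack_due is not None:
            if self.acknowledged_on is None and today > ack_due:
                found.append(f"acknowledgement overdue since {ack_due}")
            elif self.acknowledged_on is not None and self.acknowledged_on > ack_due:
                found.append(f"acknowledgement sent late on {self.acknowledged_on}")
        fb_due = self.feedback_due()
        if fb_due is not None:
            if self.feedback_on is None and today > fb_due:
                found.append(f"feedback overdue since {fb_due}")
            elif self.feedback_on is not None and self.feedback_on > fb_due:
                found.append(f"feedback sent late on {self.feedback_on}")
        return found


def triage(reports: list[Report], today: date) -> dict[str, list[str]]:
    """Report id -> list of breached obligations, for the daily deadline check."""
    return {r.report_id: r.breaches(today) for r in reports}


# Constructed sample register (not real cases).
SAMPLE = [
    Report("R-1", Channel.WRITTEN, date(2024, 1, 31), acknowledged_on=date(2024, 2, 5)),
    Report("R-2", Channel.ORAL, date(2024, 3, 8), record_created=date(2024, 3, 10)),
    Report("R-3", Channel.WRITTEN, date(2024, 11, 30), has_return_channel=False),
]

if __name__ == "__main__":
    for rid, issues in triage(SAMPLE, date(2024, 6, 1)).items():
        print(rid, issues or "on track")
```

Run daily, `triage` is the automatic monitoring the text asks for: R-1 was acknowledged on time but its feedback fell due on 5 May 2024, and R-2 shows why the oral-report rule matters, since its seven days run from the record date (10 March), not from the day the conversation took place.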

CIVAC offers both models: licence the workspace for your internal officers or commission our officers. The CIVAC workspace covers all five steps as an integrated platform function: encrypted submission channels (written, audio, in-person), automatic deadline monitoring in the task dashboard, documentation module under § 11 HinSchG, and an audit-proof archive with defined access rights. CIVAC SLA: contract, officer, appointment document within two working days.

Others manage compliance like a filing cabinet. We manage it like software.

Turn reading into action. Write to us at info@civac.de or use the contact form on civac.de.

FAQ

From how many employees does HinSchG apply?

HinSchG requires organisations with 50 or more employees to establish an internal reporting office. Businesses with 250 or more employees had to fulfil this obligation from 2 July 2023; businesses with between 50 and 249 employees from 17 December 2023.

Must anonymous reports be processed?

HinSchG does not require the processing of anonymous reports but recommends enabling them. In practice, anonymously received reports should at least be subject to an initial review, since blanket disregard of anonymous reports requires explanation in fine proceedings.

What deadlines apply under HinSchG for processing a report?

Under § 17 HinSchG, receipt must be acknowledged within seven days. Within three months of the acknowledgement, feedback must be provided on planned or taken follow-up measures. These deadlines are mandatory and cannot be extended by internal rules.

Can the internal reporting office be outsourced to an external service provider?

Yes. § 14 HinSchG expressly permits the commissioning of third parties, provided they meet the requirements for confidentiality, technical expertise, and independence. Many organisations choose external solutions because they resolve the independence problem and increase employee trust in the office.

What happens if an organisation fails to establish a reporting office?

Failure to establish a reporting channel is a regulatory offence under § 40 para. 2 no. 2 HinSchG with a fine of up to €20,000. Active suppression of reports or retaliation against whistleblowers can be fined up to €1,000,000.

Must works councils be involved in establishing the reporting office?

In co-determined organisations, § 87 para. 1 nos. 1 and 6 BetrVG may trigger co-determination rights of the works council, in particular if the reporting system contains technical monitoring functions. A works agreement is regularly advisable in these cases and should be concluded before the system is introduced.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
