HinSchG Current Status: Obligations, Deadlines, and Implementation 2024

The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) entered into force on 2 July 2023 and transposes the EU Whistleblowing Directive (EU 2019/1937) into German law. It requires organisations with 50 or more employees to establish an internal reporting office that protects whistleblowers reporting legal violations. The obligation applies regardless of sector, legal form, or stock exchange listing — the sole criterion is employee count.

Since the Act entered into force, organisations have been asking two central questions: who exactly is affected, and what must a compliant reporting office deliver? This article answers both questions on the basis of the current legal position, explains the fine risks arising from non-compliance, and describes the organisational options for implementation.

HinSchG distinguishes by company size and provides for different implementation deadlines. Companies with 250 or more employees have been required to establish an internal reporting office since 2 July 2023. For companies with 50 to 249 employees, an extended transitional period applied until 17 December 2023.

The scope of application is broad: it covers corporations (GmbH, AG, KGaA), partnerships, cooperatives, associations, and public bodies, provided they reach the employee count threshold. Groups must also assess requirements at the level of the individual company; a group-wide solution is possible if it individually meets the statutory requirements for each affected company (§ 14 HinSchG).

Companies with 50 to 249 employees may under § 14 para. 2 HinSchG establish a joint internal reporting office — a model relevant for corporate groups or trade associations. This joint reporting office must, however, meet all statutory requirements and may not create unreasonable access barriers for whistleblowers. External reporting office officers via CIVAC can take on this function for several companies simultaneously.

The internal reporting office must be accessible for breaches in certain areas of law. § 2 HinSchG defines the material scope exhaustively. Covered areas include: breaches of EU law in the areas of financial services, anti-money laundering, product safety, environmental protection, food and feed safety, public health, radiation protection, nuclear safety, data protection (GDPR, BDSG), network security (NIS-2), consumer and investor protection, and public procurement.

HinSchG additionally covers breaches of German criminal law and regulatory offences insofar as they relate to the protection of life, health, personal liberty, or the protection of employees. Pure employment law complaints (e.g. wage disputes without criminal law relevance) do not fall within the material scope of the Act.

Practical note: many companies extend the material scope internally beyond the statutory minimum and allow reporting of general compliance breaches against internal guidelines. This voluntary extension is permissible and increases acceptance of the reporting system. However, it must be clearly communicated and documented to avoid misunderstandings about the protection status of the whistleblower.

§ 17 HinSchG defines the procedural requirements for internal reporting offices. The most important obligations are:

• Multi-channel access: The reporting office must accept both written and oral reports. At the whistleblower's request, a personal meeting must also be possible (§ 16 para. 2 HinSchG).
• Acknowledgement of receipt: Following receipt of a report, the reporting office officer must acknowledge receipt to the whistleblower within seven days (§ 17 para. 1 no. 1 HinSchG).
• Follow-up measures: The reporting office must review the report, initiate follow-up measures, and provide the whistleblower with feedback on the measures taken within three months of the acknowledgement (§ 17 para. 1 no. 4 HinSchG).
• Confidentiality: The identity of the whistleblower must be treated in absolute confidence. Disclosure is only permissible in narrow exceptional cases (§ 9 HinSchG). Breach of the confidentiality obligation is one of the most serious sanction categories under HinSchG.

The reporting office is not required to process anonymous reports — but should do so if the report contains substantive indications. The handling of anonymous reports must be governed internally.

The heart of HinSchG is the protection of whistleblowers from retaliation. § 36 HinSchG contains a comprehensive prohibition on retaliation: dismissal, formal warning, transfer, pay reduction, denial of promotion, negative performance assessment, coercion, discrimination, and social exclusion are prohibited where they are connected to a report. The reversal of the burden of proof under § 36 para. 2 HinSchG is particularly relevant for employers: if an employee suffers a disadvantage after making a report and this disadvantage coincides temporally with the report, the employer must prove that the measure was not causally connected to the report.

Anyone who suffers a disadvantage despite the prohibition on retaliation has a compensation claim under § 37 HinSchG. This covers material damage (e.g. lost salary) and non-material damage. For the employer this means: every personnel measure that is issued after a report and affects the reporting person must be comprehensively documented and assessed for the absence of any connection to the report.

Audit-ready, documented, HinSchG-compliant: documentation of all reports, review steps, and follow-up measures is not only legally prescribed but is also the central piece of evidence in a dispute. Missing or incomplete documentation in legal proceedings further shifts the de facto burden of proof against the employer.

§ 40 HinSchG defines the fine framework for violations. The most important offences and fine levels:

• Failure to establish an internal reporting office (§ 40 para. 2 no. 2): Fine of up to €20,000.
• Breach of the confidentiality obligation (§ 40 para. 1 no. 1): Fine of up to €100,000.
• Obstruction or attempted obstruction of a report (§ 40 para. 1 no. 3): Fine of up to €100,000.
• Retaliation against whistleblowers (§ 40 para. 1 no. 2): Fine of up to €50,000.

The competent authority for imposing fines is determined under state law; in some federal states responsibility lies with the trade supervision offices. Active official monitoring of HinSchG compliance began in 2024, initially focused on companies with more than 250 employees.

In addition to the fine risk, there is the civil law compensation risk under § 37 HinSchG: without a correctly established reporting office, there is no evidence that the company has met its obligations — which considerably worsens the legal position in compensation proceedings.

HinSchG does not specify the organisational form of the internal reporting office. In practice, three models have become established:

• Internal solution: An employee (e.g. from the legal or compliance department) is named as reporting office officer. Advantage: proximity to the organisation and rapid response. Disadvantage: conflicts of interest where the officer is involved in the reported matters; lack of employee trust in confidentiality.
• External ombudsman/solicitor: An external lawyer or ombudsman takes on the reporting office function. Advantage: legal professional confidentiality strengthens whistleblower trust. Disadvantage: higher costs, longer response times.
• External reporting office platform: A specialist service provider operates the technical platform and provides trained officers for processing. Advantage: scalable, documented, audit-ready. Disadvantage: coordination effort for internal follow-up measures.

Under § 14 HinSchG, an external third party may also be commissioned with the reporting office function — but they must possess the necessary independence and technical expertise. CIVAC offers this function as an Officer-as-a-Service: instrument of appointment, signed, filed, evidenced.

§ 11 HinSchG requires documentation of every incoming report. The documentation must contain the type of reporting channel, the date of the report, the reported matter (to the extent possible without breaching confidentiality), the follow-up measures initiated, and the result of the review. The documents must be retained for three years after conclusion of the proceedings, unless a longer retention obligation under other provisions applies.

Special requirements apply to the confidentiality of documentation: the identity of the whistleblower may only be accessible to persons responsible for processing the report. Technical access restriction (role-based access control) is therefore not only good practice but a statutory requirement.

For the presentation of evidence in disputes, the quality of documentation is decisive. If a whistleblower asserts retaliation after making a report, the court will draw on the entire documentation of the proceedings. Gaps in documentation are treated in practice as evidence of inadequate processing. The CIVAC reporting office officer documents every procedural step in the workspace with an automatic audit log.

The reporting office officer is not an isolated function. They regularly work together with other officers: if a report describes a data protection matter, the Data Protection Officer (DPO) must be involved. For reports on IT security incidents, the Information Security Officer (ISO) must be informed. Reports with employment law relevance require involvement of the HR department and where applicable the works council.

The question of demarcation of responsibilities must be clearly governed in the company's internal reporting office concept. Where this governance is absent, processing gaps and jurisdictional conflicts arise that are assessed negatively in an inspection.

The relationship to the external reporting office of the Federal Office of Justice (BfJ) must also be communicated. § 13 HinSchG requires the company to inform its employees about the external reporting office and to make clear that it supplements rather than replaces the internal reporting office. Whistleblowers have the right to go directly to the external reporting office — the company cannot prevent this but should make it less attractive through a functioning internal reporting office.

HinSchG has been applicable law since July 2023 — for companies with 50 or more employees there is no legal way to avoid or delay the reporting office obligation. Anyone who does not yet have a compliant solution risks fines and a considerably worsened legal position in future compensation proceedings.

CIVAC offers two implementation models: licence the workspace for your internal reporting office officer — with pre-structured processing workflows, automatic audit log, and role-based access restriction. Or appoint an external reporting office officer via CIVAC who takes on the function in full. Instrument of appointment, signed, filed, evidenced — within two working days.

The auditor calls; the evidence is ready. If you wish to set up or review your reporting office, write to us: info@civac.de. Turn reading into action.