HinSchG and BMJV: Responsibilities, interpretations and operational consequences for reporting offices
The Federal Ministry of Justice is responsible for the Whistleblower Protection Act. Which interpretations does the BMJV publish? How do they affect companies with an internal reporting office? This article organises the publications, clarifies the interface to the Federal Reporting Office at the BfJ and shows what the interpretations mean for the appointment certificate.
The Whistleblower Protection Act, or HinSchG for short, has been in force in Germany since July 2, 2023 and since December 17, 2023 in full for employers with 50 to 249 employees. The lead department is the Federal Ministry of Justice, which oversees the implementation of the EU Whistleblower Directive 2019/1937, publishes FAQ documents and is responsible for the Federal Reporting Office at the Federal Office of Justice, BfJ. The BMJV is therefore the central interpretative authority for compliance officers.
This article is aimed at management, compliance officers and heads of internal reporting offices who have to mediate between the official legal text, administrative interpretation and everyday operational life. We organise the central BMJV publications, clarify the responsibility between the internal reporting office, the external reporting office at the BfJ and sector-specific reporting offices, and show which appointment certificate wordings the ministry implicitly expects.
Key Takeaways
- The BMJV is responsible for the HinSchG, the BfJ operates the external federal reporting office in accordance with Sections 19 ff. HinSchG.
- Fines range up to 50,000 euros for obstructing reports or breaching the confidentiality requirement.
- The BMJV FAQ does not contain any binding legal rules, but it does shape administrative practice and the expected audit standards.
Distribution of roles in the federal government: BMJV, BfJ, sector-specific bodies
According to the Federal Government's rules of procedure, the BMJV is responsible for the HinSchG. It develops legislative changes, coordinates the implementation of the EU Whistleblower Directive and publishes explanatory materials. The ministry does not exercise any operational supervisory functions. The Federal Office of Justice, BfJ, operates the federal external reporting office in accordance with Sections 19 ff. HinSchG, to which whistleblowers can turn if they do not consider an internal report to be appropriate or want to express their concerns externally.
Sector-specific external reporting offices complement the system. BaFin receives reports on financial market violations, the Federal Cartel Office on antitrust violations, the EU Commission on violations of Union law, and the BSI on IT security incidents according to NIS-2. This diversity means operationally: An internal reporting point must be able to correctly forward whistleblowers to the responsible external body without violating confidentiality protection.
The Whistleblower Protection Reporting Point according to HinSchG is in practice an interface function. It combines internal reports with external procedures, data protection in accordance with Art. 9 GDPR with criminal procedure law and labour law protection with management reporting obligations. The appointment certificate, signed, filed, verifiable - the function cannot be delegated to a human resources department without a clear confidentiality structure.
The BMJV FAQ: Which interpretations are relevant for companies
The BMJV publishes an FAQ document on the HinSchG on its website, supplemented by a justification for the government draft and occasional press releases. The FAQs do not replace case law, but they do shape administrative practice. Three focal points of interpretation are particularly relevant for companies. Firstly, the question of which reports are covered by the HinSchG and which are not. Secondly, the obligation to set up internal reporting channels. Thirdly, the requirements for confidentiality and identity concealment.
The FAQ makes it clear that the HinSchG is not limited to employees. Business partners, former employees, applicants, interns and people who provide information about violations in a professional context are also protected. This significantly expands the circle of recipients compared to older whistleblower models, which focused on the company's own workforce. The internal reporting office must offer reporting channels that are also accessible to external persons.
Another frequently cited interpretation concerns anonymity. Although Section 16 Para. 1 HinSchG does not provide for an obligation to process anonymous reports, the BMJV recommends accepting anonymous reports in order to increase the effectiveness of the protection system. In practice, this means that anyone who excludes anonymous reports risks a weaker administrative assessment when the reporting office is subsequently inspected. Audit-proof, documented, § 16-firm.
Thresholds and obligation to set up
§ 12 HinSchG obliges employers with at least 50 employees to set up an internal reporting office. The obligation has been in effect since July 2, 2023 for companies with 250 or more employees, and for companies with 50 to 249 employees since December 17, 2023. Sector-specific obligations apply regardless of the number of employees, for example for financial service providers according to Section 23 KWG, insurance companies according to Section 30 VAG and money laundering prevention according to Section 6 GwG.
Group structures raise special questions. Although Section 14 Paragraph 1 of the HinSchG allows for a common reporting office for group companies, the EU Commission and the EU member states interpret the whistleblower directive more strictly. According to the EU interpretation, every subsidiary with more than 250 employees must provide its own reporting point. The BMJV mediates between these interpretations and has reaffirmed the German position in the FAQ without legally rejecting the EU position.
In practice, a two-stage solution is recommended: central reporting point at group level plus local contact points with their own appointment certificates in the larger subsidiaries. This solution covers both interpretations and at the same time enables a consolidated evaluation. On the CIVAC FAQ you can find templates for both structural models, including the reporting lines to the management of the respective company.
Confidentiality, data protection and the conflict with Article 9 GDPR
§ 8 HinSchG requires strict confidentiality regarding the identity of the whistleblower. The data may only be passed on to people who are absolutely responsible for processing the report. This usually excludes HR management, management and external service providers without express necessity. Violations of the confidentiality requirement are punished with a fine of up to 50,000 euros in accordance with Section 40 of the HinSchG.
In terms of data protection law, the reporting office becomes the interface between the HinSchG and Article 9 of the GDPR. If a report contains sensitive data, such as health data, trade union membership or criminal allegations, the strict requirements of Articles 9 and 10 GDPR apply. A data protection impact assessment in accordance with Art. 35 GDPR is almost always required. The BMJV recommends a written description of the procedure with retention periods, deletion concept and access regulations.
The deadline expires as soon as we become aware of it - this logic from data protection law also affects the reporting centre work. In the case of a report that also represents a data protection incident in accordance with Art. 33 GDPR, the 72-hour reporting period and the HinSchG confirmation requirement begin in parallel. An integrated workspace structure with separate reporting lines for data protection and the reporting office reduces the risk of missing either deadline.
Reporting obligations of the reporting office in accordance with Sections 17 and 18 HinSchG
§ 17 HinSchG regulates the obligations of the reporting office after receiving a report. Confirmation of receipt must be provided within seven days, provided the whistleblower can be identified and has not objected to the confirmation. Feedback on any follow-up measures taken or planned must be provided within three months. This period begins with the confirmation of receipt, not with the receipt of the report.
§ 18 HinSchG requires written documentation of each report and retained for three years after completion of the procedure. The documentation includes the date and form of the report, the whistleblower, if known and necessary in the process, follow-up measures, conclusion of the process and, if necessary, external disclosure. For criminally relevant reports, the retention periods are extended in accordance with the respective statute of limitations.
In CIVAC's compliance platform and Officer-as-a-Service, the 24/72 logic and the HinSchG deadlines reflect the same technical workflow. The NIS-2 24/72 reporting path shares structural features with the HinSchG 7-day confirmation: time-critical receipt registration, separate processing lines, documented escalation path. Licence the workspace for your internal representatives or have our representatives order it. In both cases, the appointment certificate is available within two working days.
Fines and liability risks: What will really be pursued in 2026
§ 40 HinSchG provides for fines of up to 50,000 euros for obstructing a report, for reprisals against whistleblowers, for violations of the confidentiality requirement and for failing to set up a reporting office despite the obligation. In 2025, the BfJ opened the first fine proceedings for failure to set up, with a focus on companies with 50 to 249 employees that had not yet provided a reporting point after December 17, 2023.
The personal liability of management follows Section 130 OWiG. Anyone who does not meet with the supervisory organisation to set up and operate the reporting office is liable for breaches of duty with fines of up to 10 million euros in accordance with Section 30 OWiG. In addition, there are civil law claims for damages from whistleblowers in the event of reprisals, regulated in Section 37 HinSchG. The reversal of the burden of proof in accordance with Section 36 of the HinSchG makes these claims much easier.
On the insurance side, the risks have a double effect. In 2026, D&O insurance companies will increasingly require verifiable reporting offices with documented reporting lines as a prerequisite for insurance coverage. A missing appointment certificate will result in higher premiums or coverage exclusions. The auditor calls, the evidence is ready. - this logic has a double effect here because the appointment certificate serves both authorities and insurers.
External vs. internal reporting office: When the BfJ steps in
§ 19 HinSchG names the external federal reporting office at the Federal Office of Justice as an alternative contact point. Whistleblowers are free to choose whether they report internally or externally. There is no obligation to escalate from internal to external, but in practice whistleblowers often use the external body when there is a lack of trust in the internal processing. The BfJ publishes annual statistical reports with reporting channels, sectors and procedural results.
This results in an indirect control task for companies. Anyone who operates a trustworthy internal reporting centre reduces the likelihood that tips will end up directly externally. External reports lead to longer procedures, higher reputational risk and greater involvement of authorities. The BMJV materials therefore recommend clear communication via internal reporting channels, low access barriers and visible independence of the reporting office.
The Compliance Officer function and the reporting office are organizationally linked in many companies, but they are not identical. The reporting office needs its own appointment certificate, its own reporting line and its own data protection workflow. CIVAC separates these functions in the workspace without duplicating them. Others run compliance like a filing cabinet. We run it like software.
Operational implementation 2026: What management derives
Three levers will decide the effectiveness of the internal reporting office in 2026. Firstly, accessibility. The reporting office must offer several channels, at least by telephone, in writing and in person upon request. Anonymous reports should at least be accepted. Secondly, independence. HR management and the whistleblower's direct superiors must not be in the first line of processing, otherwise confidentiality protection will not apply.
Thirdly, audit readiness. A reporting office without an audit trail, without versioning and without documented deadline control will not pass an authority audit. Section 18 HinSchG requires written documentation; the BMJV also expects a description of the procedure, a data protection impact assessment and an emergency plan for the absence of the responsible officer. According to market observation, these three documents will be missing from most SME reporting offices in 2026.
Licence the workspace for your internal representatives or have our representatives order it. CIVAC comes with the templates that the BMJV implicitly expects: procedural description, DPIA template, emergency plan, report template to management, deadline calendar with 7-day and 3-month triggers. Making an order out of reading is meant literally here, because the reporting office needs an order and not a declaration of intent.
Turn reading into an assignment
The BMJV interpretations of the HinSchG are not binding case law, but they are the yardstick by which authorities and auditors measure the internal reporting office. Anyone who signs an appointment certificate in 2026 should know the BMJV FAQ, have the DPIA available and document the reporting line to management. These three building blocks are the minimum standards at which an audit begins.
CIVAC is the compliance platform and officer-as-a-service for companies that want to make their reporting office audit-proof. 25 representative roles are live, 490 audit templates are ready for use, the EU data residency meets ISO 27001:2022 requirements, the 24/72 reporting path covers NIS-2 and HinSchG in parallel. Licence the workspace for your internal representatives or have our representatives order it. Both ways provide the supervisory organisation that Section 130 OWiG requires.
Turn reading into a mandate. Write to info@civac.de with the number of employees, industry and the current reporting point structure. You will receive a written assessment within two working days of what adjustments are necessary to the appointment certificate, process description and reporting line. The contact form on civac.de forwards you directly to the ordering office.
FAQ
Is the BMJV the supervisory authority for the HinSchG?
No, the BMJV has departmental jurisdiction and is responsible for legislation and interpretation, but not direct supervision of companies. The federal external reporting office is operated by the Federal Office of Justice, BfJ. The BfJ also carries out fine proceedings for violations of the facility obligation.
Are the BMJV FAQs legally binding?
No, the FAQ is an interpretative aid, not a binding legal rule. However, they shape administrative practice and are often used by courts as an argumentative aid. Anyone who follows the FAQ is generally in the safe area, but without receiving any final legal clarity.
What fines are there for violations of the HinSchG?
Section 40 HinSchG provides for fines of up to 50,000 euros for obstruction of reports, reprisals, breaches of confidentiality and failure to set up the reporting office despite obligation. Personal liability of the management follows Section 130 OWiG with fines of up to 10 million euros according to Section 30 OWiG.
Does an internal reporting office have to process anonymous reports?
Section 16 (1) HinSchG does not provide for an obligation to process anonymous reports. However, the BMJV expressly recommends acceptance because otherwise the effectiveness of the protection system will suffer. In practice, a reporting office without an anonymous entry option tends to receive a lower rating in official audits.
How does the internal reporting office differ from the external reporting office?
The internal reporting office is operated by the company itself, the external federal reporting office is operated by the BfJ. Whistleblowers have free choice. Sector-specific external reporting bodies such as BaFin, the Federal Cartel Office or BSI supplement the system for certain violations. There is no obligation to escalate from internal to external.
Does the HinSchG also apply to external persons such as business partners?
Yes, the scope of protection extends to all persons who provide information from a professional context, including business partners, former employees, applicants and interns. The internal reporting office must therefore provide reporting channels that are also accessible to external persons, for example via the company website.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.