Whistleblower Protection | 26 May 2026 | 12 min read

HinSchG Legislative History: What the Final Act Means for Your Internal Reporting Office

By Dr. Henrik Bauer

The Whistleblower Protection Act passed through several draft stages before entering into force in July 2023. Understanding the legislative history explains why certain exceptions apply and how companies must set up their internal reporting office in a legally sound manner.

The Whistleblower Protection Act (HinSchG) entered into force on 2 July 2023, transposing the EU Whistleblower Directive (2019/1937/EU) into German law. The legislative journey was unusually protracted: a first government draft was rejected by the Federal Council in November 2022, and a revised draft did not pass the Mediation Committee until May 2023. For companies with 50 to 249 employees, an extended implementation deadline applied until 17 December 2023; companies with 250 or more employees were required to operate an internal reporting office from 2 July 2023 onwards.

This article reconstructs the key changes between the draft stages, sets out the obligations now in force under Sections 12 et seq. HinSchG, and shows which organisational requirements a legally compliant reporting office must meet. Whether you fill the role internally or outsource it: the requirements for confidentiality, documentation and feedback deadlines are fixed by statute and enforceable by supervisory authorities.

Key Takeaways

  • Under Section 12 HinSchG, companies with 50 or more employees are obliged to operate an internal reporting office — the deadline for smaller companies expired on 17 December 2023.
  • The reporting office must acknowledge receipt of a report within seven days and provide feedback on measures taken within three months (Section 17 HinSchG).
  • Violations of the confidentiality obligation or failure to establish a reporting office can be punished with fines of up to €100,000 under Section 40 HinSchG.

From EU Directive to German Law: Three Draft Stages

Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law required Member States to adopt national implementing legislation by 17 December 2021. Germany missed this deadline by a significant margin, thereby exposing itself to infringement proceedings by the European Commission, which were initiated in February 2022.

A first ministerial draft from the Federal Ministry of Justice in spring 2022 provided for a broad material scope of application, encompassing violations of purely national law. The subsequent government draft was blocked by the Federal Council on 11 November 2022: a majority of the states objected in particular to the mandatory possibility of anonymous reports and the broad interpretation of the material scope of protection. The Federal Council vote was not a formality but reflected genuine concerns about legal uncertainty and the administrative burden on companies.

The Mediation Committee worked out a compromise that differed on key points: anonymity remained permissible but was no longer mandatory for internal reporting offices (Section 16(1) HinSchG). The scope of protection was limited to violations of EU law and certain national criminal provisions. The final version of the HinSchG was approved by the Federal Council on 31 May 2023 and promulgated in the Federal Law Gazette (BGBl. I No. 140) on 2 July 2023. For compliance officers, comparing the draft stages is instructive because it explains where leeway was deliberately granted and where it was not. An external internal reporting office via CIVAC can fully cover both aspects.

Material Scope: What May and Must Be Reported

The material scope of the HinSchG derives from Section 2(1). It covers violations of directly applicable EU legal acts in the areas listed therein — including financial services, product safety, environmental protection, food safety and public procurement — as well as criminal offences and administrative violations under German law, provided they serve to protect life, limb or health, or are subject to significant sanctions. Tax violations concerning exclusively internal company rules generally do not fall within the statutory scope of protection.

This was one of the central points of contention during the legislative process: SME associations had warned against excessively extending the scope to cover every compliance violation. The final version limits this scope, but expressly permits companies, under Section 3(1) HinSchG, to voluntarily expand the material scope of their reporting office. In practice, this extension is advisable for group companies, as a group-wide reporting office is permissible under certain conditions pursuant to Section 14(2) HinSchG.

Companies should document the scope decision for their reporting office in a procedural regulation and review it regularly. An undocumented scope decision may be treated as a lack of structural governance in an audit and increase the risk of fines. The deadline runs from the moment of knowledge — not from the point of an official enquiry. A voluntary extension of scope should be justified in writing and approved by management in order to render the decision transparent to the supervisory authority.

Personal Scope: Who Is Protected as a Whistleblower

Section 1(1) HinSchG defines the personal scope of protection: natural persons are protected who have obtained information about violations in a professional context and report or disclose them. This includes employees, civil servants, self-employed persons, shareholders, suppliers and interns, as well as persons in a pre-contractual relationship — who may thus become aware of violations already during the application process.

Also significant is the protection extended to persons who support the whistleblower: colleagues who provide witness testimony, ombudspersons offering confidential advice, and persons personally close to the whistleblower are protected against retaliation under Section 34 HinSchG. The breadth of this definition goes beyond the original text of the Directive and was not articulated as clearly in earlier draft stages.

For companies, the key requirement is that the reporting office must be designed such that potential whistleblowers are genuinely aware of it and trust it in a real situation. Section 7(3) HinSchG obliges companies to actively promote internal reporting channels to employees. A reporting office that formally exists but is not communicated internally does not fulfil the statutory purpose. Verifiable communication measures — intranet, onboarding documents, notices on the bulletin board — therefore form part of the documentation obligation and should be stored in an audit-proof manner. Companies should document both internal and external communications about the reporting office — screenshots, intranet posts and minutes from staff meetings constitute suitable evidence.

Structural Requirements: Independence, Confidentiality, Documentation

Section 15(1) HinSchG stipulates that persons entrusted with the tasks of the internal reporting office must be independent in performing their duties and may not receive instructions that influence the exercise of their function. This requirement for organisational independence is the core principle of the appointment concept: a reporting office that is subordinate to the board or management and acts under instructions in practice does not meet the statutory requirements and creates significant liability risks.

Section 16(1) HinSchG governs confidentiality: the identity of the whistleblower and the persons named in the report may only be disclosed with their express consent or in exhaustively defined exceptional circumstances — in particular in criminal investigations pursuant to a court order. An intentional breach of this obligation is punishable by a fine of up to €100,000 under Section 40(2) No. 1 HinSchG.

The documentation obligation under Section 11 HinSchG requires that all incoming reports be recorded with the date, subject matter and measures taken. The retention period is at least three years after the conclusion of the procedure. In practical terms, this means that a reporting office without an audit-proof documentation system is structurally non-compliant. The order document is signed, filed and verifiable, and the same standard applies to the entire procedural documentation of the reporting office. The choice of an external representative is not a weakness but a structural strength: external representatives bring formal independence through their position, without the company having to build complex internal governance structures.

Deadlines: Acknowledgement of Receipt, Feedback, Three-Year Archive

Section 17 HinSchG sets three operational deadlines that are directly relevant to the technical design of the reporting office. First, the reporting office must acknowledge receipt of a report to the whistleblower within seven days of receipt. Second, feedback on follow-up measures taken or planned must be provided within three months of the acknowledgement of receipt. Third, reporting documentation must be retained for at least three years after the conclusion of the procedure.

The seven-day deadline also applies to anonymously received reports, provided the whistleblower has supplied a return channel. A purely postal reporting channel without a systematic receipt-recording system is structurally prone to missing this deadline. Companies that opt for an email inbox approach must ensure the inbox is checked daily — including cover arrangements during holidays, illness or changes of representative.

The three-month feedback deadline requires that internal investigative steps are initiated. This demands a clear, documented escalation matrix: who receives the report, who initiates the investigation, which departments are involved, who communicates with the whistleblower? Companies without such a documented workflow face significant evidentiary weaknesses in an official audit. The deadline runs from the moment of knowledge — not from the point at which the report is discovered by chance. An additional safeguard is for the external representative to maintain their own deadline calendar and to alert the company proactively to approaching deadlines before escalation becomes necessary.

Internal versus External Reporting Office: Interaction under Sections 12 and 19 HinSchG

The HinSchG provides for two parallel reporting channels: internal reporting offices at the obligated company pursuant to Section 12 HinSchG and external reporting offices at public authorities pursuant to Section 19 HinSchG, primarily at the Federal Office of Justice. Whistleblowers have a statutory free choice between both channels; however, the Act expressly obliges companies to make internal channels sufficiently attractive that whistleblowers prefer the internal route.

Section 7(1) HinSchG establishes a statutory preference for the internal route: companies must create structural incentives. This requires the reporting office to be perceived as trustworthy and genuinely independent. A reporting office linked to the company's board of directors or lacking an anonymous reporting option will be avoided by rational whistleblowers. The functional value of an internal reporting office depends directly on its perceived level of protection.

The external reporting office under Section 19 HinSchG is located at the Federal Office of Justice and has been accepting reports since 1 December 2023. In certain regulated sectors — financial and capital markets, insurance — sector-specific external reporting offices exist at BaFin pursuant to Section 21 HinSchG. Companies in these sectors must ensure that their internal reporting office knows the interface to sector-specific external bodies and has defined escalation paths. This function should therefore be filled before the first case arises — reactive action is not a suitable strategy in whistleblower protection.

Fine Framework: Section 40 HinSchG and the Most Common Offences

Section 40 HinSchG sets out the exhaustive list of offences subject to fines. Four case groups are of practical relevance. First, intentional or reckless obstruction of, or attempts to obstruct, reports or disclosures (Section 40(1) No. 1 HinSchG): fine of up to €50,000. Second, intentional retaliation against whistleblowers (Section 40(1) No. 2 HinSchG): fine of up to €50,000. Third, intentional disclosure of the whistleblower's identity in breach of Section 16(1) (Section 40(2) No. 1 HinSchG): fine of up to €100,000. Fourth, intentional or negligent failure by companies with 250 or more employees to establish an internal reporting office (Section 40(2) No. 2 HinSchG): fine of up to €20,000.

Beyond fines, there is potential civil liability of the whistleblower under Section 37(1) HinSchG, as well as reputational risks where violations become public. The reversal of the burden of proof under Section 36 HinSchG favours the whistleblower: the company must prove that the measures taken did not constitute retaliation.

For companies with 50 to 249 employees, the current fine framework for failure to establish a reporting office is not yet fully sanctioned in practice; however, supervisory authorities can compel establishment through formal orders. Forward-thinking companies establish their reporting office in a complete and audit-proof manner regardless of the current enforcement status. Compliance officers and in-house lawyers are also advised to monitor planned EU amendments: full harmonisation of the HinSchG is under discussion at EU level and could tighten the fine framework further.

CIVAC Approach: External Internal Reporting Office as Appointed Representative

The HinSchG expressly permits the internal reporting office function to be outsourced to an external third party (Section 14(1) HinSchG). This solution is attractive for companies that cannot or do not wish to satisfy the requirements for independence, confidentiality and technical infrastructure internally. The external solution typically meets the independence requirement more readily than an internal appointment, as the external representative is not subject to instructions from management.

CIVAC offers two models: licensing the workspace for an internally appointed reporting office representative, or having the function assumed by an externally appointed representative from the CIVAC partner network. Licence the workspace for your internal representatives or appoint our representatives. Both models share the same technical infrastructure: a digital reporting channel compliant with Section 16 HinSchG, automatic acknowledgement of receipt within the seven-day period, a deadline dashboard for the three-month feedback obligation, audit-proof document storage and encrypted communication with the whistleblower.

The CIVAC SLA provides for contract, person and order document within two working days. This documentation chain is crucial for companies that must demonstrate the propriety of their reporting office in an official audit or employment law proceeding. The auditor calls, the evidence is ready — complete, structured, legally sound. The CIVAC workspace also provides an encrypted communication function between the whistleblower and the reporting office, meeting the confidentiality requirements of Section 16 HinSchG while automatically monitoring deadlines under Section 17 HinSchG.

Next Steps: Inventory, Appointment, Operations

Companies that have not yet established an internal reporting office, or whose existing solution does not fully meet the legal requirements, should work through three steps in a structured manner. First: take stock of the current situation — does a reporting office exist? Is it formally independent? Are deadlines technically implemented? Is documentation audit-proof? What communication measures have been taken towards employees? Second: decide on the model — internal staffing with a workspace, or external representative — documented and formally approved by management. Third: ordering and operational commissioning, including internal communication and documentation of communication measures.

The material scope of the reporting office should be decided in parallel: the statutory minimum under Section 2(1) HinSchG, or voluntary extension to all significant compliance violations. The latter option protects against parallel channels — informal complaints to the works council, direct contact with journalists — and channels reports into structured processes with a documented outcome.

Technically, the reporting office must offer a secure reporting channel under Section 16(1) HinSchG through which reports can be submitted in writing, orally, or — if desired — in a personal meeting. A pure email address is permissible but susceptible to data protection gaps and missed deadlines. A data protection-compliant platform solution with automated deadline alerts is the industry standard. Turn reading into action — write to info@civac.de or use the contact form to activate the internal reporting office within two working days.

FAQ

From how many employees is an internal reporting office mandatory under the HinSchG?

Under Section 12(1) HinSchG, companies with at least 50 employees are required to operate an internal reporting office. For companies with 50 to 249 employees, the extended implementation deadline ran until 17 December 2023. Companies in the financial and capital markets sector are subject to sector-specific obligations regardless of the number of employees.

Must the internal reporting office accept anonymous reports?

No — Section 16(1) sentence 4 HinSchG only stipulates that the reporting office should also process anonymous reports, provided that a return communication channel is technically feasible. The final version of the Act does not impose an obligation to actively enable anonymous reports. In practice, however, whistleblowers prefer anonymous channels; studies show that companies with anonymous reporting channels record higher usage rates.

May a company outsource the internal reporting office to an external service provider?

Yes — Section 14(1) HinSchG expressly permits a third party to be entrusted with the tasks of the internal reporting office. The external service provider must meet the same requirements for independence and confidentiality as an internal solution. Legal responsibility towards the supervisory authority remains with the obligated company.

What happens if the three-month feedback obligation is missed?

Section 17 HinSchG is formulated as an obligation; a failure to comply is not directly subject to a fine, but may be treated as a structural deficiency in an official audit. Furthermore, if the whistleblower receives no response, they may choose the external reporting channel, which can trigger official investigations and increase reputational risks.

Can several group companies use a shared reporting office?

Yes — Section 14(2) HinSchG permits a shared reporting office for affiliated companies, provided all affiliated entities comply with the requirements for independence and confidentiality. Each company remains individually responsible for compliance with the HinSchG; delegation of responsibility within the group is not possible.

What documents must be retained as a minimum as part of the reporting office?

Under Section 11 HinSchG, reports received must be documented in an appropriate form and retained for at least three years after the conclusion of the procedure. Mandatory documentation includes the date and content of the report, the investigative steps taken, and the measures taken or rejected with reasons.
