77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Whistleblower protection for 50 or more employees: obligation, deadline and reporting point
Equality & AGG

Whistleblower protection for 50 or more employees: obligation, deadline and reporting point

16 June 202613 min readBy Dr. Henrik Bauer
CIVAC

The Whistleblower Protection Act (HinSchG) requires companies with 50 or more employees to set up an internal reporting office. The article explains the scope, technical requirements, deadlines and fines of up to 50,000 euros.

The Whistleblower Protection Act (HinSchG) came into force on July 2, 2023 and implements the EU Whistleblower Directive 2019/1937 into German law. Section 12 HinSchG obliges employers with at least 50 employees to set up and operate an internal reporting office. For companies with 50 to 249 employees, an extended deadline applied until December 17, 2023. Since then, the obligation has been fully effective and the Federal Office of Justice is punishing violations with fines of up to 50,000 euros.

This article describes who exactly falls under the obligation, what technical, organisational and personnel requirements the HinSchG imposes, how confidentiality protection and the three-month feedback period are implemented and the consequences of violations have. You will receive a verifiable checklist for appointing and operating a reporting office, including the distinction between internal reporting office and external commissioning.

Key Takeaways

  • Section 12 HinSchG obliges all employers with 50 or more employees to set up an internal reporting office, without industry exceptions.
  • The reporting office must confirm receipt within seven days and provide feedback on follow-up measures within three months.
  • Violations of the installation obligation can be punished with fines of up to 20,000 euros, and reprisals against whistleblowers can be punished with fines of up to 50,000 euros.

Who is obliged to report to the reporting office according to the HinSchG?

According to Section 12 Paragraph 1 HinSchG, employers with at least 50 employees are obliged to set up and operate an internal reporting office. The employer is any employer within the meaning of labour law, i.e. natural and legal persons, partnerships with legal capacity, authorities and other bodies. The threshold refers to the total number of employees regardless of contract status: full-time, part-time, trainees, temporary workers and working students are included. Marginal employees are to be counted in full, unlike in parts of labour law.

Without a threshold, the obligation applies to certain sectors from the first employee: credit institutions, financial services institutions, securities institutions, insurance companies, capital management companies and other addressees of EU financial market regulation in accordance with Section 12 Paragraph 3 HinSchG. Parent companies with at least 50 employees also regularly fulfil the obligation across the group. For the group structure, Section 14 HinSchG allows a central reporting office within the group to take over the reporting office of individual group companies, provided certain requirements are met. A reference to whistleblower protection and the internal reporting office can be found in every legally secure corporate structure because the obligation is neither negotiable nor time-limited.

What the reporting office has to do

The reporting office is more than a mailbox. Section 16 HinSchG requires a channel that enables oral and written reports. Written includes written form by letter, email or electronic whistleblower system. Oral includes telephone and, if the informant requests, a personal meeting within a reasonable period of time. The reporting channels must maintain the confidentiality of the identity of the person making the report and the persons named in the report. Anonymous reports must also be processed since December 17, 2023, and there should be an option for anonymous reporting.

§ 17 HinSchG requires four obligations upon receipt: confirmation of receipt of the report within seven days to the person providing the information, checking the validity, if necessary establishing further contact for clarification, feedback on the follow-up measures taken or intended within three months of confirmation of receipt. Section 18 HinSchG lists permissible follow-up measures: internal investigations, referral to the responsible authorities, termination of the procedure with reasons or submission to the external federal reporting office. The reporting office acts independently of instructions and is technically, personally and financially equipped to carry out its tasks effectively, Section 15 HinSchG.

Confidentiality as a non-negotiable basis

§ 8 HinSchG is the protective standard: the identity of the person providing the information, the people affected by the report and other people mentioned in the report may in principle only be known to the people responsible for receiving it or taking follow-up measures. Disclosure without express consent is only permitted in very limited exceptions, such as on the orders of law enforcement authorities or as part of official investigations. Violations of confidentiality can be punished with fines and lead to liability for damages according to Section 37 HinSchG.

The technical implementation requires encryption in transmission and storage, access restriction through documented authorizations, logging of every access action and audit-proof storage. A dedicated tenant or a demarcated tenant per employer is required to ensure client separation. On the organisational side, the employees of the reporting office are obliged to maintain confidentiality; the reporting line goes directly to the management without any intermediate bodies. GDPR conformity must be ensured in parallel: the list according to Art. 30 GDPR contains the processing activity whistleblower protection, the legal basis is Art. 6 paragraph 1 letter c GDPR in conjunction with Section 10 HinSchG, the deletion periods according to Section 11 HinSchG are documented (three years after completion of the procedure, unless there is a longer retention requirement).

External or internal appointment of the reporting office

§ 14 HinSchG expressly allows the commissioning of third parties with the tasks of the internal reporting office. This option relieves the burden on small and medium-sized companies that do not have their own compliance function. The assignment is carried out by means of a written contract that fully reflects the obligations under Sections 15 to 18 of the HinSchG and regulates order processing in accordance with Article 28 of the GDPR. The responsibility remains with the employer: he remains responsible for the establishment, functioning and follow-up measures.

The choice between internal and external appointment follows three criteria. First: confidentiality. An external body is organizationally separated from management and reduces the risk of internal loyalty conflicts. Second: qualifications. External service providers provide trained ombudspersons, often with legal or forensic training. Third: costs. An internal reporting point ties up staff and infrastructure, an external solution runs on a monthly retainer. CIVAC offers compliance platform and officer-as-a-service for exactly this task. Licence the workspace for your internal representatives, or have our representatives order it. Both models use the same technical reporting channel and audit trail. Switching between models is possible during operation.

Seven-day and three-month deadlines in detail

The seven-day period according to Section 17 Paragraph 1 Number 1 HinSchG runs from receipt of the report. A confirmation of receipt to the person providing the information is mandatory unless there is an express notification against it or the confirmation would jeopardize confidentiality (e.g. in the case of anonymous reports without a return channel). The deadline applies regardless of weekends or public holidays. Operational consequence: an automatic confirmation of receipt workflow with a time stamp is standard.

The three-month period according to Section 17 Paragraph 1 Number 4 HinSchG runs from the day of the confirmation of receipt. Within these three months, the whistleblower must receive feedback on the follow-up measures planned or taken, provided that this does not impair internal research or investigations and does not conflict with any legitimate interests. If the procedure has not yet been completed after three months, an interim report is required with information about the expected further processing. The deadline begins as soon as we become aware of it. In practice, this means case management with a calendar of deadlines, tasks, responsibilities and automatic reminders. Each step is documented with a time stamp and responsible person. The auditor calls, the evidence is ready. A missing or delayed response is not just a formal error, but can entitle the whistleblower to report externally to authorities or to disclose it to the public in accordance with Section 32 of the HinSchG.

Fines, reprisals and reversal of the burden of proof

§ 40 HinSchG is the fine standard. Anyone who does not set up or operate an internal reporting centre can be fined up to 20,000 euros. Anyone who takes reprisals against whistleblowers (termination, transfer, discrimination, bullying) risks a fine of up to 50,000 euros. Anyone who violates the confidentiality of the person providing the information can also be fined up to 50,000 euros. The prosecution of fines is the responsibility of the Federal Office of Justice, which has already initiated fine proceedings since the HinSchG came into force.

Section 36 HinSchG is particularly consequential: the reversal of the burden of proof. If a reporting person suffers discrimination in connection with their professional activity after making a report, it is presumed that this discrimination is reprisal. The employer must prove that the measure was based on sufficiently justified reasons. In labour court practice, this reversal is a significant lever: without clean personnel file management and documented factual reasons for personnel measures, disputes regularly end in favor of the person who provided the information. The obligation to pay damages according to Section 37 of the HinSchG extends to material and immaterial damages, including compensation for pain and suffering. Anyone who leaves the Compliance Officer vacant in this matter will not only fail to comply with the HinSchG obligation, but will also open up a liability risk with a high probability of occurrence.

Interfaces to other compliance obligations

The HinSchG is not isolated. It interferes with several existing obligations. Section 4d FinDAG requires BaFin supervised entities to have their own reporting channels, which must now be coordinated with the HinSchG channel. Section 8 GwG requires internal security measures, including a whistleblower system, for those obliged to comply with the Money Laundering Act. Section 8 LkSG requires companies under the Supply Chain Due Diligence Act to have an effective complaint procedure along the supply chain, which can cooperate technically and organizationally with the HinSchG reporting office.

The GDPR must be observed in parallel. The processing of personal data in the reporting office requires a legal basis (Section 10 HinSchG in conjunction with Art. 6 Paragraph 1 Letter c GDPR), a processing directory in accordance with Art. 30 GDPR, technical and organisational measures in accordance with Art. 32 GDPR and a data protection impact assessment in accordance with Art. 35 GDPR, because the processing systematically includes personal data on employees and third parties. The retention period of three years according to Section 11 HinSchG must be coordinated with other retention obligations (HGB, AO, AGG, GwG) in order to avoid conflicts. A unified compliance platform with documented directories and links between obligations facilitates consistency. Audit-proof, documented, § 12-firm.

Convenient setup: 30-day plan

The establishment of a legally secure reporting office can be achieved in 30 days, provided management makes clear decisions. Day one to five: fundamental decision internally or externally, selection of the provider if appointed externally, determination of the reporting line, appointment of the ombudsperson or the reporting office manager with a written order in accordance with Section 15 HinSchG. Day six to ten: technical setup of the reporting channel with encryption, anonymous input module and management of multiple forms of input (written, oral, personal).

Day eleven to twenty: Creation of the rules of procedure with confirmation of receipt, validity check, follow-up measures, feedback workflow and storage. In parallel: data protection impact assessment according to Art. 35 GDPR, processing directory, TOM documentation, adaptation of the personal data protection declaration. Day twenty-one to thirty: internal communication, training of reporting office employees, publication of reporting channels (intranet, notices, onboarding material), connectivity to BaFin, BAFA or money laundering-specific special reporting channels, if relevant. The appointment certificate, signed, filed, verifiable. Regular operations begin on day thirty. Annual effectiveness testing is anchored in the calendar. Anyone who has exceeded the 30 days should prioritise the facility: the Federal Office of Justice examines cases and complaints.

Turn reading into an assignment

The obligation under Section 12 of the HinSchG cannot be postponed and the fines are real. An internal reporting point is an operational function, not a legal document. It needs a secure reporting channel, trained ombudspersons, a clear calendar of deadlines, a documented procedure and a reliable link with GDPR, AMLA, LkSG and BaFin special standards. CIVAC delivers compliance platform and officer-as-a-service with workspace, audit templates, appointment certificate and EU data residency for exactly this duty.

Turn reading into a mandate. Write to info@civac.de with your number of employees, the group structure, the existing solution (if available) and the industry-specific additional obligation (BaFin, GwG, LkSG, FinDAG). Within 48 hours you will receive a copied recommendation of an internal or external list, a named ombudsman service provider in the case of an outsourcing option and the draft of the appointment certificate. The reporting channel will be set up within two working days. The deadline begins as soon as we become aware of it. Delay costs.

FAQ

When does the reporting point requirement apply?

Section 12 HinSchG obliges all employers with at least 50 employees. The deadline for companies with 50 to 249 employees ended on December 17, 2023. Since then, the obligation has been fully enforceable. Certain financial sectors are obliged regardless of the number of employees.

Do anonymous reports have to be accepted?

Since December 17, 2023, internal reporting offices have had to accept and process anonymous reports. There should be an option for anonymous communication. Anonymous reports will be examined equally provided they contain sufficiently concrete evidence. Of course, there is no need to confirm receipt if there is no return channel.

What deadlines does the reporting office have to adhere to?

Confirmation of receipt within seven days, feedback on follow-up measures within three months of confirmation of receipt. If proceedings are still ongoing, an interim notification is required. The deadlines run according to the calendar, without taking weekends or public holidays into account.

What fines are there for violations?

Fines of up to 20,000 euros for missing or inadequate reporting points, up to 50,000 euros for reprisals against whistleblowers or breach of confidentiality. Obligations to pay damages in accordance with Section 37 of the HinSchG are added. Reversal of the burden of proof according to Section 36 of the HinSchG significantly increases the procedural risk.

Can an external body run the reporting office?

Yes. Section 14 HinSchG allows the commissioning of third parties. The employer remains responsible. The assignment is regulated by a written contract with the obligations according to Sections 15 to 18 HinSchG and an order processing agreement according to Art. 28 GDPR.

How long are reports retained?

Section 11 of the HinSchG provides for storage for three years after completion of the procedure, unless there is a longer statutory retention requirement. The data will be deleted after the deadline has expired. Storage in an audit-proof form with access restrictions and logging is mandatory.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles