Whistleblower Protection Act (HinSchG): Obligations, Reporting Offices and Implementation
The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Who must establish a reporting office, what requirements apply, and what fines can be imposed: a structured overview.
The Whistleblower Protection Act (HinSchG) of 2 July 2023 implements the EU Whistleblower Directive (Directive EU 2019/1937) into national law and, for the first time in Germany, creates comprehensive legal protection for persons who report legal violations within organisations. The Act obliges companies, public authorities and other entities with 50 or more employees to establish and operate an internal reporting office that enables whistleblowers to communicate securely and confidentially.
For management, this creates a new, permanent compliance obligation: the reporting office must not merely exist in technical terms, but must have legally compliant procedures, be operated in a documented manner and be coordinated with other compliance functions. This article explains the complete legal framework — from the obligation to appoint a reporting officer to the risk of fines.
Key Takeaways
- The HinSchG requires all companies with 50 or more employees to establish an internal reporting office — effective 2 July 2023 (for companies with 50–249 employees, from 17 December 2023).
- Violations of the confidentiality obligation and obstruction of reports can be punished with fines of up to €100,000; failure to establish a reporting office carries fines of up to €20,000.
- The reversal of the burden of proof under Section 36(2) HinSchG makes companies particularly vulnerable to liability: anyone who discriminates against a whistleblower following a report must prove that there is no causal connection.
Legal Framework: HinSchG and EU Directive 2019/1937
Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law was required to be transposed into national law by 17 December 2021. Germany missed this deadline by a wide margin, bringing the HinSchG into force only on 2 July 2023. Because of the delayed transposition, the European Commission initiated infringement proceedings against Germany, which were discontinued after the law came into force.
The HinSchG comprises 42 sections and regulates: the personal and material scope of protection, the obligations to establish internal reporting offices, the procedure for handling reports, the external reporting offices (Federal Office of Justice, BfJ), protection against retaliation and the range of fines. It does not impose an obligation to receive anonymous reports, but recommends doing so.
In relation to the EU Directive, the HinSchG deviates on certain points. It restricts the material scope of application more narrowly than permitted by the Directive; the Federal Council had called for a broader expansion in its opinion. A revision of the HinSchG to achieve full conformity with the Directive remains possible, but is not currently scheduled. External reporting office representatives via CIVAC are automatically kept up to date in the event of legislative changes.
Personal Scope of Protection: Who Qualifies as a Whistleblower?
Section 1 HinSchG defines the personal scope of protection. Protection is afforded to natural persons who have obtained information about violations in connection with their professional activities and report them. This includes in particular: employees (including those on probation, part-time workers and temporary workers), trainees, self-employed persons and freelancers, suppliers and their staff, as well as former employees and job applicants.
Not covered by Section 1 HinSchG are persons who have obtained information about violations without a professional context — i.e. classic civil-society whistleblowers without an insider background. There remains no specific legal protection in Germany for this group, even though the EU Directive would have permitted a broader transposition.
Protection also extends to persons who support the reporting person (so-called facilitators) and to third parties who have a relationship with the reporting person and could suffer retaliation (e.g. family members, colleagues). This extension of the protective scope to third parties is a significant innovation compared to the previous legal position.
Material Scope: Which Violations Can Be Reported?
Section 2 HinSchG defines the material scope of application exhaustively. Reporting protection is available to whistleblowers who report violations in the following areas: financial services, financial products and financial markets (including money laundering prevention and terrorist financing), product safety and compliance, transport security, environmental protection (including radiation and nuclear safety), food and feed safety, animal health and welfare, public health, data protection (GDPR, BDSG), network and information systems security (NIS-2), consumer and investor protection, and public procurement.
In addition, criminal offences and administrative violations are covered where the legal interest at stake is the protection of life, health, personal liberty or the protection of employees. Purely contractual disputes (e.g. late payment, contract interpretation conflicts) without criminal law relevance do not fall within the scope of Section 2 HinSchG.
Important: reports concerning matters outside the scope of Section 2 HinSchG cannot claim protection from retaliation under the HinSchG. Companies that voluntarily expand their internal reporting scope must communicate clearly in which cases the statutory protection against retaliation applies and in which cases it does not.
Internal Reporting Office: Minimum Requirements under Sections 12–17 HinSchG
Sections 12 to 17 HinSchG regulate the requirements for internal reporting offices. The key obligations at a glance:
- Channel diversity (Section 16(1)): The reporting office must accept reports both in writing and orally. At the whistleblower's request, a personal meeting must be made possible.
- Acknowledgement of receipt (Section 17(1) No. 1): Within seven days of receiving a report, the reporting office representative must confirm receipt to the whistleblower.
- Impartiality (Section 15(1)): The person assigned to the reporting office must be independent and free from conflicts of interest. They may not simultaneously act as a reporting line for the matters being reported.
- Expertise (Section 15(2)): The representative must possess the necessary specialist knowledge, in particular knowledge of data protection law, employment law and the relevant subject areas of Section 2 HinSchG.
- Feedback (Section 17(1) No. 4): Within three months of the acknowledgement of receipt, feedback must be provided on the follow-up measures taken.
For companies with 50 to 249 employees, Section 14(2) HinSchG permits a shared reporting office with other companies, which is particularly relevant for corporate groups and business associations.
Confidentiality and Data Protection in Report Processing
Section 9 HinSchG establishes the confidentiality requirement as a central protective principle: the identity of the whistleblower may not be disclosed without their express consent. Exceptions apply only where disclosure is strictly necessary to initiate criminal proceedings and the competent authority requires the identity. Even in such cases, the whistleblower must be informed in advance, provided this does not jeopardise the investigation.
The confidentiality requirement extends to all persons involved in the processing of a report. Companies must therefore ensure that the documentation of a report is technically secured such that only those involved in processing it have access. Role-based access control (RBAC) is in practice indispensable.
The processing of personal data as part of the reporting procedure is subject to the GDPR. The Data Protection Officer (DPO) must be involved in the design of the reporting system and must review the Data Protection Impact Assessment (DPIA pursuant to Art. 35 GDPR), as the processing of reporting data can pose a high risk to the rights and freedoms of data subjects. The external Data Protection Officer via CIVAC can carry out and document this DPIA as part of their duties.
External Reporting Offices: Federal Office of Justice and Other Authorities
Sections 19 et seq. HinSchG regulate the external reporting offices. The Federal Office of Justice (BfJ) is designated as the central external reporting office at federal level. In addition, further external reporting offices may be established at state level. Sector-specific external reporting offices exist at BaFin (for financial services and capital markets) and at the Federal Cartel Office (for competition violations).
Under Section 7 HinSchG, whistleblowers have the right to report directly to external bodies without first using the internal reporting office. The Act contains no obligation to report internally as a preliminary step. Companies may encourage whistleblowers to report internally first, but cannot legally compel them to do so.
It is therefore strategically important for companies to design the internal reporting office in such a way that it earns the trust of employees and represents a genuine alternative to the external reporting channel. A well-documented approach to internal reports — demonstrating that reports are followed up and that follow-up measures are taken — is the most effective means of strengthening the internal reporting rate.
Prohibition of Retaliation and Reversal of the Burden of Proof
Section 36 HinSchG contains a comprehensive prohibition on retaliation. The following measures are prohibited where they are connected to a report: dismissal, formal warning, transfer, salary reduction, denial of promotion, negative performance appraisal, coercion, intimidation, discrimination, and any form of social exclusion. The prohibition applies not only to direct measures by the employer, but also to actions by colleagues or superiors that the employer tolerates.
The reversal of the burden of proof under Section 36(2) HinSchG is of particular importance for employers: if a whistleblower suffers a disadvantage following a report, it is presumed that this disadvantage constitutes retaliation. The employer must prove that the measure is based on other, objectively justifiable grounds. This reversal of the burden of proof makes the documentation of personnel decisions affecting whistleblowers a significant liability issue.
In practice, this means that every personnel measure (formal warning, dismissal, denial of promotion) taken against the reporting person after a report must be underpinned by comprehensive, prior documentary evidence showing that the measure was decided independently of the report.
Sanctions Framework and Enforcement Practice
Section 40 HinSchG defines the fine framework for administrative offences. The offences and maximum amounts at a glance:
- Violation of the confidentiality obligation (Section 40(1) No. 1): up to €100,000
- Retaliation against whistleblowers (Section 40(1) No. 2): up to €50,000
- Obstruction of reports (Section 40(1) No. 3): up to €100,000
- Failure to establish an internal reporting office (Section 40(2) No. 2): up to €20,000
The fine authorities determined under state law are responsible for enforcement, typically the trade inspectorates or public prosecutors' offices. Initial fine proceedings were initiated in 2024; the authorities' main areas of focus are the existence of the reporting office and compliance with the confidentiality obligation.
In addition to fines, civil liability arises under Section 37 HinSchG: compensation for material and non-material damages in cases of retaliation. Particularly relevant to liability is the combination of inadequate documentation of the reporting procedure and a subsequent personnel measure — this constellation is difficult to rebut in legal proceedings.
Organisational Implementation: The CIVAC Model for Internal Reporting Offices
Establishing a HinSchG-compliant internal reporting office requires five operational steps: appointing a representative and documenting a conflict-of-interest check; setting up a reporting channel structure (written + oral + in-person); defining the procedure for acknowledgement of receipt, review and feedback; creating a data protection concept and DPIA; and informing employees about the reporting office and the scope of protection.
The combination of a technical platform and an appointed representative is the most practical solution for many companies. CIVAC offers both models: licence the workspace for your internal reporting office representative — with pre-structured procedures, an automatic audit log and role-based access restrictions. Alternatively, appoint an external reporting office representative via CIVAC. Order document, signed, filed, verifiable — within two working days.
Others manage compliance like a filing cabinet. We run it like software. If you would like to establish your reporting office, have it reviewed, or switch to an external representative, write to us: info@civac.de.
FAQ
Does the Whistleblower Protection Act also apply to small companies with fewer than 50 employees?
No. Under Section 12(1) HinSchG, the obligation to establish an internal reporting office applies only to companies and institutions with 50 or more employees. Companies with fewer than 50 employees are not obliged to do so, but may voluntarily establish a reporting office. Criminal protection against retaliation applies regardless of company size.
Who may be appointed as a reporting office representative?
Section 15 HinSchG requires impartiality, specialist expertise and freedom from conflicts of interest. Eligible persons include internal employees without a direct reporting line to the areas being reported (e.g. from the legal or compliance department), or external persons such as lawyers, ombudspersons or specialist compliance service providers. The works council may not act as a reporting office.
Must the internal reporting office also accept anonymous reports?
Section 16(1) HinSchG does not impose an obligation to accept anonymous reports. However, the Act recommends that anonymous reports also be processed where they are substantive. In practice, most companies choose to process anonymous reports in order to lend credibility to their reporting system.
What happens if a whistleblower makes a false report?
Section 38 HinSchG limits protection for whistleblowers who knowingly report false information. In such cases, protection against retaliation ceases to apply and the whistleblower may be held civilly liable for damages. In the event of negligent misjudgement, protection is maintained provided the whistleblower had sufficient grounds to believe the information was accurate at the time of reporting.
How long must documentation of the reporting procedure be retained?
Section 11 HinSchG prescribes a retention period of three years after the conclusion of the procedure. Other retention obligations under employment law or tax law may justify longer periods. The identity of the whistleblower may only appear in the documentation to the extent necessary for the conduct of the proceedings.
Can an external reporting office completely replace the internal reporting office?
No. Section 12 HinSchG obliges affected companies to establish an internal reporting office. The external reporting office at the Federal Office of Justice is a supplementary option for whistleblowers, not a substitute for the company's internal obligation. However, a company may outsource its internal reporting office function to an external third party (Section 14 HinSchG).