77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Implementing a Whistleblowing System: Obligations Under the Whistleblower Protection Act (HinSchG) at a Glance
Governance & Compliance

Implementing a Whistleblowing System: Obligations Under the Whistleblower Protection Act (HinSchG) at a Glance

27 May 202612 min readBy Dr. Henrik Bauer
CIVAC

Since 17 December 2023, companies with 50 or more employees are required to establish an internal reporting office. This guide sets out what is required technically, organisationally and in terms of personnel.

The Whistleblower Protection Act (HinSchG) has required companies with 50 or more employees to maintain an internal reporting channel since 17 December 2023 (§ 12(1) HinSchG). Those who ignore this obligation risk fines under § 40 HinSchG of up to €20,000 — and up to €100,000 in cases of systematic obstruction of whistleblowers. In addition, there is the reputational risk that arises when whistleblowers, in the absence of an internal channel, directly inform external authorities or the public.

This article explains the technical, organisational and personnel requirements of the Whistleblower Protection Act (HinSchG), the applicable deadlines, how the confidentiality obligation is to be implemented and what role an Internal Reporting Office Officer assumes in practice. You will receive a structured overview that can be directly translated into an implementation plan.

Key Takeaways

  • Companies with 50 or more employees are required under § 12 HinSchG to operate an internal reporting office — the deadline has passed since 17 December 2023.
  • The reporting office must provide written and oral submission channels, send acknowledgements of receipt within 7 days and provide feedback within 3 months.
  • The Internal Reporting Office Officer may be appointed internally or externally — CIVAC offers both models via the same workspace.

Scope of Application: Who Is Obliged?

The Whistleblower Protection Act (HinSchG) applies to all private-law legal persons with 50 or more employees (§ 12(1) HinSchG). The relevant figure is the regular number of employees; agency and temporary workers count proportionately under § 12(3) HinSchG. For companies with between 50 and 249 employees, a facilitation applies: they may operate the internal reporting office jointly with another company in the same group, provided confidentiality and independence are maintained.

For companies with 250 or more employees and for certain sectors — including financial service providers under § 12(2) HinSchG — the obligation applied from 2 July 2023. Small companies with fewer than 50 employees are not obliged to establish a system but may do so voluntarily, which is particularly advisable for export-oriented SMEs that encounter the EU Whistleblower Directive (EU 2019/1937) in other EU Member States.

Excepted are municipalities and other public-law legal persons with fewer than 10,000 inhabitants or fewer than 50 employees, provided no specific sectoral law (e.g. banking law) applies. The role of the Internal Reporting Office Officer at CIVAC includes a full assessment of the scope of application based on the specific corporate structure.

Material Scope: Which Reports Are Protected?

The Whistleblower Protection Act (HinSchG) protects reporting persons who report information about infringements obtained in a professional context (§ 2 HinSchG). Protection extends to infringements of national law and EU law in 22 specific areas — including data protection (GDPR), anti-money laundering, product safety, environmental protection, food safety, public procurement and financial services.

Reports that exclusively concern personal employment law matters (e.g. general dissatisfaction with superiors) are not protected, unless they overlap with one of the listed subject areas. The reporting office is moreover not obliged to follow up anonymously submitted reports — but it may do so and is expected pursuant to § 16(1) sentence 4 HinSchG to also consider anonymous reports.

For practice, this means: the substantive scope of the reporting system must be clearly documented so that case handlers can quickly decide whether an incoming report falls within the Whistleblower Protection Act (HinSchG) or is to be forwarded to another channel. If this documentation is absent, the company risks both procedural errors and liability for retaliation against reporting persons who have reported a protected matter.

Minimum Technical Requirements: Channels and Confidentiality

§ 16 HinSchG requires the reporting office to accept both written and oral reports. At the request of the reporting person, a personal meeting must also be possible. A mere email inbox is insufficient because the anonymity option is absent. Specialised software solutions offering encrypted communication channels with pseudonymised case numbers are suitable for practical use.

The confidentiality of the identity of the reporting person and all mentioned third parties must be maintained under § 8 HinSchG without exception. Disclosure is only permissible in narrowly defined exceptional circumstances — in particular where the reporting person expressly consents or a statutory disclosure obligation exists. From a technical perspective, this means that access logs, role-based access concepts and data protection impact assessments (DPIA under Art. 35 GDPR) are mandatory for the reporting system.

In addition to the technical aspects, the documentation obligation applies: each report must be recorded in a case register and retained for at least three years (§ 11 HinSchG). Records must be secured so that unauthorised persons cannot gain access. The external Data Protection Officer should be involved in the DPIA and the deletion concept to ensure GDPR compliance.

Procedural Deadlines: The 7-Day and 3-Month Rules

The Whistleblower Protection Act (HinSchG) prescribes two central deadlines: first, the reporting person must receive an acknowledgement within seven days of receipt of the report (§ 17(1) HinSchG). This deadline applies regardless of whether the report appears substantively plausible. An absent acknowledgement system therefore constitutes an immediate compliance risk.

Second, feedback to the reporting person is required within three months of the acknowledgement of receipt (§ 17(2) HinSchG). The feedback must provide information on follow-up measures initiated or planned, as well as the reasons where no measures are taken. The content of the feedback must not prejudice the rights of third parties — in particular, the presumption of innocence in favour of the persons concerned.

Both deadlines must be documented in the case register. In practice, manual deadline management frequently leads to oversights because case handlers are processing several cases in parallel. Automated reminder functions within the reporting system considerably reduce the risk of missed deadlines. The deadline runs from the moment of awareness — and the evidence that action was taken on time must be provable without gaps in the event of a dispute.

The Internal Reporting Office Officer: Requirements and Independence

§ 14 HinSchG requires that persons entrusted with the reporting office are professionally qualified and independent. Independence means in concrete terms: no conflicts of interest with the areas subject to reporting obligations, no instructions from persons who could be the subject of a report. For many SMEs, this structural independence is difficult to establish internally where only a few senior managers exist.

Appointment may be internal or external. For internal designation, a written mandate with a clear delineation of the role is required. For external appointment, a written service contract must be in place governing independence from instructions, confidentiality obligations and reporting lines. The external service provider must not simultaneously operate the reporting office for direct competitors where conflicts of interest could arise.

Professional qualifications encompass knowledge of the subject area (§ 2 HinSchG), procedural knowledge and the ability to initiate follow-up measures such as internal investigations or external reports to authorities. Regular training is not an explicit obligation, but is valuable as evidence of professional qualifications in the event of an inspection. The CIVAC role of Internal Reporting Office Officer is backed by the requisite proof of qualifications and is available for immediate appointment.

Prohibition of Retaliation and Liability Risks for Companies

§ 36 HinSchG prohibits any form of retaliation against reporting persons: dismissal, formal warning, transfer, pay reduction, non-promotion, negative references, harassment or the bringing of proceedings. An employer who takes retaliatory measures is liable for damages; the burden of proof is reversed under § 36(2) HinSchG in favour of the reporting person. The employer must demonstrate that an adverse measure was unconnected to the report.

Fines under § 40 HinSchG are threatened where reports are obstructed, where the confidentiality obligation is breached, where a reporting office is not established and where retaliatory measures are taken. Fines amount to up to €20,000 per infringement; up to €100,000 for systematic obstruction. These amounts are not limited to a single act — each infringement may be penalised separately.

For company management, this creates a direct personal liability risk under § 130 OWiG where supervisory duties are breached. Documented training for senior managers and procedural instructions for handling reports are therefore not merely advisable but form the liability protection wall in regulatory offence proceedings.

Interface with the External Reporting Office: Federal Office of Justice

Alongside the internal reporting office, the legislature has established an external reporting office at the Federal Office of Justice (BfJ) (§ 19 HinSchG). Reporting persons may report directly to the BfJ without having first used the internal channel. They are entitled to choose which channel to use — there is expressly no obligation to report internally first.

For the companies concerned, this means: a well-functioning internal reporting office with short response times and a recognisably protective approach is the best means of avoiding external escalation. Reporting persons typically choose the external route when they lack confidence in internal handling or when internal follow-up measures have not been taken.

Sectorally, additional external bodies exist: BaFin is responsible for the financial sector, the Federal Office for Economic Affairs and Export Control (BAFA) for the supply chain area, the Federal Office of Consumer Protection and Food Safety (BVL) for food safety. Companies with several regulated areas should document to which external body reports should be made in the respective subject area — this information belongs in the procedural instructions of the internal reporting office.

Implementation Project: Phases and Common Pitfalls

The introduction of a reporting system compliant with the Whistleblower Protection Act (HinSchG) can be divided into four phases: analysis, design, implementation and operation. In the analysis phase, the scope of application must be clarified (headcount, group structure, sector obligations), the existing infrastructure reviewed and the data protection impact assessment initiated. A common pitfall: many companies underestimate the DPIA obligation under Art. 35 GDPR for the reporting system.

In the design phase, the choice of channel, the role model (internal/external), the procedural instructions and the training concept must be developed. A frequent error is the absence of written procedural instructions: without a documented process, case handlers cannot in cases of doubt demonstrate that they acted in accordance with the standard. In the implementation phase, the software must be set up, the officer's letter of appointment created and the workforce informed — the information obligation under § 13 HinSchG covers both internal and external reporting offices.

During operations, case handling, deadline monitoring and annual reviews must be assured. Letter of appointment, signed, filed, evidenced — this requirement applies equally to the internal reporting office. CIVAC provides 490 ready-to-use audit templates, including one specifically for Whistleblower Protection Act (HinSchG) compliance reviews.

CIVAC: Setting Up an Internal Reporting Office Without Project Overhead

CIVAC is a German compliance platform and Officer-as-a-Service provider headquartered in Hamburg. For the internal reporting office under the Whistleblower Protection Act (HinSchG), CIVAC offers two routes: license the workspace for your internal officers or appoint our officers — depending on your resource situation and desired degree of independence.

The CIVAC workspace contains preconfigured process templates for acknowledgement of receipt, case register, deadline management and feedback routines. The platform meets the technical requirements under § 16 HinSchG: encrypted channels, pseudonymised case numbers, DPIA documentation, role-based access controls and automatic reminder functions for the 7-day and 3-month deadlines. All data are stored exclusively on EU servers.

External officers appointed via CIVAC are formally appointed within two working days — including a written letter of appointment and documented reporting line to company management. The conventional process via law firms typically takes two to six weeks.

Turn reading into action: contact us at info@civac.de or use the contact form at civac.de. The inspector calls; the evidence is ready.

FAQ

From when does the obligation to maintain an internal reporting office under the Whistleblower Protection Act (HinSchG) apply?

For companies with 250 or more employees, the obligation has applied since 2 July 2023. Companies with 50 to 249 employees have been obliged since 17 December 2023. For financial service providers and certain regulated sectors, different deadlines may apply.

Can the internal reporting office be outsourced to an external service provider?

Yes, § 14(1) HinSchG permits the appointment of external third parties. The precondition is a written contract governing professional qualifications, independence, confidentiality and reporting lines. The external service provider must have no conflicts of interest.

Must anonymous reports also be processed?

There is no statutory obligation to process anonymous reports; however, § 16(1) sentence 4 HinSchG requires that the possibility of anonymous reporting be provided. For liability reasons, a documented policy for handling anonymous submissions is advisable.

What deadlines apply when processing a report?

An acknowledgement of receipt must be issued within seven days (§ 17(1) HinSchG). Feedback on follow-up measures initiated is required within three months of that acknowledgement (§ 17(2) HinSchG). Both deadlines must be documented.

What fines are imposed for non-compliance with the Whistleblower Protection Act (HinSchG)?

§ 40 HinSchG provides for fines of up to €20,000 per infringement. In cases of systematic obstruction of reports or serious retaliatory measures, the range increases to up to €100,000. Each individual infringement may be penalised separately.

Must employees be informed about the internal reporting office?

Yes, § 13 HinSchG obliges companies to inform employees clearly and comprehensibly about the internal and external reporting offices and the applicable confidentiality rules. This information must be accessible, current and written in plain language.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles