Internal Reporting Officer
Confidential intake of whistleblower reports, case handling within the 3-month HinSchG deadline, retaliation monitoring. Independent from management reporting lines.
HinSchG · EU Whistleblower Directive
What is the Internal Reporting Officer?
The Internal Reporting Officer (Beauftragter für die interne Meldestelle, often called whistleblowing officer) is the person designated under § 14 of the German Whistleblower Protection Act (HinSchG) to operate an internal reporting channel. The HinSchG entered into force on 02.07.2023 and transposed EU Directive 2019/1937 of 23.10.2019 into German law. It protects natural persons who, in a work-related context, obtain and report information about legal breaches. The material scope under § 2 HinSchG covers criminal offences, certain administrative offences (in particular those protecting life and health), AML, tax, consumer, environmental and data protection rules, plus sector-specific EU law such as financial services, product safety and anti-money laundering.
The appointment obligation under § 12 HinSchG covers employers with 50 or more employees. The deadline for companies with 250 or more employees was 02.07.2023; for companies between 50 and 249 employees the deadline was 17.12.2023. Banks, investment firms, insurers and listed companies are obliged regardless of headcount. For corporate groups, § 14 Para. 1 sentence 4 HinSchG allows a shared reporting body across subsidiaries, but the CJEU clarified in C-635/20 of 11.05.2023 that a parent company cannot fully replace a subsidiary's national obligations.
Under § 16 HinSchG, the officer receives reports orally, in writing or in person on request, acknowledges receipt within 7 days, examines the report, takes follow-up action and provides feedback to the reporting person within 3 months. Confidentiality of identity is mandatory under § 8 HinSchG, including towards supervisors and other shareholders. The retaliation ban under § 36 HinSchG reverses the burden of proof: any disadvantage suffered after a report is presumed to be retaliation unless the employer proves the contrary. Since the binding effective date of 17.12.2023 the channel must also accept anonymous reports under § 16 Para. 1 sentence 4 HinSchG.
Duties of the internal reporting officer
- Operate the reporting channel under § 16 HinSchG for oral, written and in-person reports.
- Acknowledge receipt to the whistleblower within 7 days under § 17 Para. 1 No. 1 HinSchG.
- Examine plausibility, investigate the facts and take appropriate follow-up action under § 18 HinSchG.
- Provide feedback to the whistleblower on follow-up within 3 months under § 17 Para. 1 No. 4 HinSchG.
- Preserve confidentiality of the whistleblower, the subjects of the report and third parties under § 8 HinSchG.
- Document every report and follow-up under § 11 HinSchG with a 3-year retention period.
- Maintain the GDPR Article 30 records of processing and, where relevant, the DPIA.
- Train staff on the existence of the channel and protection from retaliation.
- Interface with the external reporting body at the Federal Office of Justice (BfJ) under § 19 HinSchG and with BaFin in the financial sector.
- Provide an annual activity report to management covering risk analysis and recommendations.
Appointment, expertise and deadlines
The appointment obligation flows from § 12 HinSchG. Employers with 250 or more employees had to set up an internal reporting channel by 02.07.2023; employers with 50 to 249 employees by 17.12.2023. Missing the 17.12.2023 deadline can attract a fine of up to 20,000 EUR under § 40 Para. 2 HinSchG. Certain sectors are obliged regardless of size: banks under KWG, investment firms under WpHG, insurers under VAG, capital management companies under KAGB and listed companies under § 264d HGB. In groups, § 14 Para. 1 sentence 4 HinSchG allows a shared channel, but CJEU ruling C-635/20 of 11.05.2023 restricts this option for subsidiaries with 50 or more employees of their own.
§ 15 HinSchG requires the officer to possess the necessary expertise (Fachkunde). The legislator's explanatory memorandum specifies knowledge of procedural law (investigation methods, evidence preservation), data protection under GDPR and the relevant substantive law (employment, compliance, AML, tax, anti-bribery). Recognised trainings are offered by TUEV, DGCS, the German Compliance Association and specialised law firms; certification is not mandatory. The function must be independent under § 15 Para. 1 HinSchG, which generally rules out conflicts with HR, legal or compliance leadership; a dual role can be tolerated in small companies if escalation routes are documented. External appointment is expressly permitted under § 14 Para. 1 sentence 2 HinSchG and is the default solution in the German mid-market. Appointment must be in writing; under § 14 Para. 1 sentence 3 HinSchG the employer remains liable for proper establishment of the channel.
- Employers with 50 or more employees (§ 12 HinSchG), deadlines 02.07.2023 (250+) and 17.12.2023 (50 to 249).
- Banks (KWG), investment firms (WpHG), insurers (VAG), KVGs (KAGB) regardless of size.
- Listed companies under § 264d HGB.
- Orders by the external reporting body at the Federal Office of Justice under § 19 HinSchG.
- CJEU case C-635/20 (11.05.2023): no full delegation of subsidiary obligations to the parent.
- Sector overlays: AML whistleblowing channel under § 6 Para. 5 GwG, MaRisk AT 4.4.3 for banks.
Sectors with mandatory reporting channels
- Banks, savings banks, cooperatives and investment firms
- Insurers, pension funds and asset managers
- Industrial companies with 50+ employees (machinery, chemicals, automotive)
- Listed companies of any sector
- Hospitals, outpatient centres and care groups
- Public administration and municipal entities
- Education and research above 50 employees
- Group structures with German subsidiaries under CJEU C-635/20
- Foundations and non-profits above 50 employees
- Crypto service providers and fintechs under MiCAR
How CIVAC supports the internal reporting officer
CIVAC operates an HinSchG-compliant reporting channel with end-to-end encryption, anonymous reporting options and structured case management. Incoming reports are auto-acknowledged within the 7-day deadline under § 17 Para. 1 No. 1 HinSchG, and the 3-month feedback deadline under § 17 Para. 1 No. 4 HinSchG is enforced as a mandatory field. The workspace maintains the Article 30 GDPR records automatically, documents follow-up actions in an audit-grade trail and meets the 3-year retention requirement under § 11 HinSchG. Role separation (officer, deputy, legal back-office) and a closed data room prevent unauthorised access. Group setups can host multiple subsidiaries in line with CJEU C-635/20. An external HinSchG officer can be appointed via CIVAC within 48 hours, with the channel live.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.