Corporate Compliance Program Template for Germany: Structure, Mandate, and Documentation
German law does not prescribe one statutory compliance program, yet § 130 OWiG, the Verbandssanktionengesetz draft, and § 91 AktG converge on the same elements. This template translates the duty of organisational oversight into a workable program structure.
German corporate law does not codify a single mandatory compliance program. The duty to install one is nevertheless settled. § 130 OWiG obliges the owner of a business to take the supervisory measures required to prevent breaches of duty that carry a fine or penalty. § 91 Abs. 2 AktG requires the management board of a stock corporation to establish an early-warning system. The Federal Court of Justice confirmed in its ruling of 9 May 2017 (1 StR 265/16) that an effective compliance program can reduce a corporate fine. The Verbandssanktionengesetz draft of 2020 reinforced the same expectation for limited liability companies.
This article gives you a working corporate compliance program template for Germany. You receive a seven-element structure, a model mandate letter for the Compliance Officer, the minimum documentation set demanded by prosecutors, and the audit-ready evidence chain you must keep. The template assumes a mid-sized German entity with three to two thousand employees and addresses both the in-house officer model and the externally appointed officer model.
At a Glance
- § 130 OWiG, § 91 AktG, and BGH 1 StR 265/16 form the legal triangle that any German compliance program must satisfy.
- A defensible program rests on seven elements: risk assessment, written policies, training, reporting channel, monitoring, response, and continuous review.
- The Compliance Officer needs a signed Bestellurkunde, a documented reporting line to the board, and an annual report on file before any audit.
The Legal Foundation: What German Law Actually Demands
The starting point is § 130 OWiG. The provision imposes a fine of up to 1 million euro on owners of a business who fail to take the supervisory measures required to prevent breaches of duty inside their organisation. The Federal Court of Justice has held that suitable supervisory measures include a documented compliance organisation, written rules, training, and review. Where the breach generates an economic advantage, § 17 Abs. 4 OWiG allows the fine to exceed the statutory ceiling.
§ 91 Abs. 2 AktG addresses the management board of a stock corporation directly. The board must establish suitable measures, in particular a monitoring system, so that developments which threaten the continued existence of the company are recognised early. The duty extends by analogy to managing directors of a GmbH through § 43 GmbHG and the established case law on the duty of legality.
The Bundesgerichtshof confirmed in its ruling of 9 May 2017 (1 StR 265/16) that an effective compliance management system can be a mitigating factor when the court sets a corporate fine under § 30 OWiG. The court named four indicators: risk-adequate organisation, documented controls, post-incident response, and continuous improvement. For a deeper look at the Compliance Officer role, see our overview of the Compliance-Beauftragter. CIVAC is a compliance platform and Officer-as-a-Service.
Element 1: Risk Assessment and Scope Definition
Every defensible program begins with a written risk assessment. The assessment lists the legal areas relevant to the entity, scores each area by likelihood and impact, and assigns an owner. Typical areas for a German mid-sized company include antitrust under the GWB, anti-corruption under §§ 299 ff. StGB, data protection under DSGVO, anti-money-laundering under the GwG where applicable, export control under the AWG, the Lieferkettensorgfaltspflichtengesetz where thresholds apply, and the General Equal Treatment Act.
The assessment is not a one-page summary. It is a structured document that records who interviewed whom, which controls already exist, where gaps were found, and which mitigating actions were decided. Prosecutors and courts read it. The Bundesgerichtshof judgment of 9 May 2017 made clear that an undocumented assessment carries no weight.
Review the risk assessment annually and after any material change. Material change includes acquisitions, new markets, new product lines, new senior hires in finance or sales, and regulatory shifts such as the NIS-2 transposition or the EU AI Act. The CIVAC Workspace stores each version of the assessment, with timestamp, author, and approver. The audit trail satisfies the documentation expectation under § 130 OWiG and removes the recurring dispute over which version was effective at the time of an incident.
Element 2: Code of Conduct and Written Policies
The Code of Conduct is the central rule book. It translates the risk assessment into binding behavioural rules for every employee, contractor, and director. The Code must be approved by the management board, dated, version-controlled, and acknowledged by every employee in writing or with a documented digital signature. The acknowledgment is the evidence that the rule existed and was known to the individual at the time of the conduct in question.
Beneath the Code sit topic-specific policies. The minimum set for a German entity includes: anti-corruption and gifts, antitrust and competitor contacts, data protection and information security, anti-money-laundering where applicable, conflicts of interest, donations and sponsoring, export control and dual-use goods, and the handling of internal reports under the Hinweisgeberschutzgesetz. Each policy names a responsible role, a review cycle, and a sanction in case of breach.
Avoid the trap of cloning a US Code. German employment law restricts certain US-style provisions, in particular global non-compete clauses, blanket monitoring rights, and mandatory arbitration. Adapt the wording to § 75f HGB, § 87 BetrVG, and the case law of the Bundesarbeitsgericht. CIVAC ships 37 ready-to-use audit templates in Workspace, including a German-law Code of Conduct shell and the policy templates listed above.
Element 3: Compliance Officer Mandate and Reporting Line
The Compliance Officer must be appointed by a written Bestellurkunde signed by the management board. The Bestellurkunde defines the scope of the mandate, the resources granted, the reporting line, and the term. German jurisprudence treats the officer as a Garant under § 13 StGB. The officer therefore needs both the authority and the information to discharge the duty. An ambiguous mandate triggers personal exposure for the officer and undermines the mitigating effect for the company.
The reporting line must reach the management board directly. In a GmbH, the line goes to the Geschäftsführung. In a stock corporation, the line goes to a designated board member, typically the Chief Compliance Officer or the General Counsel, with a dotted line to the supervisory board’s audit committee. The officer files at least one annual written report and an ad-hoc report for any material incident. Both reports are minuted and stored.
Two operating models are accepted in practice: appoint an internal officer or appoint an external officer. CIVAC supports both. License the Workspace for your internal officers, or have our officers appointed. The Bestellurkunde, the role description, the reporting cadence, and the annual report all live in one place, audit-proof and documented.
Element 4: Training, Awareness, and Acknowledgments
Training is the element prosecutors test first. The Federal Court of Justice expects role-specific, recurring, and documented training. A single onboarding video does not meet the standard. The program must distinguish at least three audiences: all employees with general awareness training, function-specific staff such as sales, procurement, finance, and HR with deep-dive modules, and the management board and senior leadership with their own session.
The cadence is annual for general modules and at least biennial for deep-dive modules. New joiners receive training within 30 days. Each completion is logged with employee name, module, date, and result. The log is the evidence in any later proceeding. Where training is delivered through an external provider, the contract must allow CIVAC or the company to export the logs at any time.
Topics tied to specific regulation require specific training. Anti-money-laundering training is mandatory under § 6 Abs. 2 Nr. 6 GwG for obligated entities. Data protection training is implied by Art. 39 Abs. 1 b DSGVO. Information security training is required under ISO/IEC 27001:2022 control A.6.3 and under § 38 NIS2UmsuCG once in force. The CIVAC Workspace links the training log to the relevant control, so the auditor sees the evidence in one click. The auditor calls, and the evidence is ready.
Element 5: Internal Reporting Channel and Investigations
The Hinweisgeberschutzgesetz entered into force on 2 July 2023. Companies with 50 or more employees must operate an internal reporting channel. The channel must allow anonymous reports, confirm receipt within seven days, and inform the reporting person of the outcome within three months. Retaliation is prohibited, and § 36 HinSchG reverses the burden of proof in favour of the reporting person.
The reporting channel sits inside the compliance program but reports through the dedicated case manager defined in § 14 HinSchG. The case manager is typically the Compliance Officer or a designated lawyer. The investigation file records intake, classification, interviews, evidence, findings, and remediation. The file is stored under access control because it routinely contains personal data of suspects and witnesses, and Art. 6 Abs. 1 f DSGVO governs the legal basis.
For the operational structure, our note on the interne Meldestelle nach HinSchG walks through the staffing options. CIVAC supplies the case-management template, the investigator checklist, and the EU data-residency hosting required when the data subjects are in the EU. The same Workspace links each case to the relevant compliance topic, so the annual report can quantify findings by risk area.
Element 6: Monitoring, Audit, and Controls Testing
A program that is not tested is not a program. The Bundesgerichtshof judgment of 9 May 2017 cites continuous monitoring as one of the four indicators of an effective system. Monitoring means three concrete activities: periodic control testing by the second line, internal audit by the third line, and management review by the board.
Periodic control testing is a quarterly or half-yearly exercise. The Compliance Officer or a delegated controller picks a sample of transactions and tests whether the documented control was applied. Examples: a sample of 25 purchase orders above the four-eyes threshold, a sample of 10 sales transactions in a high-risk country, a sample of new-hire training acknowledgments. Test results, exceptions, and remediations are logged.
Internal audit covers the design and operating effectiveness of the program annually. Where no internal audit function exists, the company commissions an external review. The standard reference is the IDW PS 980 audit standard for compliance management systems. Audits performed under PS 980 are accepted by prosecutors as evidence of design and effectiveness. CIVAC includes the PS 980 evidence template in its 37 audit templates, plus the 93 controls aligned to ISO/IEC 27001:2022 for the information security part of the program.
Element 7: Incident Response, Sanctions, and Continuous Improvement
Every program needs a response track. The response track sets out who acts when a potential breach is reported, what evidence is preserved, when external counsel is engaged, and when notification duties are triggered. Notification duties in Germany include Art. 33 DSGVO with its 72-hour deadline for personal data breaches, § 32 NIS2UmsuCG with the 24-hour early warning and 72-hour follow-up for significant incidents at essential and important entities, and § 6 GwG for suspicious transactions at obligated entities. Each deadline runs from the moment of knowledge.
Sanctions inside the company close the loop. Where a breach is confirmed, the company applies a proportionate consequence: warning, reprimand, termination, or claw-back of variable pay. The decision is documented and stored with the case file. A program that finds breaches and does not act sends the opposite signal and undermines mitigation.
Continuous improvement turns each incident into a control update. The Compliance Officer reviews findings annually and feeds them into the next risk assessment cycle, the policy refresh, and the training plan. The CIVAC Workspace ties each finding to a control ID, so the auditor sees the link between the incident and the remediation. The result: a program that gets stronger after every event, not weaker.
From Reading to Mandate
A template on a server is not a program. The work begins when the management board approves the risk assessment, signs the Bestellurkunde, allocates the budget, and books the first training round. The seven elements set out above are the minimum that German courts and prosecutors expect to see. Below the minimum, the company carries the full risk of § 130 OWiG. At the minimum, the company carries a defensible program that can mitigate a corporate fine under § 30 OWiG.
CIVAC is a compliance platform and Officer-as-a-Service. The Workspace ships the seven-element template, the 37 audit-ready templates, the Bestellurkunde shell, the reporting-line ledger, the case-management module for HinSchG, the training log, and the PS 980 evidence pack. Hosting is on EU data-residency infrastructure. The platform is operated under an ISO/IEC 27001:2022 ISMS. License the Workspace for your internal officers, or appoint CIVAC officers under the Officer-as-a-Service model.
Turn reading into a mandate. Write to info@civac.de or use the contact form, and a senior officer will respond within two working days with a scoping call, a draft Bestellurkunde, and a proposed timeline. Bestellurkunde: signed, filed, provable.
FAQ
Is a corporate compliance program legally mandatory in Germany?
There is no single statute that says "every company must have a compliance program". The duty arises indirectly from § 130 OWiG, § 91 Abs. 2 AktG, and § 43 GmbHG, and from BGH 1 StR 265/16. In practice, courts and prosecutors expect a documented program at any company above roughly 50 employees or in a regulated sector.
What is the difference between the in-house officer model and Officer-as-a-Service?
The in-house officer is your employee, appointed by Bestellurkunde, paid through payroll, and accountable to your board. Officer-as-a-Service means CIVAC supplies a qualified officer under a service contract with the same Bestellurkunde and reporting line. Both satisfy German law. The choice depends on volume, sector, and internal expertise.
How often must the risk assessment be refreshed?
Annually as a baseline, and immediately after any material change. Material changes include acquisitions, new markets, new senior hires in sales or finance, and new regulatory regimes that touch the entity. The Workspace versions every risk assessment so the auditor can see exactly which version was effective at the time of an incident.
Does the IDW PS 980 audit replace a court review of the program?
No. An IDW PS 980 opinion confirms design and operating effectiveness at a point in time, and it is widely accepted by prosecutors as evidence. A court reviewing a § 30 OWiG fine will still look at the facts of the case. The PS 980 opinion increases the chance that a documented program is treated as a mitigating factor.
Can a single Compliance Officer cover all topic areas?
In a smaller entity, yes. In a larger entity, the Compliance Officer typically coordinates topic officers, such as the Money Laundering Reporting Officer under § 7 GwG, the Data Protection Officer under Art. 37 DSGVO, the Information Security Officer, and the LkSG Officer. The coordination role itself sits with one accountable person who reports to the board.
How long must compliance records be retained?
Retention follows the underlying regulation. AML records under § 8 GwG: five years, with a maximum of ten. Tax-relevant records under § 147 AO: ten years. Personal data under Art. 5 Abs. 1 e DSGVO: only as long as required for the original purpose. The CIVAC Workspace maps retention rules to the control library so deletion runs automatically.
Turn this article into a mandate.
We take on the operational burden: an external officer, templates, and documentation in one Workspace. No obligation.