On 11 May 2023, the Bundestag passed the "Act for Better Protection of Persons Providing Information (Whistleblower Protection Act - HinSchG)", after it had been renegotiated in the Mediation Committee. One day later, the Bundesrat also approved this amended version. The HinSchG will enter into force on July 2, 2023.
This will transpose the EU Directive on the provision of information (2019/1937) into national law with some delay. However, the HinSchG still goes beyond the EU requirements.
Scope of application
The HinSchG regulates the protection of natural persons who have obtained information about violations in connection with their professional activity or in the run-up to this activity and report or disclose these. This includes employees, trainees, interns and persons whose employment relationship has already ended. They can turn to the internal and external reporting bodies provided for in the HinSchG.
If whistleblowers confide in a reporting office or even disclose a violation, they should be protected from reprisals. If they nevertheless suffer reprisals, i.e. unjustified disadvantages in a professional context, such as dismissal, negative evaluations or mobbing, those responsible are obliged to compensate the whistleblowers for the resulting damage - including immaterial damage. In addition, there is a reversal of the burden of proof in favour of the whistleblower. This means that if they suffer a disadvantage in connection with their professional activity after a report or disclosure, it is presumed that this disadvantage is a reprisal.
Barbara Scheben
Partner, Audit, Regulatory Advisory, Head of Forensic, Head of Data Protection
KPMG AG Wirtschaftsprüfungsgesellschaft
Under certain circumstances, other persons are also covered by the scope of protection of the HinSchG. This may be the case if they confidentially assist a whistleblower in an internal or external report or disclosure in a professional context or are associated with the person and have suffered professional reprisals in connection with the report or disclosure.
The material scope of application of the HinSchG includes offences subject to a penalty and offences subject to a fine. The latter are only covered if the violated regulation serves to protect life, limb or health or to protect the rights of workers or their representative bodies. In addition, the law lists other areas of law that may be subject to reporting, such as violations related to money laundering and terrorist financing, product safety, environmental protection, food safety and certain aspects of animal welfare. At the end of the legislative process, violations of the EU Digital Markets Act and anti-constitutional statements by public officials were also included.
An infringement in the sense of the HinSchG is not only present if clearly unlawful acts have taken place, but can also be present in the case of abusive acts or omissions if these run counter to the aim or purpose of a covered regulation.
Internal reporting points
Employers (natural and legal persons under public and private law, partnerships with legal capacity and other associations of persons with legal capacity) with at least 50 employees as a rule must set up and operate internal reporting offices to which persons can turn with information. Certain employers, e.g. credit institutions, investment service providers, capital management companies and insurance companies, must establish internal reporting offices regardless of the minimum number of employees.
For private employment providers with usually 50 to 249 employees, certain simplifications apply. They have a slightly longer period of time (until 17 December 2023) to set up the internal reporting office and can also set up and operate a joint internal reporting office together with several other employers.
It must be possible to make reports orally (for example, by telephone, voice transmission or, at the request of the person making the report, in a personal meeting or by video communication) or in text form. Various documentation and confidentiality requirements must be taken into account.
Reporting offices should also process anonymous incoming reports, although there is no obligation to design the reporting channels in such a way that they allow anonymous reports to be submitted.
The internal reporting office shall acknowledge receipt of a report to the person making the report after seven days at the latest. It checks whether the reported violation falls within the material scope of application and is valid. It shall maintain contact with the whistleblower, request further information if necessary and take appropriate follow-up action. Follow-up measures are, in particular, internal investigations, but may also include submission to a competent authority.
External reporting bodies and disclosure
In addition to the internal reporting offices, the HinSchG provides for the establishment of external reporting offices. These are primarily established at the Federal Office of Justice, but also at the Federal Financial Supervisory Authority (BaFin), the Federal Cartel Office (Bundeskartellamt) and other federal and state agencies. The procedure for external hotlines is similar to that of internal hotlines, but provides for further specific requirements.
In principle, the whistleblower is free to choose between an internal and an external reporting office for submitting a report. However, an internal hotline should be preferred under the law if effective internal action can be taken against the violation and the whistleblower does not fear reprisals.
Under certain circumstances, the disclosure of a tip, for example to the press, may also be covered by the scope of protection of the HinSchG. This is the case if the whistleblower has initially made an external report and no appropriate follow-up action has been taken within the applicable time limits, or has not received any feedback on the taking of such follow-up action. The same applies if
- whistleblowers have sufficient reason to believe that the violation may pose an imminent or obvious threat to the public interest because of an emergency, the risk of irreversible damage or comparable circumstances,
- in the case of an external report, reprisals are to be feared or evidence could be suppressed or destroyed,
- there may be collusion between the responsible external reporting body and the perpetrators of the offence, and
- due to other special circumstances, there is little chance that the external reporting body will take effective follow-up action.
Sphere of the person providing the information
At the time of the report, the person providing the information must have had sufficient reason to believe that the information reported or disclosed by him or her was true. In addition, the information must concern violations that fall within the scope of the HinSchG, or the whistleblower must have had reasonable grounds to believe that this was the case at the time of the report.
Under certain conditions, the protection of the person providing the information even takes precedence over the prohibitions regulated in the Business Secrets Act (GeschGehG).
Sanctioning
In addition to the protective effects for whistleblowers already mentioned, the HinSchG provides for fines for non-compliance with certain requirements. For example, obstructing a report, failing to maintain confidentiality or taking reprisals are sanctioned with a fine of up to 50,000 euros, and failing to set up or operate a reporting office is sanctioned with a fine of up to 20,000 euros.
In this context, it should be mentioned that the disclosure of knowingly incorrect information can also lead to a fine of up to 20,000 euros.
What to do now?
The requirements of the law for the protection of whistleblowers are extensive. Therefore, both companies that do not yet operate a whistleblower system and those that have already established reporting channels are strongly advised to deal with the requirements of the HinSchG and to set up the necessary measures. In order to strengthen the trust of the workforce and promote the use of internal reporting channels, a focus should be placed on establishing effective prevention measures as well as measures for the internal investigation of violations.
Companies that are already covered by the Supply Chain Duty of Care Act (LkSG) (at least 3,000 employees) or will be in the near future (from 2024: at least 1,000 employees) are thereby obliged, among other things, to set up an "appropriate internal company complaints procedure" (§ 8 LkSG). This is also a whistleblowing system, but it must (also) comply with the special and more extensive requirements of the LkSG. The obligated companies should therefore consider the requirements of the LkSG complaints procedure when implementing the HinSchG in order to be able to arrive at efficient (overall) solutions.
KPMG's experts will be happy to assist you in the conception and implementation of reporting points and reporting channels as well as in the reaction to reported violations. Contact us.
Your contacts
Barbara Scheben
Partner, Audit, Regulatory Advisory, Head of Forensic, Head of Data Protection
KPMG AG Wirtschaftsprüfungsgesellschaft
Alexander Geschonneck
Partner, Forensic, Global Head of Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft
Christoph Kampmeyer
Director, Audit, Regulatory Advisory, Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft
Verena Hinze
Partnerin, Audit, Regulatory Advisory, Forensic
KPMG AG Wirtschaftsprüfungsgesellschaft