Having failed to meet the deadline for transposing the EU Whistleblowing Directive due to a long period of political back-and-forth, the German Whistleblower Protection Act only came into force very recently, on 2 July 2023.

The legislation follows the Directive rather closely, but also contains some specific provisions that companies operating in Germany should be aware of. In this article, we take a look at what employers need to know.

• Since 2 July 2023, all companies with 250 or more employees must set up a whistleblower system, i.e. secure and reliable channels for the internal reporting of violations. For financial institutions, this obligation applies regardless of the number of employees.
• From 1 December 2023, all companies with 250 or more employees and financial institutions that have not yet set up a whistleblower system will face a fine of up to EUR 20,000.
• From 17 December 2023, all companies with 50 or more employees must set up a whistleblower system; they also face a fine of EUR 20,000 from this date if they do not comply.

The employee thresholds apply to each legal entity, which means that smaller entities within in a group might not fall under the new legislation at all, or only from December onwards.

Interestingly, the German lawmaker has permitted corporate groups to set up a joint, centralised reporting channel at one of their group companies regardless of the size of the entities involved. This appears to be in conflict with the Directive which stipulates that (only) entities with 50 to 249 employees may share resources as regards the receipt of reports and investigations to be carried out. This point was emphasised by the European Commission in two statements in June 2021, when several lobbying organisations requested a more generous interpretation for entities with more than 250 workers. Against this background, some academics have already suggested that this part of the German legislation might violate the Directive. In practice, however, the legislator’s approach is good news: at least for now, it protects companies with many subsidiaries from the administrative nightmare of having to set up a separate whistleblowing system for each subsidiary.

In a change introduced at the very end of the legislative process, the obligation to allow anonymous reporting, which was originally intended to apply from 2025 onwards, was removed from the bill. Instead, the Act now says that companies should provide the opportunity for anonymous reporting. In practice, this makes sense, because statistics show that employees are far more likely to report violations internally when they can do so anonymously. As the legislator has failed to give clear priority to internal reporting, it is now up to the companies themselves to establish a whistleblower system that is as attractive and trustworthy as possible, so that employees use internal channels instead of disclosing information to authorities (or, even worse, to the public or the media).

The German legislation goes beyond the baseline set out in the Directive when it comes to the question which types of incidents and violations can be reported. Not only EU law violations fall within the Act’s scope, but also certain breaches of national law; most importantly, criminal and administrative offences. However, determining if a reported incident falls within the Act’s scope is often far from trivial. Notably, many cases of misconduct which could even justify a dismissal, like workplace harassment or discriminatory behaviour, do not qualify for whistleblower protection. Companies should take this into account when drawing up or adjusting their whistleblowing policies.

In line with the Directive, whistleblowers are protected by the duty of confidentiality and a prohibition on retaliation. HR managers should be aware that the German legislator has reversed the burden of proof when it comes to whistleblower retaliation. Where a whistleblower suffers detriment in connection with their job and claims to have suffered that detriment as a result of a report made under the Whistleblower Protection Act, that detriment is presumed to be retaliation, and it is for the employer to prove otherwise. Against this background, it is advisable to instruct HR departments to always carefully document the reasons for all measures taken vis-à-vis employees, as you never know if you are dealing with someone who may recently have filed a report.

When implementing reporting channels, companies should be aware of the co-determination rights of the local works council. In many cases, a works agreement on the whistleblowing system must be negotiated before it can go live.

Also, existing policies, such as those relating to the code of conduct, or to reporting channels already in place (e.g. a whistleblower hotline), might need to be adjusted to comply with the new legislation. Therefore, close collaboration between HR and compliance departments is advisable.

Companies operating in several EU countries might consider a centralised whistleblowing scheme, given that under the Directive, the general legal principles are the same across all member states. However, close attention should be paid to the details in national legislation.

Companies can outsource the management of their internal reporting channels to external providers. This can be an attractive solution for those who want to establish a particularly trustworthy whistleblowing system by using the services of a neutral ombudsperson, or for smaller companies who do not have the necessary resources and know-how (e.g. an in-house compliance department) for handling everything internally. Nonetheless, the liability for complying with the statutory requirements and for remedying reported violations remains with the company itself.

Various infringements of the new legislation constitute administrative offences. This includes failing to set up a proper whistleblower system, violating confidentiality or retaliating against whistleblowers. Fines can range up to EUR 500,000.

Having a state-of-the-art and trustworthy whistleblowing system is not just a matter of complying with the new statutory requirements. It is also an important tool for identifying compliance risks at an early stage, enabling the company to avoid possible damage to reputation or financial loss. In this regard, general awareness is still lacking in Germany, in particular in comparison to Anglo-American standards, arguably for cultural and historical reasons. Companies should be aware of this hurdle and tread carefully. Coming up with the right internal communication that proactively addresses potential reservations is therefore advisable.

Employers should act quickly to meet the December deadlines, and to seize the operational benefits of a compliant and well-functioning whistleblowing system.

*Kliemt.HR Lawyers