
Whistleblower System Setup

Implementation guide for whistleblower protection systems under HinSchG and EU Directive 2019/1937.

By Konrad Abraham

Overview

This skill guides the implementation and review of internal whistleblower reporting systems under the German Hinweisgeberschutzgesetz (HinSchG), which transposes EU Directive 2019/1937. The HinSchG, effective since 2 July 2023, requires companies to establish internal reporting channels for employees and other persons to report violations of specified laws. Key provisions include § 12 (obligation to establish internal reporting channels), § 16 (requirements for the internal channel), § 15 (designation of responsible persons), § 8 (confidentiality), § 36 (prohibition of reprisals), and § 40 (fines for non-compliance). Use this skill when setting up a new whistleblower system, auditing an existing one for compliance, or advising on the handling of a specific report.

The HinSchG covers a broad range of reportable violations: infringements of EU law in the areas listed in § 2 HinSchG, criminal offenses (Straftaten), certain administrative violations (Ordnungswidrigkeiten), and sector-specific rules. Failing to establish and operate a compliant internal reporting channel is an administrative offense punishable by a fine of up to EUR 20,000 (§ 40 Abs. 2 Nr. 2, Abs. 6 HinSchG; enforceable since 1 December 2023 under § 42 Abs. 2 HinSchG), while obstructing a report or retaliating against a whistleblower carries a fine of up to EUR 50,000 (§ 40 Abs. 2 Nr. 1 and 3, Abs. 6 HinSchG). Beyond fines, non-compliance creates reputational risk and makes it more likely that whistleblowers go straight to the external reporting office or, under the conditions of § 32 HinSchG, disclose the matter publicly.


Systematic Review

Step 1: Obligation Scope and Applicability (§ 12 HinSchG)

Determine whether the company is required to establish an internal reporting channel, and if so, under which deadline.

  • Employee threshold (§ 12 Abs. 1 HinSchG): Companies with 50 or more employees must establish an internal reporting channel. The count includes all persons employed regardless of contract type — full-time, part-time, mini-jobbers (geringfügig Beschäftigte), temporary agency workers (Leiharbeitnehmer), and seconded staff. Trainees (Auszubildende) are also counted. The threshold is assessed based on the regular workforce, not a snapshot on any particular day.
  • Compliance deadlines: Companies with 250+ employees since 2 July 2023; companies with 50-249 employees since 17 December 2023. Both deadlines have passed, and the fine for a missing channel has been enforceable since 1 December 2023 (§ 42 Abs. 2 HinSchG). Companies that have not yet implemented a compliant channel are in violation and exposed to fines for as long as the gap persists.
  • Regulated sectors (§ 12 Abs. 3 HinSchG): Financial services companies (credit institutions, insurance undertakings, investment firms, payment service providers) must comply regardless of employee count. This captures even small fintech companies and insurance brokers with fewer than 50 employees.
  • Public-sector entities: Municipalities, government agencies, and other public bodies with 50+ employees are equally obligated (§ 12 Abs. 1 HinSchG).
  • Shared resources (§ 14 Abs. 2 HinSchG): Companies with 50-249 employees may share reporting channel resources — including the responsible person and the technical infrastructure — with other companies. This enables cost-efficient solutions for SME groups or companies in the same business park. Companies with 250+ employees may not share channels.
  • Group structures: Each legal entity with 50+ employees must maintain its own reporting channel. A parent company’s channel does not automatically satisfy the obligation for subsidiaries, although the infrastructure (e.g., a shared digital platform) may be used, provided each entity has its own responsible person and processing is kept separate.

Flag as risk:

  • Company exceeds the 50-employee threshold but has not established a channel
  • Employee count does not include temporary agency workers, mini-jobbers, or seconded staff
  • Compliance deadline already passed without implementation, creating ongoing fine exposure
  • Financial services company below 50 employees assumes it is exempt
  • Group using a single channel for all subsidiaries without entity-specific processing

Step 2: Internal Reporting Channel Setup (§ 16 HinSchG)

The channel must allow reports through multiple formats and protect the confidentiality of the reporting person’s identity.

  • Report formats (§ 16 Abs. 3 HinSchG): The channel must accept reports in three formats: (a) written — dedicated email address, web-based reporting platform, or physical postal mailbox; (b) oral — telephone hotline, voice messaging system, or dedicated line; and (c) in person — a physical meeting upon request of the reporting person. All three formats must be available; a system that only accepts written reports is non-compliant.
  • Confidentiality by design (§ 16 Abs. 2 HinSchG): The statute requires the channel to be designed so that only the persons responsible for receiving and processing reports, and those supporting them, can access incoming reports. This protects the identity of the reporting person, the persons named in the report, and any third parties (§ 8 HinSchG). In practice this means: transport and storage encryption for digital platforms, role-based access restricted to the designated responsible persons, an audit trail of who accessed which report, secure storage, and separation from general HR or compliance case management systems to which a wider circle has access.
  • Accessibility (§ 16 Abs. 1 HinSchG): The channel must be accessible to all employees. Additionally, where appropriate, access should be extended to temporary workers, shareholders, board members, volunteers, suppliers, contractors, and former employees. Best practice: make the channel accessible via the company’s website (not behind a login wall) so that external parties can submit reports.
  • Language: The channel should be available in the languages spoken by the workforce. For international companies with German operations, German plus English is typically the minimum.
  • Outsourcing (§ 14 Abs. 1 HinSchG): The operation of the channel may be outsourced to a third party — typically an external ombudsperson (often a lawyer) or a specialized platform provider. Outsourcing does not relieve the company of its compliance obligations; the company must ensure the external provider meets all HinSchG requirements.
  • Anonymous reporting (§ 16 Abs. 1 S. 4, 5 HinSchG): The HinSchG does not oblige companies to design their channels so that anonymous reports can be submitted, but it states that the internal reporting office should also process reports that arrive anonymously. In practice, enabling anonymous reporting significantly increases reporting volume and aligns with best-practice compliance standards; a channel that technically blocks anonymous submissions pushes reporters toward the external channel. The external reporting office at the Federal Office of Justice (BfJ) does accept anonymous reports.

Flag as risk:

  • Channel only accepts written reports, not oral or in-person
  • No confidentiality safeguards in the system design — reports accessible to persons outside the responsible team
  • Channel not accessible to non-employee reporters (suppliers, contractors, former employees) where required
  • No anonymous reporting capability despite the statutory “should” recommendation
  • Outsourced channel provider lacks the expertise or independence required by § 15 HinSchG

Step 3: Designation of Responsible Persons (§ 15 HinSchG)

The company must designate qualified, independent persons to receive reports, assess them, and take follow-up action.

  • Designation (§ 15 Abs. 1 HinSchG): One or more natural persons or an organizational unit (e.g., a compliance department) must be designated as responsible for operating the channel and following up on reports.
  • Independence and freedom from conflicts of interest: Responsible persons must be free from instructions that could interfere with their impartial handling of reports. The responsible person should not report to the person most likely to be the subject of reports. Structural safeguards include: reporting line directly to the supervisory board or an independent compliance officer, separation from HR functions that handle employment disputes, and documented protocols for recusal when the responsible person has a personal interest.
  • Expertise (Fachkunde, § 15 Abs. 2 HinSchG): The HinSchG requires professional competence (Fachkunde) in handling reports and in the applicable legal framework. This includes: knowledge of the material scope of the HinSchG (which violations are reportable), procedural requirements (timelines, documentation), confidentiality obligations, and anti-retaliation protections. Regular training is essential — at least annually.
  • External ombudsperson: Using a lawyer as an external ombudsperson is a common and effective solution, particularly for SMEs. The lawyer’s statutory duty of professional secrecy (sanctioned under § 203 StGB) adds a layer of confidentiality beyond the HinSchG requirements. However, the company remains ultimately responsible for compliance.
  • No special dismissal protection: Unlike data protection officers or works council members, persons entrusted with the internal reporting office receive no special protection against dismissal under the HinSchG. Their independence rests on § 15 Abs. 1 HinSchG (freedom from instructions in this role, no conflicting duties) and on the structural safeguards the company itself puts in place; document these in the designation.

Flag as risk:

  • Responsible person reports directly to the person most likely to be the subject of reports (e.g., CEO with no supervisory board oversight)
  • No documented training or qualification of responsible persons
  • Conflict of interest not addressed (e.g., HR head responsible for the channel while also handling employment disputes involving potential whistleblowers)
  • External ombudsperson lacks specialization in compliance or whistleblower protection law
  • No deputy designated for absences (vacation, illness), leaving reports unprocessed

Step 4: Processing Timelines and Follow-Up (§ 17 HinSchG)

Strict timelines govern the handling of reports. Non-compliance with timelines is itself a violation that may trigger fines and may cause the whistleblower to escalate to external channels.

  • Acknowledgment of receipt (§ 17 Abs. 1 Nr. 1 HinSchG): The responsible person must acknowledge receipt of the report to the whistleblower within seven days. The acknowledgment should confirm that the report has been received and is being assessed, without revealing details of any investigation.
  • Scope assessment (§§ 2, 3 HinSchG): Determine whether the reported information falls within the material scope of the HinSchG. The law covers: (a) violations of EU legal acts in specified areas (public procurement, financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, data protection, competition), (b) criminal offenses under German law, (c) certain administrative violations (Ordnungswidrigkeiten) where the violated provision protects life, limb, or health, or protects the rights of employees or their representative bodies, and (d) sector-specific regulations for financial services. If the report falls outside the material scope, the responsible person must document this assessment and inform the whistleblower.
  • Follow-up measures (§ 18 HinSchG): The responsible person must take appropriate follow-up action, which may include: internal investigation (document review, witness interviews), referral to a competent external authority, or closure of the case due to lack of substantiation. The choice of measure must be proportionate and documented.
  • Feedback to the whistleblower (§ 17 Abs. 2 HinSchG): Within three months of the acknowledgment of receipt, or, if no acknowledgment was sent, within three months and seven days of receipt, the whistleblower must receive feedback on the follow-up measures taken or planned. The feedback need not disclose the full outcome of an investigation but must provide meaningful information about what actions were taken. Note that skipping the acknowledgment does not extend the feedback period in any useful way; it only adds a second procedural violation.
  • Documentation (§ 11 HinSchG): Every step must be documented to establish procedural compliance. Documentation should include: date of report, content summary, scope assessment, follow-up measures taken, timelines met, and feedback provided. The documentation must be deleted three years after the conclusion of the procedure, and may be kept longer only where this is necessary and proportionate, for example for pending proceedings (§ 11 Abs. 5 HinSchG).

Flag as risk:

  • No acknowledgment sent within seven days
  • No documented assessment of whether the report falls within HinSchG scope
  • Three-month feedback deadline missed without documented justification
  • Follow-up steps not documented, making procedural compliance unverifiable
  • Documentation retained for longer than three years without justification, creating data minimization concerns

Step 5: Confidentiality Protections (§ 8 HinSchG)

Confidentiality of the whistleblower’s identity is a cornerstone of the HinSchG. Breach of confidentiality is an administrative offense subject to fines.

  • Access restriction (§ 8 Abs. 1 HinSchG): The identity of the reporting person may only be disclosed to the designated responsible persons and to persons who need to know for the purpose of receiving and following up on the report. General disclosure to management, HR, or legal departments is prohibited unless those individuals are part of the designated team.
  • Disclosure to the accused person: The identity of the whistleblower may not be disclosed to the person accused in the report, except where: (a) disclosure is necessary for criminal or disciplinary proceedings, (b) the whistleblower has given express consent, or (c) disclosure is required by law (e.g., court order). Even where disclosure is legally required, the whistleblower should be informed in advance where possible.
  • Disclosure to third parties (§ 9 HinSchG): Beyond the accused person, disclosure to any third party is only permitted if it is indispensable for follow-up measures and is proportionate. The whistleblower’s consent should be obtained where feasible.
  • Technical safeguards: Implement access controls (role-based access, two-factor authentication), need-to-know principles, encrypted storage for report files, audit logs of who accessed which reports, and physical security for paper-based reports. The reporting platform should be separated from general IT systems accessible to a wider group.
  • Fine for breach (§ 40 Abs. 3, 4 HinSchG): Violating the confidentiality obligation of § 8 is an administrative offense (Ordnungswidrigkeit), with fines of up to EUR 50,000 for an intentional breach and up to EUR 20,000 for a negligent one (§ 40 Abs. 6 HinSchG). The fine can be imposed on the individual who breaches confidentiality and on the company (§ 30 OWiG).

Flag as risk:

  • Report files accessible to persons outside the designated responsible team
  • Identity of the whistleblower disclosed to the accused person without legal basis
  • No technical access controls on the reporting platform — reports stored in shared folders or general compliance databases
  • Paper reports stored in an unlocked or shared filing location
  • No audit log of who accessed which reports
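The controls asked for in Steps 2 to 5 are easier to audit when they exist as code rather than as policy text. The following is an added example, not code from this guide, from Compound or from any reporting platform: a small case store in which only designated responsible persons can open a case, a handler is recused when the report names them or the person they report to, the reporter's identity is kept apart from the case content and released only with a logged justification, every access (including denied attempts) lands in an audit log, and the § 17 deadlines and the § 11 Abs. 5 deletion date are computed from the case dates. The three-months-and-seven-days fallback for a report that was never acknowledged follows the wording of § 17 Abs. 2. Class names, user IDs and dates are hypothetical.

```python
"""Constructed reference model of an internal case store (added example,
not code from the guide or from Compound). It expresses the controls of
Steps 2 to 5 as checks: access only for designated persons (§ 16 Abs. 2),
recusal when the handler or their line manager is named in the report,
reporter identity kept apart from the case and released only with a logged
justification (§ 8), an audit log that also records denied attempts, and
the § 17 and § 11 Abs. 5 deadlines. All names are hypothetical.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


@dataclass(frozen=True)
class Handler:
    user_id: str
    reports_to: str  # line manager's user_id, used by the recusal rule


@dataclass
class Report:
    case_id: str
    received: date
    persons_named: frozenset[str]  # user_ids of the persons the report concerns
    acknowledged: date | None = None
    feedback_given: date | None = None
    closed: date | None = None


class CaseStore:
    def __init__(self, handlers: list[Handler]) -> None:
        self._handlers = {h.user_id: h for h in handlers}
        self._reports: dict[str, Report] = {}
        # The reporter's identity lives apart from the case content, so
        # opening a case never reveals who filed it.
        self._identities: dict[str, str] = {}
        self.audit_log: list[tuple[date, str, str, str]] = []  # (when, who, case, action)

    def _log(self, when: date, who: str, case_id: str, action: str) -> None:
        self.audit_log.append((when, who, case_id, action))

    def submit(self, case_id: str, received: date, persons_named: set[str],
               reporter_identity: str | None = None) -> None:
        self._reports[case_id] = Report(case_id, received, frozenset(persons_named))
        if reporter_identity is not None:  # None models an anonymous report
            self._identities[case_id] = reporter_identity
        self._log(received, "system", case_id, "submitted")

    def _authorize(self, user_id: str, case_id: str, when: date) -> Report:
        report = self._reports[case_id]
        handler = self._handlers.get(user_id)
        if handler is None:
            self._log(when, user_id, case_id, "DENIED: not a designated person")
            raise PermissionError(user_id)
        if user_id in report.persons_named or handler.reports_to in report.persons_named:
            self._log(when, user_id, case_id, "DENIED: recusal")
            raise PermissionError(user_id)
        return report

    def open_case(self, user_id: str, case_id: str, when: date) -> Report:
        report = self._authorize(user_id, case_id, when)
        self._log(when, user_id, case_id, "opened")
        return report

    def reporter_identity(self, user_id: str, case_id: str, when: date, justification: str) -> str:
        """Separate, justified, logged step: identity access is not implied by case access."""
        self._authorize(user_id, case_id, when)
        if not justification.strip():
            raise ValueError("identity access requires a documented justification")
        self._log(when, user_id, case_id, f"identity disclosed: {justification}")
        return self._identities.get(case_id, "<anonymous>")

    def deadlines(self, case_id: str) -> dict[str, date | None]:
        r = self._reports[case_id]
        if r.acknowledged is not None:  # § 17 Abs. 2: three months after acknowledgment
            feedback_due = add_months(r.acknowledged, 3)
        else:  # never acknowledged: three months and seven days after receipt
            feedback_due = add_months(r.received, 3) + timedelta(days=7)
        return {"acknowledgment_due": r.received + timedelta(days=7),  # § 17 Abs. 1 Nr. 1
                "feedback_due": feedback_due,
                "delete_by": add_months(r.closed, 36) if r.closed else None}  # § 11 Abs. 5

    def overdue(self, case_id: str, today: date) -> list[str]:
        r, d = self._reports[case_id], self.deadlines(case_id)
        steps = (("acknowledgment", r.acknowledged, d["acknowledgment_due"]),
                 ("feedback", r.feedback_given, d["feedback_due"]))
        return [name for name, sent, due in steps if sent is None and today > due]

    def due_for_deletion(self, today: date) -> list[str]:
        return [c for c in self._reports
                if (d := self.deadlines(c)["delete_by"]) is not None and today >= d]
```

Two design choices carry the security point. Opening a case and learning who filed it are separate operations, so an audit entry exists for every identity disclosure together with the stated reason, which is exactly the record a supervisory authority will ask for after a § 8 complaint. And denied attempts are logged like successful ones, so a manager repeatedly probing a case that names them shows up in the log rather than disappearing silently. A real platform would persist the log append-only (write-once storage or a signed hash chain) rather than in a Python list.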

Step 6: Anti-Retaliation Safeguards (§ 36 HinSchG)

The prohibition of reprisals is the most significant protection under the HinSchG. It includes a reversed burden of proof that shifts the litigation risk to the employer.

  • Prohibited reprisals (§ 36 Abs. 1 HinSchG): The HinSchG provides a non-exhaustive list: termination, suspension, demotion, denial of promotion, transfer, reduction of pay, change of working hours, withholding of training, negative performance reviews, imposition of disciplinary measures, coercion, intimidation, harassment, ostracism, discrimination, and blacklisting.
  • Burden of proof reversal (§ 36 Abs. 2 HinSchG): If a whistleblower suffers a disadvantage in connection with their professional activity after a report and asserts that it was a reprisal, the disadvantage is presumed to be a reprisal. The employer must then prove that the action was based on duly justified grounds unrelated to the report. This is a high standard: close timing between the report and the adverse action makes the presumption hard to rebut, so the employer needs documentary evidence of the independent justification (e.g., a performance improvement plan or a restructuring decision that predates the report).
  • Damages (§ 37 HinSchG): Whistleblowers who suffer reprisals are entitled to compensation for the resulting damage (§ 37 Abs. 1 HinSchG), such as lost wages or lost career opportunities. The express entitlement to compensation for non-material damage contained in the draft was dropped from the final Act, and § 37 Abs. 2 HinSchG excludes a claim to the conclusion of an employment contract or to promotion.
  • Protection scope: The anti-retaliation protection extends not only to the whistleblower but also to persons who assist the whistleblower and to persons connected to the whistleblower (§ 34 HinSchG) — including colleagues, family members, and legal advisors.
  • Management training: All managers, supervisors, HR personnel, and compliance officers must be trained on anti-retaliation obligations. Training should cover: what constitutes a reprisal, the burden of proof reversal, the documentation requirements for any personnel action affecting a known whistleblower, and the personal liability risk for individuals who commit reprisals.

Flag as risk:

  • No anti-retaliation policy communicated to management and HR
  • Personnel action taken against a whistleblower without documented justification unrelated to the report
  • No training provided to managers on HinSchG obligations
  • Whistleblower’s identity known to their direct supervisor who subsequently initiates adverse action
  • Company relies on informal assurances rather than documented policies and procedures

Risk Assessment

Common Compliance Gaps

Gap | Fine exposure | Recommended action
--- | --- | ---
No internal reporting channel | Up to EUR 20,000 (§ 40 Abs. 2 Nr. 2, Abs. 6) | Establish channel immediately
Channel accepts only written reports | Non-compliance with § 16 Abs. 3 | Add oral and in-person options
No responsible person designated | Non-compliance with § 15 | Designate and train a responsible person
No anonymous reporting | Best-practice gap (no fine, but increases external reporting risk) | Enable anonymous submissions
Acknowledgment not within 7 days | Procedural violation (§ 17 Abs. 1) | Automate acknowledgment in the platform
Feedback not within 3 months | Procedural violation (§ 17 Abs. 2) | Set calendar reminders and workflow triggers
Confidentiality breach | Up to EUR 50,000 intentional / EUR 20,000 negligent (§ 40 Abs. 3, 4, 6) | Implement technical access controls and audit logs
Retaliation against whistleblower | Up to EUR 50,000 (§ 40 Abs. 2 Nr. 3, Abs. 6) + damages (§ 37) | Train management, document all personnel actions

Special Scenarios

Interaction with Data Protection (GDPR / BDSG)

Whistleblower systems process personal data of the whistleblower, the accused person, and witnesses. This triggers GDPR obligations:

  • Lawful basis: § 10 HinSchG expressly authorizes the reporting office to process personal data as far as necessary for its tasks; for companies subject to § 12 HinSchG this is a legal obligation under Art. 6 Abs. 1 lit. c GDPR. For companies below the threshold that voluntarily establish a channel, Art. 6 Abs. 1 lit. f GDPR (legitimate interest) may apply.
  • Data protection impact assessment (Art. 35 GDPR): A DPIA is likely required given the sensitive nature of whistleblower data and the potential for adverse effects on the accused person.
  • Information obligations (Art. 13, 14 GDPR): The whistleblower must be informed about data processing. For the accused person, information under Art. 14 may be deferred if it would jeopardize the investigation (Art. 14 Abs. 5 lit. b GDPR), but must be provided as soon as the risk subsides.
  • Retention limits (§ 11 Abs. 5 HinSchG): Report documentation must be deleted three years after the conclusion of the procedure unless longer retention is necessary for ongoing proceedings.
  • Works council (Betriebsrat): Introduction of a whistleblower system may trigger co-determination rights under § 87 Abs. 1 Nr. 1 BetrVG (workplace rules) and § 87 Abs. 1 Nr. 6 BetrVG (technical monitoring facilities). Consult the works council before implementation.

Cross-Border Reporting Structures

Multinational groups face the challenge of reconciling the HinSchG with whistleblower laws in other EU member states (each transposing Directive 2019/1937 differently) and in non-EU jurisdictions:

  • One channel per entity: The HinSchG requires each obligated German entity to have its own channel, even within a multinational group. A global ethics hotline can serve as the infrastructure, but processing must be handled at the entity level.
  • Language requirements: The HinSchG contains no express language rule, but a channel that German-speaking employees cannot use in German will hardly count as accessible under § 16 Abs. 1 HinSchG; German should therefore always be offered. For international workforces, additional languages are best practice.
  • Data transfers: If reports are processed by a central compliance team outside Germany, data transfer mechanisms (Art. 44-49 GDPR) must be in place. SCCs or BCRs may be required.

Handling Reports Against Senior Management

Reports against C-level executives, board members, or the responsible person themselves require special procedures:

  • Recusal: The responsible person must recuse themselves if the report concerns them or a person to whom they report directly. A deputy or external ombudsperson should handle such reports.
  • Escalation to supervisory board: In companies with a supervisory board (Aufsichtsrat), reports against managing directors should be escalated to the supervisory board chair or a designated supervisory board committee.
  • External reporting: The whistleblower always retains the right to report directly to the external authority (BfJ) under § 7 Abs. 1 HinSchG, without any obligation to use the internal channel first.

Limitations of This Skill

This skill provides a structured implementation and review framework. In the following cases, engaging a lawyer is necessary:

  • Handling of specific reports involving potential criminal conduct, regulatory violations, or complex factual investigations
  • Internal investigations triggered by whistleblower reports, including witness interviews, document preservation, and privilege management
  • Retaliation claims by whistleblowers, particularly where the burden of proof reversal creates significant employer exposure
  • Cross-border whistleblower programs requiring coordination between HinSchG, EU Directive 2019/1937 implementations in other member states, and non-EU whistleblower regimes (e.g., SOX, Dodd-Frank)
  • Works council negotiations on the introduction and design of the whistleblower system
  • Sector-specific requirements for financial services institutions subject to additional BaFin guidance

Compound is happy to assist with the design, implementation, and review of whistleblower systems that comply with HinSchG requirements.
