HinSchG: Focus on data protection and documentation requirements
After a long struggle, the legislator passed the Whistleblower Protection Act (HinSchG). Since its entry into force on 2 July 2023, the law obliges employers with more than 50 employees to set up an internal reporting system and imposes extensive information obligations. For financial service providers, this obligation applies immediately, regardless of the number of employees. Despite the lengthy and extensive legislative process, the result is a law that leaves many questions unanswered. Is the establishment of a group-wide internal reporting office permissible? Can a group-wide internal reporting office be located abroad? How should branches be dealt with? We summarise the key points of the new HinSchG for you and provide answers to the questions that are highly relevant for practice.
In addition to effective and welcome provisions for the protection of whistleblowers, the HinSchG leaves its legal user without an explicit answer in many cases:
1. Employers with usually more than 50 employees have to set up an internal whistleblower system. Depending on the size of the employers concerned, the implementation period varies from immediately to the end of this year. With regard to the material scope of application, the question of how it applies to branches is unclear. This is because when the legislator speaks of employers, it is primarily referring to legal persons under private and/or public law. However, since branches are not legal persons in the legal sense, the HinSchG does not apply to them. It remains to be seen how the European legislator will assess the – probably inadequate – implementation by Germany in this case.
2. It is important to note the broad personal scope of the HinSchG: not only current employees are entitled to report a (possible) violation, but also job applicants and employees who have already left.
3. The question of whether an existing internal reporting system abroad also fulfils the requirements of the HinSchG is controversial. In its explanatory memorandum, the German legislator assumes a group privilege. In any case, the HinSchG explicitly allows this. However, the relevant data protection regulations and special obligations resulting from the HinSchG, such as enabling a physical meeting at the whistleblower’s request, must be observed. For effective application of the HinSchG, care should also be taken to ensure that information about the HinSchG is available in German.
4. In principle, there is a right to choose between an internal or external reporting office. Since the legislator has failed to legally prescribe priority internal reporting, employers should promote their speak-up culture and establish incentives for priority internal reporting. For this very reason, we recommend making use of the possibility of introducing anonymous reporting. Furthermore, the question of whether the whistleblower’s right to turn to the external reporting office is exhausted if the person has already turned to the internal reporting system has not been conclusively clarified.
5. Whistleblowers enjoy extensive protection provided that their report falls within the scope of the HinSchG and there was sufficient cause for a report. Correctly, the law also only includes such violations in the scope of application that have an entrepreneurial, official or professional connection. After a justified report, any reprisals against the whistleblower are excluded by the law in a way that is to be welcomed and may even lead to compensation for damages. Conversely, the whistleblower is correctly obliged to pay damages if they intentionally or grossly negligently formulate a false report.
6. § 10 HinSchG permits the processing of personal data for the purpose of fulfilling the obligations under the HinSchG. Legal problems arise if the internal reporting system includes internal company guidelines in the scope of application in addition to the violations covered by the HinSchG. § 10 HinSchG cannot be used in relation to these violations. Against the background of the new ECJ case law on the invalidity of § 26 para. 1 BDSG, it should be observed on which legal basis employee data protection – including in the context of an internal reporting system – can be justified in the future.
7. Employers have a three-year documentation obligation for reports received and processed. This again shows the inflexible handling of the German legislator by not linking the documentation period of three years to the requirement of a serious report. The blanket time limit of three years for all notifications unnecessarily ignores possible potential for reducing bureaucracy.
8. Employers who fall within the scope of the HinSchG should review the following points in the future and adapt them if necessary:
- Does the existing whistleblower system fulfil all requirements under the new HinSchG? Are adjustments/refreshments necessary?
- Do the persons entrusted with the internal reporting office have sufficient expertise? Or is any training to be carried out?
- Be active: Promote and demand a speak-up culture.
- Observe the co-determination rights of the works council.
- Have all procedural requirements been complied with? Have the legally prescribed deletion and documentation periods been observed? Here, particular attention should be paid to the different deletion periods according to the LkSG.