1) Local Laws
a) Has the country implemented any laws / regulations on whistleblowing (Local Law)?
There is no general whistleblowing law in Germany and the EU-Directive on the protection of persons who report breaches is not yet transposed into German law. However, there are several legal provisions to protect whistleblowers.
Private sector: Labor law
Section 17 (2) of the Act on Occupational Safety and Health (Arbeitsschutzgesetz) grants protection to whistleblowers. Employees can contact the competent authority if they are of the opinion that specific measures to guarantee workplace safety and/or health protection are not sufficient. The employees may suffer no disadvantages as a result.
Pursuant to section 13 of the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz), employees have a right to appeal in the event of discrimination.
Section 84 of the Works Constitution Act (Betriebsverfassungsgesetz) also provides for a right of appeal for employees.
Whistleblowers are also protected by general legal provisions on termination (Protection Against Dismissal Act – Kündigungsschutzgesetz), developed by case law originating from the European Court of Human Rights (ECtHR).
In addition, section 612a of the German Civil Code (Bürgerliches Gesetzbuch) can protect the whistleblower against reprisals by the employer: the employer may not discriminate against any employee for exercising their rights in a permissible manner.
Private sector: Trade Secret Protection Law
The Trade Secret Protection Law (Gesetz zum Schuz von Geschäftsgeheimnissen) came into force in 2019. Section 5 No. 2 grants whistleblowers protection from prosecution and civil liabilities due to disclosure of business secrets if this uncovers unlawful actions or professional or other misconduct and is suited to protect the general public interest.
Private sector: German Code of Corporate Governance (GCCG)
This code contains suggestions for stock listed entities regarding the protection of whistleblowing. Though the GCCG is not legally binding, its recommendations do develop importance, due to the declaration of compliance in section 161 of the Stock Corporation Act (Aktiengesetz), which is binding for listed companies in Germany. Art. A.2. recommends that employees and third parties be given the opportunity to report suspected breaches of the law within the entity in a protective manner.
The current legal situation on protecting whistleblowers stipulates whistleblowing systems on a sector-specific basis, particularly the financial sector:
- Section 4d of the Act Establishing the Federal Financial Supervisory Authority (Finanzdienstleistungsaufsichtsgesetz)
- Section 25a (1) sent. 6 no. 3 of the Banking Act (Kreditwesengesetz)
- Sections 6 (5) and 53 (1) of the Money Laundering Act (Geldwäschegesetz)
- Section 28 (1) sent. 2 no. 9 of the German Capital Investment Code (Kapitalanlagegesetzbuch)
- Section 23 (6) of the Insurance Supervision Law (Versicherungsaufsichtsgesetz)
- Section 55b (2) sent. 2 no. 7 of the Act pertaining to Certified Accountants (Wirtschaftsprüferordnung)
Section 37 (2) sent. 2 of the Civil Servant Status Act (Beamtenstatusgesetz) and section 67 (2) sent. 2 of the Federal Civil Servant Act (Bundesbeamtengesetz) stipulate that the duty of confidentiality for civil servants can be deferred if certain conditions are met.
In addition, according to section 68 (1) no. 3 of the Federal Personnel Representation Act (Bundespersonalvertretungsgesetz), personnel representatives must receive complaints from employees and work out resolutions.
According to case law, protection of whistleblowers within limits is also guaranteed by the German Constitution (Grundgesetz) (article 2 (1) in conjunction with article 20 (3), the exertion of civic rights, and/or Article 5 (1). The prerequisite is that all internal administrative means are exhausted.
2) Scope of application
a) What types of wrongdoings are covered by the Local Law? Does it cover breaches of EU law?
There is no general whistleblowing law in Germany and only some of the relevant legal provisions mention specific types of wrongdoing.
According to section 37 (2) sent. 2 Civil Servant Status Act and section 67 (2) sent. 2 Federal Civil Servant Act, the duty of confidentiality for civil servants is deferred in the case of: a suspicion of any illegal activities that may jeopardize the free democratic order of Germany; the suspicion of a corruption crime according to sections 331 until 337 German Criminal Code; or the suspicion of a serious offence according to section 138 of the German Criminal Code.
Breaches of EU law regarding financial services are covered, pursuant to section 28 (1) sent. 2 no. 9 German Capital Investment Code, section 4d of the Act Establishing the Federal Financial Supervisory Authority, section 25a (1) sent. 6 no. 3 Banking Act, section 23 (6) of the Insurance Supervision Law and section 55b (2) sent. 2 no. 7 of the Act pertaining to Certified Accountants.
Money laundering and terrorist financing are specifically mentioned as per section 53 (1) Money Laundering Act. Section 5 Trade Secret Protection Law covers any unlawful actions and professional or other misconduct.
The types of wrongdoings expressly covered by local law include a disclosure regarding any risks for the health or safety of employees, through section 17 (2) of the Act on Occupational Safety and Health.
Implementing the EU Directive requires Germany to adopt further measures and thus cover breaches of EU law as mentioned in Article 2 of the Directive (public procurement, product and transport safety, etc).
b) Personal scope
i) Does the Local Law apply to reporting persons working in both the private and public sectors?
Yes, current legal provisions apply to people working in the public sector (civil servants) and to individuals working in the private sector.
In the private sector, the protection against termination and the right not to fear disciplinary action or discrimination applies to employees, workers, interns, trainees and quasi subordinates (as defined by section 5 (1) sent. 2). Since no disciplinary actions can result from a justified disclosure, the same applies to civil servants in the public sector.
Section 13 of the General Equal Treatment Act also applies to applicants. This is an individual right, so the applicants must be directly affected.
When implementing the Directive, Germany needs to ensure that protections also apply for persons stated in Article 4 of the Directive: self-employed individuals, board members, shareholders, volunteers, and so on.
ii) Does the Local Law apply only to breaches that the reporting person became aware of in a work-related context?
Most of the current legal provisions do not mention a work-related context.
Civil servants must maintain confidentiality regarding any official matters which come to their knowledge in the course of their duties or their official activities, in line with Sections 37 (1) of the Civil Servant Status Act and 67 (1) of the Federal Civil Servant Act.
Breaches pursuant to section 17 (2) of the Act on Occupational Safety and Health must also be obtained in a work-related context.
The Trade Secret Protection Law extends beyond breaches that the reporting person became aware of in a work-related context.
iii) Does the Local Law also protect: facilitators; people connected to the whistleblower and who could suffer retaliation in a work-related context; and legal entities the whistleblower owns, works for, or is otherwise connected with?
Facilitators are not explicitly mentioned in current legal provisions.
If an employee exercises their right of appeal to a Works Council in accordance with section 84 Works Constitution Act, the Works Council is obligated to maintain confidentiality (pursuant to section 79 Works Constitution Act) and can therefore not act as a facilitator or even whistleblower itself.
However, journalists, for example, can be protected by Article 5 of the German Constitution if they take up or publicize information by whistleblowers.
Furthermore, as a person is not liable to prosecution under section 23 Trade Secret Protection Law if the whistleblowing was justified under section 5; a criminal liability for aiding and abetting is also excluded. The same principle applies with regards to the permissibility under labor law.
c) Does the Local Law require specific conditions to protect reporting persons?
Yes, some legal provisions require specific conditions for the reporting person to be protected.
In the public sector, the duty of confidentiality for civil servants can be deferred, pursuant to section 37 (2) sent. 2 Civil Servant Status Act as well as section 67 (2) sent. 2 Federal Civil Servant Act if they disclose a suspicion of a corruption crime according to sections 331 until 337 German Criminal Code.
Civil servants may disclose official secrets if they are acting to protect the free democratic order of Germany or if there is a duty under section 138 German Criminal Code. This punishes the failure to report planned serious offences such as high treason, murder or robbery. Moreover, civil servants shall respect the existing official reporting channels pursuant to section 125 of the Federal Civil Servant Act and section 36 (2) of the Civil Servant Status Act.
In the private sector, protection from disciplinary actions by the employer arises from section 17 (2) of the Act on Occupational Safety and Health if the whistleblower contacts the competent authority if they are of the opinion that specific measures to guarantee safety and/or health protection are not sufficient. However, this only applies under the condition that the whistleblower first contacted the employer and the employer did not remedy any of the complaints.
In addition, section 612a German Civil Code and the general legal provisions on termination (Protection Against Dismissal Act) protect the whistleblower against reprisals by the employer, if they exercise their rights in a permissible manner, meaning they have to inform their employer before informing public authorities. However, the whistleblower is allowed to inform public authorities, if the employer knows about the misconduct and does not act accordingly. Additionally, section 612a German Civil Code does not protect abusive reports, meaning the whistleblower (solely) wants to harm their employer or colleagues and/or informing public authorities has to be excessive compared to the misconduct.
Pursuant to section 5 No. 2 of the Trade Secret Protection Law, a whistleblower is protected if an illegal act or another (professional) misconduct is disclosed, under the condition that they act with the intention of protecting general public interests or assume in good faith that public interests are violated or threatened.
3) Reporting channels
a) Does the Local Law allow anonymous reports? How are companies/agencies meant to handle them?
Anonymous reports must be enabled under: section 53 (1) Money Laundering Act; section 23 (6) Insurance Supervision Law; and section 4d (1) sent. 2 of the Act Establishing the Federal Financial Supervisory Authority.
The other legal provisions previously mentioned do not explicitly allow anonymous reports, but neither do they prohibit them. Regardless of whether anonymous reports are enabled, management is obligated to follow up on anonymous reports, as long as they are substantiated and suggest a serious legal offense.
b) Is there a duty of confidentiality and any derogation from this duty?
The whistleblowing system must enable the reporting person to make their report while maintaining confidentiality of their identity, pursuant to section 28 (1) sent. 2 no. 9 German Capital Investment Code, section 23 (6) Insurance Supervision Law and section 55b (2) sent. 2 no. 7 of the Act pertaining to Certified Accountants.
In the case of a disclosure pursuant to the Money Laundering Act, section 53 (3) stipulates that the competent supervisory authority may not announce the whistleblower’s identity without any of the stated grounds for exceptions. The same applies to a disclosure in accordance with section 4d of the Act Establishing the Federal Financial Supervisory Authority. Exceptions can be found in section 4d (3) sent. 3.
c) Public disclosures: does the Local Law provide for this possibility?
In line with previous ECtHR case law, public disclosure of legal violations is protected under German law only if the whistleblower (i) has initially reported internally or externally, but no timely action has been taken, (ii) they have reasonable grounds to believe that the violation poses an imminent or manifest threat to the public interest, or imminent or obvious danger, or (iii) there is little prospect of effective action because of special circumstances of the case.
Regarding matters of occupational safety, in the private sector public disclosure is possible if the whistleblower is of the opinion that specific measures to guarantee safety and/or health protection are not sufficient and the employer does not remedy any complaints raised in this regard (see section 17 (2) of the Act on Occupational Safety and Health).
Moreover, under section 5 (2) of the Trade Secret Protection Law, the reporting person can make a public disclosure if the disclosure helps to uncover unlawful activities or professional misconduct and is suited to protect the public interest.
Legal provisions that require whistleblowing systems in the financial sector do not provide for the possibility of public disclosure.
In the public sector, public disclosures can be made within narrow limits and after exhausting all internal administrative means by civil servants if they disclose official secrets while acting to protect the free democratic order of Germany.
4) Reporting channels: internal
a) Is there an obligation for private and/or public legal entities to establish channels and procedures for internal reporting and follow-ups?
The current legal situation only requires companies in the financial sector to establish any whistleblowing systems.
The obligation to implement channels and procedures for internal reporting of breaches only applies to companies in this sector pursuant to:
- Section 4d (1) of the Act Establishing the Federal Financial Supervisory Authority
- Section 25a (1) sent. 6 no. 3 Banking Act
- Sections 6 (5) and 53 (1) Money Laundering Act
- Section 28 (1) sent. 2 no. 9 German Capital Investment Code
- Section 23 (6) Insurance Supervision Law
- Section 55b (2) sent. 2 no. 7 of the Act pertaining to Certified Accountants
b) Do internal reporting channels need to allow reporting in writing, orally or both?
It is at the discretion of a respective company how to organize and structure whistleblowing system. However, this is not explicitly stated in the legal provisions. Germany shall therefore regulate by law the additional measures required by the EU Directive.
c) Procedures for internal reporting and follow-up: does the Local Law require legal entities to adopt internal reporting systems with the following elements?
i) Channels able to ensure the confidentiality of the identity of the reporting person and the protection of third parties mentioned in the report:
As mentioned above, the whistleblowing system must enable the reporting person to make their report while maintaining confidentiality of their identity. In the current legal situation, this applies to entities relating to the financial sector and its legal provisions: section 28 (1) sent. 2 no. 9 of the German Capital Investment Code, section 23 (6) of the Insurance Supervision Law and section 55b (2) sent. no. 7 of the Act pertaining to Certified Accountants. Moreover, the protection of personal data and the identity of the reporting persons must comply with the Federal Data Protection Act and the General Data Protection Regulation (GDPR, Datenschutz-Grundverordnung).
ii) Acknowledgement of receipt of the report to the whistleblower within seven days of receipt:
No, a legally required timeframe does not exist in the current relevant legal provisions.
iii) The designation of an impartial function/team to manage follow-ups on reports and maintain communication with the whistleblower:
No, such a team/function is not explicitly required under German Law.
iv) Any other follow-up requirements including those for anonymous complaints:
There are no other follow-up requirements regulated by law.
v) A reasonable timeframe to provide feedback, not exceeding three months from acknowledgment of receipt or if no acknowledgement was sent, three months from the expiry of the seven-day period after a report is made:
No reasonable timeframe to provide feedback is legally required in Germany.
vi) Providing clear and easily accessible information on internal reporting procedures and external reporting procedures to competent authorities and/or EU institutions/bodies:
No, such information isn’t explicitly required under German law.
vii) Should legal entities take any additional measures in order to comply with the above requirements?
Following implementation of the EU Directive, all legal entities in the public sector and private legal entities with more than 50 employees will have to implement at least one reporting channel and/or adapt existing channels to the requirements in the Directive.
In particular, the following additional requirements have to be considered when implementing the Directive into German law:
- Reporting persons will include not only employees but also self-employed workers, volunteers, trainees, shareholders, etc.
- Reports will concern all breaches as stated in the EU Directive: public procurement, product and transport safety, compliance, etc.
- Whistleblowers shall be protected from retaliation, both directly and indirectly. This includes colleagues and relatives. In this respect, the Directive provides for a wider list of prohibited behaviors that constitute retaliation compared to the current legal provisions in Germany: suspension, demotion or withholding of promotions or training, etc.
- Regarding the structure of the internal channels, all legal entities will need to allow whistleblowers to report orally (for example by telephone or other voice messaging system), in writing or both. In addition, at the request of the reporting person, it must be possible to make reports by means of a physical meeting.
- Legal entities, public and private, will need to designate an impartial person or department competent for following up on the report within the timeframe set forth by the EU Directive. A reasonable timeframe to provide feedback (maximum three months) shall be included in the procedure for internal reporting. Clear and easily accessible information regarding the procedures for reporting externally must also be provided to the reporting persons.
5) Reporting channels: external
a) Has the country designated a competent authority to receive and investigate whistleblower disclosure and retaliation complaints?
No, there is no competent authority to receive and investigate whistleblower reports in Germany. Whistleblowers currently usually contact law enforcement authorities or media representatives.
b) Is an independent and autonomous external reporting channel already established in the country?
No. However, the Federal Financial Supervisory Authority has set up an electronic whistleblower system and the German Securities and Markets Authorities are required to establish similar systems under section 3b (1) of the Stock Exchange Act (Börsengesetz).
In the case of a disclosure pursuant to the Money Laundering Act, the competent supervisory authorities are listed in section 50: for example, the Federal Financial Supervisory Authority, the supervisory authority for insurance matters.
In addition, reporting channels are set up by the respective labor ministry of each state to ensure compliance with occupational health and safety regulations. These follow the legal obligation resulting from section 17 (2) of the Act on Occupational Safety and Health. Employees can report misconduct regarding their working conditions through an anonymous telephone hotline or online application.
6) Processing of personal data
a) Is personal data concerning the reports processed in compliance with local and EU legislation such as EU Regulation 2018/1725 and local privacy laws?
The competent supervisory authority is authorized to process personal data, pursuant to section 53 (2) Money Laundering Act. However, there is no explicit information on this issue in other legal provisions regarding whistleblowing systems.
7) Record keeping of report
a) Is there any obligation regarding record keeping of reports as provided for by the EU Directive?
No, there is no explicit obligation regarding record keeping under current German law.
a) Is there any difference between whistleblower protections in the private and public sectors?
Civil servants (public sector) and employees (private sector) are subject to protection against discrimination and disadvantages when disclosing any information under the respective conditions. Both are protected against criminal law sanctions.
b) Are whistleblowers protected against all forms of retaliation including threats and attempts of retaliation? Which forms of retaliation are expressly indicated?
Whistleblowers cannot be liable to disciplinary actions regarding labor law or be otherwise discriminated or disadvantaged pursuant to sections 4d (6) of the Act Establishing the Federal Financial Supervisory Authority and 53 (5) Money Laundering Act.
Section 17 (2) of the Act on Occupational Safety and Health states that the reporting person may not suffer any disadvantages as a result of the reporting.
c) Does the Local Law provide for any other measures of support such as those indicated in the EU Directive?
No, the relevant legal provisions do not provide for further measures of support.
d) Does the Local Law provide for the necessary measures to prohibit any form of retaliation against whistleblowers?
Local law only provides for measures to prohibit the previously mentioned forms of retaliation.
e) Does the Local Law provide for any remedial measures, including interim relief measures?
No remedial measures are expressly indicated.
f) Does the Local Law provide for exemptions from liability for whistleblowers?
As stated, exemptions from liability for whistleblowers are expressly indicated in sections 4d (6) of the Act Establishing the Federal Financial Supervisory Authority and 53 (5) of the Money Laundering Act. Hereafter, whistleblowers are not liable for consequences in accordance with labor law and criminal law or to pay compensation for damages.
Regarding criminal liability due to section 23 of the Trade Secret Protection Law, section 5 provides for a special exemption from criminal liability by declaring what will not be considered “obtaining,” “using” or “disclosing” a business secret.
The German Criminal Code provides for exemptions to criminal liability in general.
According to section 34, the disclosure of information is only justified to the extent that the act committed is an adequate means to a present danger to life, liberty, honor, property or another legal interest which cannot otherwise be averted.
Another exemption of criminal liability exists if a reporting person is under a legal obligation to disclose the information. Due to the conflicting obligations to disclose the information and not disclose the information, a reporting person cannot be penalized if they disclose the information. This can be the case if, in the case of non-disclosure, the reporting person would be liable pursuant to section 138 German Criminal Code.
g) Does the Local Law provide for sanctions against natural and legal persons that violate whistleblowers’ protection or the duty of maintaining the confidentiality of their identity?
Under civil law, the violation of maintaining the confidentiality of the identity of whistleblowers might entail damage claims; for example, in cases when the whistleblower loses their job (sections 823 et seqq. German Civil Code).
Under criminal law, potential offenses can qualify as defamation pursuant to sections 185 et seqq. of the German Criminal Code. Sanctions are mainly targeted at individuals. However, it is possible to fine companies within narrow bounds.
h) Does the Local Law provide for sanctions in case of false reports?
There are no specific sanctions for whistleblowers who knowingly report or disclose false information. For this reason, de lege lata, only prosecution for libel offenses or an obligation to compensate for the damage resulting from the false report or disclosure can be considered.
The Federal Labour Court (Bundesarbeitsgericht) has confirmed the employer’s right of dismissal without notice in cases of knowingly untrue or negligent false statements or reports by employees.
9) Other issues
a) Under the Local Law, is adopting a whistleblowing system relevant to assess the adequacy of a compliance program? Does this have any value to mitigate or eliminate criminal liability for legal entities?
Yes. If a whistleblowing system has been implemented within a company’s CMS, this can result in liability advantages for the company in the case of sanctions pursuant to sections 30, 130 of the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten). The possible sanctions may be mitigated because implementing the system is considered an indication that the company takes its supervisory duties seriously. Furthermore, reputational damage can be avoided if the information is first obtained through an internal whistleblowing channel.
b) Does the Local Law or another law in your country provide for whistleblower reward programs?
No, there is no law in Germany to provide for whistleblower reward programs.
c) Can companies benefit from any incentives in the case of voluntary self-disclosure of violations they became aware of following an internal report?
Companies may benefit from incentives in the case of voluntary self-disclosure or cooperation. For example, if a company becomes aware of tax fraud through an internal report, the company may benefit from voluntary self-disclosure pursuant to section 371 of the German Tax Code (Abgabenordnung). In addition, section 261 (9) German Criminal Code provides for the possibility of voluntary self-disclosure regarding money laundering.
In 2017, the Federal Court (Bundesgerichtshof) ruled that implementing an effective CMS can result in a reduced financial penalty.
A new Corporate Sanctioning Act (Verbandssanktionengesetz) is under discussion in the relevant committees in Germany. As a result, cooperation with the authorities and implementation of a CMS could be legally required for companies to benefit.
d) Will implementing the EU Directive create any issues with obligations provided for under other laws / regulations?
Conflicts relating to data protection and privacy may occur, as the EU Directive stipulates that data processing shall be conducted in accordance with the GDPR. However, the persons concerned must be informed in principle when data about them is stored and from whom this data was obtained pursuant to the GDPR, which may lead to a disclosure of the whistleblower’s identity. The duty to inform the persons concerned does only not apply if there is an exceptional circumstance in accordance with the GDPR.
For a pdf of the full guide please click on the button below.