German Whistleblower Protection Act Enters into Force

12 Juli 2023

On 2 July 2023, the German Whistleblower Protection Act (the Act) came into force (Link to official text in German). It requires most employers to establish internal reporting channels enabling employees to report certain illegal activities and prohibits retaliation against whistleblowers. 

The Act transposes Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law (the Whistleblowing Directive). However, across all 27 EU member states directives do not fully harmonize the rules on their respective subject matters, and therefore employers with several locations across EU countries need to be aware of the national specifics. (See also our alert on the Italian Whistleblowing Act). 

Material Scope 

Compared to the Whistleblowing Directive, the scope of the Act is significantly broader. It especially includes the following matters within the scope of behavior that may be reported through a whistleblowing scheme:

  • Violations of all German criminal laws;
  • Violations of all laws aimed at protecting the life, health, or bodily integrity of people or the rights of employees, to the extent such violations are punishable by fines (Bußgelder);
  • Laws regulating the rights of stockholders in stock corporations (Aktiengesellschaften); and
  • Tax laws applicable to companies.
Affected Companies

Employers’ obligations under the Act are generally subject to thresholds of employee numbers in Germany:

  • Up to 49 employees: no obligation to set up a reporting channel; 
  • 50 to 249 employees: obligation will enter into force from 17 December 2023; and
  • 250 employees or more: immediate obligation with effect from 2 July 2023.

Certain companies in the financial sector, such as financial service providers, credit institutions, capital management companies, or insurance companies, will need to deploy and maintain from 2 July 2023 onward an internal reporting channel, regardless of the number of their employees.

Implementation Options for Internal Reporting Channels

It is possible to outsource parts of or the complete reporting channel to a third party, like ombudspersons or specialized firms. However, conflicts of interests must be avoided (e.g., an external employment counsel advising the employer on day-to-day matters will generally not be independent enough to also run the reporting channel). 

Mid-size companies can also set up a reporting channel together with other companies and entrust it with further tasks under the Act, such as taking follow-up measures, even if the participating companies do not belong to the same group. However, this is only possible if every participating company falls in the 50 to 249 employees range, and each employer remains ultimately responsible for adequate follow-up on reports.

Participation of the Works Council

Employers should carefully consider whether the works council has a right of co-determination, and if so, at which level (e.g., company or group level). This can result in a need to obtain works council consent for certain aspects of a whistleblowing scheme—especially in relation to details of the reporting rules as well as potential possibilities to monitor employees. Where a required agreement with the works council cannot be reached, the dispute will be decided by a conciliation committee in an arbitration-like process. 

Anonymous Reporting

The Act does not require companies to process anonymous reports. Again, the position on anonymous reporting options can differ throughout other EU member states that already have or are still implementing similar whistleblower protection laws. Thus, for international group-wide reporting channels an anonymous reporting option may nevertheless be required. Further, allowing anonymous reporting often will be in a company’s own interest. 

Relationship With Other Laws
Sector-specific whistleblowing rules

The Act lists certain sector-specific whistleblowing laws that have priority over the (general) Whistleblowing Act. Only to the extent that there are specific rules on the reporting of violations in those sector-specific laws, do the sector-specific rules apply. Sector-specific whistleblowing rules exist primarily in the financial services sector and derive from EU laws referenced in the Whistleblowing Directive. 

Protection of Trade Secrets, Information Subject to Secrecy Obligations, or Personal Data

Whistleblowing reports may include trade secrets, information subject to an obligation of secrecy, or personal data if the reporting person has reasonable grounds to believe that the reporting or disclosure of the information is necessary in order to report a violation of a law within the scope of the Act. 

General Data Protection Regulation (GDPR) and German Data Privacy Laws

Reporting channels are generally prohibited from disclosing the identity of reporting persons. However, the duty of confidentiality and certain other protections under the Act, such as a reporter’s protection against retaliatory acts, only apply if the reporting person has reasonable grounds to believe that the information reported is true. The identity of the persons concerned by a report, i.e., alleged wrongdoers, and of other persons mentioned in a report are also protected, but this is subject to broader exceptions than those that exist with regard to the identity of reporting persons. The Act further impacts various other notification and data processing obligations. Data privacy considerations will need to be top of mind when structuring the reporting channel processes.

  • A failure to establish required reporting channels is subject to fines of up to €20,000. 
  • Hindering reporting or taking retaliatory measures against whistleblowers is subject to fines of up to €500,000. 
  • Persons knowingly disclosing information publicly that is untrue can be fined up to €20,000. 
  • Fines generally will only be imposed from 1 December 2023 (regardless of employer size).

Employers having locations in Germany should evaluate if they need to set up an internal reporting channel or adjust the configuration of an existing one to comply with the law.

K&L Gates’ Labor, Employment and Workplace Safety, Data Protection and Cybersecurity, and Internal Investigations teams remain available to assist you from our offices in the Americas, Asia, Australia, Europe, and Middle East.