Whistleblower Protection Act published in the Federal Law Journal

What does that mean?



Ralph Bockisch

We are following with interest the events surrounding the "Whistleblower Directive" and the German Whistleblower Protection Act (WPA).

Under the WPA, employers with 250 or more employees are obliged to implement its requirements from 2 July 2023. For companies with 50 to 249 employees, the implementation deadline ends on 17 December 2023, by which date whistleblower systems and whistleblower protection concepts must be made available. Non-compliance may result in a fine of up to €50,000.

A decisive step towards more transparency and integrity was taken with the introduction of the Whistleblower Protection Act. This law is intended to provide adequate protection for people who point out wrongdoing in companies, authorities or other organisations. In this blog, we take a look at the current status of this important law and its impact. The Whistleblower Protection Act is designed to provide protection to those who disclose ethical misconduct, corruption, fraud or other violations of laws and regulations. It is designed to give whistleblowers the confidence to report their concerns without fear of reprisal or retaliation.

Digression: What is whistleblowing?

A whistleblower is a person who uncovers and makes public internal wrongdoing, illegal activities or ethical violations in organisations. These courageous people often expose themselves to great risks in order to bring the truth to light. Whistleblowing can be seen as an act of heroism that helps to fight corruption and injustice.

One issue related to whistleblowers who point out violations of the law is the characteristic of betrayal that always resonates with the topic of whistleblowing. However, it is not generally a bad thing for wrongdoing to be exposed - internally - especially when it involves violations of the law. Through internal whistleblowing, a company's own whistleblowers become an early warning system. As a result, reported problems can be solved instead of one day ending up as a scandal in the daily press or in the news.

When observing (legal) violations, an employee has to decide whether to report them or not. The risk is that reporting can lead to personal disadvantages, exclusion or dismissal. This risk has led to a culture of looking the other way. To minimise precisely this risk, the EU has decided to better protect whistleblowers with a Whistleblower Directive. Anyone who discloses a wrongdoing and thus protects the company should not fear reprisals and should not have to fear for their job and/or their future.

The EU Whistleblower Protection Directive (EU Directive 2019/1937) ...

... obliges all companies with more than 50 employees to set up a whistleblower system. This also applies to authorities and public institutions as well as municipalities with a population of 10,000 or more. For companies with 50 to 249 employees, there is an extended implementation period until 17 December 2023. The EU Directive, the Whistleblower Protection Act and the associated requirements for companies are intended to give whistleblowers security against reprisals if they point out violations. This is to be ensured by an internal whistleblower system as a reporting channel. This should be accessible not only to the company's own employees, but also to those of sales partners, customers and service providers.

It must become a law (national) because ...

... the Whistleblowing Directive is a directive and not - as with the General Data Protection Regulation - a regulation. It is therefore up to each EU member state to enact an individual national law. The EU Directive represents the "minimum". Further information on the political discussion about the WPA and the way through the mediation committee can be found on the internet. Here are some of the main changes:

Anonymity: There is no obligation to allow anonymous reporting (neither for internal nor for external reporting bodies). However, it is required that the offices also process anonymous incoming tips.
Internal/External reporting: Whistleblowers are to prefer the internal route if violations can be effectively addressed in this way.
Burden of proof: The law continues to provide for a reversal of the burden of proof if the whistleblower is disadvantaged in connection with his or her professional activity. However, the whistleblower must explicitly invoke this in the lawsuit. The right to compensation for pain and suffering has been deleted.
Fines: The fines for violations of the new regulations have been reduced from 100,000 euros to 50,000 euros.

Whistleblowers should in principle have the choice between external and internal reporting. This also means that employers are to create incentives for whistleblowers to first turn to the employer's respective internal reporting office before making a report to an external federal or state reporting office.

Who is protected by the Whistleblower Act?

According to the law, all persons who come into contact with your company in the course of their work are eligible as potential whistleblowers. This applies not only to your employees, but also to customers or suppliers. You are therefore obliged to provide information in an easily understandable form about the reporting possibilities and the reporting process, for example on your website, so that compliance violations can be reported.

It is imperative that you offer the whistleblower not only written or verbal reporting channels, but also the possibility of a personal exchange. It should be noted that all data in this context must be processed strictly in accordance with the GDPR.

The Whistleblower Directive does not envisage allowing anonymous reporting. The responsibility for this is left to the company or the authorities. Even after the amendment in the Conciliation Committee, the Whistleblower Protection Act only provides for "shall" and not "must" with regard to anonymity. Nevertheless, the recommendation is clear: only anonymity can create sufficient security and trust to lower the inhibition threshold.

What is the process for reporting?

However, the Directive does not only require the establishment of whistleblowing systems. It also requires the establishment of procedures for handling whistleblowing within your organisation. By setting specific deadlines for responding to whistleblowing, the Directive also requires monitoring of follow-up.

You have a deadline of 7 days to acknowledge receipt of the whistleblower's tip. It is imperative that this deadline be met.
It is mandatory to inform the whistleblower in an appropriate manner of the follow-up action taken within a maximum of three months.

In order to meet these additional requirements, it is important to appoint an independent person to act as a contact person and to be in contact with the whistleblower. Depending on the size of the company, this can be the management, a compliance officer or an external person. In any case, it must be ensured that the designated person is not subject to any conflicts of interest.

Note: If a whistleblower is later dismissed, the employer must prove that the dismissal is not related to the employee's report. Complete documentation of the entire process surrounding the whistleblowing is essential for both the employer and the whistleblower to ensure this. Keyword: reversal of the burden of proof.

The EU Directive requires the establishment of internal and external reporting channels.

Internal channels

The term "internal" in this context refers to a process that takes place within the legal entity / company. However, it is also possible to coordinate this internal reporting channel via an external service provider such as a lawyer.

An advantage of this procedure is the acceleration of the flow of information and the possibility to quickly counteract and solve problems internally. The recipient is familiar with the company and can better understand the content of the notice. The standards in terms of security, data protection and process requirements are high so that the reporter feels secure. Therefore, increased communication to build trust is urgently needed.

It is very important to make the internal complaint available in a system that can ensure anonymity. The question of whether someone from within IT can find out who has made a complaint is particularly relevant here. An internal reporting channel that is independent of the own IT infrastructure can address these concerns. Support and processing can also be delegated to lawyers or compliance advisors.

External channels

The Directive also requires the establishment of external channels available to the whistleblower in addition to the internal reporting channel. The instance of the external channel must be provided by an authority in each EU member state. Of course, all requirements of the Whistleblower Protection Act also apply to external channels. The reporting of an external whistleblower automatically triggers an official investigation.

A positive aspect is the complete independence from the whistleblower's own company and the standardised examination of the reports. However, the company only learns of the grievance in the case of escalation or through the initiation of an investigation. This represents an incalculable risk. It is of great importance that companies explicitly refer to both communication channels - internal and external - and leave it up to their employees to decide through which channel they report. There is a significant incentive to design the internal reporting channel in such a way that it is intuitively accessible at all times and builds trust among staff. In this way, the need for external investigation by third parties can be avoided and the problem can be addressed and resolved internally.

In its statement, the EU announced tough sanctions against companies that do not set up an effective whistleblower system. According to the Whistleblower Protection Act in Germany, these violations can be punished with fines of up to €50,000. Also affected are companies that do not comply with the requirements of whistleblower protection, for example by failing to maintain the confidentiality of whistleblowers or by taking dissuasive measures against them.

Failure to comply with the requirements of the EU Whistleblower Directive has serious consequences: if the company does not provide the whistleblower with an easily accessible reporting system, or if an internal reporting channel is available but the whistleblower is not promptly informed of the receipt of the report and of the outcome of the investigation or any action taken, the whistleblower can make the information public without being criminally prosecuted. In that case the whistleblower is covered by the EU Whistleblower Directive. The consequences of violating the Whistleblower Protection Act must be taken seriously.

What types of violations are currently covered?

The whistleblower is covered by the law when reporting the following violations:

  • violations of criminal law: This includes all criminal laws under German law.
  • Violations of regulations subject to fines, insofar as the violated regulation serves the protection of life, body or health or the right of employees or their representative bodies:
    • This includes, for example, regulations from the following areas:
      • Occupational health and safety
      • Health protection
      • Violations of the Minimum Wage Act,
      • Regulations under the Temporary Employment Act,
      • regulations that violate obligations to provide information to works councils and economic committees.
    • In addition, all violations of legal norms adopted to implement European regulations are included:
      • Regulations to combat money laundering,
      • regulations on product safety, the transport of dangerous goods, environmental protection, radiation protection,
      • food and feed safety,
      • quality and safety standards for medicinal products and medical devices,
      • consumer protection regulations,
      • data protection regulations,
      • security in information technology,
      • public procurement law,
      • accounting regulations for corporations.

Sanction and compensation measures in the German Whistleblower Protection Act.

The law provides that whistleblowers are compensated if they suffer reprisals. However, whistleblowers are also liable for damages if they intentionally spread a false report. Companies that violate the Whistleblower Protection Act must expect fines. Unlike in the case of data protection, the right to compensation for whistleblowers was removed in the last amendment of the law. It is therefore extremely important to comply with the requirements of the law in order to avoid unpleasant consequences.

What are the benefits of using a digital whistleblowing system?

In a world where corruption, fraud and illegal behaviour consistently generate negative headlines that can have an unfavourable impact on one's reputation and customers' trust in a partner, whistleblower systems are crucial. They play an important role in the early detection of wrongdoing, promoting a culture of integrity, accountability and trust. The following are further benefits:

Anonymity and security:

A digital system allows whistleblowers to make their disclosures anonymously and securely. By using encrypted communication channels, whistleblowers can conceal their identity and hide from retaliation by the perpetrators. This anonymity creates a climate of trust and encourages all staff to act with integrity and take responsibility for their work and the work of their colleagues.

Efficient and fast communication:

Digital whistleblowing systems enable efficient and fast communication between the whistleblower and internal compliance departments through automation and processes. Working with a process-oriented system saves time, reduces human error and increases efficiency. Information can be automatically transmitted to the right persons, ensuring immediate response and investigation of reported incidents.

Protection against false reporting and misuse:

Such a system can implement mechanisms to verify and validate the reported information. This reduces the risk of false reporting and misuse. Reported incidents can be reviewed and investigated in a more focused manner, leading to more effective use of resources and enhancing credibility.

Documentation and follow-up:

Digitally capturing leads and the progress of investigations enables comprehensive documentation and tracking of reported incidents. This supports a thorough analysis and enables a complete record of the entire process. In addition, statistics and reports can be generated to identify trends and patterns and to take preventive action.

Promoting a culture of integrity:

A clear signal is sent to employees, customers and the public that a company or organisation promotes a culture of integrity and ethical behaviour. It creates an atmosphere of trust and openness where people can report wrongdoing without fear of consequences. This establishes a positive corporate culture and strengthens faith in the organisation.

Common features of a digital whistleblower protection system and a service management solution

Digital whistleblower protection systems and service management solutions share common features. Both types of systems are designed to efficiently collect, manage and process information. They provide a platform for the exchange of information, whether between whistleblowers and authorities or between customers and service providers. Both systems emphasise the security and confidentiality of the information transmitted.

  • Management of reports: Creating, processing and finalising notifications, work orders and work requests.
  • Management of instructions for processing: In the form of knowledge base entries, these can be kept and easily found.
  • Preventive escalation: Messages or incidents can be escalated horizontally or vertically based on their priority.
  • Reporting and analytics: Data that is in a system can be presented as reports and dashboards to provide insights into key processes and KPIs.
  • Mobile application: Web technology allows both reporting and processing to be done from the palm of your hand from both sides (reporter and processor).
  • Compliance: Easily create audit dashboards to demonstrate compliance.
  • Integrations: Integrate both solutions with core business software, from SAP to Power BI, with API connections or through low-code integration.
  • Proactive / Predictive Action: By bundling incidents in one place, holes in compliance are identified and closed through action.
  • Multi-site capabilities: Enterprise-friendly software gives you the ability to connect multiple sites, standardise strategy and create global reports. Certain multi-site platforms also usually manage to allow you to work across languages, time zones and currencies.

Overall, both digital whistleblower protection systems and service management solutions can help manage information securely and efficiently, improve communication and create an environment of trust. Regardless of their specific application, they share similar basic principles and help promote efficiency, transparency and accountability.

Choosing a software solution for you

Choosing the perfect software solution for your requirement can be a challenging task. Unfortunately, an estimated 80% of implementations fall short because of a lack of standards.

The ideal software for your team should already deliver many standards, including managing notifications and processing them, automating predictive activities, enabling proactive strategies, documenting compliance activities and more. Ultimately, though, you should choose a solution that can be customised and grow with you and your needs.

There are three key features to consider when making your selection:

    Configurability: Every business and team has unique requirements. Therefore, it is important to choose a standard software suite that meets individual needs and grows with you over time.
    Professional services: A reliable partner that provides training, implementation support and long-term professional services is essential.
    User-friendliness: Software designed to make work easier must be easy to use. Therefore, user-friendliness is of great importance in the selection process.

How can you implement a solution quickly and efficiently?

Procedure with the EcholoN Compliance Platform for internal notices:

The "EcholoN Compliance Platform" ensures that the reporting person and their identity - if desired - remain anonymous and are thus secured at all times. There is no direct contact between the reporting person and either us or you. The report is entered either online as text or by telephone via voice recording. You, as an EcholoN client, do not receive the original audio recording, but a transcript. The information received is checked by you or your co-worker. Further communication takes place (anonymously) via the "EcholoN Compliance Platform". Via a case number, the reporting person can find out about the status of the processing at any time.

The components in detail:

  • Web portal with the option of reporting by name or anonymously;
    • Simple integrated web form for easy and low-threshold recording of reports. Available in various languages.
  • Automatic confirmation of receipt to the reporting office;
  • Web portal for processing (checking, ...) whether the reported violation falls within the material scope of application of the WPA;
    • Standard EcholoN Web Client for processing the report and starting case management. The EcholoN Web Client can be adapted at the time of introduction, but can also be adapted later, depending on requirements.
  • Possibility of contacting the whistleblower via the EcholoN Web Portal or the EcholoN Web Client / Web App in order to obtain or provide further information if necessary;
  • Manual or automatic forwarding (escalation) of the incident, for example to the management;
  • Compliance with confidentiality and fully anonymous communication;
  • Compliance with deadlines in accordance with regulatory requirements, conclusive documentation and a high level of data protection;
    • Automatic escalation if no feedback to the whistleblower has been given three months after acknowledgement of receipt of the report.

All processing of cases is documented centrally in one case, while maintaining confidentiality. This case is automatically deleted via a workflow after the procedure has been completed. If longer storage is necessary and proportionate for the processing of the case or due to other legal provisions, this must be justified and possible.

With our EcholoN Compliance Platform, we offer a well-rounded, simple digital whistleblowing system based on over 20 years of experience.

The EcholoN Compliance Platform is available 24/7 and 365 days a year!

We provide the platform as a SaaS solution on our infrastructure. This ensures that even your own IT administrators cannot access the data in the processes.

EcholoN customers receive a link from us - after conclusion of the contract - to open a notification, which is published throughout the company or on their own website, intranet, etc. We also provide the access data for processing the cases, including the access data to your internal area in the whistleblower protection portal.

FAQ on the Whistleblower Protection Act

What is the Whistleblower Protection Act?

A: The Whistleblower Protection Act is a legal framework that ensures the protection of persons who report information about wrongdoing or violations of the law in companies or public institutions. It is designed to help whistleblowers avoid possible reprisals and to encourage the disclosure of wrongdoing.

When did the Whistleblower Protection Act come into force?

A: Following publication on 2 June 2023, employers with 250 or more employees are required to implement the requirements of the Whistleblower Protection Act from 2 July 2023. For companies with 50 to 249 employees, the implementation deadline is 17 December 2023.

Who is considered a whistleblower?

A: A whistleblower is a person who, in good faith and outside their normal professional duties, reports information about possible violations or wrongdoing. This can be employees of a business, government officials, suppliers, customers or even members of the public.

What types of violations can be reported?

A: The Whistleblower Protection Act covers a wide range of violations, including corruption, fraud, tax evasion, environmental pollution, human rights violations, illegal price fixing, discrimination in the workplace or other forms of misconduct.

How are whistleblowers protected?

A: The Whistleblower Protection Act provides several safeguards to protect whistleblowers from retaliation. These include anonymity, confidentiality, a prohibition on discrimination or termination for reporting, and legal protections to take legal action if retaliation occurs.

Who can whistleblowers report to?

A: The Whistleblower Protection Act specifies the entities to which whistleblowers can report. These can be internal hotlines within a company, specialised external organisations or authorities responsible for receiving and investigating whistleblowing. The exact contact information should be specified in the relevant policies and procedures of the law.

What consequences can violations have?

A: Companies or individuals who violate the Whistleblower Protection Act may face legal consequences such as fines or claims for damages. The exact sanctions depend on the respective laws and regulations.

Does the Whistleblower Protection Act also apply to small companies?

A: In many countries, whistleblower protection laws are not limited to large companies with 250 or more employees, but also apply to small and medium-sized companies - from 50 to 249 employees.

FAQ on the EU Whistleblowing Directive

What is the EU Whistleblowing Directive?

The EU Whistleblowing Directive is a legal provision that regulates the protection of whistleblowers in the European Union (EU). It aims to create uniform standards of protection for people who report breaches of EU law.

What is meant by "whistleblowing"?

Whistleblowing refers to the reporting of information about wrongdoing, malpractice or breaches of laws or regulations by persons acting in good faith. Whistleblowers are persons who report such information publicly or confidentially in order to protect the public interest.

When did the EU Whistleblowing Directive come into force?

The EU Whistleblowing Directive was adopted on 16 December 2019. EU Member States have two years to transpose the Directive into national law. Exact implementation deadlines may vary by country.

What types of breaches can be reported?

The Whistleblowing Directive covers a wide range of breaches, including corruption, money laundering, fraud, breaches of environmental and consumer protection laws, road safety, nuclear power plants, public health and more.

What protections does the Directive provide to whistleblowers?

The Directive requires protections such as confidentiality, anonymity, protection from retaliation (such as termination, discrimination or harassment), and access to effective remedies and advice.

Do companies have to set up internal hotlines?

Yes, the Directive requires certain companies to establish internal hotlines to which whistleblowers can report. These bodies must be confidential and ensure that appropriate investigations are carried out.

Does the Whistleblowing Directive apply to all EU Member States?

Yes, the Whistleblowing Directive applies to all 27 EU Member States. Member States must transpose the provisions into national law, but may provide for additional safeguards beyond the minimum requirements of the Directive.

Are there penalties for companies that violate the Directive?

Yes, Member States must lay down appropriate sanctions for companies that breach the provisions of the Whistleblowing Directive. The exact penalties may vary depending on national legislation.

Please note that this FAQ provides general information and does not constitute legal advice. If in doubt, you should consult a lawyer or a specialist in whistleblower protection laws to clarify specific issues.