Establishment of an internal reporting office (Whistleblower Protection Act) – How might it be implemented in the company?

How could an internal reporting office be implemented in the company?

In order to answer this question, the legal requirements of the HinSchG for the establishment of an internal reporting office must first be specified.

The reporting channels to be set up according to the bill must be open at least to the company’s own employees and temporary workers assigned to the company. In addition, the companies obliged to set up a reporting channel can decide for themselves whether the channel should also be open to external persons who have professional contact with the company and observe a violation there. In the first stage, the companies are free to decide whether to provide reporting systems that enable the submission and processing of anonymous reports. From 1 January 2025, anonymous communication with the whistleblower must be ensured. This last point is not only advisable from the point of view of data protection, but also to minimise the disincentive for the whistleblower to make a report.

The requirements for the establishment and design of internal reporting channels are deliberately kept general. Beyond the requirements set out in this law, the legal persons concerned should be free to decide how they operate the reporting office. A possible arrangement is to be chosen on the basis of the structure of the company and mentions the following functions by way of example:

• HR department,
• Legal department,
• Compliance department,
• Internal audit,
• Integrity officers or data protection officers.

However, the latter is not advisable, as there may be possible conflicts of interest of the functions of the data protection officer and the reporting officer in the processing of personal data.^[2]

Reports may be made either orally or in text form to the internal reporting office, as long as the chosen means of transmission preserves the confidentiality of the identity of the persons concerned by the report.

Pursuant to Section 17 HinSchG-E, the internal reporting office confirms receipt of the report to the whistleblower after seven days at the latest, checks whether the reported violation falls within the material scope of application, maintains contact with the whistleblower, checks the validity of the submitted report, asks the whistleblower for further information if necessary and takes appropriate follow-up measures. Thereafter, the internal reporting office provides feedback to the whistleblower within three months of confirming receipt of the report. In doing so, the company must ensure that any feedback to the whistleblower does not affect the internal investigation or enquiry and does not prejudice the rights of the persons who are the subject of the report.

Taking into account the above remarks, the procedure of an internal report in the company could be as shown in Figure 1.

There are various solutions for the design of a reporting channel. An internal solution, such as setting up an internal e-mail address, is pragmatic and can keep costs low. Here, however, it cannot be guaranteed that non-authorised persons (IT staff of the company) will not gain knowledge of the content of the report (by accessing the mail server), which would in turn contradict the confidentiality requirement (cf. Section 8 HinSchG-E).^[3] Other possible solutions include the establishment of an IT-supported system or the receipt of the information by an ombudsperson via an external telephone number. IT-supported systems from providers that are already established can fully meet the requirements of the HinSchG, but should – just like the provider itself – be audited with regard to data protection and information security. In particular, the provider should have taken appropriate technical-organisational measures and be able to show relevant certifications such as ISO 27001. An external phone number to an ombudsperson can incur very high costs due to the need to ensure permanent accessibility. Whichever solution a company chooses, there will be (additional) costs for the company in any case.

Finally, it can be stated that the implementation of the HinSchG, in addition to bureaucratic hurdles, also brings opportunities for companies. In principle, every company should have an interest in quickly clarifying and eliminating violations of the law in order to avoid or minimise reputational and other types of damage (e.g. financial).^[4] The establishment of an (anonymous) whistleblower system can build trust with employees and other stakeholders (e.g. customers) and help to optimise workflows. Ultimately, the combined benefits of a whistleblower protection system can create a competitive advantage.^[5]

1. Federal Statistical Office (Destatis), Small and medium-sized enterprises, available at: https://www.destatis.de/EN/Themes/Economic-Sectors-Enterprises/Enterprises/Small-Sized-Enterprises-Medium-Sized-Enterprises/_node.html (as of 13.02.2023).
2. Stuke/Fehr, BB 2021, 2740.
3. Birker/Würz, Hinweisgeberschutzgesetz im Bundestag verabschiedet (Whistleblower Protection Act passed in the Bundestag), available at: https://www.haufe.de/compliance/recht- politik/hinweisgebersysteme-und-die-eu- whistleblower-richtlinie_230132_528700.html (as of: 102.2023).
   
4. Franzen, EuZA 2022, 391 (392).
5. PwC, Hinweisgebersysteme: So verwandeln Sie die Pflicht in einen Wettbewerbsvortei (Whistleblower systems: How to turn duty into a competitive advantage), retrieved from: https://www.pwc.de/de/managementberatung/risk/hinweis gebersysteme-so-verwandeln-sie-die- pflicht-in-einen-wettbewerbsvorteil.html (Stand: 13.02.2023).